Mercurial > syslog2iptables

annotate xml/syslog2iptables.in @ 11:a9b52f657f08

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
finish coding 1.0 version
author carl
date Thu, 15 Dec 2005 16:20:17 -0800
parents
children c2a2e35a85ac
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
1 <reference>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
2 <title>@PACKAGE@</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
3 <partintro>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
4 <title>Packages</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
5 <para>The various source and binary packages are available at <ulink
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
6 url="http://www.five-ten-sg.com/syslog2iptables/packages">http://www.five-ten-sg.com/syslog2iptables/packages</ulink>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
7 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
8 <para>The most recent documentation is available at <ulink
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
9 url="http://www.five-ten-sg.com/syslog2iptables/">http://www.five-ten-sg.com/syslog2iptables/</ulink>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
10 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
11 </partintro>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
12
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
13 <refentry id="@PACKAGE@.1">
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
14 <refentryinfo>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
15 <date>2005-12-15</date>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
16 </refentryinfo>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
17
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
18 <refmeta>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
19 <refentrytitle>@PACKAGE@</refentrytitle>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
20 <manvolnum>1</manvolnum>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
21 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
22 </refmeta>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
23
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
24 <refnamediv id='name.1'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
25 <refname>@PACKAGE@</refname>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
26 <refpurpose>a simple adaptive firewall</refpurpose>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
27 </refnamediv>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
28
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
29 <refsynopsisdiv id='synopsis.1'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
30 <title>Synopsis</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
31 <cmdsynopsis>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
32 <command>@PACKAGE@</command>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
33 <arg><option>-c</option></arg>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
34 <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
35 </cmdsynopsis>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
36 </refsynopsisdiv>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
37
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
38 <refsect1 id='description.1'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
39 <title>Description</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
40 <para><command>@PACKAGE@</command> is a simple adaptive firewall. It
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
41 maintains the INPUT chain of the <citerefentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
42 <refentrytitle>iptables</refentrytitle> <manvolnum>1</manvolnum>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
43 </citerefentry> firewall set based on syslog entries. These syslog
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
44 entries are typically generated by your hardware firewall, but they
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
45 could come from any source. Any syslog entry that contains a host name
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
46 or ip address can be used as input to this package.</para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
47
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
48 <para>The <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
49 <manvolnum>5</manvolnum> </citerefentry> file specifies the syslog files
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
50 to be monitored, and the regular expressions (<citerefentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
51 <refentrytitle>regex</refentrytitle> <manvolnum>7</manvolnum>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
52 </citerefentry>) to be applied to new lines in those files. Each
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
53 regular expression needs an index to specify the matching substring that
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
54 contains either an ip address or host name, and a bucket count which is
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
55 added to the leaky bucket for that ip address when a matching line is
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
56 read from that syslog file.</para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
57
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
58 <para>Each ip address has an associated leaky bucket, which leaks one
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
59 token per second. Once the bucket contains more than a configurable
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
60 number of tokens, that ip address is added to the INPUT chain with a
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
61 DROP target. When the bucket is drained to zero, that ip address is
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
62 removed from the INPUT chain.</para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
63 </refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
64
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
65 <refsect1 id='options.1'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
66 <title>Options</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
67 <variablelist>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
68 <varlistentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
69 <term>-c</term>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
70 <listitem>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
71 <para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
72 Load the configuration file, print a cannonical form
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
73 of the configuration on stdout, and exit.
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
74 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
75 </listitem>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
76 </varlistentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
77 <varlistentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
78 <term>-d <replaceable class="parameter">n</replaceable></term>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
79 <listitem>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
80 <para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
81 Set the debug level to <replaceable class="parameter">n</replaceable>.
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
82 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
83 </listitem>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
84 </varlistentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
85 </variablelist>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
86 </refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
87
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
88 <refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
89 <title>Usage</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
90 <para><command>@PACKAGE@</command> -d 2</para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
91 </refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
92
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
93 <refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
94 <title>Configuration</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
95 <para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
96 The configuration file is documented in <citerefentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
97 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
98 </citerefentry>.
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
99 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
100 </refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
101
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
102 <refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
103 <title>Copyright</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
104 <para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
105 Copyright (C) 2005 by 510 Software Group &lt;carl@five-ten-sg.com&gt;
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
106 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
107 <para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
108 This program is free software; you can redistribute it and/or modify it
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
109 under the terms of the GNU General Public License as published by the
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
110 Free Software Foundation; either version 2, or (at your option) any
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
111 later version.
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
112 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
113 <para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
114 You should have received a copy of the GNU General Public License along
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
115 with this program; see the file COPYING. If not, please write to the
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
116 Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
117 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
118 </refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
119 </refentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
120
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
121
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
122 <refentry id="@PACKAGE@.conf.5">
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
123 <refentryinfo>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
124 <date>2005-12-15</date>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
125 </refentryinfo>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
126
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
127 <refmeta>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
128 <refentrytitle>@PACKAGE@.conf</refentrytitle>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
129 <manvolnum>5</manvolnum>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
130 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
131 </refmeta>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
132
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
133 <refnamediv id='name.5'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
134 <refname>@PACKAGE@.conf</refname>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
135 <refpurpose>configuration file for @PACKAGE@</refpurpose>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
136 </refnamediv>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
137
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
138 <refsynopsisdiv id='synopsis.5'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
139 <title>Synopsis</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
140 <cmdsynopsis>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
141 <command>@PACKAGE@.conf</command>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
142 </cmdsynopsis>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
143 </refsynopsisdiv>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
144
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
145 <refsect1 id='description.5'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
146 <title>Description</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
147 <para>The <command>@PACKAGE@.conf</command> configuration file is
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
148 specified by this partial bnf description.</para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
149
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
150 <literallayout class="monospaced"><![CDATA[
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
151 CONFIG := THRESHOLD IGNORE {FILE}+
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
152 THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE ";"
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
153 IGNORE := "ignore" "{" IG-SINGLE+ "};"
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
154 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
155 FILE := "file" FILENAME "{" PATTERN+ "};"
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
156 PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET}+ "};"
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
157 INDEX := "index" REGEX-INTEGER-VALUE ";"
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
158 BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";"]]></literallayout>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
159 </refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
160
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
161 <refsect1 id='sample.5'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
162 <title>Sample</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
163 <literallayout class="monospaced"><![CDATA[
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
164 threshold 550;
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
165
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
166 ignore {
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
167 127.0.0.0/8; // localhost
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
168 };
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
169
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
170 file "/var/log/cisco.log" {
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
171 pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
172 index 2; // zero based
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
173 bucket 200;
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
174 };
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
175 };
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
176
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
177 file "/var/log/secure" {
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
178 pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
179 index 1; // zero based
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
180 bucket 400;
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
181 };
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
182 pattern "sshd.*Failed password .* from (.*) port" {
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
183 index 1; // zero based
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
184 bucket 400;
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
185 };
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
186 };]]></literallayout>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
187 </refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
188
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
189 </refentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
190 </reference>