annotate xml/syslog2iptables.in @ 76:c6c8a2102a3e

add more logging when blocked addresses move to higher scale values
author Carl Byington <carl@five-ten-sg.com>
date Wed, 15 Jul 2020 13:38:43 -0700
parents 45e53c44c46c
children
rev   line source
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
1 <reference>
50
75361069c6ef changes for fedora 10
Carl Byington <carl@five-ten-sg.com>
parents: 44
diff changeset
2 <title>@PACKAGE@ - Version @VERSION@</title>
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
3 <partintro>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
4 <title>Packages</title>
44
9e9f09cf411c Add fixes for Solaris from sm-archive.
Carl Byington <carl@five-ten-sg.com>
parents: 42
diff changeset
5
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
6 <para>The various source and binary packages are available at <ulink
19
13b2e663b553 add trailing / on http package directory reference
carl
parents: 16
diff changeset
7 url="http://www.five-ten-sg.com/@PACKAGE@/packages/">http://www.five-ten-sg.com/@PACKAGE@/packages/</ulink>
12
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
8 The most recent documentation is available at <ulink
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
9 url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink>
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
10 </para>
44
9e9f09cf411c Add fixes for Solaris from sm-archive.
Carl Byington <carl@five-ten-sg.com>
parents: 42
diff changeset
11
9e9f09cf411c Add fixes for Solaris from sm-archive.
Carl Byington <carl@five-ten-sg.com>
parents: 42
diff changeset
12 <para>A <ulink
9e9f09cf411c Add fixes for Solaris from sm-archive.
Carl Byington <carl@five-ten-sg.com>
parents: 42
diff changeset
13 url="http://www.selenic.com/mercurial/wiki/">Mercurial</ulink> source
9e9f09cf411c Add fixes for Solaris from sm-archive.
Carl Byington <carl@five-ten-sg.com>
parents: 42
diff changeset
14 code repository for this project is available at <ulink
9e9f09cf411c Add fixes for Solaris from sm-archive.
Carl Byington <carl@five-ten-sg.com>
parents: 42
diff changeset
15 url="http://hg.five-ten-sg.com/@PACKAGE@/">http://hg.five-ten-sg.com/@PACKAGE@/</ulink>.
9e9f09cf411c Add fixes for Solaris from sm-archive.
Carl Byington <carl@five-ten-sg.com>
parents: 42
diff changeset
16 </para>
9e9f09cf411c Add fixes for Solaris from sm-archive.
Carl Byington <carl@five-ten-sg.com>
parents: 42
diff changeset
17
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
18 </partintro>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
19
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
20 <refentry id="@PACKAGE@.1">
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
21 <refentryinfo>
63
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
22 <date>2015-12-18</date>
58
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 53
diff changeset
23 <author>
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 53
diff changeset
24 <firstname>Carl</firstname>
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 53
diff changeset
25 <surname>Byington</surname>
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 53
diff changeset
26 <affiliation>
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 53
diff changeset
27 <orgname>510 Software Group</orgname>
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 53
diff changeset
28 </affiliation>
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 53
diff changeset
29 </author>
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
30 </refentryinfo>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
31
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
32 <refmeta>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
33 <refentrytitle>@PACKAGE@</refentrytitle>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
34 <manvolnum>1</manvolnum>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
35 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
36 </refmeta>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
37
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
38 <refnamediv id='name.1'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
39 <refname>@PACKAGE@</refname>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
40 <refpurpose>a simple adaptive firewall</refpurpose>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
41 </refnamediv>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
42
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
43 <refsynopsisdiv id='synopsis.1'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
44 <title>Synopsis</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
45 <cmdsynopsis>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
46 <command>@PACKAGE@</command>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
47 <arg><option>-c</option></arg>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
48 <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
49 </cmdsynopsis>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
50 </refsynopsisdiv>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
51
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
52 <refsect1 id='description.1'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
53 <title>Description</title>
12
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
54
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
55 <para><command>@PACKAGE@</command> is a simple adaptive firewall. It
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
56 maintains the INPUT chain of the <citerefentry>
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
57 <refentrytitle>iptables</refentrytitle> <manvolnum>1</manvolnum>
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
58 </citerefentry> firewall set based on syslog entries. These syslog
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
59 entries are typically generated by your hardware firewall, but they
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
60 could come from any source. Any syslog entry that contains a host name
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
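61 or ip address can be used as input to this package. Because remote parties can influence parts of many log lines (user names, for example), write each regular expression so that the matching substring can only be the address recorded by the logging daemon.</para>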
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
62
12
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
63 <para>The <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle>
63
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
64 <manvolnum>5</manvolnum> </citerefentry> file specifies the syslog
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
65 files to be monitored, and the regular expressions (<citerefentry>
12
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
66 <refentrytitle>regex</refentrytitle> <manvolnum>7</manvolnum>
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
67 </citerefentry>) to be applied to new lines in those files. Each
63
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
68 regular expression needs an INDEX to specify the matching substring
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
69 that contains either an ip address or host name, and a DELTA which is
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
70 used to modify the leaky bucket count for that ip address when a
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
71 matching line is read from that syslog file. </para>
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
72
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
73 <para>If the DELTA is negative, the leaky bucket count is set to that
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
74 DELTA value, any existing blocking for that ip address is removed, and
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
75 new blocking is prevented until that bucket leaks upward to zero.
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
76 </para>
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
77
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
78 <para>If the DELTA is positive and the current leaky bucket count is
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
79 not negative, that DELTA value is added to the leaky bucket count for
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
80 that ip address. Once the bucket contains more than a configurable
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
81 THRESHOLD number of tokens, that ip address is added to the INPUT
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
82 chain with a DROP target.</para>
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
83
12
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
84 <para>Each ip address has an associated leaky bucket, which leaks one
63
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
85 token per second so the count moves toward zero. When the bucket is
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
86 drained to zero, that ip address is removed from the INPUT
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
87 chain.</para>
12
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
88
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
89 <para>The discussion has focused on syslog files, but any ascii text
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
90 file can be used, so long as some other process appends lines to that
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
91 file, and those lines containing host names or ip addresses can be matched
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
92 with some regular expression.</para>
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
93
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
94 <para>Considering syslog files in particular, these are normally rotated
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
95 via logrotate. <command>@PACKAGE@</command> properly detects and
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
96 handles this case by closing the old file, and reopening the newly
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
97 created file.</para>
63
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
98
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
99 <para>With the default config file, you can manually unblock an ip
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
100 address with <command>logger -p authpriv.info "manual unblock
67
45e53c44c46c bump version
Carl Byington <carl@five-ten-sg.com>
parents: 63
diff changeset
101 1.2.3.4"</command> and you can manually block an ip address with
45e53c44c46c bump version
Carl Byington <carl@five-ten-sg.com>
parents: 63
diff changeset
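102 <command>logger -p authpriv.info "manual block 1.2.3.4"</command>. Any local account that can send authpriv messages with logger can do the same, so consider removing these two patterns from the config file on hosts with untrusted local users.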
45e53c44c46c bump version
Carl Byington <carl@five-ten-sg.com>
parents: 63
diff changeset
103 </para>
63
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
104
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
105 </refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
106
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
107 <refsect1 id='options.1'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
108 <title>Options</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
109 <variablelist>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
110 <varlistentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
111 <term>-c</term>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
112 <listitem>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
113 <para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
114 Load the configuration file, print a canonical form
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
115 of the configuration on stdout, and exit.
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
116 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
117 </listitem>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
118 </varlistentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
119 <varlistentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
120 <term>-d <replaceable class="parameter">n</replaceable></term>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
121 <listitem>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
122 <para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
123 Set the debug level to <replaceable class="parameter">n</replaceable>.
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
124 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
125 </listitem>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
126 </varlistentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
127 </variablelist>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
128 </refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
129
16
ae2767aabdbc add id strings to all ref sections
carl
parents: 14
diff changeset
130 <refsect1 id='usage.1'>
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
131 <title>Usage</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
132 <para><command>@PACKAGE@</command> -d 2</para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
133 </refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
134
16
ae2767aabdbc add id strings to all ref sections
carl
parents: 14
diff changeset
135 <refsect1 id='configuration.1'>
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
136 <title>Configuration</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
137 <para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
138 The configuration file is documented in <citerefentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
139 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
12
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
140 </citerefentry>. Any change to the config file will cause it to be
c2a2e35a85ac final documentation, rpm builds properly
carl
parents: 11
diff changeset
141 reloaded within three minutes.
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
142 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
143 </refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
144
24
ec051169fdfd don't flush input chain, use -D option instead
carl
parents: 19
diff changeset
145 <refsect1 id='todo.1'>
ec051169fdfd don't flush input chain, use -D option instead
carl
parents: 19
diff changeset
146 <title>TODO</title>
ec051169fdfd don't flush input chain, use -D option instead
carl
parents: 19
diff changeset
147 <para>
ec051169fdfd don't flush input chain, use -D option instead
carl
parents: 19
diff changeset
148 The following ideas are under consideration.
ec051169fdfd don't flush input chain, use -D option instead
carl
parents: 19
diff changeset
149 </para>
ec051169fdfd don't flush input chain, use -D option instead
carl
parents: 19
diff changeset
150 <para>
ec051169fdfd don't flush input chain, use -D option instead
carl
parents: 19
diff changeset
151 Add a configuration option for the iptables table name in the
ec051169fdfd don't flush input chain, use -D option instead
carl
parents: 19
diff changeset
152 pattern statement. This implies handling multiple tables, so each
ec051169fdfd don't flush input chain, use -D option instead
carl
parents: 19
diff changeset
153 table needs its own map of ip addresses and bucket values.
ec051169fdfd don't flush input chain, use -D option instead
carl
parents: 19
diff changeset
154 </para>
ec051169fdfd don't flush input chain, use -D option instead
carl
parents: 19
diff changeset
155 </refsect1>
ec051169fdfd don't flush input chain, use -D option instead
carl
parents: 19
diff changeset
156
16
ae2767aabdbc add id strings to all ref sections
carl
parents: 14
diff changeset
157 <refsect1 id='copyright.1'>
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
158 <title>Copyright</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
159 <para>
31
carl
parents: 30
diff changeset
160 Copyright (C) 2007 by 510 Software Group &lt;carl@five-ten-sg.com&gt;
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
161 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
162 <para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
163 This program is free software; you can redistribute it and/or modify it
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
164 under the terms of the GNU General Public License as published by the
31
carl
parents: 30
diff changeset
165 Free Software Foundation; either version 3, or (at your option) any
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
166 later version.
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
167 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
168 <para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
169 You should have received a copy of the GNU General Public License along
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
170 with this program; see the file COPYING. If not, please write to the
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
171 Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
172 </para>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
173 </refsect1>
31
carl
parents: 30
diff changeset
174
carl
parents: 30
diff changeset
175 <refsect1 id='version.1'>
42
d9ae11033b4b Add default config to firewall systems that send bounces to non-existant accounts.
Carl Byington <carl@five-ten-sg.com>
parents: 36
diff changeset
176 <title>Version</title>
31
carl
parents: 30
diff changeset
177 <para>
42
d9ae11033b4b Add default config to firewall systems that send bounces to non-existant accounts.
Carl Byington <carl@five-ten-sg.com>
parents: 36
diff changeset
178 @VERSION@
31
carl
parents: 30
diff changeset
179 </para>
carl
parents: 30
diff changeset
180 </refsect1>
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
181 </refentry>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
182
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
183
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
184 <refentry id="@PACKAGE@.conf.5">
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
185 <refentryinfo>
63
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
186 <date>2015-12-18</date>
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
187 </refentryinfo>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
188
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
189 <refmeta>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
190 <refentrytitle>@PACKAGE@.conf</refentrytitle>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
191 <manvolnum>5</manvolnum>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
192 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
193 </refmeta>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
194
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
195 <refnamediv id='name.5'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
196 <refname>@PACKAGE@.conf</refname>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
197 <refpurpose>configuration file for @PACKAGE@</refpurpose>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
198 </refnamediv>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
199
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
200 <refsynopsisdiv id='synopsis.5'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
201 <title>Synopsis</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
202 <cmdsynopsis>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
203 <command>@PACKAGE@.conf</command>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
204 </cmdsynopsis>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
205 </refsynopsisdiv>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
206
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
207 <refsect1 id='description.5'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
208 <title>Description</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
209 <para>The <command>@PACKAGE@.conf</command> configuration file is
27
28fec0c67646 make add/remove commands configureable
carl
parents: 24
diff changeset
210 specified by this partial bnf description. The entire config file
28fec0c67646 make add/remove commands configureable
carl
parents: 24
diff changeset
211 is case sensitive. All the keywords are lower case.
28fec0c67646 make add/remove commands configureable
carl
parents: 24
diff changeset
212 </para>
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
213
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
214 <literallayout class="monospaced"><![CDATA[
53
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
215 CONFIG := {CONTEXT ";"}+
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
216 CONTEXT := "context" NAME "{" {STATEMENT}+ "}"
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
217 STATEMENT := (THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE) ";"
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
218 THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
219 ADD-CMD := "add_command" IPT-CMD
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
220 REM-CMD := "remove_command" IPT-CMD
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
221 IGNORE := "ignore" "{" IG-SINGLE+ "}"
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
222 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
223 FILE := "file" FILENAME "{" PATTERN+ "}"
35
d2ceebcf6595 add message description in patterns
carl
parents: 31
diff changeset
224 PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | DELTA | MESSAGE}+ "};"
63
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
225 INDEX := "index" REGEX-INTEGER ";"
60f59936fabb good authentication prevents ip blocking for awhile
Carl Byington <carl@five-ten-sg.com>
parents: 58
diff changeset
226 DELTA := "bucket" BUCKET-DELTA-INTEGER ";"
35
d2ceebcf6595 add message description in patterns
carl
parents: 31
diff changeset
227 MESSAGE := "message" REASON ";"
d2ceebcf6595 add message description in patterns
carl
parents: 31
diff changeset
228 REASON := string to appear in syslog messages
27
28fec0c67646 make add/remove commands configureable
carl
parents: 24
diff changeset
229 IPT-CMD := string containing exactly one %s replacement token for
29
e16a5fb390fa make add/remove commands configureable
carl
parents: 27
diff changeset
230 the ip address]]></literallayout>
11
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
231 </refsect1>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
232
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
233 <refsect1 id='sample.5'>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
234 <title>Sample</title>
a9b52f657f08 finish coding 1.0 version
carl
parents:
diff changeset
235 <literallayout class="monospaced"><![CDATA[
53
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
236 context general {
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
237 threshold 550;
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
238
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
239 add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
240 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
241
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
242 ignore {
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
243 127.0.0.0/8; // localhost
35
d2ceebcf6595 add message description in patterns
carl
parents: 31
diff changeset
244 };
53
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
245
d6fb7fca0394 Document multiple contexts
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
// Sample rules for the authentication log. Each pattern is a regular
// expression tried against lines of this file; "index" picks the
// parenthesised group that holds the address (presumably 0 is the whole
// match, so 1 is the first group - confirm), "bucket" is the weight applied
// on a match and "message" is a descriptive label.
// NOTE(review): the patterns are unanchored and capture with a greedy (.*).
// Parts of these lines, such as the user name in an sshd "Failed password"
// entry, are chosen by the remote client, so the captured text is not
// guaranteed to be the peer address. Where the log always carries a numeric
// address, prefer an address-shaped group such as ([0-9.]+), and confirm how
// the daemon validates the captured text before it is used in a firewall rule.
file "/var/log/secure" {
    // Negative weight: a match credits the captured address instead of
    // counting against it.
    // NOTE(review): any line in this file containing the text matches, so
    // write access to syslog amounts to the ability to unblock an address.
    // Consider a more specific pattern (program name, fixed layout).
    pattern "manual unblock (.*)" {
        index 1; // zero based
        bucket -5000;
        message "manual unblock";
    };
    // IPv4-mapped IPv6 form: the ::ffff: prefix is matched outside the group
    // so only the part after it is captured. It is listed before the generic
    // form; whether order decides which pattern applies is not shown here.
    pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
        index 1; // zero based
        bucket 400;
        message "ssh failed password";
    };
    pattern "sshd.*Failed password .* from (.*) port" {
        index 1; // zero based
        bucket 400;
        message "ssh failed password";
    };
    // PAM-style failure line; rhost= may carry a host name rather than an
    // address, depending on the service - TODO confirm how that is handled.
    pattern "sshd.*authentication failure; .* rhost=(.*) " {
        index 1; // zero based
        bucket 400;
        message "ssh failed password";
    };
    // Connection closed before the client sent an SSH banner. The label below
    // is shared with the password-failure patterns, so the message alone does
    // not tell these events apart.
    pattern "sshd.*Did not receive identification string from (.*)" {
        index 1; // zero based
        bucket 400;
        message "ssh failed password";
    };
    pattern "proftpd.*no such user found from (.*) \[" {
        index 1; // zero based
        bucket 400;
        message "ftp failed password";
    };
    pattern "proftpd.* authentication failure; .* rhost=(.*) " {
        index 1; // zero based
        bucket 400;
        message "ftp failed password";
    };
    pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
        index 1; // zero based
        bucket 400;
        message "ftp failed password";
    };
    // The dovecot failures carry a smaller weight (100) than the ssh and ftp
    // failures above (400).
    pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
        index 1; // zero based
        bucket 100;
        message "dovecot failed password";
    };
    pattern "dovecot.* authentication failure; .* rhost=(.*) " {
        index 1; // zero based
        bucket 100;
        message "dovecot failed password";
    };
};
// Sample rules for the general system log: one dovecot failure pattern and
// two patterns for packet-filter lines written by the kernel.
file "/var/log/messages" {
    pattern "dovecot.* authentication failure; .* rhost=(.*) " {
        index 1; // zero based
        bucket 100;
        message "dovecot failed password";
    };
    // "local-net-to" and "outside-net-from" look like log prefixes set by the
    // local firewall rules - confirm they match the prefixes actually in use.
    // NOTE(review): SRC comes from the packet header, and nothing in these
    // lines shows that a handshake completed, so a forged source address could
    // get an unrelated host blocked. Exempt trusted networks if the
    // configuration supports it.
    pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
        index 1; // zero based
        bucket 400;
        message "kernel firewall blocked packet";
    };
    pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
        index 1; // zero based
        bucket 400;
        message "kernel firewall blocked packet";
    };
};
// Sample rules for the mail log: sendmail and dovecot failures count against
// an address, and the two "good authentication" patterns at the end credit it.
// NOTE(review): with greedy matching, \[(.*)\] runs to the last "]" on the
// line and rip=(.*), runs to the last comma, so the group can hold more than
// the address. Confirm the daemon only uses a leading, well-formed address, or
// narrow the group to an address-shaped expression.
file "/var/log/maillog" {
    // Two groups here; index 1 selects the bracketed address, not the
    // (mail|rcpt|auth) alternation.
    pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
        index 1; // zero based
        bucket 100;
        message "sendmail spammer dropping connection";
    };
    pattern " \[(.*)\].* possible SMTP attack" {
        index 1; // zero based
        bucket 100;
        message "sendmail authentication attack";
    };
    // Largest weight in this sample (1800).
    pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
        index 1; // zero based
        bucket 1800;
        message "sendmail pre-greeting";
    };
    pattern "authentication failure: checkpass failed, .*\[(.*)\]" {
        index 1; // zero based
        bucket 100;
        message "sendmail authentication failed";
    };
    // An aborted login is labelled the same as a failed password.
    pattern "dovecot.*Aborted login .* rip=(.*)," {
        index 1; // zero based
        bucket 100;
        message "dovecot failed password";
    };
    // Negative weight: a successful login credits the address.
    // NOTE(review): the credit appears to apply to the address as a whole, so
    // one successful login may offset many failures from the same address,
    // including failures against other accounts. Size the value with shared
    // addresses (NAT, proxies) in mind.
    pattern "dovecot.*Login: .* rip=(.*)," {
        index 1; // zero based
        bucket -5000;
        message "dovecot good authentication";
    };
    pattern "sendmail.*AUTH=server, .*\[(.*)\]," {
        index 1; // zero based
        bucket -5000;
        message "sendmail good authentication";
    };
};
354 };]]></literallayout>
355 </refsect1>
357 <refsect1 id='version.5'>
358 <title>Version</title>
359 <para>
360 @VERSION@
361 </para>
362 </refsect1>
364 </refentry>
365 </reference>