annotate xml/syslog2iptables.in @ 76:c6c8a2102a3e

add more logging when blocked addresses move to higher scale values

| author | Carl Byington <carl@five-ten-sg.com> |
|---|---|
| date | Wed, 15 Jul 2020 13:38:43 -0700 |
| parents | 45e53c44c46c |
| children | |
```xml
<reference>
<title>@PACKAGE@ - Version @VERSION@</title>
<partintro>
<title>Packages</title>

<para>The various source and binary packages are available at <ulink
url="http://www.five-ten-sg.com/@PACKAGE@/packages/">http://www.five-ten-sg.com/@PACKAGE@/packages/</ulink>.
The most recent documentation is available at <ulink
url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink>.
</para>

<para>A <ulink
url="http://www.selenic.com/mercurial/wiki/">Mercurial</ulink> source
code repository for this project is available at <ulink
url="http://hg.five-ten-sg.com/@PACKAGE@/">http://hg.five-ten-sg.com/@PACKAGE@/</ulink>.
</para>

</partintro>

<refentry id="@PACKAGE@.1">
<refentryinfo>
  <date>2015-12-18</date>
  <author>
    <firstname>Carl</firstname>
    <surname>Byington</surname>
    <affiliation>
      <orgname>510 Software Group</orgname>
    </affiliation>
  </author>
</refentryinfo>

<refmeta>
  <refentrytitle>@PACKAGE@</refentrytitle>
  <manvolnum>1</manvolnum>
  <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
</refmeta>

<refnamediv id='name.1'>
  <refname>@PACKAGE@</refname>
  <refpurpose>a simple adaptive firewall</refpurpose>
</refnamediv>

<refsynopsisdiv id='synopsis.1'>
  <title>Synopsis</title>
  <cmdsynopsis>
    <command>@PACKAGE@</command>
    <arg><option>-c</option></arg>
    <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg>
  </cmdsynopsis>
</refsynopsisdiv>

<refsect1 id='description.1'>
  <title>Description</title>

  <para><command>@PACKAGE@</command> is a simple adaptive firewall. It
  maintains the INPUT chain of the <citerefentry>
  <refentrytitle>iptables</refentrytitle> <manvolnum>1</manvolnum>
  </citerefentry> firewall set based on syslog entries. These syslog
  entries are typically generated by your hardware firewall, but they
  could come from any source. Any syslog entry that contains a host name
  or ip address can be used as input to this package.</para>

  <para>The <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle>
  <manvolnum>5</manvolnum> </citerefentry> file specifies the syslog
  files to be monitored, and the regular expressions (<citerefentry>
  <refentrytitle>regex</refentrytitle> <manvolnum>7</manvolnum>
  </citerefentry>) to be applied to new lines in those files. Each
  regular expression needs an INDEX to specify the matching substring
  that contains either an ip address or host name, and a DELTA which is
  used to modify the leaky bucket count for that ip address when a
  matching line is read from that syslog file.</para>

  <para>If the DELTA is negative, the leaky bucket count is set to that
  DELTA value, any existing blocking for that ip address is removed, and
  new blocking is prevented until that bucket leaks upward to zero.
  </para>

  <para>If the DELTA is positive and the current leaky bucket count is
  not negative, that DELTA value is added to the leaky bucket count for
  that ip address. Once the bucket contains more than a configurable
  THRESHOLD number of tokens, that ip address is added to the INPUT
  chain with a DROP target.</para>

  <para>Each ip address has an associated leaky bucket, which leaks one
  token per second so the count moves toward zero. When the bucket is
  drained to zero, that ip address is removed from the INPUT
  chain.</para>

  <para>The discussion has focused on syslog files, but any ascii text
  file can be used, so long as some other process appends lines to that
  file, and the lines containing host names or ip addresses can be
  matched with some regular expression.</para>

  <para>Considering syslog files in particular, these are normally rotated
  via logrotate. <command>@PACKAGE@</command> properly detects and
  handles this case by closing the old file, and reopening the newly
  created file.</para>

  <para>With the default config file, you can manually unblock an ip
  address with <command>logger -p authpriv.info "manual unblock
  1.2.3.4"</command> and you can manually block an ip address with
  <command>logger -p authpriv.info "manual block 1.2.3.4"</command>.
  </para>

</refsect1>

<refsect1 id='options.1'>
  <title>Options</title>
  <variablelist>
    <varlistentry>
      <term>-c</term>
      <listitem>
        <para>
        Load the configuration file, print a canonical form
        of the configuration on stdout, and exit.
        </para>
      </listitem>
    </varlistentry>
    <varlistentry>
      <term>-d <replaceable class="parameter">n</replaceable></term>
      <listitem>
        <para>
        Set the debug level to <replaceable class="parameter">n</replaceable>.
        </para>
      </listitem>
    </varlistentry>
  </variablelist>
</refsect1>

<refsect1 id='usage.1'>
  <title>Usage</title>
  <para><command>@PACKAGE@</command> -d 2</para>
</refsect1>

<refsect1 id='configuration.1'>
  <title>Configuration</title>
  <para>
  The configuration file is documented in <citerefentry>
  <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
  </citerefentry>. Any change to the config file will cause it to be
  reloaded within three minutes.
  </para>
</refsect1>

<refsect1 id='todo.1'>
  <title>TODO</title>
  <para>
  The following ideas are under consideration.
  </para>
  <para>
  Add a configuration option for the iptables table name in the
  pattern statement. This implies handling multiple tables, so each
  table needs its own map of ip addresses and bucket values.
  </para>
</refsect1>

<refsect1 id='copyright.1'>
  <title>Copyright</title>
  <para>
  Copyright (C) 2007 by 510 Software Group &lt;carl@five-ten-sg.com&gt;
  </para>
  <para>
  This program is free software; you can redistribute it and/or modify it
  under the terms of the GNU General Public License as published by the
  Free Software Foundation; either version 3, or (at your option) any
  later version.
  </para>
  <para>
  You should have received a copy of the GNU General Public License along
  with this program; see the file COPYING. If not, please write to the
  Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
  </para>
</refsect1>

<refsect1 id='version.1'>
  <title>Version</title>
  <para>
  @VERSION@
  </para>
</refsect1>
</refentry>


<refentry id="@PACKAGE@.conf.5">
<refentryinfo>
  <date>2015-12-18</date>
</refentryinfo>

<refmeta>
  <refentrytitle>@PACKAGE@.conf</refentrytitle>
  <manvolnum>5</manvolnum>
  <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
</refmeta>

<refnamediv id='name.5'>
  <refname>@PACKAGE@.conf</refname>
  <refpurpose>configuration file for @PACKAGE@</refpurpose>
</refnamediv>

<refsynopsisdiv id='synopsis.5'>
  <title>Synopsis</title>
  <cmdsynopsis>
    <command>@PACKAGE@.conf</command>
  </cmdsynopsis>
</refsynopsisdiv>

<refsect1 id='description.5'>
  <title>Description</title>
  <para>The <command>@PACKAGE@.conf</command> configuration file is
  specified by this partial BNF description. The entire config file
  is case sensitive. All the keywords are lower case.
  </para>

<literallayout class="monospaced"><![CDATA[
CONFIG    := {CONTEXT ";"}+
CONTEXT   := "context" NAME "{" {STATEMENT}+ "}"
STATEMENT := (THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE) ";"
THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE
ADD-CMD   := "add_command" IPT-CMD
REM-CMD   := "remove_command" IPT-CMD
IGNORE    := "ignore" "{" IG-SINGLE+ "}"
IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
FILE      := "file" FILENAME "{" PATTERN+ "}"
PATTERN   := "pattern" REGULAR-EXPRESSION "{" {INDEX | DELTA | MESSAGE}+ "};"
INDEX     := "index" REGEX-INTEGER ";"
DELTA     := "bucket" BUCKET-DELTA-INTEGER ";"
MESSAGE   := "message" REASON ";"
REASON    := string to appear in syslog messages
IPT-CMD   := string containing exactly one %s replacement token for
             the ip address]]></literallayout>
</refsect1>

<refsect1 id='sample.5'>
  <title>Sample</title>
<literallayout class="monospaced"><![CDATA[
context general {
    threshold 550;

    add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

    ignore {
        127.0.0.0/8;    // localhost
    };

    file "/var/log/secure" {
        pattern "manual unblock (.*)" {
            index 1;    // zero based
            bucket -5000;
            message "manual unblock";
        };
        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Failed password .* from (.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Did not receive identification string from (.*)" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "proftpd.*no such user found from (.*) \[" {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "proftpd.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
    };

    file "/var/log/messages" {
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
        pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
            index 1;    // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
        pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
            index 1;    // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
    };

    file "/var/log/maillog" {
        pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
            index 1;    // zero based
            bucket 100;
            message "sendmail spammer dropping connection";
        };
        pattern " \[(.*)\].* possible SMTP attack" {
            index 1;    // zero based
            bucket 100;
            message "sendmail authentication attack";
        };
        pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
            index 1;    // zero based
            bucket 1800;
            message "sendmail pre-greeting";
        };
        pattern "authentication failure: checkpass failed, .*\[(.*)\]" {
            index 1;    // zero based
            bucket 100;
            message "sendmail authentication failed";
        };
        pattern "dovecot.*Aborted login .* rip=(.*)," {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
        pattern "dovecot.*Login: .* rip=(.*)," {
            index 1;    // zero based
            bucket -5000;
            message "dovecot good authentication";
        };
        pattern "sendmail.*AUTH=server, .*\[(.*)\]," {
            index 1;    // zero based
            bucket -5000;
            message "sendmail good authentication";
        };
    };
};]]></literallayout>
</refsect1>

<refsect1 id='version.5'>
  <title>Version</title>
  <para>
  @VERSION@
  </para>
</refsect1>

</refentry>
</reference>
```
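The leaky bucket logic from the Description section of the @PACKAGE@(1) page, as an added Python example that is not code from the syslog2iptables project. It takes the threshold, ignore list, iptables commands and two patterns from the sample configuration, treats the captured string as the bucket key without resolving host names, and records the iptables commands it would run instead of executing them; the log lines and addresses are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Values taken from the sample configuration on this page.
THRESHOLD = 550
ADD_COMMAND = "/sbin/iptables -I INPUT --src %s --jump DROP"
REMOVE_COMMAND = "/sbin/iptables -D INPUT --src %s --jump DROP"
IGNORE = [ipaddress.ip_network("127.0.0.0/8")]

# (regex, index, bucket delta, message): two of the sample patterns.
# "index 1" is the first capture group; index 0 would be the whole match.
PATTERNS = [
    (re.compile(r"manual unblock (.*)"), 1, -5000, "manual unblock"),
    (re.compile(r"sshd.*Failed password .* from (.*) port"), 1, 400, "ssh failed password"),
]

# Constructed syslog line template; the %s is the client address.
SSH_FAIL = "Jan 15 10:00:00 mail sshd[4242]: Failed password for root from %s port 51234 ssh2"


@dataclass
class Bucket:
    count: int = 0
    updated: int = 0        # time of the last leak, in seconds
    blocked: bool = False   # whether the add_command has been run


@dataclass
class Firewall:
    buckets: dict = field(default_factory=dict)
    commands: list = field(default_factory=list)  # iptables commands that would have run

    def _leak(self, now):
        """Move every bucket one token per second toward zero; unblock when it drains."""
        for ip, b in list(self.buckets.items()):
            elapsed = now - b.updated
            b.updated = now
            if b.count > 0:
                b.count = max(0, b.count - elapsed)
            elif b.count < 0:
                b.count = min(0, b.count + elapsed)
            if b.count == 0:
                if b.blocked:
                    self.commands.append(REMOVE_COMMAND % ip)
                del self.buckets[ip]

    @staticmethod
    def _ignored(ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False    # host names are not resolved in this model
        return any(addr in net for net in IGNORE)

    def feed(self, now, line):
        """Apply one log line read at time `now` (seconds); return the matched message or None."""
        self._leak(now)
        for regex, index, delta, message in PATTERNS:
            m = regex.search(line)
            if not m:
                continue
            ip = m.group(index)
            if self._ignored(ip):
                return None
            b = self.buckets.setdefault(ip, Bucket(updated=now))
            if delta < 0:
                # Good authentication or manual unblock: reset the bucket, lift
                # any block, and allow no new block until it leaks back to zero.
                b.count = delta
                if b.blocked:
                    self.commands.append(REMOVE_COMMAND % ip)
                    b.blocked = False
            elif b.count >= 0:
                b.count += delta
                if b.count > THRESHOLD and not b.blocked:
                    self.commands.append(ADD_COMMAND % ip)
                    b.blocked = True
            return message
        return None

    def is_blocked(self, ip):
        b = self.buckets.get(ip)
        return bool(b and b.blocked)

    def count(self, ip):
        b = self.buckets.get(ip)
        return b.count if b else 0


def demo():
    """Constructed scenario: brute force, block, an ignored client, manual unblock."""
    fw = Firewall()
    bad = "203.0.113.7"                 # constructed address (TEST-NET-3)
    fw.feed(0, SSH_FAIL % bad)          # bucket 400, under threshold
    fw.feed(1, SSH_FAIL % bad)          # 399 + 400 = 799 > 550: DROP rule added
    fw.feed(2, SSH_FAIL % "127.0.0.1")  # ignored network: no bucket, no command
    fw.feed(3, "Jan 15 10:00:03 mail root: manual unblock " + bad)  # reset to -5000, rule removed
    fw.feed(4, SSH_FAIL % bad)          # bucket still negative: nothing added
    return fw
```

A bucket that is never reset simply drains at one token per second, so an address blocked at 799 tokens is released 799 seconds later with no further input.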