annotate syslog2iptables.conf @ 57:c95acc20f7ed
Added tag stable-1-0-13-2 for changeset 73dd2daeaf8e
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Wed, 17 Aug 2011 10:16:17 -0700 |
parents | 73dd2daeaf8e |
children | b45dddebe8fc |
rev | line source |
---|---|
// Context "dns": watches the named log for denied "./NS/IN" cache queries
// and drops further UDP port 53 traffic from the querying address.
// NOTE(review): the client address in these log lines comes from a UDP
// packet and can be forged, so a block may land on an address that never
// sent the query. List your own resolvers, forwarders and secondaries in
// the ignore block before enabling this context.
context dns {
    // presumably the per-address score at which add_command is run;
    // confirm against the syslog2iptables documentation
    threshold 1100;

    // %s is presumably replaced by the text captured by a pattern below.
    // -I INPUT puts the DROP rule at the head of the chain, ahead of any
    // existing ACCEPT rules. remove_command has to stay the exact -D
    // counterpart of add_command, otherwise the rule cannot be deleted.
    add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP";

    // Addresses that are never blocked. Only loopback is listed here.
    ignore {
        127.0.0.0/8; // localhost
    };

    file "/var/log/messages" {
        // Group 1 is the text after "client " up to a "#".
        // NOTE(review): (.*) accepts any characters and its text ends up
        // in the iptables command line. Confirm that the daemon checks the
        // capture is an address before substituting it, or narrow the
        // group to address characters.
        pattern "named.*client (.*)#.*query.*cache.*'\./NS/IN'.*denied" {
            index 1; // zero based, so 1 selects the first (...) group
            // presumably the amount added to the address score per
            // matching line (three matches to pass 1100) - confirm
            bucket 400;
            message "DNS attack";
        };
    };
};
19 | |
20 |
// Context "general": reads the auth, web and mail logs and drops ALL
// traffic from an address that keeps matching the patterns below.
//
// NOTE(review), applies to every pattern in this context:
//  - The captured text is placed into an iptables command line. Parts of
//    these log lines (user names, request paths, referer and user-agent
//    strings) are chosen by the remote client, and (.*) accepts any
//    characters. Confirm that the daemon checks the capture is an address
//    before substituting it into add_command, or narrow each group to
//    address characters.
//  - Every match can lead to a full block of the source address, so a
//    client behind a shared NAT or proxy address is blocked together with
//    everyone else behind it.
context general {
    // presumably the per-address score at which add_command is run;
    // confirm against the syslog2iptables documentation
    threshold 550;

    // %s is presumably replaced by the text captured by a pattern below.
    // -I INPUT puts the DROP rule at the head of the chain, ahead of any
    // existing ACCEPT rules, and there is no protocol or port restriction:
    // the address loses access to every service on this host, ssh included.
    add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

    // Addresses that are never blocked. Only loopback is listed here; add
    // your management hosts, monitoring systems and upstream MX servers
    // (see the maillog section) before relying on this context.
    ignore {
        127.0.0.0/8; // localhost
    };

    // Failed logins reported in the auth log.
    // The ::ffff: variants are listed before the plain ones, presumably so
    // that the IPv4-mapped prefix is left out of the capture - confirm that
    // the first matching pattern wins.
    // bucket 400 against threshold 550 presumably means a second failure
    // triggers the block - confirm.
    file "/var/log/secure" {
        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
            index 1; // zero based, so 1 selects the first (...) group
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Failed password .* from (.*) port" {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "proftpd.*no such user found from (.*) \[" {
            index 1; // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
            index 1; // zero based
            bucket 400;
            message "dovecot failed password";
        };
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "dovecot failed password";
        };
    };

    // Failed mail logins reported in the general system log.
    // NOTE(review): unlike the /var/log/secure section there is no ::ffff:
    // variant of the dovecot pattern here, so an IPv4-mapped rhost would be
    // captured with its prefix - confirm whether that is intended.
    file "/var/log/messages" {
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "dovecot failed password";
        };
        pattern "ipop3d.* Login failed .* \[(.*)\]" {
            index 1; // zero based
            bucket 400;
            message "pop3 failed password";
        };
    };

    // Requests for paths this site does not serve. Group 1 is the text
    // before " - - ", which is the client field of the access log line.
    // NOTE(review): the ".*" in front of each path is not tied to the
    // request field, so the same text in the referer or user-agent field
    // also matches, and an unescaped "." in a file name matches any
    // character. Remove every pattern whose path exists on your site.
    file "/var/log/httpd/access_log" {
        // of course you cannot use this if you actually use cgi-bin directories
        pattern "(.*) - - .* /cgi-bin" {
            index 1; // zero based
            bucket 400;
            message "apache cgi-bin reference";
        };
        // or if you actually have an index2.php script
        pattern "(.*) - - .*/index2.php" {
            index 1; // zero based
            bucket 400;
            message "apache index2.php reference";
        };
        // or if you have a main.php script
        pattern "(.*) - - .*/main.php" {
            index 1; // zero based
            bucket 400;
            message "apache main.php reference";
        };
        pattern "(.*) - - .*/awstats.pl" {
            index 1; // zero based
            bucket 400;
            message "apache awstats.pl reference";
        };
        pattern "(.*) - - .*/adxmlrpc" {
            index 1; // zero based
            bucket 400;
            message "apache adxmlrpc reference";
        };
        pattern "(.*) - - .*/includes/general.js" {
            index 1; // zero based
            bucket 400;
            message "apache general.js reference";
        };
        pattern "(.*) - - .*/phpMyAdmin/" {
            index 1; // zero based
            bucket 400;
            message "apache phpMyAdmin reference";
        };
        pattern "(.*) - - .*/cart/" {
            index 1; // zero based
            bucket 400;
            message "apache cart reference";
        };
        pattern "(.*) - - .*/zen/" {
            index 1; // zero based
            bucket 400;
            message "apache zen reference";
        };
        pattern "(.*) - - .*/zencart/" {
            index 1; // zero based
            bucket 400;
            message "apache zencart reference";
        };
    };

    // Mail server events. The bucket values differ per pattern (100, 200
    // and 600); against threshold 550 the 600 entry presumably blocks on
    // the first matching line - confirm that this is what you want.
    file "/var/log/maillog" {
        pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
            index 1; // zero based; group 2 is the (mail|rcpt|auth) word
            bucket 200;
            message "sendmail spammer dropping connection";
        };
        pattern " \[(.*)\]: possible SMTP attack" {
            index 1; // zero based
            bucket 600;
            message "sendmail authentication attack";
        };
        pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
            index 1; // zero based
            bucket 200;
            message "sendmail pre-greeting";
        };
        pattern "dovecot.*Aborted login.*rip=(.*)," {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };
        pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };

        // make sure your upstream MX servers are listed in the
        // ignore block above, otherwise you will kill them off
        // when they try to forward such mail to you.
        pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
            index 1; // zero based
            bucket 200;
            message "sendmail rejected bounce";
        };
    };
};
170 |