annotate xml/syslog2iptables.in @ 40:cdd6dde8d4ec stable-1-8

shutdown removes iptables entries that we added
author carl
date Thu, 08 Nov 2007 12:20:14 -0800
parents 6a2f26976898
children d9ae11033b4b
1 <reference>
2 <title>@PACKAGE@</title>
3 <partintro>
4 <title>Packages</title>
5 <para>The various source and binary packages are available at <ulink
6 url="http://www.five-ten-sg.com/@PACKAGE@/packages/">http://www.five-ten-sg.com/@PACKAGE@/packages/</ulink>
7 The most recent documentation is available at <ulink
8 url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink>
9 </para>
10 </partintro>
11
12 <refentry id="@PACKAGE@.1">
13 <refentryinfo>
14 <date>2007-11-08</date>
15 </refentryinfo>
16
17 <refmeta>
18 <refentrytitle>@PACKAGE@</refentrytitle>
19 <manvolnum>1</manvolnum>
20 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
21 </refmeta>
22
23 <refnamediv id='name.1'>
24 <refname>@PACKAGE@</refname>
25 <refpurpose>a simple adaptive firewall</refpurpose>
26 </refnamediv>
27
28 <refsynopsisdiv id='synopsis.1'>
29 <title>Synopsis</title>
30 <cmdsynopsis>
31 <command>@PACKAGE@</command>
32 <arg><option>-c</option></arg>
33 <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg>
34 </cmdsynopsis>
35 </refsynopsisdiv>
36
37 <refsect1 id='description.1'>
38 <title>Description</title>
39
40 <para><command>@PACKAGE@</command> is a simple adaptive firewall. It
41 maintains the INPUT chain of the <citerefentry>
42 <refentrytitle>iptables</refentrytitle> <manvolnum>1</manvolnum>
43 </citerefentry> firewall set based on syslog entries. These syslog
44 entries are typically generated by your hardware firewall, but they
45 could come from any source. Any syslog entry that contains a host name
46 or ip address can be used as input to this package. Note that the daemon works with the substring selected by the pattern's index, not with the whole log line, so write each pattern so that the selected group can only match the address or host name field; see <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>.</para>
47
48 <para>The <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle>
49 <manvolnum>5</manvolnum> </citerefentry> file specifies the syslog files
50 to be monitored, and the regular expressions (<citerefentry>
51 <refentrytitle>regex</refentrytitle> <manvolnum>7</manvolnum>
52 </citerefentry>) to be applied to new lines in those files. Each
53 regular expression needs an index to specify the matching substring that
54 contains either an ip address or host name, and a bucket count which is
55 added to the leaky bucket for that ip address when a matching line is
56 read from that syslog file.</para>
57
58 <para>Each ip address has an associated leaky bucket, which leaks one
59 token per second. Once the bucket contains more than a configurable
60 threshold number of tokens, that ip address is added to the INPUT chain
61 with a DROP target (the sample add_command uses iptables -I, which inserts the rule at the head of the chain ahead of any ACCEPT rules, so established connections from that address are cut off as well). When the bucket is drained to zero, that ip address
62 is removed from the INPUT chain. Entries added by the daemon are also removed when it shuts down, so a stop or restart does not leave stale DROP rules behind.</para>
63
64 <para>The discussion has focused on syslog files, but any ascii text
65 file can be used, so long as some other process appends lines to that
66 file, and those lines containing hostname or ip addresses can be matched
67 with some regular expression.</para>
68
69 <para>Considering syslog files in particular, these are normally rotated
70 via logrotate. <command>@PACKAGE@</command> properly detects and
71 handles this case by closing the old file, and reopening the newly
72 created file.</para>
73 </refsect1>
74
75 <refsect1 id='options.1'>
76 <title>Options</title>
77 <variablelist>
78 <varlistentry>
79 <term>-c</term>
80 <listitem>
81 <para>
82 Load the configuration file, print a canonical form
83 of the configuration on stdout, and exit.
84 </para>
85 </listitem>
86 </varlistentry>
87 <varlistentry>
88 <term>-d <replaceable class="parameter">n</replaceable></term>
89 <listitem>
90 <para>
91 Set the debug level to <replaceable class="parameter">n</replaceable>.
92 </para>
93 </listitem>
94 </varlistentry>
95 </variablelist>
96 </refsect1>
97
98 <refsect1 id='usage.1'>
99 <title>Usage</title>
100 <para><command>@PACKAGE@</command> -d 2</para>
101 </refsect1>
102
103 <refsect1 id='configuration.1'>
104 <title>Configuration</title>
105 <para>
106 The configuration file is documented in <citerefentry>
107 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
108 </citerefentry>. Any change to the config file will cause it to be
109 reloaded within three minutes. Note that the add_command and remove_command strings in this file are executed with the daemon's privileges (root, since it must run iptables and read the system logs), so the configuration file must be owned by root and not writable by any other user.
110 </para>
111 </refsect1>
112
113 <refsect1 id='todo.1'>
114 <title>TODO</title>
115 <para>
116 The following ideas are under consideration.
117 </para>
118 <para>
119 Add a configuration option for the iptables table name in the
120 pattern statement. This implies handling multiple tables, so each
121 table needs its own map of ip addresses and bucket values.
122 </para>
123 </refsect1>
124
125 <refsect1 id='copyright.1'>
126 <title>Copyright</title>
127 <para>
128 Copyright (C) 2007 by 510 Software Group &lt;carl@five-ten-sg.com&gt;
129 </para>
130 <para>
131 This program is free software; you can redistribute it and/or modify it
132 under the terms of the GNU General Public License as published by the
133 Free Software Foundation; either version 3, or (at your option) any
134 later version.
135 </para>
136 <para>
137 You should have received a copy of the GNU General Public License along
138 with this program; see the file COPYING. If not, please write to the
139 Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
140 </para>
141 </refsect1>
142
143 <refsect1 id='version.1'>
144 <title>CVS Version</title>
145 <para>
146 $Id$
147 </para>
148 </refsect1>
149 </refentry>
150
151
152 <refentry id="@PACKAGE@.conf.5">
153 <refentryinfo>
154 <date>2007-11-08</date>
155 </refentryinfo>
156
157 <refmeta>
158 <refentrytitle>@PACKAGE@.conf</refentrytitle>
159 <manvolnum>5</manvolnum>
160 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
161 </refmeta>
162
163 <refnamediv id='name.5'>
164 <refname>@PACKAGE@.conf</refname>
165 <refpurpose>configuration file for @PACKAGE@</refpurpose>
166 </refnamediv>
167
168 <refsynopsisdiv id='synopsis.5'>
169 <title>Synopsis</title>
170 <cmdsynopsis>
171 <command>@PACKAGE@.conf</command>
172 </cmdsynopsis>
173 </refsynopsisdiv>
174
175 <refsect1 id='description.5'>
176 <title>Description</title>
177 <para>The <command>@PACKAGE@.conf</command> configuration file is
178 specified by this partial bnf description. The entire config file
179 is case sensitive. All the keywords are lower case.
180 </para>
181
182 <literallayout class="monospaced"><![CDATA[
183 CONFIG := {THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE}+
184 THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE ";"
185 ADD-CMD := "add_command" IPT-CMD ";"
186 REM-CMD := "remove_command" IPT-CMD ";"
187 IGNORE := "ignore" "{" IG-SINGLE+ "};"
188 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
189 FILE := "file" FILENAME "{" PATTERN+ "};"
190 PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
191 INDEX := "index" REGEX-INTEGER-VALUE ";"
192 BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
193 MESSAGE := "message" REASON ";"
194 REASON := string to appear in syslog messages
195 IPT-CMD := string containing exactly one %s replacement token for
196 the ip address. The value substituted for %s is derived from the substring selected by the pattern's index, so keep that capture group tight (for example [0-9.]+, or [^ ]+ anchored to a fixed field) rather than an unbounded .*; log lines such as sshd user names and apache request lines carry attacker-supplied text that a loose group can swallow]]></literallayout>
197 </refsect1>
198
199 <refsect1 id='sample.5'>
200 <title>Sample</title>
201 <literallayout class="monospaced"><![CDATA[
202 threshold 550;
203
204 add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
205 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
206
207 ignore {
208 127.0.0.0/8; // localhost; also list your own management networks here, or a few failed logins from them will lock you out
209 };
210
211 file "/var/log/cisco.log" {
212 pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
213 index 2; // zero based
214 bucket 200;
215 message "cisco firewall blocked packet";
216 };
217 };
218
219 file "/var/log/secure" {
220 pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
221 index 1; // zero based
222 bucket 400;
223 message "ssh failed password";
224 };
225 pattern "sshd.*Failed password .* from (.*) port" {
226 index 1; // zero based
227 bucket 400;
228 message "ssh failed password";
229 };
230 };
231
232 file "/var/log/httpd/access_log" {
233 pattern "^([^ ]+) - - .* /cgi-bin" {
234 index 1; // zero based
235 bucket 400;
236 message "apache cgi-bin reference";
237 };
238 pattern "^([^ ]+) - - .*/index2.php" {
239 index 1; // zero based
240 bucket 400;
241 message "apache index2.php reference";
242 };
243 pattern "^([^ ]+) - - .*/main.php" {
244 index 1; // zero based
245 bucket 400;
246 message "apache main.php reference";
247 };
248 };
249
250 file "/var/log/maillog" {
251 pattern "lost input channel from .* \[(.*)\] .* after mail" {
252 index 1; // zero based
253 bucket 200;
254 message "sendmail spammer dropping connection";
255 };
256 };
257
258 file "/var/log/messages" {
259 pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
260 index 1; // zero based
261 bucket 300;
262 message "ssh failed password";
263 };
264 pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
265 index 1; // zero based
266 bucket 300;
267 message "ssh failed password";
268 };
269 };]]></literallayout>
270 </refsect1>
271
272 <refsect1 id='version.5'>
273 <title>CVS Version</title>
274 <para>
275 $Id$
276 </para>
277 </refsect1>
278
279 </refentry>
280 </reference>