annotate syslog2iptables.conf @ 53:d6fb7fca0394 stable-1-0-13

Document multiple contexts
author Carl Byington <carl@five-ten-sg.com>
date Sun, 25 Jan 2009 08:37:36 -0800
parents 206448c00b55
children d237bc6331ad
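// syslog2iptables configuration.  Each "context" carries its own
// threshold, add/remove commands and ignore list; the contexts are
// independent of each other, so an address listed in one ignore block is
// NOT exempt in the other.
//
// Context "dns": rate-limit hosts whose queries BIND logs as
// "query (cache) ... denied".
context dns {
    threshold 1100;

    // %s is (presumably) replaced by the text captured from the log line.
    // The capture below is restricted to dotted-decimal characters so that
    // only an address, never other log text, can be spliced into the
    // command -- whether or not the daemon validates the capture itself.
    // -I inserts the DROP at the head of INPUT, ahead of any ACCEPT rule.
    add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP";

    // Addresses this context never blocks.  Add your own management hosts
    // and any resolvers that legitimately forward queries to you; the
    // ignore list of the "general" context is separate.
    ignore {
        127.0.0.0/8; // localhost
    };

    file "/var/log/messages" {
        // named logs "client ADDR#PORT: query (cache) 'NAME/...' denied".
        // Only the address is captured: the query name is chosen by the
        // remote side and sits on the same line, so an unbounded (.*)
        // capture could be stretched past the '#' into it.
        // NOTE(review): the bracket expression relies on the same extended
        // regex dialect the (mail|rcpt|auth) alternation in the general
        // context already uses -- confirm against the daemon's regex engine.
        pattern "named.*client ([0-9.]+)#.*query.*cache.*denied" {
            index 1; // zero based
            bucket 400;
            message "DNS attack";
        };
    };
};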
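// Context "general": block an address completely (every protocol and
// port) after repeated authentication failures or probe requests.  Its
// threshold, commands and ignore list are independent of the "dns"
// context above.
context general {
    threshold 550;

    // %s is (presumably) replaced by the text captured from the log line.
    // Every capture in this context is limited to dotted-decimal
    // characters so that nothing but an IPv4 address is ever spliced into
    // the command, whether or not the daemon validates the capture itself:
    // the rest of each line (user names, request strings, host names from
    // the peer's reverse DNS) is chosen by the remote side.
    // -I inserts the DROP at the head of INPUT, ahead of any ACCEPT rule.
    // NOTE(review): the bracket expressions rely on the same extended
    // regex dialect the (mail|rcpt|auth) alternation below already uses --
    // confirm against the daemon's regex engine.
    add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

    // Addresses this context never blocks.  Add your own management
    // addresses (two matching lines from one address appear to be enough
    // to reach the threshold: 2 * 400 > 550, so two mistyped ssh
    // passwords would lock an admin out), any reverse proxy in front of
    // httpd, and the upstream MX hosts that forward mail to you.
    ignore {
        127.0.0.0/8; // localhost
    };

    file "/var/log/secure" {
        // sshd on a dual-stack socket logs IPv4 peers as ::ffff:a.b.c.d;
        // the prefix is left out of the capture so a plain IPv4 address
        // reaches iptables.
        pattern "sshd.*Failed password .* from ::ffff:([0-9.]+) port" {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        // Plain IPv4 peers.  Because the capture does not accept ':', a
        // ::ffff: line matches only the pattern above, not both.  Native
        // IPv6 peers are not matched; /sbin/iptables could not block them
        // anyway.
        pattern "sshd.*Failed password .* from ([0-9.]+) port" {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        // proftpd logs the peer as "from NAME [ADDR]" (the trailing '\['
        // is the start of that bracket).  Capture the bracketed address,
        // not the name: the name comes from the peer's own PTR record, and
        // handing it to iptables would make iptables resolve it again at
        // block time.  If your proftpd logs mapped addresses in the
        // brackets, add a ::ffff: variant as done for sshd above.
        pattern "proftpd.*no such user found from .* \[([0-9.]+)\]" {
            index 1; // zero based
            bucket 400;
            message "ftp failed password";
        };
    };

    file "/var/log/messages" {
        // ipop3d logs "Login failed ... host=NAME [ADDR]"; capture the
        // bracketed address only.
        pattern "ipop3d.* Login failed .* \[([0-9.]+)\]" {
            index 1; // zero based
            bucket 400;
            message "pop3 failed password";
        };
    };

    file "/var/log/httpd/access_log" {
        // The client address is the first field of a common-log-format
        // line and is captured as dotted-decimal only.  With an unbounded
        // "(.*) - - " the greedy capture can be stretched into the quoted
        // request string whenever a request itself contains " - - ", and
        // the request string is written by the client.  Lines that log a
        // host name instead of an address (e.g. HostnameLookups On) no
        // longer match, which is intended: iptables must never be handed a
        // name to resolve.  Behind a reverse proxy this field is the
        // proxy's address and these rules would block the proxy.
        //
        // of course you cannot use this if you actually use cgi-bin directories
        pattern "([0-9.]+) - - .* /cgi-bin" {
            index 1; // zero based
            bucket 400;
            message "apache cgi-bin reference";
        };
        // or if you actually have an index2.php script
        pattern "([0-9.]+) - - .*/index2.php" {
            index 1; // zero based
            bucket 400;
            message "apache index2.php reference";
        };
        // or if you have a main.php script
        pattern "([0-9.]+) - - .*/main.php" {
            index 1; // zero based
            bucket 400;
            message "apache main.php reference";
        };
        pattern "([0-9.]+) - - .*/awstats.pl" {
            index 1; // zero based
            bucket 400;
            message "apache awstats.pl reference";
        };
        pattern "([0-9.]+) - - .*/adxmlrpc" {
            index 1; // zero based
            bucket 400;
            message "apache adxmlrpc reference";
        };
    };

    file "/var/log/maillog" {
        // sendmail logs the peer as "NAME [ADDR]"; only the bracketed
        // address is captured, never the name.
        pattern "lost input channel from .* \[([0-9.]+)\] .* after (mail|rcpt|auth)" {
            index 1; // zero based
            bucket 200;
            message "sendmail spammer dropping connection";
        };
        pattern " \[([0-9.]+)\]: possible SMTP attack" {
            index 1; // zero based
            bucket 600;
            message "sendmail authentication attack";
        };
        pattern "rejecting commands from .* \[([0-9.]+)\] due to pre-greeting traffic" {
            index 1; // zero based
            bucket 200;
            message "sendmail pre-greeting";
        };
        // dovecot logs "rip=ADDR, lip=ADDR, ..."; the capture stops at the
        // address so a greedy (.*) cannot run on to a later comma.
        pattern "dovecot.*Aborted login.*rip=([0-9.]+)," {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };
        pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=([0-9.]+)," {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };

        // make sure your upstream MX servers are listed in the
        // ignore block above, otherwise you will kill them off
        // when they try to forward such mail to you.
        pattern "sendmail.*from=<>,.*nrcpts=0,.*\[([0-9.]+)\]" {
            index 1; // zero based
            bucket 200;
            message "sendmail rejected bounce";
        };
    };
};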