Mercurial > syslog2iptables

annotate syslog2iptables.conf @ 59:f133196b8591

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
fix c++11 compiler warnings
author Carl Byington <carl@five-ten-sg.com>
date Tue, 10 Jun 2014 09:03:08 -0700
parents b45dddebe8fc
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
51
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
1 context general {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
2 threshold 550;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
3
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
4 add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
5 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
6
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
7 ignore {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
8 127.0.0.0/8; // localhost
20
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
9 };
51
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
10
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
11 file "/var/log/secure" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
12 pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
13 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
14 bucket 400;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
15 message "ssh failed password";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
16 };
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
17 pattern "sshd.*Failed password .* from (.*) port" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
18 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
19 bucket 400;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
20 message "ssh failed password";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
21 };
58
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
22 pattern "sshd.*authentication failure; .* rhost=(.*) " {
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
23 index 1; // zero based
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
24 bucket 400;
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
25 message "ssh failed password";
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
26 };
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
27 pattern "sshd.*Did not receive identification string from (.*)" {
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
28 index 1; // zero based
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
29 bucket 400;
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
30 message "ssh failed password";
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
31 };
51
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
32 pattern "proftpd.*no such user found from (.*) \[" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
33 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
34 bucket 400;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
35 message "ftp failed password";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
36 };
58
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
37 pattern "proftpd.* authentication failure; .* rhost=(.*) " {
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
38 index 1; // zero based
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
39 bucket 400;
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
40 message "ftp failed password";
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
41 };
56
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
42 pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
43 index 1; // zero based
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
44 bucket 400;
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
45 message "ftp failed password";
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
46 };
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
47 pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
48 index 1; // zero based
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
49 bucket 400;
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
50 message "dovecot failed password";
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
51 };
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
52 pattern "dovecot.* authentication failure; .* rhost=(.*) " {
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
53 index 1; // zero based
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
54 bucket 400;
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
55 message "dovecot failed password";
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
56 };
51
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
57 };
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
58
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
59 file "/var/log/messages" {
56
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
60 pattern "dovecot.* authentication failure; .* rhost=(.*) " {
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
61 index 1; // zero based
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
62 bucket 400;
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
63 message "dovecot failed password";
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
64 };
51
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
65 pattern "ipop3d.* Login failed .* \[(.*)\]" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
66 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
67 bucket 400;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
68 message "pop3 failed password";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
69 };
20
0d65c3de34fd add better logging
carl
parents: 9
diff changeset
70 };
51
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
71
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
72 file "/var/log/httpd/access_log" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
73 // of course you cannot use this if you actually use cgi-bin directories
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
74 pattern "(.*) - - .* /cgi-bin" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
75 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
76 bucket 400;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
77 message "apache cgi-bin reference";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
78 };
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
79 // or if you actually have an index2.php script
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
80 pattern "(.*) - - .*/index2.php" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
81 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
82 bucket 400;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
83 message "apache index2.php reference";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
84 };
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
85 // or if you have a main.php script
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
86 pattern "(.*) - - .*/main.php" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
87 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
88 bucket 400;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
89 message "apache main.php reference";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
90 };
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
91 pattern "(.*) - - .*/awstats.pl" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
92 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
93 bucket 400;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
94 message "apache awstats.pl reference";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
95 };
58
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
96 pattern "(.*) - - .*/xmlrpc" {
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
97 index 1; // zero based
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
98 bucket 400;
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
99 message "apache xmlrpc reference";
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
100 };
51
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
101 pattern "(.*) - - .*/adxmlrpc" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
102 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
103 bucket 400;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
104 message "apache adxmlrpc reference";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
105 };
56
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
106 pattern "(.*) - - .*/includes/general.js" {
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
107 index 1; // zero based
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
108 bucket 400;
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
109 message "apache general.js reference";
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
110 };
58
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
111 pattern "(.*) - - .*/Admin/" {
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
112 index 1; // zero based
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
113 bucket 400;
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
114 message "apache phpMyAdmin reference";
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
115 };
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
116 pattern "(.*) - - .*/MyAdmin/" {
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
117 index 1; // zero based
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
118 bucket 400;
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
119 message "apache phpMyAdmin reference";
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
120 };
56
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
121 pattern "(.*) - - .*/phpMyAdmin/" {
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
122 index 1; // zero based
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
123 bucket 400;
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
124 message "apache phpMyAdmin reference";
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
125 };
58
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
126 pattern "(.*) - - .*/user/soapCaller" {
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
127 index 1; // zero based
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
128 bucket 400;
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
129 message "apache soapCaller reference";
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
130 };
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
131 pattern "(.*) - - .*POST /contact.php" {
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
132 index 1; // zero based
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
133 bucket 400;
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
134 message "apache contact.php post";
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
135 };
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
136 pattern "(.*) - - .*/crossdomain.xml" {
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
137 index 1; // zero based
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
138 bucket 400;
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
139 message "apache crossdomain.xml reference";
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
140 };
56
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
141 pattern "(.*) - - .*/cart/" {
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
142 index 1; // zero based
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
143 bucket 400;
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
144 message "apache cart reference";
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
145 };
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
146 pattern "(.*) - - .*/zen/" {
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
147 index 1; // zero based
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
148 bucket 400;
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
149 message "apache zen reference";
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
150 };
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
151 pattern "(.*) - - .*/zencart/" {
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
152 index 1; // zero based
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
153 bucket 400;
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
154 message "apache zencart reference";
73dd2daeaf8e switch to auto requires
Carl Byington <carl@five-ten-sg.com>
parents: 55
diff changeset
155 };
35
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
156 };
51
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
157
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
158 file "/var/log/maillog" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
159 pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
160 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
161 bucket 200;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
162 message "sendmail spammer dropping connection";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
163 };
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
164 pattern " \[(.*)\]: possible SMTP attack" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
165 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
166 bucket 600;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
167 message "sendmail authentication attack";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
168 };
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
169 pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
170 index 1; // zero based
58
b45dddebe8fc Add exponential increase in penalty for repeat offenders
Carl Byington <carl@five-ten-sg.com>
parents: 56
diff changeset
171 bucket 1800;
51
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
172 message "sendmail pre-greeting";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
173 };
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
174 pattern "dovecot.*Aborted login.*rip=(.*)," {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
175 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
176 bucket 100;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
177 message "dovecot failed password";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
178 };
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
179 pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
180 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
181 bucket 100;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
182 message "dovecot failed password";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
183 };
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
184
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
185 // make sure your upstream MX servers are listed in the
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
186 // ignore block above, otherwise you will kill them off
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
187 // when they try to forward such mail to you.
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
188 pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
189 index 1; // zero based
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
190 bucket 200;
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
191 message "sendmail rejected bounce";
206448c00b55 Allow multiple contexts with independent add/remove commands.
Carl Byington <carl@five-ten-sg.com>
parents: 50
diff changeset
192 };
50
75361069c6ef changes for fedora 10
Carl Byington <carl@five-ten-sg.com>
parents: 42
diff changeset
193 };
35
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
194 };
d2ceebcf6595 add message description in patterns
carl
parents: 27
diff changeset
195