annotate syslog2iptables.conf @ 59:f133196b8591
fix c++11 compiler warnings
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Tue, 10 Jun 2014 09:03:08 -0700 |
parents | b45dddebe8fc |
children |
context general {
    // syslog2iptables sample configuration: one context, a pair of iptables
    // commands, an ignore list, and per-log-file patterns that credit a
    // score to the address captured from each matching line. The precise
    // meaning of threshold/bucket/index is not stated in this file; lines
    // marked NOTE(review) are assumptions to confirm against the daemon's
    // documentation.

    // NOTE(review): presumably the per-address score at which add_command
    // fires (and below which remove_command later lifts the block) - confirm.
    threshold 550;

    // %s is presumably replaced by the captured address. -I inserts at the
    // head of the INPUT chain, so the DROP rule wins over any existing accept
    // rules; -D deletes that same rule again.
    // NOTE(review): every capture below is taken verbatim from a log line and
    // can be influenced by the remote side (sshd, for example, logs the
    // client-supplied user name before "from", and the .* before the group is
    // greedy). Confirm the daemon checks that the capture is a well-formed
    // address before substituting it, especially if the command is run
    // through a shell.
    add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

    // addresses that are never blocked. besides localhost, list here any host
    // that could legitimately trip a pattern below - monitoring hosts,
    // reverse proxies, admin networks and upstream MX servers (see the note
    // near the end of the maillog block) - or a single hit locks it out.
    ignore {
        127.0.0.0/8; // localhost
    };

    // authentication failures for sshd, proftpd, vsftpd and dovecot
    file "/var/log/secure" {
        // IPv4 clients arriving on a dual-stack socket are logged in the
        // IPv4-mapped form ::ffff:a.b.c.d; this pattern strips that prefix.
        // it is listed before the generic form below. NOTE(review):
        // presumably the first matching pattern wins, otherwise the generic
        // one would also fire and credit the prefixed form - confirm.
        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
            // index selects the capture group holding the address: zero
            // based, so 1 is the first parenthesised group (0 would
            // presumably be the whole match - confirm)
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Failed password .* from (.*) port" {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        // a client that connected and never sent a protocol banner is scored
        // the same as a failed login
        pattern "sshd.*Did not receive identification string from (.*)" {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "proftpd.*no such user found from (.*) \[" {
            index 1; // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "proftpd.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "ftp failed password";
        };
        // dovecot: IPv4-mapped form first, generic form second, as for sshd
        pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
            index 1; // zero based
            bucket 400;
            message "dovecot failed password";
        };
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "dovecot failed password";
        };
    };

    // the dovecot pattern is repeated here, presumably for installations
    // whose syslog routes it to messages rather than secure
    file "/var/log/messages" {
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "dovecot failed password";
        };
        pattern "ipop3d.* Login failed .* \[(.*)\]" {
            index 1; // zero based
            bucket 400;
            message "pop3 failed password";
        };
    };

    // web probes for paths this site does not serve. group 1 is the first
    // field of a common-log-format line, i.e. the client address.
    // NOTE(review): behind a reverse proxy or load balancer that field is the
    // proxy's own address, and blocking it blocks every visitor - list the
    // proxy in ignore above or leave this block out. each pattern also
    // matches legitimate requests for the same path; the existing comments
    // say so for cgi-bin, index2.php and main.php, and the same holds for
    // every other path here if the site really serves it.
    file "/var/log/httpd/access_log" {
        // of course you cannot use this if you actually use cgi-bin directories
        pattern "(.*) - - .* /cgi-bin" {
            index 1; // zero based
            bucket 400;
            message "apache cgi-bin reference";
        };
        // or if you actually have an index2.php script
        pattern "(.*) - - .*/index2.php" {
            index 1; // zero based
            bucket 400;
            message "apache index2.php reference";
        };
        // or if you have a main.php script
        pattern "(.*) - - .*/main.php" {
            index 1; // zero based
            bucket 400;
            message "apache main.php reference";
        };
        pattern "(.*) - - .*/awstats.pl" {
            index 1; // zero based
            bucket 400;
            message "apache awstats.pl reference";
        };
        pattern "(.*) - - .*/xmlrpc" {
            index 1; // zero based
            bucket 400;
            message "apache xmlrpc reference";
        };
        pattern "(.*) - - .*/adxmlrpc" {
            index 1; // zero based
            bucket 400;
            message "apache adxmlrpc reference";
        };
        pattern "(.*) - - .*/includes/general.js" {
            index 1; // zero based
            bucket 400;
            message "apache general.js reference";
        };
        // three spellings of the same phpMyAdmin probe
        pattern "(.*) - - .*/Admin/" {
            index 1; // zero based
            bucket 400;
            message "apache phpMyAdmin reference";
        };
        pattern "(.*) - - .*/MyAdmin/" {
            index 1; // zero based
            bucket 400;
            message "apache phpMyAdmin reference";
        };
        pattern "(.*) - - .*/phpMyAdmin/" {
            index 1; // zero based
            bucket 400;
            message "apache phpMyAdmin reference";
        };
        pattern "(.*) - - .*/user/soapCaller" {
            index 1; // zero based
            bucket 400;
            message "apache soapCaller reference";
        };
        // the only pattern here keyed on the request method rather than the path
        pattern "(.*) - - .*POST /contact.php" {
            index 1; // zero based
            bucket 400;
            message "apache contact.php post";
        };
        pattern "(.*) - - .*/crossdomain.xml" {
            index 1; // zero based
            bucket 400;
            message "apache crossdomain.xml reference";
        };
        pattern "(.*) - - .*/cart/" {
            index 1; // zero based
            bucket 400;
            message "apache cart reference";
        };
        pattern "(.*) - - .*/zen/" {
            index 1; // zero based
            bucket 400;
            message "apache zen reference";
        };
        pattern "(.*) - - .*/zencart/" {
            index 1; // zero based
            bucket 400;
            message "apache zencart reference";
        };
    };

    // sendmail and dovecot events. bucket values here depart from the 400
    // used everywhere above: 1800 for pre-greeting traffic and 600 for a
    // suspected SMTP attack, 100-200 for the noisier events.
    file "/var/log/maillog" {
        // group 1 is the bracketed address; group 2 (mail|rcpt|auth) only
        // narrows the match and is not used as the address
        pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
            index 1; // zero based
            bucket 200;
            message "sendmail spammer dropping connection";
        };
        pattern " \[(.*)\]: possible SMTP attack" {
            index 1; // zero based
            bucket 600;
            message "sendmail authentication attack";
        };
        pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
            index 1; // zero based
            bucket 1800;
            message "sendmail pre-greeting";
        };
        pattern "dovecot.*Aborted login.*rip=(.*)," {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };
        // NOTE(review): "Disconnected: Shutting down" looks like the line
        // dovecot writes when the service itself is stopping, so this scores
        // clients that merely happened to be connected during a restart, not
        // a bad password. with bucket 100 a single hit presumably stays below
        // threshold, but confirm this pattern is wanted.
        pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };

        // make sure your upstream MX servers are listed in the
        // ignore block above, otherwise you will kill them off
        // when they try to forward such mail to you.
        // from=<> with nrcpts=0: a null-sender (bounce) message that ended
        // up with no accepted recipients; the sender's address is the last
        // bracketed field on the line
        pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
            index 1; // zero based
            bucket 200;
            message "sendmail rejected bounce";
        };
    };
};