comparison syslog2iptables.conf @ 51:206448c00b55 stable-1-0-12

Allow multiple contexts with independent add/remove commands.
author Carl Byington <carl@five-ten-sg.com>
date Sat, 24 Jan 2009 15:52:20 -0800
parents 75361069c6ef
children d6fb7fca0394
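--- a/syslog2iptables.conf
+++ b/syslog2iptables.conf
@@ -1,123 +1,146 @@
-threshold 550;
+context dns {
+threshold 1100;
 
-add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
-remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
+add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
+remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
 
 ignore {
 127.0.0.0/8; // localhost
 };
 
-// file "/var/log/cisco.log" {
-// pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
-// index 2; // zero based
-// bucket 200;
-// message "cisco firewall blocked packet";
-// };
-// };
-
-file "/var/log/secure" {
-pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
-index 1; // zero based
-bucket 400;
-message "ssh failed password";
-};
-pattern "sshd.*Failed password .* from (.*) port" {
-index 1; // zero based
-bucket 400;
-message "ssh failed password";
-};
-pattern "proftpd.*no such user found from (.*) \[" {
-index 1; // zero based
-bucket 400;
-message "ftp failed password";
+file "/var/log/messages" {
+pattern "named.*client (.*)#.*query.*cache.*denied" {
+index 1; // zero based
+bucket 400;
+message "DNS attack";
+};
 };
 };
 
-file "/var/log/messages" {
-pattern "ipop3d.* Login failed .* \[(.*)\]" {
-index 1; // zero based
-bucket 400;
-message "pop3 failed password";
+
+context general {
+threshold 550;
+
+add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
+remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
+
+ignore {
+127.0.0.0/8; // localhost
 };
+
+// file "/var/log/cisco.log" {
+// pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
+// index 2; // zero based
+// bucket 200;
+// message "cisco firewall blocked packet";
+// };
+// };
+
+file "/var/log/secure" {
+pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
+index 1; // zero based
+bucket 400;
+message "ssh failed password";
+};
+pattern "sshd.*Failed password .* from (.*) port" {
+index 1; // zero based
+bucket 400;
+message "ssh failed password";
+};
+pattern "proftpd.*no such user found from (.*) \[" {
+index 1; // zero based
+bucket 400;
+message "ftp failed password";
+};
+};
+
+file "/var/log/messages" {
+pattern "ipop3d.* Login failed .* \[(.*)\]" {
+index 1; // zero based
+bucket 400;
+message "pop3 failed password";
+};
+};
+
+file "/var/log/httpd/access_log" {
+// of course you cannot use this if you actually use cgi-bin directories
+pattern "(.*) - - .* /cgi-bin" {
+index 1; // zero based
+bucket 400;
+message "apache cgi-bin reference";
+};
+// or if you actually have an index2.php script
+pattern "(.*) - - .*/index2.php" {
+index 1; // zero based
+bucket 400;
+message "apache index2.php reference";
+};
+// or if you have a main.php script
+pattern "(.*) - - .*/main.php" {
+index 1; // zero based
+bucket 400;
+message "apache main.php reference";
+};
+pattern "(.*) - - .*/awstats.pl" {
+index 1; // zero based
+bucket 400;
+message "apache awstats.pl reference";
+};
+pattern "(.*) - - .*/adxmlrpc" {
+index 1; // zero based
+bucket 400;
+message "apache adxmlrpc reference";
+};
+};
+
+file "/var/log/maillog" {
+pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
+index 1; // zero based
+bucket 200;
+message "sendmail spammer dropping connection";
+};
+pattern " \[(.*)\]: possible SMTP attack" {
+index 1; // zero based
+bucket 600;
+message "sendmail authentication attack";
+};
+pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
+index 1; // zero based
+bucket 200;
+message "sendmail pre-greeting";
+};
+pattern "dovecot.*Aborted login.*rip=(.*)," {
+index 1; // zero based
+bucket 100;
+message "dovecot failed password";
+};
+pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
+index 1; // zero based
+bucket 100;
+message "dovecot failed password";
+};
+
+// make sure your upstream MX servers are listed in the
+// ignore block above, otherwise you will kill them off
+// when they try to forward such mail to you.
+pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
+index 1; // zero based
+bucket 200;
+message "sendmail rejected bounce";
+};
+};
+
+// file "/var/log/messages" {
+// pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
+// index 1; // zero based
+// bucket 300;
+// message "ssh failed password";
+// };
+// pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
+// index 1; // zero based
+// bucket 300;
+// message "ssh failed password";
+// };
+// };
 };
 
-file "/var/log/httpd/access_log" {
-// of course you cannot use this if you actually use cgi-bin directories
-pattern "(.*) - - .* /cgi-bin" {
-index 1; // zero based
-bucket 400;
-message "apache cgi-bin reference";
-};
-// or if you actually have an index2.php script
-pattern "(.*) - - .*/index2.php" {
-index 1; // zero based
-bucket 400;
-message "apache index2.php reference";
-};
-// or if you have a main.php script
-pattern "(.*) - - .*/main.php" {
-index 1; // zero based
-bucket 400;
-message "apache main.php reference";
-};
-pattern "(.*) - - .*/awstats.pl" {
-index 1; // zero based
-bucket 400;
-message "apache awstats.pl reference";
-};
-pattern "(.*) - - .*/adxmlrpc" {
-index 1; // zero based
-bucket 400;
-message "apache adxmlrpc reference";
-};
-};
-
-file "/var/log/maillog" {
-pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
-index 1; // zero based
-bucket 200;
-message "sendmail spammer dropping connection";
-};
-pattern " \[(.*)\]: possible SMTP attack" {
-index 1; // zero based
-bucket 600;
-message "sendmail authentication attack";
-};
-pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
-index 1; // zero based
-bucket 200;
-message "sendmail pre-greeting";
-};
-pattern "dovecot.*Aborted login.*rip=(.*)," {
-index 1; // zero based
-bucket 100;
-message "dovecot failed password";
-};
-pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
-index 1; // zero based
-bucket 100;
-message "dovecot failed password";
-};
-
-// make sure your upstream MX servers are listed in the
-// ignore block above, otherwise you will kill them off
-// when they try to forward such mail to you.
-pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
-index 1; // zero based
-bucket 200;
-message "sendmail rejected bounce";
-};
-};
-
-// file "/var/log/messages" {
-// pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
-// index 1; // zero based
-// bucket 300;
-// message "ssh failed password";
-// };
-// pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
-// index 1; // zero based
-// bucket 300;
-// message "ssh failed password";
-// };
-// };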
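Review bot: The `ignore` block of the new `context dns` (new lines 7-9) exempts only 127.0.0.0/8, yet the `named.*client (.*)#.*query.*cache.*denied` pattern matches every refused recursive query, so an internal host or secondary that is merely mis-pointed at this server for recursion will be cut off from udp/53 once its bucket fills. The warning already given for the sendmail bounce pattern (new lines 123-125, "make sure your upstream MX servers are listed in the ignore block above") deserves a counterpart here, e.g. `// list your own resolvers and secondary servers here; a mis-pointed internal client is otherwise dropped on udp/53`. The threshold of 1100 for this context against 550 for `general` is undocumented; a one-line comment stating the intended number of denials before a block is applied would help the next maintainer tune it. Whether the daemon validates the text captured by `(.*)` as an address before substituting it into the `%s` of the iptables command is not visible from this file; if it does not, the capture should be narrowed to an address-shaped class rather than `.*`.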