comparison syslog2iptables.conf @ 51:206448c00b55 stable-1-0-12
Allow multiple contexts with independent add/remove commands.
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Sat, 24 Jan 2009 15:52:20 -0800 |
parents | 75361069c6ef |
children | d6fb7fca0394 |
50:75361069c6ef | 51:206448c00b55 |
---|---|
1 threshold 550; | 1 context dns { |
2 threshold 1100; | |
2 | 3 |
3 add_command "/sbin/iptables -I INPUT --src %s --jump DROP"; | 4 add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP"; |
4 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP"; | 5 remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP"; |
5 | 6 |
6 ignore { | 7 ignore { |
7 127.0.0.0/8; // localhost | 8 127.0.0.0/8; // localhost |
8 }; | 9 }; |
9 | 10 |
10 // file "/var/log/cisco.log" { | 11 file "/var/log/messages" { |
11 // pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" { | 12 pattern "named.*client (.*)#.*query.*cache.*denied" { |
12 // index 2; // zero based | 13 index 1; // zero based |
13 // bucket 200; | 14 bucket 400; |
14 // message "cisco firewall blocked packet"; | 15 message "DNS attack"; |
15 // }; | 16 }; |
16 // }; | |
17 | |
18 file "/var/log/secure" { | |
19 pattern "sshd.*Failed password .* from ::ffff:(.*) port" { | |
20 index 1; // zero based | |
21 bucket 400; | |
22 message "ssh failed password"; | |
23 }; | |
24 pattern "sshd.*Failed password .* from (.*) port" { | |
25 index 1; // zero based | |
26 bucket 400; | |
27 message "ssh failed password"; | |
28 }; | |
29 pattern "proftpd.*no such user found from (.*) \[" { | |
30 index 1; // zero based | |
31 bucket 400; | |
32 message "ftp failed password"; | |
33 }; | 17 }; |
34 }; | 18 }; |
35 | 19 |
36 file "/var/log/messages" { | 20 |
37 pattern "ipop3d.* Login failed .* \[(.*)\]" { | 21 context general { |
38 index 1; // zero based | 22 threshold 550; |
39 bucket 400; | 23 |
40 message "pop3 failed password"; | 24 add_command "/sbin/iptables -I INPUT --src %s --jump DROP"; |
25 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP"; | |
26 | |
27 ignore { | |
28 127.0.0.0/8; // localhost | |
41 }; | 29 }; |
30 | |
31 // file "/var/log/cisco.log" { | |
32 // pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" { | |
33 // index 2; // zero based | |
34 // bucket 200; | |
35 // message "cisco firewall blocked packet"; | |
36 // }; | |
37 // }; | |
38 | |
39 file "/var/log/secure" { | |
40 pattern "sshd.*Failed password .* from ::ffff:(.*) port" { | |
41 index 1; // zero based | |
42 bucket 400; | |
43 message "ssh failed password"; | |
44 }; | |
45 pattern "sshd.*Failed password .* from (.*) port" { | |
46 index 1; // zero based | |
47 bucket 400; | |
48 message "ssh failed password"; | |
49 }; | |
50 pattern "proftpd.*no such user found from (.*) \[" { | |
51 index 1; // zero based | |
52 bucket 400; | |
53 message "ftp failed password"; | |
54 }; | |
55 }; | |
56 | |
57 file "/var/log/messages" { | |
58 pattern "ipop3d.* Login failed .* \[(.*)\]" { | |
59 index 1; // zero based | |
60 bucket 400; | |
61 message "pop3 failed password"; | |
62 }; | |
63 }; | |
64 | |
65 file "/var/log/httpd/access_log" { | |
66 // of course you cannot use this if you actually use cgi-bin directories | |
67 pattern "(.*) - - .* /cgi-bin" { | |
68 index 1; // zero based | |
69 bucket 400; | |
70 message "apache cgi-bin reference"; | |
71 }; | |
72 // or if you actually have an index2.php script | |
73 pattern "(.*) - - .*/index2.php" { | |
74 index 1; // zero based | |
75 bucket 400; | |
76 message "apache index2.php reference"; | |
77 }; | |
78 // or if you have a main.php script | |
79 pattern "(.*) - - .*/main.php" { | |
80 index 1; // zero based | |
81 bucket 400; | |
82 message "apache main.php reference"; | |
83 }; | |
84 pattern "(.*) - - .*/awstats.pl" { | |
85 index 1; // zero based | |
86 bucket 400; | |
87 message "apache awstats.pl reference"; | |
88 }; | |
89 pattern "(.*) - - .*/adxmlrpc" { | |
90 index 1; // zero based | |
91 bucket 400; | |
92 message "apache adxmlrpc reference"; | |
93 }; | |
94 }; | |
95 | |
96 file "/var/log/maillog" { | |
97 pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" { | |
98 index 1; // zero based | |
99 bucket 200; | |
100 message "sendmail spammer dropping connection"; | |
101 }; | |
102 pattern " \[(.*)\]: possible SMTP attack" { | |
103 index 1; // zero based | |
104 bucket 600; | |
105 message "sendmail authentication attack"; | |
106 }; | |
107 pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" { | |
108 index 1; // zero based | |
109 bucket 200; | |
110 message "sendmail pre-greeting"; | |
111 }; | |
112 pattern "dovecot.*Aborted login.*rip=(.*)," { | |
113 index 1; // zero based | |
114 bucket 100; | |
115 message "dovecot failed password"; | |
116 }; | |
117 pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," { | |
118 index 1; // zero based | |
119 bucket 100; | |
120 message "dovecot failed password"; | |
121 }; | |
122 | |
123 // make sure your upstream MX servers are listed in the | |
124 // ignore block above, otherwise you will kill them off | |
125 // when they try to forward such mail to you. | |
126 pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" { | |
127 index 1; // zero based | |
128 bucket 200; | |
129 message "sendmail rejected bounce"; | |
130 }; | |
131 }; | |
132 | |
133 // file "/var/log/messages" { | |
134 // pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" { | |
135 // index 1; // zero based | |
136 // bucket 300; | |
137 // message "ssh failed password"; | |
138 // }; | |
139 // pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" { | |
140 // index 1; // zero based | |
141 // bucket 300; | |
142 // message "ssh failed password"; | |
143 // }; | |
144 // }; | |
42 }; | 145 }; |
43 | 146 |
44 file "/var/log/httpd/access_log" { | |
45 // of course you cannot use this if you actually use cgi-bin directories | |
46 pattern "(.*) - - .* /cgi-bin" { | |
47 index 1; // zero based | |
48 bucket 400; | |
49 message "apache cgi-bin reference"; | |
50 }; | |
51 // or if you actually have an index2.php script | |
52 pattern "(.*) - - .*/index2.php" { | |
53 index 1; // zero based | |
54 bucket 400; | |
55 message "apache index2.php reference"; | |
56 }; | |
57 // or if you have a main.php script | |
58 pattern "(.*) - - .*/main.php" { | |
59 index 1; // zero based | |
60 bucket 400; | |
61 message "apache main.php reference"; | |
62 }; | |
63 pattern "(.*) - - .*/awstats.pl" { | |
64 index 1; // zero based | |
65 bucket 400; | |
66 message "apache awstats.pl reference"; | |
67 }; | |
68 pattern "(.*) - - .*/adxmlrpc" { | |
69 index 1; // zero based | |
70 bucket 400; | |
71 message "apache adxmlrpc reference"; | |
72 }; | |
73 }; | |
74 | |
75 file "/var/log/maillog" { | |
76 pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" { | |
77 index 1; // zero based | |
78 bucket 200; | |
79 message "sendmail spammer dropping connection"; | |
80 }; | |
81 pattern " \[(.*)\]: possible SMTP attack" { | |
82 index 1; // zero based | |
83 bucket 600; | |
84 message "sendmail authentication attack"; | |
85 }; | |
86 pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" { | |
87 index 1; // zero based | |
88 bucket 200; | |
89 message "sendmail pre-greeting"; | |
90 }; | |
91 pattern "dovecot.*Aborted login.*rip=(.*)," { | |
92 index 1; // zero based | |
93 bucket 100; | |
94 message "dovecot failed password"; | |
95 }; | |
96 pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," { | |
97 index 1; // zero based | |
98 bucket 100; | |
99 message "dovecot failed password"; | |
100 }; | |
101 | |
102 // make sure your upstream MX servers are listed in the | |
103 // ignore block above, otherwise you will kill them off | |
104 // when they try to forward such mail to you. | |
105 pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" { | |
106 index 1; // zero based | |
107 bucket 200; | |
108 message "sendmail rejected bounce"; | |
109 }; | |
110 }; | |
111 | |
112 // file "/var/log/messages" { | |
113 // pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" { | |
114 // index 1; // zero based | |
115 // bucket 300; | |
116 // message "ssh failed password"; | |
117 // }; | |
118 // pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" { | |
119 // index 1; // zero based | |
120 // bucket 300; | |
121 // message "ssh failed password"; | |
122 // }; | |
123 // }; |
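Review bot: The new `context dns` block (new lines 1–18) inserts a DROP rule for whatever address the `named.*client (.*)#.*query.*cache.*denied` pattern captures, but its `ignore` block lists only `127.0.0.0/8`; the captured value is the source address of a UDP query, which the firewall cannot verify, so a forged query could cause a rule that blocks a resolver or secondary this host depends on. The general context already carries a warning of this kind for upstream MX servers (new lines 123–125); the dns context deserves the same, e.g. `// list your own recursive resolvers and secondary nameservers here; a query with a forged source can otherwise get them dropped` placed inside the dns `ignore { ... }` block alongside the localhost entry. The same consideration applies to the added `add_command`, since each match inserts a separate `-I INPUT` rule that only the exact-match `remove_command` can undo. Whether `threshold 1100` with `bucket 400` is the intended rate for this log line cannot be judged from the diff alone; a one-line comment stating the intended number of denied queries before a block would help the next maintainer.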