Mercurial > syslog2iptables
comparison syslog2iptables.conf.top @ 63:60f59936fabb
good authentication prevents ip blocking for awhile
| author | Carl Byington <carl@five-ten-sg.com> |
|---|---|
| date | Sat, 19 Dec 2015 10:12:24 -0800 |
| parents | d80641be405b |
| children | f17e6599b82c |
comparison
equal
deleted
inserted
replaced
| 62:c30df5975c49 | 63:60f59936fabb |
|---|---|
| 7 ignore { | 7 ignore { |
| 8 127.0.0.0/8; // localhost | 8 127.0.0.0/8; // localhost |
| 9 }; | 9 }; |
| 10 | 10 |
| 11 file "/var/log/secure" { | 11 file "/var/log/secure" { |
| 12 pattern "manual unblock (.*)" { | |
| 13 index 1; // zero based | |
| 14 bucket -5000; | |
| 15 message "manual unblock"; | |
| 16 }; | |
| 12 pattern "sshd.*Failed password .* from ::ffff:(.*) port" { | 17 pattern "sshd.*Failed password .* from ::ffff:(.*) port" { |
| 13 index 1; // zero based | 18 index 1; // zero based |
| 14 bucket 400; | 19 bucket 400; |
| 15 message "ssh failed password"; | 20 message "ssh failed password"; |
| 16 }; | 21 }; |
| 44 bucket 400; | 49 bucket 400; |
| 45 message "ftp failed password"; | 50 message "ftp failed password"; |
| 46 }; | 51 }; |
| 47 pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " { | 52 pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " { |
| 48 index 1; // zero based | 53 index 1; // zero based |
| 49 bucket 400; | 54 bucket 100; |
| 50 message "dovecot failed password"; | 55 message "dovecot failed password"; |
| 51 }; | 56 }; |
| 52 pattern "dovecot.* authentication failure; .* rhost=(.*) " { | 57 pattern "dovecot.* authentication failure; .* rhost=(.*) " { |
| 53 index 1; // zero based | 58 index 1; // zero based |
| 54 bucket 400; | 59 bucket 100; |
| 55 message "dovecot failed password"; | 60 message "dovecot failed password"; |
| 56 }; | 61 }; |
| 57 }; | 62 }; |
| 58 | 63 |
| 59 file "/var/log/messages" { | 64 file "/var/log/messages" { |
| 60 pattern "dovecot.* authentication failure; .* rhost=(.*) " { | 65 pattern "dovecot.* authentication failure; .* rhost=(.*) " { |
| 61 index 1; // zero based | 66 index 1; // zero based |
| 62 bucket 400; | 67 bucket 100; |
| 63 message "dovecot failed password"; | 68 message "dovecot failed password"; |
| 64 }; | 69 }; |
| 65 pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" { | 70 pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" { |
| 66 index 1; // zero based | 71 index 1; // zero based |
| 67 bucket 400; | 72 bucket 400; |
| 73 message "kernel firewall blocked packet"; | 78 message "kernel firewall blocked packet"; |
| 74 }; | 79 }; |
| 75 }; | 80 }; |
| 76 | 81 |
| 77 file "/var/log/maillog" { | 82 file "/var/log/maillog" { |
| 78 pattern "\]: .* \[(.*)\] did not issue MAIL" { | |
| 79 index 1; // zero based | |
| 80 bucket 200; | |
| 81 message "sendmail banner probe"; | |
| 82 }; | |
| 83 pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" { | 83 pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" { |
| 84 index 1; // zero based | 84 index 1; // zero based |
| 85 bucket 200; | 85 bucket 100; |
| 86 message "sendmail spammer dropping connection"; | 86 message "sendmail spammer dropping connection"; |
| 87 }; | 87 }; |
| 88 pattern " \[(.*)\]: possible SMTP attack" { | 88 pattern " \[(.*)\].* possible SMTP attack" { |
| 89 index 1; // zero based | 89 index 1; // zero based |
| 90 bucket 600; | 90 bucket 100; |
| 91 message "sendmail authentication attack"; | 91 message "sendmail authentication attack"; |
| 92 }; | 92 }; |
| 93 pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" { | 93 pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" { |
| 94 index 1; // zero based | 94 index 1; // zero based |
| 95 bucket 1800; | 95 bucket 1800; |
| 96 message "sendmail pre-greeting"; | 96 message "sendmail pre-greeting"; |
| 97 }; | 97 }; |
| 98 pattern "authentication failure: checkpass failed,.*\[(.*)\]" { | 98 pattern "authentication failure: checkpass failed, .*\[(.*)\]" { |
| 99 index 1; // zero based | 99 index 1; // zero based |
| 100 bucket 600; | 100 bucket 100; |
| 101 message "sendmail authentication attack"; | 101 message "sendmail authentication failed"; |
| 102 }; | 102 }; |
| 103 pattern "dovecot.*Aborted login.*rip=(.*)," { | 103 pattern "dovecot.*Aborted login .* rip=(.*)," { |
| 104 index 1; // zero based | 104 index 1; // zero based |
| 105 bucket 100; | 105 bucket 100; |
| 106 message "dovecot failed password"; | 106 message "dovecot failed password"; |
| 107 }; | 107 }; |
| 108 pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," { | 108 pattern "dovecot.*Login: .* rip=(.*)," { |
| 109 index 1; // zero based | 109 index 1; // zero based |
| 110 bucket 100; | 110 bucket -5000; |
| 111 message "dovecot failed password"; | 111 message "dovecot good authentication"; |
| 112 }; | |
| 113 pattern "sendmail.*AUTH=server, .*\[(.*)\]," { | |
| 114 index 1; // zero based | |
| 115 bucket -5000; | |
| 116 message "sendmail good authentication"; | |
| 112 }; | 117 }; |
| 113 }; | 118 }; |