syslog2iptables: xml/syslog2iptables.in comparison

comparison xml/syslog2iptables.in @ 63:60f59936fabb

good authentication prevents ip blocking for awhile

author	Carl Byington <carl@five-ten-sg.com>
date	Sat, 19 Dec 2015 10:12:24 -0800
parents	b45dddebe8fc
children	45e53c44c46c

comparison

equal deleted inserted replaced

-:c30df5975c49
+:60f59936fabb
 </partintro>
 <refentry id="@PACKAGE@.1">
 <refentryinfo>
-<date>2009-01-25</date>
+<date>2015-12-18</date>
 <author>
 <firstname>Carl</firstname>
 <surname>Byington</surname>
 <affiliation>
 <orgname>510 Software Group</orgname>
 entries are typically generated by your hardware firewall, but they
 could come from any source.  Any syslog entry that contains a host name
 or ip address can be used as input to this package.</para>
 <para>The <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle>
-<manvolnum>5</manvolnum> </citerefentry> file specifies the syslog files
+<manvolnum>5</manvolnum> </citerefentry> file specifies the syslog
-to be monitored, and the regular expressions (<citerefentry>
+files to be monitored, and the regular expressions (<citerefentry>
 <refentrytitle>regex</refentrytitle> <manvolnum>7</manvolnum>
 </citerefentry>) to be applied to new lines in those files.  Each
-regular expression needs an index to specify the matching substring that
+regular expression needs an INDEX to specify the matching substring
-contains either an ip address or host name, and a bucket count which is
+that contains either an ip address or host name, and a DELTA which is
-added to the leaky bucket for that ip address when a matching line is
+used to modify the leaky bucket count for that ip address when a
-read from that syslog file.</para>
+matching line is read from that syslog file. </para>
+<para>If the DELTA is negative, the leaky bucket count is set to that
+DELTA value, any existing blocking for that ip address is removed, and
+new blocking is prevented until that bucket leaks upward to zero.
+</para>
+<para>If the DELTA is positive and the current leaky bucket count is
+not negative, that DELTA value is added to the leaky bucket count for
+that ip address. Once the bucket contains more than a configurable
+THRESHOLD number of tokens, that ip address is added to the INPUT
+chain with a DROP target.</para>
 <para>Each ip address has an associated leaky bucket, which leaks one
-token per second.  Once the bucket contains more than a configurable
+token per second so the count moves toward zero.  When the bucket is
-threshold number of tokens, that ip address is added to the INPUT chain
+drained to zero, that ip address is removed from the INPUT
-with a DROP target.  When the bucket is drained to zero, that ip address
+chain.</para>
-is removed from the INPUT chain.</para>
 <para>The discussion has focused on syslog files, but any ascii text
 file can be used, so long as some other process appends lines to that
 file, and those lines containing hostname or ip addresses can be matched
 with some regular expression.</para>
 <para>Considering syslog files in particular, these are normally rotated
 via logrotate.  <command>@PACKAGE@</command> properly detects and
 handles this case by closing the old file, and reopening the newly
 created file.</para>
+<para>With the default config file, you can manually unblock an ip
+address with <command>logger -p authpriv.info "manual unblock
+1.2.3.4"</command> </para>
 </refsect1>
 <refsect1 id='options.1'>
 <title>Options</title>
 <variablelist>
 </refentry>
 <refentry id="@PACKAGE@.conf.5">
 <refentryinfo>
-<date>2009-01-25</date>
+<date>2015-12-18</date>
 </refentryinfo>
 <refmeta>
 <refentrytitle>@PACKAGE@.conf</refentrytitle>
 <manvolnum>5</manvolnum>
 REM-CMD   := "remove_command" IPT-CMD
 IGNORE    := "ignore" "{" IG-SINGLE+ "}"
 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS
 FILE      := "file" FILENAME "{" PATTERN+ "}"
 PATTERN   := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
-INDEX     := "index" REGEX-INTEGER-VALUE ";"
+INDEX     := "index" REGEX-INTEGER ";"
-BUCKET    := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
+DELTA     := "bucket" BUCKET-DELTA-INTEGER ";"
 MESSAGE   := "message" REASON ";"
 REASON    := string to appear in syslog messages
 IPT-CMD   := string containing exactly one %s replacement token for
 the ip address]]></literallayout>
 </refsect1>
 <refsect1 id='sample.5'>
 <title>Sample</title>
 <literallayout class="monospaced"><![CDATA[
-context dns {
+context general {
-threshold 1100;
+threshold 550;
-add_command    "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
+add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
-remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
+remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
 ignore {
 127.0.0.0/8;        // localhost
 };
+file "/var/log/secure" {
+pattern "manual unblock (.*)" {
+index 1;    // zero based
+bucket -5000;
+message "manual unblock";
+};
+pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
+index 1;    // zero based
+bucket 400;
+message "ssh failed password";
+};
+pattern "sshd.*Failed password .* from (.*) port" {
+index 1;    // zero based
+bucket 400;
+message "ssh failed password";
+};
+pattern "sshd.*authentication failure; .* rhost=(.*) " {
+index 1;    // zero based
+bucket 400;
+message "ssh failed password";
+};
+pattern "sshd.*Did not receive identification string from (.*)" {
+index 1;    // zero based
+bucket 400;
+message "ssh failed password";
+};
+pattern "proftpd.*no such user found from (.*) \[" {
+index 1;    // zero based
+bucket 400;
+message "ftp failed password";
+};
+pattern "proftpd.* authentication failure; .* rhost=(.*) " {
+index 1;    // zero based
+bucket 400;
+message "ftp failed password";
+};
+pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
+index 1;    // zero based
+bucket 400;
+message "ftp failed password";
+};
+pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
+index 1;    // zero based
+bucket 100;
+message "dovecot failed password";
+};
+pattern "dovecot.* authentication failure; .* rhost=(.*) " {
+index 1;    // zero based
+bucket 100;
+message "dovecot failed password";
+};
+};
 file "/var/log/messages" {
-pattern "named.*client (.*)#.*query.*cache.*denied" {
+pattern "dovecot.* authentication failure; .* rhost=(.*) " {
 index 1;    // zero based
-bucket 400;
+bucket 100;
-message "DNS attack";
+message "dovecot failed password";
+};
+pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
+index 1;    // zero based
+bucket 400;
+message "kernel firewall blocked packet";
+};
+pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
+index 1;    // zero based
+bucket 400;
+message "kernel firewall blocked packet";
 };
 };
-};
-context general {
-threshold 550;
-add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
-remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
-ignore {
-127.0.0.0/8;        // localhost
-};
-file "/var/log/secure" {
-pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
-index 1;    // zero based
-bucket 400;
-message "ssh failed password";
-};
-pattern "sshd.*Failed password .* from (.*) port" {
-index 1;    // zero based
-bucket 400;
-message "ssh failed password";
-};
-pattern "proftpd.*no such user found from (.*) \[" {
-index 1;    // zero based
-bucket 400;
-message "ftp failed password";
-};
-};
-file "/var/log/messages" {
-pattern "ipop3d.* Login failed .* \[(.*)\]" {
-index 1;    // zero based
-bucket 400;
-message "pop3 failed password";
-};
-};
-file "/var/log/httpd/access_log" {
-// of course you cannot use this if you actually use cgi-bin directories
-pattern "(.*) - - .* /cgi-bin" {
-index 1;    // zero based
-bucket 400;
-message "apache cgi-bin reference";
-};
-// or if you actually have an index2.php script
-pattern "(.*) - - .*/index2.php" {
-index 1;    // zero based
-bucket 400;
-message "apache index2.php reference";
-};
-// or if you have a main.php script
-pattern "(.*) - - .*/main.php" {
-index 1;    // zero based
-bucket 400;
-message "apache main.php reference";
-};
-pattern "(.*) - - .*/awstats.pl" {
-index 1;    // zero based
-bucket 400;
-message "apache awstats.pl reference";
-};
-pattern "(.*) - - .*/adxmlrpc" {
-index 1;    // zero based
-bucket 400;
-message "apache adxmlrpc reference";
-};
-};
 file "/var/log/maillog" {
-pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
+pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
 index 1;    // zero based
-bucket 200;
+bucket 100;
 message "sendmail spammer dropping connection";
 };
-pattern " \[(.*)\]: possible SMTP attack" {
+pattern " \[(.*)\].* possible SMTP attack" {
 index 1;    // zero based
-bucket 600;
+bucket 100;
 message "sendmail authentication attack";
 };
-pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
+pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
 index 1;    // zero based
-bucket 200;
+bucket 1800;
 message "sendmail pre-greeting";
 };
-pattern "dovecot.*Aborted login.*rip=(.*)," {
+pattern "authentication failure: checkpass failed, .*\[(.*)\]" {
+index 1;    // zero based
+bucket 100;
+message "sendmail authentication failed";
+};
+pattern "dovecot.*Aborted login .* rip=(.*)," {
 index 1;    // zero based
 bucket 100;
 message "dovecot failed password";
 };
-pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
+pattern "dovecot.*Login: .* rip=(.*)," {
 index 1;    // zero based
-bucket 100;
+bucket -5000;
-message "dovecot failed password";
+message "dovecot good authentication";
 };
+pattern "sendmail.*AUTH=server, .*\[(.*)\]," {
-// make sure your upstream MX servers are listed in the
+index 1;    // zero based
-// ignore block above, otherwise you will kill them off
+bucket -5000;
-// when they try to forward such mail to you.
+message "sendmail good authentication";
-pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
-index 1;    // zero based
-bucket 200;
-message "sendmail rejected bounce";
 };
 };
 };]]></literallayout>
 </refsect1>

Mercurial > syslog2iptables

comparison xml/syslog2iptables.in @ 63:60f59936fabb