comparison syslog2iptables.conf @ 50:75361069c6ef
changes for fedora 10
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Wed, 24 Dec 2008 18:40:54 -0800 |
parents | d9ae11033b4b |
children | 206448c00b55 |
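--- a/syslog2iptables.conf
+++ b/syslog2iptables.conf
@@ -24,10 +24,23 @@
 pattern "sshd.*Failed password .* from (.*) port" {
 index 1; // zero based
 bucket 400;
 message "ssh failed password";
 };
+pattern "proftpd.*no such user found from (.*) \[" {
+index 1; // zero based
+bucket 400;
+message "ftp failed password";
+};
+};
+
+file "/var/log/messages" {
+pattern "ipop3d.* Login failed .* \[(.*)\]" {
+index 1; // zero based
+bucket 400;
+message "pop3 failed password";
+};
 };
 
 file "/var/log/httpd/access_log" {
 // of course you cannot use this if you actually use cgi-bin directories
 pattern "(.*) - - .* /cgi-bin" {
@@ -45,17 +58,47 @@
 pattern "(.*) - - .*/main.php" {
 index 1; // zero based
 bucket 400;
 message "apache main.php reference";
 };
+pattern "(.*) - - .*/awstats.pl" {
+index 1; // zero based
+bucket 400;
+message "apache awstats.pl reference";
+};
+pattern "(.*) - - .*/adxmlrpc" {
+index 1; // zero based
+bucket 400;
+message "apache adxmlrpc reference";
+};
 };
 
 file "/var/log/maillog" {
-pattern "lost input channel from .* \[(.*)\] .* after mail" {
+pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
 index 1; // zero based
 bucket 200;
 message "sendmail spammer dropping connection";
+};
+pattern " \[(.*)\]: possible SMTP attack" {
+index 1; // zero based
+bucket 600;
+message "sendmail authentication attack";
+};
+pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
+index 1; // zero based
+bucket 200;
+message "sendmail pre-greeting";
+};
+pattern "dovecot.*Aborted login.*rip=(.*)," {
+index 1; // zero based
+bucket 100;
+message "dovecot failed password";
+};
+pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
+index 1; // zero based
+bucket 100;
+message "dovecot failed password";
 };
 
 // make sure your upstream MX servers are listed in the
 // ignore block above, otherwise you will kill them off
 // when they try to forward such mail to you.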
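Review bot: The last pattern added to the /var/log/maillog block, `dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*),`, appears to match a server-side shutdown disconnect rather than an authentication failure, yet it carries `message "dovecot failed password";` and the same `bucket 100;` as the Aborted-login rule, so every client connected during a dovecot restart is counted toward a block; if that is intended it deserves a comment, otherwise the rule should be dropped or given its own bucket and message. Both dovecot patterns also capture with a greedy `rip=(.*),`, which takes everything up to the last comma on the line; if dovecot appends further comma-separated fields after the address (I cannot confirm the log format from here), the captured value is not a bare address and the resulting iptables entry will be wrong. A narrower capture such as `rip=([^,]*),` avoids that in either case. The same greedy-capture consideration applies to the new `\[(.*)\]: possible SMTP attack` rule, though there the closing `]:` makes it less likely to misfire.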