comparison syslog2iptables.conf @ 58:b45dddebe8fc
Add exponential increase in penalty for repeat offenders
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Tue, 10 Jun 2014 08:48:53 -0700 |
parents | 73dd2daeaf8e |
children |
57:c95acc20f7ed | 58:b45dddebe8fc |
---|---|
1 context dns { | |
2 threshold 1100; | |
3 | |
4 add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP"; | |
5 remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP"; | |
6 | |
7 ignore { | |
8 127.0.0.0/8; // localhost | |
9 }; | |
10 | |
11 file "/var/log/messages" { | |
12 pattern "named.*client (.*)#.*query.*cache.*'\./NS/IN'.*denied" { | |
13 index 1; // zero based | |
14 bucket 400; | |
15 message "DNS attack"; | |
16 }; | |
17 }; | |
18 }; | |
19 | |
20 | |
21 context general { | 1 context general { |
22 threshold 550; | 2 threshold 550; |
23 | 3 |
24 add_command "/sbin/iptables -I INPUT --src %s --jump DROP"; | 4 add_command "/sbin/iptables -I INPUT --src %s --jump DROP"; |
25 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP"; | 5 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP"; |
37 pattern "sshd.*Failed password .* from (.*) port" { | 17 pattern "sshd.*Failed password .* from (.*) port" { |
38 index 1; // zero based | 18 index 1; // zero based |
39 bucket 400; | 19 bucket 400; |
40 message "ssh failed password"; | 20 message "ssh failed password"; |
41 }; | 21 }; |
22 pattern "sshd.*authentication failure; .* rhost=(.*) " { | |
23 index 1; // zero based | |
24 bucket 400; | |
25 message "ssh failed password"; | |
26 }; | |
27 pattern "sshd.*Did not receive identification string from (.*)" { | |
28 index 1; // zero based | |
29 bucket 400; | |
30 message "ssh failed password"; | |
31 }; | |
42 pattern "proftpd.*no such user found from (.*) \[" { | 32 pattern "proftpd.*no such user found from (.*) \[" { |
33 index 1; // zero based | |
34 bucket 400; | |
35 message "ftp failed password"; | |
36 }; | |
37 pattern "proftpd.* authentication failure; .* rhost=(.*) " { | |
43 index 1; // zero based | 38 index 1; // zero based |
44 bucket 400; | 39 bucket 400; |
45 message "ftp failed password"; | 40 message "ftp failed password"; |
46 }; | 41 }; |
47 pattern "vsftpd.* authentication failure; .* rhost=(.*) " { | 42 pattern "vsftpd.* authentication failure; .* rhost=(.*) " { |
96 pattern "(.*) - - .*/awstats.pl" { | 91 pattern "(.*) - - .*/awstats.pl" { |
97 index 1; // zero based | 92 index 1; // zero based |
98 bucket 400; | 93 bucket 400; |
99 message "apache awstats.pl reference"; | 94 message "apache awstats.pl reference"; |
100 }; | 95 }; |
96 pattern "(.*) - - .*/xmlrpc" { | |
97 index 1; // zero based | |
98 bucket 400; | |
99 message "apache xmlrpc reference"; | |
100 }; | |
101 pattern "(.*) - - .*/adxmlrpc" { | 101 pattern "(.*) - - .*/adxmlrpc" { |
102 index 1; // zero based | 102 index 1; // zero based |
103 bucket 400; | 103 bucket 400; |
104 message "apache adxmlrpc reference"; | 104 message "apache adxmlrpc reference"; |
105 }; | 105 }; |
106 pattern "(.*) - - .*/includes/general.js" { | 106 pattern "(.*) - - .*/includes/general.js" { |
107 index 1; // zero based | 107 index 1; // zero based |
108 bucket 400; | 108 bucket 400; |
109 message "apache general.js reference"; | 109 message "apache general.js reference"; |
110 }; | 110 }; |
111 pattern "(.*) - - .*/Admin/" { | |
112 index 1; // zero based | |
113 bucket 400; | |
114 message "apache phpMyAdmin reference"; | |
115 }; | |
116 pattern "(.*) - - .*/MyAdmin/" { | |
117 index 1; // zero based | |
118 bucket 400; | |
119 message "apache phpMyAdmin reference"; | |
120 }; | |
111 pattern "(.*) - - .*/phpMyAdmin/" { | 121 pattern "(.*) - - .*/phpMyAdmin/" { |
112 index 1; // zero based | 122 index 1; // zero based |
113 bucket 400; | 123 bucket 400; |
114 message "apache phpMyAdmin reference"; | 124 message "apache phpMyAdmin reference"; |
125 }; | |
126 pattern "(.*) - - .*/user/soapCaller" { | |
127 index 1; // zero based | |
128 bucket 400; | |
129 message "apache soapCaller reference"; | |
130 }; | |
131 pattern "(.*) - - .*POST /contact.php" { | |
132 index 1; // zero based | |
133 bucket 400; | |
134 message "apache contact.php post"; | |
135 }; | |
136 pattern "(.*) - - .*/crossdomain.xml" { | |
137 index 1; // zero based | |
138 bucket 400; | |
139 message "apache crossdomain.xml reference"; | |
115 }; | 140 }; |
116 pattern "(.*) - - .*/cart/" { | 141 pattern "(.*) - - .*/cart/" { |
117 index 1; // zero based | 142 index 1; // zero based |
118 bucket 400; | 143 bucket 400; |
119 message "apache cart reference"; | 144 message "apache cart reference"; |
141 bucket 600; | 166 bucket 600; |
142 message "sendmail authentication attack"; | 167 message "sendmail authentication attack"; |
143 }; | 168 }; |
144 pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" { | 169 pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" { |
145 index 1; // zero based | 170 index 1; // zero based |
146 bucket 200; | 171 bucket 1800; |
147 message "sendmail pre-greeting"; | 172 message "sendmail pre-greeting"; |
148 }; | 173 }; |
149 pattern "dovecot.*Aborted login.*rip=(.*)," { | 174 pattern "dovecot.*Aborted login.*rip=(.*)," { |
150 index 1; // zero based | 175 index 1; // zero based |
151 bucket 100; | 176 bucket 100; |