Mercurial > syslog2iptables
comparison syslog2iptables.conf @ 58:b45dddebe8fc
Add exponential increase in penalty for repeat offenders
| author | Carl Byington <carl@five-ten-sg.com> |
|---|---|
| date | Tue, 10 Jun 2014 08:48:53 -0700 |
| parents | 73dd2daeaf8e |
| children |
comparison
equal
deleted
inserted
replaced
| 57:c95acc20f7ed | 58:b45dddebe8fc |
|---|---|
| 1 context dns { | |
| 2 threshold 1100; | |
| 3 | |
| 4 add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP"; | |
| 5 remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP"; | |
| 6 | |
| 7 ignore { | |
| 8 127.0.0.0/8; // localhost | |
| 9 }; | |
| 10 | |
| 11 file "/var/log/messages" { | |
| 12 pattern "named.*client (.*)#.*query.*cache.*'\./NS/IN'.*denied" { | |
| 13 index 1; // zero based | |
| 14 bucket 400; | |
| 15 message "DNS attack"; | |
| 16 }; | |
| 17 }; | |
| 18 }; | |
| 19 | |
| 20 | |
| 21 context general { | 1 context general { |
| 22 threshold 550; | 2 threshold 550; |
| 23 | 3 |
| 24 add_command "/sbin/iptables -I INPUT --src %s --jump DROP"; | 4 add_command "/sbin/iptables -I INPUT --src %s --jump DROP"; |
| 25 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP"; | 5 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP"; |
| 37 pattern "sshd.*Failed password .* from (.*) port" { | 17 pattern "sshd.*Failed password .* from (.*) port" { |
| 38 index 1; // zero based | 18 index 1; // zero based |
| 39 bucket 400; | 19 bucket 400; |
| 40 message "ssh failed password"; | 20 message "ssh failed password"; |
| 41 }; | 21 }; |
| 22 pattern "sshd.*authentication failure; .* rhost=(.*) " { | |
| 23 index 1; // zero based | |
| 24 bucket 400; | |
| 25 message "ssh failed password"; | |
| 26 }; | |
| 27 pattern "sshd.*Did not receive identification string from (.*)" { | |
| 28 index 1; // zero based | |
| 29 bucket 400; | |
| 30 message "ssh failed password"; | |
| 31 }; | |
| 42 pattern "proftpd.*no such user found from (.*) \[" { | 32 pattern "proftpd.*no such user found from (.*) \[" { |
| 33 index 1; // zero based | |
| 34 bucket 400; | |
| 35 message "ftp failed password"; | |
| 36 }; | |
| 37 pattern "proftpd.* authentication failure; .* rhost=(.*) " { | |
| 43 index 1; // zero based | 38 index 1; // zero based |
| 44 bucket 400; | 39 bucket 400; |
| 45 message "ftp failed password"; | 40 message "ftp failed password"; |
| 46 }; | 41 }; |
| 47 pattern "vsftpd.* authentication failure; .* rhost=(.*) " { | 42 pattern "vsftpd.* authentication failure; .* rhost=(.*) " { |
| 96 pattern "(.*) - - .*/awstats.pl" { | 91 pattern "(.*) - - .*/awstats.pl" { |
| 97 index 1; // zero based | 92 index 1; // zero based |
| 98 bucket 400; | 93 bucket 400; |
| 99 message "apache awstats.pl reference"; | 94 message "apache awstats.pl reference"; |
| 100 }; | 95 }; |
| 96 pattern "(.*) - - .*/xmlrpc" { | |
| 97 index 1; // zero based | |
| 98 bucket 400; | |
| 99 message "apache xmlrpc reference"; | |
| 100 }; | |
| 101 pattern "(.*) - - .*/adxmlrpc" { | 101 pattern "(.*) - - .*/adxmlrpc" { |
| 102 index 1; // zero based | 102 index 1; // zero based |
| 103 bucket 400; | 103 bucket 400; |
| 104 message "apache adxmlrpc reference"; | 104 message "apache adxmlrpc reference"; |
| 105 }; | 105 }; |
| 106 pattern "(.*) - - .*/includes/general.js" { | 106 pattern "(.*) - - .*/includes/general.js" { |
| 107 index 1; // zero based | 107 index 1; // zero based |
| 108 bucket 400; | 108 bucket 400; |
| 109 message "apache general.js reference"; | 109 message "apache general.js reference"; |
| 110 }; | 110 }; |
| 111 pattern "(.*) - - .*/Admin/" { | |
| 112 index 1; // zero based | |
| 113 bucket 400; | |
| 114 message "apache phpMyAdmin reference"; | |
| 115 }; | |
| 116 pattern "(.*) - - .*/MyAdmin/" { | |
| 117 index 1; // zero based | |
| 118 bucket 400; | |
| 119 message "apache phpMyAdmin reference"; | |
| 120 }; | |
| 111 pattern "(.*) - - .*/phpMyAdmin/" { | 121 pattern "(.*) - - .*/phpMyAdmin/" { |
| 112 index 1; // zero based | 122 index 1; // zero based |
| 113 bucket 400; | 123 bucket 400; |
| 114 message "apache phpMyAdmin reference"; | 124 message "apache phpMyAdmin reference"; |
| 125 }; | |
| 126 pattern "(.*) - - .*/user/soapCaller" { | |
| 127 index 1; // zero based | |
| 128 bucket 400; | |
| 129 message "apache soapCaller reference"; | |
| 130 }; | |
| 131 pattern "(.*) - - .*POST /contact.php" { | |
| 132 index 1; // zero based | |
| 133 bucket 400; | |
| 134 message "apache contact.php post"; | |
| 135 }; | |
| 136 pattern "(.*) - - .*/crossdomain.xml" { | |
| 137 index 1; // zero based | |
| 138 bucket 400; | |
| 139 message "apache crossdomain.xml reference"; | |
| 115 }; | 140 }; |
| 116 pattern "(.*) - - .*/cart/" { | 141 pattern "(.*) - - .*/cart/" { |
| 117 index 1; // zero based | 142 index 1; // zero based |
| 118 bucket 400; | 143 bucket 400; |
| 119 message "apache cart reference"; | 144 message "apache cart reference"; |
| 141 bucket 600; | 166 bucket 600; |
| 142 message "sendmail authentication attack"; | 167 message "sendmail authentication attack"; |
| 143 }; | 168 }; |
| 144 pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" { | 169 pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" { |
| 145 index 1; // zero based | 170 index 1; // zero based |
| 146 bucket 200; | 171 bucket 1800; |
| 147 message "sendmail pre-greeting"; | 172 message "sendmail pre-greeting"; |
| 148 }; | 173 }; |
| 149 pattern "dovecot.*Aborted login.*rip=(.*)," { | 174 pattern "dovecot.*Aborted login.*rip=(.*)," { |
| 150 index 1; // zero based | 175 index 1; // zero based |
| 151 bucket 100; | 176 bucket 100; |