comparison syslog2iptables.conf.top @ 61:d80641be405b stable-1-0-15

add script to build syslog2iptables.conf
author Carl Byington <carl@five-ten-sg.com>
date Sat, 04 Oct 2014 10:01:32 -0700
parents
children 60f59936fabb
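--- a/syslog2iptables.conf.top
+++ b/syslog2iptables.conf.top
@@ -0,0 +1,113 @@
+context general {
+threshold 550;
+
+add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
+remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
+
+ignore {
+127.0.0.0/8; // localhost
+};
+
+file "/var/log/secure" {
+pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
+index 1; // zero based
+bucket 400;
+message "ssh failed password";
+};
+pattern "sshd.*Failed password .* from (.*) port" {
+index 1; // zero based
+bucket 400;
+message "ssh failed password";
+};
+pattern "sshd.*authentication failure; .* rhost=(.*) " {
+index 1; // zero based
+bucket 400;
+message "ssh failed password";
+};
+pattern "sshd.*Did not receive identification string from (.*)" {
+index 1; // zero based
+bucket 400;
+message "ssh failed password";
+};
+pattern "proftpd.*no such user found from (.*) \[" {
+index 1; // zero based
+bucket 400;
+message "ftp failed password";
+};
+pattern "proftpd.* authentication failure; .* rhost=(.*) " {
+index 1; // zero based
+bucket 400;
+message "ftp failed password";
+};
+pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
+index 1; // zero based
+bucket 400;
+message "ftp failed password";
+};
+pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
+index 1; // zero based
+bucket 400;
+message "dovecot failed password";
+};
+pattern "dovecot.* authentication failure; .* rhost=(.*) " {
+index 1; // zero based
+bucket 400;
+message "dovecot failed password";
+};
+};
+
+file "/var/log/messages" {
+pattern "dovecot.* authentication failure; .* rhost=(.*) " {
+index 1; // zero based
+bucket 400;
+message "dovecot failed password";
+};
+pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
+index 1; // zero based
+bucket 400;
+message "kernel firewall blocked packet";
+};
+pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
+index 1; // zero based
+bucket 400;
+message "kernel firewall blocked packet";
+};
+};
+
+file "/var/log/maillog" {
+pattern "\]: .* \[(.*)\] did not issue MAIL" {
+index 1; // zero based
+bucket 200;
+message "sendmail banner probe";
+};
+pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
+index 1; // zero based
+bucket 200;
+message "sendmail spammer dropping connection";
+};
+pattern " \[(.*)\]: possible SMTP attack" {
+index 1; // zero based
+bucket 600;
+message "sendmail authentication attack";
+};
+pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
+index 1; // zero based
+bucket 1800;
+message "sendmail pre-greeting";
+};
+pattern "authentication failure: checkpass failed,.*\[(.*)\]" {
+index 1; // zero based
+bucket 600;
+message "sendmail authentication attack";
+};
+pattern "dovecot.*Aborted login.*rip=(.*)," {
+index 1; // zero based
+bucket 100;
+message "dovecot failed password";
+};
+pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
+index 1; // zero based
+bucket 100;
+message "dovecot failed password";
+};
+};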
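Review bot: Every capture group in this file is an unconstrained `(.*)`, and the captured text — taken from log lines whose content is partly chosen by the remote client — is what replaces `%s` in the add_command/remove_command lines near the top of the file. I cannot tell from this file whether syslog2iptables runs that command through a shell, but narrowing each capture to an address-shaped token limits what can reach iptables either way, e.g. `pattern "sshd.*Failed password .* from ([^ ]+) port" {` and, for the two dovecot patterns at the end of the maillog block, `rip=([^,]+),` so a greedy match cannot swallow later comma-separated fields on the same line. The two kernel patterns in the messages block key on the SRC= of a logged packet, which is unauthenticated for connectionless or SYN-only traffic, so blocking on those entries can end up dropping addresses that never actually talked to the host; a comment such as `// SRC= is taken from the packet header and is not verified` would make that trade-off visible. The ignore block lists only 127.0.0.0/8; operators will likely want their own management addresses added there so a few mistyped passwords do not lock them out.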