diff syslog2iptables.conf.top @ 63:60f59936fabb

good authentication prevents ip blocking for a while
author Carl Byington <carl@five-ten-sg.com>
date Sat, 19 Dec 2015 10:12:24 -0800
parents d80641be405b
children f17e6599b82c
--- a/syslog2iptables.conf.top	Sat Oct 04 10:21:40 2014 -0700
+++ b/syslog2iptables.conf.top	Sat Dec 19 10:12:24 2015 -0800
@@ -9,6 +9,11 @@
     };
 
     file "/var/log/secure" {
+        pattern "manual unblock (.*)" {
+            index 1;    // zero based
+            bucket -5000;
+            message "manual unblock";
+        };
         pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
             index 1;    // zero based
             bucket 400;
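Review bot: The new `manual unblock (.*)` pattern on /var/log/secure is not tied to any program tag and its capture runs to end of line, so any syslog message containing that phrase — which any local process can emit through syslog(3) to the authpriv facility — would apply the -5000 credit to whatever text follows. Anchoring the pattern to the tag of the program that actually writes this line and constraining the capture to an address form, e.g. `pattern "<program-tag>.*manual unblock ([0-9.]+)"`, would narrow that considerably. Whether repeated lines drive the bucket arbitrarily negative, or the tool clamps it, is not visible in this file. A short comment stating the intent, `// admin-issued unblock: large credit, like the good-authentication entries`, would help the next reader.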
@@ -46,12 +51,12 @@
         };
         pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
             index 1;    // zero based
-            bucket 400;
+            bucket 100;
             message "dovecot failed password";
         };
         pattern "dovecot.* authentication failure; .* rhost=(.*) " {
             index 1;    // zero based
-            bucket 400;
+            bucket 100;
             message "dovecot failed password";
         };
     };
@@ -59,7 +64,7 @@
     file "/var/log/messages" {
         pattern "dovecot.* authentication failure; .* rhost=(.*) " {
             index 1;    // zero based
-            bucket 400;
+            bucket 100;
             message "dovecot failed password";
         };
         pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
@@ -75,19 +80,14 @@
     };
 
     file "/var/log/maillog" {
-        pattern "\]: .* \[(.*)\] did not issue MAIL" {
-            index 1;    // zero based
-            bucket 200;
-            message "sendmail banner probe";
-        };
         pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
             index 1;    // zero based
-            bucket 200;
+            bucket 100;
             message "sendmail spammer dropping connection";
         };
-        pattern " \[(.*)\]: possible SMTP attack" {
+        pattern " \[(.*)\].* possible SMTP attack" {
             index 1;    // zero based
-            bucket 600;
+            bucket 100;
             message "sendmail authentication attack";
         };
         pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
@@ -97,17 +97,22 @@
         };
         pattern "authentication failure: checkpass failed,.*\[(.*)\]" {
             index 1;    // zero based
-            bucket 600;
-            message "sendmail authentication attack";
+            bucket 100;
+            message "sendmail authentication failed";
         };
         pattern "dovecot.*Aborted login.*rip=(.*)," {
             index 1;    // zero based
             bucket 100;
             message "dovecot failed password";
         };
-        pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
+        pattern "dovecot.*Login: .* rip=(.*)," {
             index 1;    // zero based
-            bucket 100;
-            message "dovecot failed password";
+            bucket -5000;
+            message "dovecot good authentication";
+        };
+        pattern "sendmail.*AUTH=server, .*\[(.*)\]," {
+            index 1;    // zero based
+            bucket -5000;
+            message "sendmail good authentication";
         };
     };
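Review bot: The -5000 credit on the two new good-authentication patterns (dovecot `Login:` and sendmail `AUTH=server`) is large relative to the 100-per-failure values this commit sets elsewhere: one successful login offsets roughly fifty failures, so a source holding one valid credential can keep failing against other accounts from the same address without reaching the block threshold (the threshold itself is not visible here). Consider a smaller credit, or at least a comment recording the intended ratio, e.g. `bucket -5000;    // one good login offsets 50 failures at bucket 100`. Separately, `rip=(.*),` is greedy and, if the matcher uses leftmost-longest semantics, captures through the last comma on the line rather than just the address; the existing Aborted-login entry uses the same form, so the tool presumably copes, but `rip=([^,]*),` would make the capture unambiguous.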