diff xml/syslog2iptables.in @ 63:60f59936fabb
good authentication prevents ip blocking for a while
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Sat, 19 Dec 2015 10:12:24 -0800 |
parents | b45dddebe8fc |
children | 45e53c44c46c |
--- a/xml/syslog2iptables.in Sat Oct 04 10:21:40 2014 -0700
+++ b/xml/syslog2iptables.in Sat Dec 19 10:12:24 2015 -0800
@@ -19,7 +19,7 @@
 <refentry id="@PACKAGE@.1"> <refentryinfo>
- <date>2009-01-25</date>
+ <date>2015-12-18</date>
 <author> <firstname>Carl</firstname> <surname>Byington</surname>
@@ -61,20 +61,30 @@
 or ip address can be used as input to this package.</para> <para>The <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle>
- <manvolnum>5</manvolnum> </citerefentry> file specifies the syslog files
- to be monitored, and the regular expressions (<citerefentry>
+ <manvolnum>5</manvolnum> </citerefentry> file specifies the syslog
+ files to be monitored, and the regular expressions (<citerefentry>
 <refentrytitle>regex</refentrytitle> <manvolnum>7</manvolnum> </citerefentry>) to be applied to new lines in those files. Each
- regular expression needs an index to specify the matching substring that
- contains either an ip address or host name, and a bucket count which is
- added to the leaky bucket for that ip address when a matching line is
- read from that syslog file.</para>
+ regular expression needs an INDEX to specify the matching substring
+ that contains either an ip address or host name, and a DELTA which is
+ used to modify the leaky bucket count for that ip address when a
+ matching line is read from that syslog file. </para>
+
+ <para>If the DELTA is negative, the leaky bucket count is set to that
+ DELTA value, any existing blocking for that ip address is removed, and
+ new blocking is prevented until that bucket leaks upward to zero.
+ </para>
+
+ <para>If the DELTA is positive and the current leaky bucket count is
+ not negative, that DELTA value is added to the leaky bucket count for
+ that ip address. Once the bucket contains more than a configurable
+ THRESHOLD number of tokens, that ip address is added to the INPUT
+ chain with a DROP target.</para>
 <para>Each ip address has an associated leaky bucket, which leaks one
- token per second. Once the bucket contains more than a configurable
- threshold number of tokens, that ip address is added to the INPUT chain
- with a DROP target. When the bucket is drained to zero, that ip address
- is removed from the INPUT chain.</para>
+ token per second so the count moves toward zero.
When the bucket is
+ drained to zero, that ip address is removed from the INPUT
+ chain.</para> <para>The discussion has focused on syslog files, but any ascii text file can be used, so long as some other process appends lines to that
@@ -85,6 +95,11 @@
 via logrotate. <command>@PACKAGE@</command> properly detects and handles this case by closing the old file, and reopening the newly created file.</para>
+
+ <para>With the default config file, you can manually unblock an ip
+ address with <command>logger -p authpriv.info "manual unblock
+ 1.2.3.4"</command> </para>
+
 </refsect1> <refsect1 id='options.1'>
@@ -166,7 +181,7 @@
 <refentry id="@PACKAGE@.conf.5"> <refentryinfo>
- <date>2009-01-25</date>
+ <date>2015-12-18</date>
 </refentryinfo> <refmeta>
@@ -205,8 +220,8 @@
 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS
 FILE := "file" FILENAME "{" PATTERN+ "}"
 PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
-INDEX := "index" REGEX-INTEGER-VALUE ";"
-BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
+INDEX := "index" REGEX-INTEGER ";"
+DELTA := "bucket" BUCKET-DELTA-INTEGER ";"
 MESSAGE := "message" REASON ";"
 REASON := string to appear in syslog messages
 IPT-CMD := string containing exactly one %s replacement token for
@@ -216,26 +231,6 @@
 <refsect1 id='sample.5'> <title>Sample</title> <literallayout class="monospaced"><![CDATA[
-context dns {
- threshold 1100;
-
- add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
- remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
-
- ignore {
- 127.0.0.0/8; // localhost
- };
-
- file "/var/log/messages" {
- pattern "named.*client (.*)#.*query.*cache.*denied" {
- index 1; // zero based
- bucket 400;
- message "DNS attack";
- };
- };
-};
-
-
 context general {
 threshold 550;
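Review bot: In the `@@ -205,8 +220,8 @@` hunk the `BUCKET` production is renamed to `DELTA`, but the unchanged context line `PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"` still refers to `BUCKET`, which now has no definition in the grammar; it should read `{INDEX | DELTA | MESSAGE}+`. The config keyword itself stays `bucket`, so only the grammar symbol needs the rename.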
@@ -247,6 +242,11 @@
 };
 file "/var/log/secure" {
+ pattern "manual unblock (.*)" {
+ index 1; // zero based
+ bucket -5000;
+ message "manual unblock";
+ };
 pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
 index 1; // zero based
 bucket 400;
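Review bot: The new `manual unblock (.*)` pattern in the `/var/log/secure` block is keyed on log text alone, so any local process able to emit an `authpriv.info` message (the `logger` example this commit adds to the man page) can remove the block on an address and set its bucket to -5000; the sample should state that this relies on trusting local syslog writers, e.g. `// any local process that can log to authpriv can trigger this unblock`. The capture `(.*)` runs to end of line, so any text after the address becomes part of the captured substring; confirm that the matcher validates a capture as an ip address or host name before substituting it for `%s` in the remove command. The enclosing `file` and `context general` blocks start outside the hunk.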
@@ -257,86 +257,96 @@
 bucket 400;
 message "ssh failed password";
 };
+ pattern "sshd.*authentication failure; .* rhost=(.*) " {
+ index 1; // zero based
+ bucket 400;
+ message "ssh failed password";
+ };
+ pattern "sshd.*Did not receive identification string from (.*)" {
+ index 1; // zero based
+ bucket 400;
+ message "ssh failed password";
+ };
 pattern "proftpd.*no such user found from (.*) \[" {
 index 1; // zero based
 bucket 400;
 message "ftp failed password";
 };
+ pattern "proftpd.* authentication failure; .* rhost=(.*) " {
+ index 1; // zero based
+ bucket 400;
+ message "ftp failed password";
 };
-
- file "/var/log/messages" {
- pattern "ipop3d.* Login failed .* \[(.*)\]" {
+ pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
 index 1; // zero based
 bucket 400;
- message "pop3 failed password";
+ message "ftp failed password";
+ };
+ pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
+ index 1; // zero based
+ bucket 100;
+ message "dovecot failed password";
+ };
+ pattern "dovecot.* authentication failure; .* rhost=(.*) " {
+ index 1; // zero based
+ bucket 100;
+ message "dovecot failed password";
 };
 };
- file "/var/log/httpd/access_log" {
- // of course you cannot use this if you actually use cgi-bin directories
- pattern "(.*) - - .* /cgi-bin" {
+ file "/var/log/messages" {
+ pattern "dovecot.* authentication failure; .* rhost=(.*) " {
 index 1; // zero based
- bucket 400;
- message "apache cgi-bin reference";
+ bucket 100;
+ message "dovecot failed password";
 };
- // or if you actually have an index2.php script
- pattern "(.*) - - .*/index2.php" {
+ pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
 index 1; // zero based
 bucket 400;
- message "apache index2.php reference";
+ message "kernel firewall blocked packet";
 };
- // or if you have a main.php script
- pattern "(.*) - - .*/main.php" {
+ pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
 index 1; // zero based
 bucket 400;
- message "apache main.php reference";
- };
- pattern "(.*) - - .*/awstats.pl" {
- index 1; // zero based
- bucket 400;
- message "apache awstats.pl reference";
- };
- pattern "(.*) - - .*/adxmlrpc" {
- index 1; // zero based
- bucket 400;
- message "apache adxmlrpc reference";
+ message "kernel firewall blocked packet";
 };
 };
 file "/var/log/maillog" {
 pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
 index 1; // zero based
- bucket 200;
+ bucket 100;
 message "sendmail spammer dropping connection";
 };
- pattern " \[(.*)\]: possible SMTP attack" {
+ pattern " \[(.*)\].* possible SMTP attack" {
 index 1; // zero based
- bucket 600;
+ bucket 100;
 message "sendmail authentication attack";
 };
 pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
 index 1; // zero based
- bucket 200;
+ bucket 1800;
 message "sendmail pre-greeting";
 };
+ pattern "authentication failure: checkpass failed, .*\[(.*)\]" {
+ index 1; // zero based
+ bucket 100;
+ message "sendmail authentication failed";
+ };
 pattern "dovecot.*Aborted login.*rip=(.*)," {
 index 1; // zero based
 bucket 100;
 message "dovecot failed password";
 };
- pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
+ pattern "dovecot.*Login: .* rip=(.*)," {
 index 1; // zero based
- bucket 100;
- message "dovecot failed password";
+ bucket -5000;
+ message "dovecot good authentication";
 };
-
- // make sure your upstream MX servers are listed in the
- // ignore block above, otherwise you will kill them off
- // when they try to forward such mail to you.
- pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
+ pattern "sendmail.*AUTH=server, .*\[(.*)\]," {
 index 1; // zero based
- bucket 200;
- message "sendmail rejected bounce";
+ bucket -5000;
+ message "sendmail good authentication";
 };
 };
 };]]></literallayout>
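Review bot: The `bucket -5000;` entries for `dovecot.*Login: .* rip=(.*),` and `sendmail.*AUTH=server, .*\[(.*)\],` make one successful authentication from an address suppress all new blocking of that address until the bucket leaks back to zero, which at the one token per second documented in this commit is roughly 83 minutes, and since the new man-page text says positive deltas are not applied while the count is negative, failed logins from that address during the window are not counted at all. The sample should make that trade-off visible next to each negative delta, e.g. `// -5000: about 83 minutes of immunity at one token per second; an address holding one valid credential is exempt from rate limiting for that long`. Earlier in the same hunk, `sshd.*Did not receive identification string from (.*)` lets its capture run to end of line, unlike its neighbours which stop at ` port` or a trailing space; if sshd ever logs anything after the address, that text becomes part of the capture, so anchoring it the same way is worth considering if the log format allows. The closing `};` lines at the end belong to the `file` and `context general` blocks, which start outside the hunk.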