diff syslog2iptables.conf @ 58:b45dddebe8fc
Add exponential increase in penalty for repeat offenders
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Tue, 10 Jun 2014 08:48:53 -0700 |
parents | 73dd2daeaf8e |
children |
--- a/syslog2iptables.conf Wed Aug 17 10:16:17 2011 -0700
+++ b/syslog2iptables.conf Tue Jun 10 08:48:53 2014 -0700
@@ -1,23 +1,3 @@
-context dns {
- threshold 1100;
-
- add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
- remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
-
- ignore {
- 127.0.0.0/8; // localhost
- };
-
- file "/var/log/messages" {
- pattern "named.*client (.*)#.*query.*cache.*'\./NS/IN'.*denied" {
- index 1; // zero based
- bucket 400;
- message "DNS attack";
- };
- };
-};
-
-
 context general {
 threshold 550;
@@ -39,11 +19,26 @@
 bucket 400;
 message "ssh failed password";
 };
+ pattern "sshd.*authentication failure; .* rhost=(.*) " {
+ index 1; // zero based
+ bucket 400;
+ message "ssh failed password";
+ };
+ pattern "sshd.*Did not receive identification string from (.*)" {
+ index 1; // zero based
+ bucket 400;
+ message "ssh failed password";
+ };
 pattern "proftpd.*no such user found from (.*) \[" {
 index 1; // zero based
 bucket 400;
 message "ftp failed password";
 };
+ pattern "proftpd.* authentication failure; .* rhost=(.*) " {
+ index 1; // zero based
+ bucket 400;
+ message "ftp failed password";
+ };
 pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
 index 1; // zero based
 bucket 400;
@@ -98,6 +93,11 @@
 bucket 400;
 message "apache awstats.pl reference";
 };
+ pattern "(.*) - - .*/xmlrpc" {
+ index 1; // zero based
+ bucket 400;
+ message "apache xmlrpc reference";
+ };
 pattern "(.*) - - .*/adxmlrpc" {
 index 1; // zero based
 bucket 400;
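Review bot: The new `sshd.*authentication failure; .* rhost=(.*) ` pattern most likely scores the same failed login twice: a PAM-backed sshd writes both a pam_unix `authentication failure ... rhost=` line and a `Failed password ... from` line for one attempt, and the pattern immediately above this hunk (its regex is outside the hunk) already carries the `ssh failed password` message. If that earlier pattern matches the `Failed password` line, one attempt now earns 800 points against the `threshold 550` shown in the first hunk and a single mistyped password blocks the client, so either drop one of the pair or halve both buckets, e.g. `bucket 200;`; the same applies to the added `proftpd.* authentication failure` pattern beside the existing `no such user found` one. Separately, the greedy `rhost=(.*) ` capture extends to the last space on the line, so on the usual `rhost=1.2.3.4  user=root` form it yields the address plus a trailing space (and `rhost=` can hold a hostname rather than an address when sshd resolves the peer), and that value is what `%s` in `add_command` receives; `rhost=([^ ]+) ` hands it a single clean token.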
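Review bot: `.*/xmlrpc` is an unanchored substring match, so every legitimate client of a `/xmlrpc.php` endpoint (WordPress pingbacks, mobile apps) accrues 400 points per request and, against the `threshold 550` visible in the first hunk, is firewalled on its second call; if the intent is to catch probes on hosts that do not serve XML-RPC, a comment saying so, e.g. `// this host serves no xmlrpc; any reference is a probe`, would keep the next maintainer from enabling it on one that does. The leading `(.*) - - ` capture is also greedy and unanchored while its value is substituted into `add_command` via `%s`, and the request line later in the same access-log entry is attacker-supplied; if the pattern engine honours `^`, anchoring the client field, e.g. `^([^ ]+) - - .*/xmlrpc`, pins the capture to the first field. This mirrors the neighbouring patterns' existing convention, so the anchoring change applies to them as well.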
@@ -108,11 +108,36 @@
 bucket 400;
 message "apache general.js reference";
 };
+ pattern "(.*) - - .*/Admin/" {
+ index 1; // zero based
+ bucket 400;
+ message "apache phpMyAdmin reference";
+ };
+ pattern "(.*) - - .*/MyAdmin/" {
+ index 1; // zero based
+ bucket 400;
+ message "apache phpMyAdmin reference";
+ };
 pattern "(.*) - - .*/phpMyAdmin/" {
 index 1; // zero based
 bucket 400;
 message "apache phpMyAdmin reference";
 };
+ pattern "(.*) - - .*/user/soapCaller" {
+ index 1; // zero based
+ bucket 400;
+ message "apache soapCaller reference";
+ };
+ pattern "(.*) - - .*POST /contact.php" {
+ index 1; // zero based
+ bucket 400;
+ message "apache contact.php post";
+ };
+ pattern "(.*) - - .*/crossdomain.xml" {
+ index 1; // zero based
+ bucket 400;
+ message "apache crossdomain.xml reference";
+ };
 pattern "(.*) - - .*/cart/" {
 index 1; // zero based
 bucket 400;
@@ -143,7 +168,7 @@
 };
 pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
 index 1; // zero based
- bucket 200;
+ bucket 1800;
 message "sendmail pre-greeting";
 };
 pattern "dovecot.*Aborted login.*rip=(.*)," {
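Review bot: `POST /contact.php` and `/crossdomain.xml` describe ordinary traffic rather than probes: a visitor who resubmits a contact form after a validation error, or a Flash client that fetches the cross-domain policy before each cross-origin call, makes two such requests inside the decay window and, at `bucket 400` against `threshold 550`, is firewalled on the second one (assuming these patterns sit in `context general`, whose threshold appears in the first hunk; the enclosing `file` block starts outside this hunk). If the contact form is being abused, keying on the abuse signal or lowering the bucket so several posts are needed, e.g. `bucket 100;`, keeps real users reachable. `.*/Admin/` is likewise a broad substring that matches any site path containing `/Admin/`, not only phpMyAdmin aliases, despite its `apache phpMyAdmin reference` message. Each of these new patterns would benefit from a one-line comment stating why the request is treated as hostile on this host.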
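Review bot: `bucket 1800;` now exceeds the `threshold 550` shown in the first hunk, so a single sendmail pre-greeting event blocks the sender at once instead of after three, which is a behaviour change worth stating in the config, e.g. `bucket 1800; // above threshold: block on the first pre-greeting event`. Whether this pattern is scored against that threshold is inferred, since the enclosing `context` and `file` blocks begin outside the hunk.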