Mercurial > syslog2iptables
diff xml/syslog2iptables.in @ 53:d6fb7fca0394 stable-1-0-13
Document multiple contexts
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Sun, 25 Jan 2009 08:37:36 -0800 |
parents | 75361069c6ef |
children | b45dddebe8fc |
line wrap: on
line diff
--- a/xml/syslog2iptables.in Sat Jan 24 17:42:53 2009 -0800 +++ b/xml/syslog2iptables.in Sun Jan 25 08:37:36 2009 -0800 @@ -19,7 +19,7 @@ <refentry id="@PACKAGE@.1"> <refentryinfo> - <date>2008-05-29</date> + <date>2009-01-25</date> </refentryinfo> <refmeta> @@ -159,7 +159,7 @@ <refentry id="@PACKAGE@.conf.5"> <refentryinfo> - <date>2008-05-29</date> + <date>2009-01-25</date> </refentryinfo> <refmeta> @@ -188,13 +188,15 @@ </para> <literallayout class="monospaced"><![CDATA[ -CONFIG := {THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE}+ -THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE ";" -ADD-CMD := "add_command" IPT-CMD ";" -REM-CMD := "remove_command" IPT-CMD ";" -IGNORE := "ignore" "{" IG-SINGLE+ "};" -IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";" -FILE := "file" FILENAME "{" PATTERN+ "};" +CONFIG = {CONTEXT ";"}+ +CONTEXT = "context" NAME "{" {STATEMENT}+ "}" +STATEMENT := (THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE) ";" +THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE +ADD-CMD := "add_command" IPT-CMD +REM-CMD := "remove_command" IPT-CMD +IGNORE := "ignore" "{" IG-SINGLE+ "}" +IG-SINGLE := IP-ADDRESS "/" CIDR-BITS +FILE := "file" FILENAME "{" PATTERN+ "}" PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};" INDEX := "index" REGEX-INTEGER-VALUE ";" BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";" @@ -207,6 +209,27 @@ <refsect1 id='sample.5'> <title>Sample</title> <literallayout class="monospaced"><![CDATA[ +context dns { + threshold 1100; + + add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP"; + remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP"; + + ignore { + 127.0.0.0/8; // localhost + }; + + file "/var/log/messages" { + pattern "named.*client (.*)#.*query.*cache.*denied" { + index 1; // zero based + bucket 400; + message "DNS attack"; + }; + }; +}; + + +context general { threshold 550; add_command "/sbin/iptables -I INPUT --src %s --jump DROP"; @@ -216,14 +239,6 @@ 127.0.0.0/8; // localhost }; -file "/var/log/cisco.log" { - pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" { - index 2; // zero based - bucket 200; - message "cisco firewall blocked packet"; - }; -}; - file "/var/log/secure" { pattern "sshd.*Failed password .* from ::ffff:(.*) port" { index 1; // zero based @@ -235,44 +250,87 @@ bucket 400; message "ssh failed password"; }; + pattern "proftpd.*no such user found from (.*) \[" { + index 1; // zero based + bucket 400; + message "ftp failed password"; + }; + }; + + file "/var/log/messages" { + pattern "ipop3d.* Login failed .* \[(.*)\]" { + index 1; // zero based + bucket 400; + message "pop3 failed password"; + }; }; file "/var/log/httpd/access_log" { + // of course you cannot use this if you actually use cgi-bin directories pattern "(.*) - - .* /cgi-bin" { index 1; // zero based bucket 400; message "apache cgi-bin reference"; }; + // or if you actually have an index2.php script pattern "(.*) - - .*/index2.php" { index 1; // zero based bucket 400; message "apache index2.php reference"; }; + // or if you have a main.php script pattern "(.*) - - .*/main.php" { index 1; // zero based bucket 400; message "apache main.php reference"; }; + pattern "(.*) - - .*/awstats.pl" { + index 1; // zero based + bucket 400; + message "apache awstats.pl reference"; + }; + pattern "(.*) - - .*/adxmlrpc" { + index 1; // zero based + bucket 400; + message "apache adxmlrpc reference"; + }; }; file "/var/log/maillog" { - pattern "lost input channel from .* \[(.*)\] .* after mail" { + pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" { index 1; // zero based bucket 200; message "sendmail spammer dropping connection"; }; + pattern " \[(.*)\]: possible SMTP attack" { + index 1; // zero based + bucket 600; + message "sendmail authentication attack"; + }; + pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" { + index 1; // zero based + bucket 200; + message "sendmail pre-greeting"; + }; + pattern "dovecot.*Aborted login.*rip=(.*)," { + index 1; // zero based + bucket 100; + message "dovecot failed password"; + }; + pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," { + index 1; // zero based + bucket 100; + message "dovecot failed password"; }; -file "/var/log/messages" { - pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" { + // make sure your upstream MX servers are listed in the + // ignore block above, otherwise you will kill them off + // when they try to forward such mail to you. + pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" { index 1; // zero based - bucket 300; - message "ssh failed password"; + bucket 200; + message "sendmail rejected bounce"; }; - pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" { - index 1; // zero based - bucket 300; - message "ssh failed password"; }; };]]></literallayout> </refsect1>