diff syslog2iptables.conf.top @ 61:d80641be405b stable-1-0-15

add script to build syslog2iptables.conf
author Carl Byington <carl@five-ten-sg.com>
date Sat, 04 Oct 2014 10:01:32 -0700
parents
children 60f59936fabb
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/syslog2iptables.conf.top	Sat Oct 04 10:01:32 2014 -0700
@@ -0,0 +1,113 @@
+context general {
+    threshold 550;
+
+    add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
+    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
+
+    ignore {
+        127.0.0.0/8;        // localhost
+    };
+
+    file "/var/log/secure" {
+        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
+            index 1;    // zero based
+            bucket 400;
+            message "ssh failed password";
+        };
+        pattern "sshd.*Failed password .* from (.*) port" {
+            index 1;    // zero based
+            bucket 400;
+            message "ssh failed password";
+        };
+        pattern "sshd.*authentication failure; .* rhost=(.*) " {
+            index 1;    // zero based
+            bucket 400;
+            message "ssh failed password";
+        };
+        pattern "sshd.*Did not receive identification string from (.*)" {
+            index 1;    // zero based
+            bucket 400;
+            message "ssh failed password";
+        };
+        pattern "proftpd.*no such user found from (.*) \[" {
+            index 1;    // zero based
+            bucket 400;
+            message "ftp failed password";
+        };
+        pattern "proftpd.* authentication failure; .* rhost=(.*) " {
+            index 1;    // zero based
+            bucket 400;
+            message "ftp failed password";
+        };
+        pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
+            index 1;    // zero based
+            bucket 400;
+            message "ftp failed password";
+        };
+        pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
+            index 1;    // zero based
+            bucket 400;
+            message "dovecot failed password";
+        };
+        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
+            index 1;    // zero based
+            bucket 400;
+            message "dovecot failed password";
+        };
+    };
+
+    file "/var/log/messages" {
+        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
+            index 1;    // zero based
+            bucket 400;
+            message "dovecot failed password";
+        };
+        pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
+            index 1;    // zero based
+            bucket 400;
+            message "kernel firewall blocked packet";
+        };
+        pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
+            index 1;    // zero based
+            bucket 400;
+            message "kernel firewall blocked packet";
+        };
+    };
+
+    file "/var/log/maillog" {
+        pattern "\]: .* \[(.*)\] did not issue MAIL" {
+            index 1;    // zero based
+            bucket 200;
+            message "sendmail banner probe";
+        };
+        pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
+            index 1;    // zero based
+            bucket 200;
+            message "sendmail spammer dropping connection";
+        };
+        pattern " \[(.*)\]: possible SMTP attack" {
+            index 1;    // zero based
+            bucket 600;
+            message "sendmail authentication attack";
+        };
+        pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
+            index 1;    // zero based
+            bucket 1800;
+            message "sendmail pre-greeting";
+        };
+        pattern "authentication failure: checkpass failed,.*\[(.*)\]" {
+            index 1;    // zero based
+            bucket 600;
+            message "sendmail authentication attack";
+        };
+        pattern "dovecot.*Aborted login.*rip=(.*)," {
+            index 1;    // zero based
+            bucket 100;
+            message "dovecot failed password";
+        };
+        pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
+            index 1;    // zero based
+            bucket 100;
+            message "dovecot failed password";
+        };
+    };
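Review bot: Every capture group in this file is a greedy `(.*)`, and the captured text is substituted for `%s` in `/sbin/iptables -I INPUT --src %s --jump DROP` (lines 16-17); nothing visible here guarantees the capture is a bare IPv4 address before it reaches the iptables command line, so a log line with extra tokens (or, if the daemon hands the command to a shell, shell metacharacters) can end up in the rule or the command. The patterns terminated by a literal such as ` port` or `\]` are bounded, but `Did not receive identification string from (.*)` (line 39) runs to end of line and the `rhost=(.*) ` patterns (34, 49, 54, 59, 64, 72) stop at the last space on the line rather than the first, so a PAM line such as `rhost=1.2.3.4  user=root` would not yield a clean address. I would constrain the groups to an address shape, e.g. `rhost=([0-9.]+)` and `from ([0-9.]+)`, so only a dotted quad can be substituted regardless of how the consuming code validates it, and add `// capture must be a bare IPv4 address: it is substituted into add_command/remove_command` above the first pattern. Whether the daemon already validates the capture, and whether the first matching pattern wins (which the `::ffff:` variants on lines 24 and 59 appear to rely on), cannot be confirmed from this file.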