diff syslog2iptables.conf.top @ 61:d80641be405b stable-1-0-15
add script to build syslog2iptables.conf
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Sat, 04 Oct 2014 10:01:32 -0700 |
parents | |
children | 60f59936fabb |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/syslog2iptables.conf.top Sat Oct 04 10:01:32 2014 -0700
@@ -0,0 +1,113 @@
+context general {
+ threshold 550;
+
+ add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
+ remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
+
+ ignore {
+ 127.0.0.0/8; // localhost
+ };
+
+ file "/var/log/secure" {
+ pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
+ index 1; // zero based
+ bucket 400;
+ message "ssh failed password";
+ };
+ pattern "sshd.*Failed password .* from (.*) port" {
+ index 1; // zero based
+ bucket 400;
+ message "ssh failed password";
+ };
+ pattern "sshd.*authentication failure; .* rhost=(.*) " {
+ index 1; // zero based
+ bucket 400;
+ message "ssh failed password";
+ };
+ pattern "sshd.*Did not receive identification string from (.*)" {
+ index 1; // zero based
+ bucket 400;
+ message "ssh failed password";
+ };
+ pattern "proftpd.*no such user found from (.*) \[" {
+ index 1; // zero based
+ bucket 400;
+ message "ftp failed password";
+ };
+ pattern "proftpd.* authentication failure; .* rhost=(.*) " {
+ index 1; // zero based
+ bucket 400;
+ message "ftp failed password";
+ };
+ pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
+ index 1; // zero based
+ bucket 400;
+ message "ftp failed password";
+ };
+ pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
+ index 1; // zero based
+ bucket 400;
+ message "dovecot failed password";
+ };
+ pattern "dovecot.* authentication failure; .* rhost=(.*) " {
+ index 1; // zero based
+ bucket 400;
+ message "dovecot failed password";
+ };
+ };
+
+ file "/var/log/messages" {
+ pattern "dovecot.* authentication failure; .* rhost=(.*) " {
+ index 1; // zero based
+ bucket 400;
+ message "dovecot failed password";
+ };
+ pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
+ index 1; // zero based
+ bucket 400;
+ message "kernel firewall blocked packet";
+ };
+ pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
+ index 1; // zero based
+ bucket 400;
+ message "kernel firewall blocked packet";
+ };
+ };
+
+ file "/var/log/maillog" {
+ pattern "\]: .* \[(.*)\] did not issue MAIL" {
+ index 1; // zero based
+ bucket 200;
+ message "sendmail banner probe";
+ };
+ pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
+ index 1; // zero based
+ bucket 200;
+ message "sendmail spammer dropping connection";
+ };
+ pattern " \[(.*)\]: possible SMTP attack" {
+ index 1; // zero based
+ bucket 600;
+ message "sendmail authentication attack";
+ };
+ pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
+ index 1; // zero based
+ bucket 1800;
+ message "sendmail pre-greeting";
+ };
+ pattern "authentication failure: checkpass failed,.*\[(.*)\]" {
+ index 1; // zero based
+ bucket 600;
+ message "sendmail authentication attack";
+ };
+ pattern "dovecot.*Aborted login.*rip=(.*)," {
+ index 1; // zero based
+ bucket 100;
+ message "dovecot failed password";
+ };
+ pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
+ index 1; // zero based
+ bucket 100;
+ message "dovecot failed password";
+ };
+ };
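Review bot: Every `(.*)` capture in this hunk is what gets substituted for `%s` in `add_command`/`remove_command`, yet none of them is constrained to address syntax, and the `sshd.*Did not receive identification string from (.*)` pattern in the /var/log/secure block has no terminator at all, so it captures to end of line. These log files carry client-supplied fields, so whatever a loose capture picks up is handed to the iptables invocation unchanged; a capture shaped like `([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)` in place of `(.*)` (keeping the `::ffff:` variants ordered first, as they are) limits `%s` to text that parses as an IPv4 address and also makes a bad match fail the regex instead of the command. The same shape helps the greedy cases such as `from (.*) port`, where `.*` extends to the last ` port` on the line rather than the first. Whether the configured command is run through a shell is not visible in this hunk; if it is, the tighter capture is the main line of defence.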