diff syslog2iptables.conf.top @ 65:f17e6599b82c

fix default config regular expressions for greedy matching
author Carl Byington <carl@five-ten-sg.com>
date Sat, 19 Dec 2015 11:12:08 -0800
parents 60f59936fabb
children d179292293eb
--- a/syslog2iptables.conf.top	Sat Dec 19 10:25:11 2015 -0800
+++ b/syslog2iptables.conf.top	Sat Dec 19 11:12:08 2015 -0800
@@ -49,24 +49,9 @@
             bucket 400;
             message "ftp failed password";
         };
-        pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
-            index 1;    // zero based
-            bucket 100;
-            message "dovecot failed password";
-        };
-        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
-            index 1;    // zero based
-            bucket 100;
-            message "dovecot failed password";
-        };
     };
 
     file "/var/log/messages" {
-        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
-            index 1;    // zero based
-            bucket 100;
-            message "dovecot failed password";
-        };
         pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
             index 1;    // zero based
             bucket 400;
@@ -92,7 +77,7 @@
         };
         pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
             index 1;    // zero based
-            bucket 1800;
+            bucket 0;   // disable - iphone setup trips this; bucket 1800;
             message "sendmail pre-greeting";
         };
         pattern "authentication failure: checkpass failed, .*\[(.*)\]" {
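Review bot: The new `bucket 0;` line on the pre-greeting pattern turns the rule off for every site that uses this default config, and the trailing comment buries the old value after a semicolon, where it reads like a second statement. Whether a zero bucket fully disables the rule or still logs the match is not visible in this hunk, so the comment should say which. A clearer form would be `bucket 0;   // disabled by default: iPhone mail setup triggers this; use 1800 to re-enable`. Operators who relied on this rule to catch pre-greeting traffic lose that signal on upgrade, which is worth a line in the release notes.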
@@ -100,12 +85,12 @@
             bucket 100;
             message "sendmail authentication failed";
         };
-        pattern "dovecot.*Aborted login .* rip=(.*)," {
+        pattern "dovecot.*Aborted login .* rip=(.*), lip=" {
             index 1;    // zero based
             bucket 100;
             message "dovecot failed password";
         };
-        pattern "dovecot.*Login: .* rip=(.*)," {
+        pattern "dovecot.*Login: .* rip=(.*), lip=" {
             index 1;    // zero based
             bucket -5000;
             message "dovecot good authentication";
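Review bot: Both `rip=` patterns still capture with an unrestricted greedy `(.*)`, and the leading `dovecot.*` and `.* rip=` are greedy too. The added `, lip=` suffix only bounds the group correctly while the line holds exactly one `, lip=`. The `Login:` rule carries `bucket -5000`, so a wrongly captured address there earns credit rather than a penalty, which makes it the rule most worth tightening. If the tool's regex dialect accepts bracket expressions, limit the group to address characters, e.g. `rip=([0-9a-fA-F:.]+), lip=`, so that other text in the log line cannot end up in the captured value. The enclosing `file` block starts and ends outside this hunk.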