view syslog2iptables.conf @ 45:4fd5f0d51144
Added tag stable-1-10 for changeset 9e9f09cf411c
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Sat, 22 Mar 2008 11:01:54 -0700 |
parents | d9ae11033b4b |
children | 75361069c6ef |
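// syslog2iptables.conf -- watch log files for patterns that capture a
// source address and block that address with iptables.
//
// The text captured by the parenthesised group of each pattern is
// substituted for %s in add_command / remove_command below.  Everything
// that follows the peer address on a log line (requested URL, user agent,
// ssh user name, SMTP envelope) can be chosen by the remote peer, so the
// capture groups are restricted to dotted-decimal IPv4 characters instead
// of an unrestricted (.*): a greedy capture bounded only by text that may
// recur later in the line can swallow peer-controlled data.  Only IPv4
// literals are captured because add_command runs iptables, not ip6tables.
// NOTE(review): whether syslog2iptables itself validates the captured
// value before running the command is not visible here -- confirm.

threshold 550;
add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

// addresses that are never blocked, whatever is logged about them;
// administrative hosts belong here as well
ignore {
    127.0.0.0/8;    // localhost
};

// file "/var/log/cisco.log" {
//     pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
//         index 2;    // zero based
//         bucket 200;
//         message "cisco firewall blocked packet";
//     };
// };

file "/var/log/secure" {
    // IPv4-mapped form: "... from ::ffff:a.b.c.d port ..."
    pattern "sshd.*Failed password .* from ::ffff:([0-9.]+) port" {
        index 1;    // zero based
        bucket 400;
        message "ssh failed password";
    };
    pattern "sshd.*Failed password .* from ([0-9.]+) port" {
        index 1;    // zero based
        bucket 400;
        message "ssh failed password";
    };
};

file "/var/log/httpd/access_log" {
    // the client address is the first field of the access log; the
    // request text that follows it is peer-controlled, hence the
    // restricted capture
    // of course you cannot use this if you actually use cgi-bin directories
    pattern "([0-9.]+) - - .* /cgi-bin" {
        index 1;    // zero based
        bucket 400;
        message "apache cgi-bin reference";
    };
    // or if you actually have an index2.php script
    pattern "([0-9.]+) - - .*/index2.php" {
        index 1;    // zero based
        bucket 400;
        message "apache index2.php reference";
    };
    // or if you have a main.php script
    pattern "([0-9.]+) - - .*/main.php" {
        index 1;    // zero based
        bucket 400;
        message "apache main.php reference";
    };
};

file "/var/log/maillog" {
    pattern "lost input channel from .* \[([0-9.]+)\] .* after mail" {
        index 1;    // zero based
        bucket 200;
        message "sendmail spammer dropping connection";
    };
    // make sure your upstream MX servers are listed in the
    // ignore block above, otherwise you will kill them off
    // when they try to forward such mail to you.
    pattern "sendmail.*from=<>,.*nrcpts=0,.*\[([0-9.]+)\]" {
        index 1;    // zero based
        bucket 200;
        message "sendmail rejected bounce";
    };
};

// file "/var/log/messages" {
//     pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
//         index 1;    // zero based
//         bucket 300;
//         message "ssh failed password";
//     };
//     pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
//         index 1;    // zero based
//         bucket 300;
//         message "ssh failed password";
//     };
// };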