view syslog2iptables.conf @ 45:4fd5f0d51144

Added tag stable-1-10 for changeset 9e9f09cf411c
author Carl Byington <carl@five-ten-sg.com>
date Sat, 22 Mar 2008 11:01:54 -0700
parents d9ae11033b4b
children 75361069c6ef
line wrap: on
line source

threshold 550;

add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

ignore {
    127.0.0.0/8;        // localhost
};

//  file "/var/log/cisco.log" {
//      pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
//          index 2;    // zero based
//          bucket 200;
//          message "cisco firewall blocked packet";
//      };
//  };

file "/var/log/secure" {
    pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
        index 1;    // zero based
        bucket 400;
        message "ssh failed password";
    };
    pattern "sshd.*Failed password .* from (.*) port" {
        index 1;    // zero based
        bucket 400;
        message "ssh failed password";
    };
};

file "/var/log/httpd/access_log" {
    // of course you cannot use this if you actually use cgi-bin directories
    pattern "(.*) - - .* /cgi-bin" {
        index 1;    // zero based
        bucket 400;
        message "apache cgi-bin reference";
    };
    // or if you actually have an index2.php script
    pattern "(.*) - - .*/index2.php" {
        index 1;    // zero based
        bucket 400;
        message "apache index2.php reference";
    };
    // or if you have a main.php script
    pattern "(.*) - - .*/main.php" {
        index 1;    // zero based
        bucket 400;
        message "apache main.php reference";
    };
};

file "/var/log/maillog" {
    pattern "lost input channel from .* \[(.*)\] .* after mail" {
        index 1;    // zero based
        bucket 200;
        message "sendmail spammer dropping connection";
    };

    // make sure your upstream MX servers are listed in the
    // ignore block above, otherwise you will kill them off
    // when they try to forward such mail to you.
    pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
        index 1;    // zero based
        bucket 200;
        message "sendmail rejected bounce";
    };
};

//  file "/var/log/messages" {
//      pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
//          index 1;    // zero based
//          bucket 300;
//          message "ssh failed password";
//      };
//      pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
//          index 1;    // zero based
//          bucket 300;
//          message "ssh failed password";
//      };
//  };