view syslog2iptables.conf.top @ 63:60f59936fabb

good authentication prevents ip blocking for a while
author Carl Byington <carl@five-ten-sg.com>
date Sat, 19 Dec 2015 10:12:24 -0800
parents d80641be405b
children f17e6599b82c

context general {
    // Blocking threshold: presumably the per-address bucket total at which
    // add_command is run for that address (semantics per the daemon; not
    // verifiable from this file alone).
    threshold 550;

    // Commands executed with the offending address substituted for %s.
    // NOTE(review): the substituted value is whatever the matching pattern's
    // capture group yields, and the patterns below use unanchored "(.*)"
    // captures; confirm the daemon validates the capture as an IP address
    // before these commands are invoked.
    add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

    // Addresses that are never blocked, whatever their score.
    ignore {
        127.0.0.0/8;        // localhost
    };

    // Authentication log. Each pattern's selected capture group is the address
    // that is charged (positive bucket) or credited (negative bucket).
    file "/var/log/secure" {
        // Operator escape hatch: a matching line credits the address well
        // below the threshold.
        // NOTE(review): any process able to write a matching line into this
        // log can trigger the credit; confirm the log facility is writable
        // only by trusted processes.
        pattern "manual unblock (.*)" {
            index 1;    // zero based
            bucket -5000;
            message "manual unblock";
        };
        // IPv4-mapped IPv6 form (::ffff:a.b.c.d) listed before the plain form
        // so the capture excludes the ::ffff: prefix.
        // NOTE(review): assumes the first matching pattern wins — confirm in
        // the daemon.
        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Failed password .* from (.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        // PAM-style failure line; the trailing space bounds the greedy capture.
        pattern "sshd.*authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        // Connection closed before the client sent its version banner
        // (scanners and aborted connects); charged the same as a bad password.
        pattern "sshd.*Did not receive identification string from (.*)" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        // proftpd / vsftpd failures.
        pattern "proftpd.*no such user found from (.*) \[" {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "proftpd.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        // Dovecot failures are charged less per event (100 vs 400) than ssh/ftp;
        // ::ffff: form first, as for sshd above.
        pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
    };

    // General syslog: dovecot failures that land here, plus kernel firewall
    // log lines.
    file "/var/log/messages" {
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
        // Netfilter log lines; "local-net-to" / "outside-net-from" are
        // presumably the firewall's log prefixes for the dropped traffic.
        // The capture is the SRC= address; " DST=" bounds the greedy ".*".
        pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
            index 1;    // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
        pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
            index 1;    // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
    };

    // Mail log: sendmail and dovecot events. Failures are charged; successful
    // authentications are credited (negative bucket).
    file "/var/log/maillog" {
        // This pattern has two capture groups; index 1 selects the bracketed
        // address, not the (mail|rcpt|auth) alternation.
        pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
            index 1;    // zero based
            bucket 100;
            message "sendmail spammer dropping connection";
        };
        pattern " \[(.*)\].* possible SMTP attack" {
            index 1;    // zero based
            bucket 100;
            message "sendmail authentication attack";
        };
        // Pre-greeting traffic is charged far more per event (1800) than the
        // other mail patterns, exceeding the threshold in a single hit.
        pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
            index 1;    // zero based
            bucket 1800;
            message "sendmail pre-greeting";
        };
        pattern "authentication failure: checkpass failed, .*\[(.*)\]" {
            index 1;    // zero based
            bucket 100;
            message "sendmail authentication failed";
        };
        pattern "dovecot.*Aborted login .* rip=(.*)," {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
        // Successful logins credit the source so that legitimate clients with
        // occasional mistakes are not blocked.
        // NOTE(review): one success offsets many failures (5000 vs 100-400 per
        // failure, threshold 550), so further failed attempts from an address
        // that has authenticated once are tolerated until the credit is
        // consumed; weigh this against the account-guessing risk from a
        // shared or compromised client address.
        pattern "dovecot.*Login: .* rip=(.*)," {
            index 1;    // zero based
            bucket -5000;
            message "dovecot good authentication";
        };
        pattern "sendmail.*AUTH=server, .*\[(.*)\]," {
            index 1;    // zero based
            bucket -5000;
            message "sendmail good authentication";
        };
    };