view syslog2iptables.conf @ 28:6465d8640489

make add/remove commands configureable
author carl
date Sun, 12 Feb 2006 11:10:21 -0800

// Score an address must reach before add_command runs for it
// (presumably the per-pattern "bucket" values below add to this
// score; the decay rate is not set in this file -- confirm against
// the syslog2iptables documentation).
threshold 550;

// %s is replaced by the text captured by the "index" group of a
// matching pattern below, and that text reaches the command verbatim.
// Every pattern should therefore capture only an address-shaped
// string -- the log lines being scanned contain attacker-chosen text
// (usernames, request URIs), so an over-broad capture puts untrusted
// data into these commands.  NOTE(review): this file does not show
// whether the command is run through a shell or exec()'d directly;
// treat the capture as untrusted either way.
add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

// Addresses that are never blocked, whatever they log.  Only loopback
// is listed; NOTE(review): consider adding the networks you administer
// this host from (and any monitoring hosts that probe sshd or the
// web server), since a blocked admin address is only recoverable from
// the console until remove_command runs.
ignore {
    127.0.0.0/8;        // localhost
};

//  file "/var/log/cisco.log" {
//      pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
//          index 2;    // zero based
//          bucket 200;
//      };
//  };

file "/var/log/secure" {
    pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
        index 1;    // zero based
        bucket 400;
    };
    pattern "sshd.*Failed password .* from (.*) port" {
        index 1;    // zero based
        bucket 400;
    };
};

file "/var/log/httpd/access_log" {
    pattern "(.*) - - .* /cgi-bin" {
        index 1;    // zero based
        bucket 400;
    };
    pattern "(.*) - - .*/index2.php" {
        index 1;    // zero based
        bucket 400;
    };
    pattern "(.*) - - .*/main.php" {
        index 1;    // zero based
        bucket 400;
    };
};

//  file "/var/log/messages" {
//      pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
//          index 1;    // zero based
//          bucket 300;
//      };
//      pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
//          index 1;    // zero based
//          bucket 300;
//      };
//  };