sendmail auth failure detection for both login and plain methods
author Carl Byington <carl@five-ten-sg.com>
date Mon, 24 Dec 2018 08:31:27 -0800

context general {
    // An address is acted on once the sum of the bucket values credited to it
    // by the patterns below reaches this score (the daemon may decay scores
    // over time; that is not visible from this file).
    threshold 550;

    // %s is replaced with the text captured by the matching pattern. That text
    // is lifted straight out of a log line, so every pattern below should only
    // ever capture an address. The command is IPv4-only, and -I puts the DROP
    // ahead of every existing INPUT rule, so a blocked address loses even
    // already-established connections.
    add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

    // Addresses that are never blocked. Consider adding your own management
    // networks here: a handful of mistyped passwords from an admin workstation
    // is enough to reach the threshold and lock you out.
    ignore {
        127.0.0.0/8;        // localhost
    };

    file "/var/log/secure" {
        pattern "manual unblock (.*)" {
            index 1;    // zero based
            bucket -5000;
            message "manual unblock";
        };
        pattern "manual block (.*)" {
            index 1;    // zero based
            bucket 5000;
            message "manual block";
        };
        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Failed password .* from (.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Did not receive identification string from (.*)" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "proftpd.*no such user found from (.*) \[" {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "proftpd.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
    };

    file "/var/log/messages" {
        pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
            index 1;    // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
        pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
            index 1;    // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
    };

    file "/var/log/maillog" {
        pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
            index 1;    // zero based
            bucket 100;
            message "sendmail spammer dropping connection";
        };
        pattern " \[(.*)\].* possible SMTP attack" {
            index 1;    // zero based
            bucket 100;
            message "sendmail authentication attack";
        };
        #pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
        #    index 1;    // zero based
        #    bucket 0;   // disable - iphone setup trips this; bucket 1800;
        #    message "sendmail pre-greeting";
        #};
        pattern "authentication failure: .* failed, .*\[(.*)\]" {
            index 1;    // zero based
            bucket 100;
            message "sendmail authentication failed";
        };
        pattern "dovecot.*Aborted login .* rip=(.*), lip=" {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
        pattern "dovecot.*Disconnected.*auth failed.* rip=(.*), lip=" {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
        pattern "dovecot.*Login: user=.* rip=(.*), lip=" {
            index 1;    // zero based
            bucket -5000;
            message "dovecot good authentication";
        };
        pattern "sendmail.*AUTH=server, .*\[(.*)\]," {
            index 1;    // zero based
            bucket -5000;
            message "sendmail good authentication";
        };
    };