view syslog2iptables.conf.top @ 61:d80641be405b stable-1-0-15
add script to build syslog2iptables.conf
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Sat, 04 Oct 2014 10:01:32 -0700 |
parents | |
children | 60f59936fabb |
// syslog2iptables.conf.top -- head fragment of syslog2iptables.conf.
// NOTE(review): the "context general {" opened below is not closed in this
// file; the build script named in the commit message presumably appends the
// remaining sections and the closing "};" -- confirm before editing by hand.
//
// Each "pattern" pairs a log file with a regular expression; the capture
// group selected by "index" (zero based) yields the address substituted for
// %s in add_command / remove_command.  How "bucket" relates to "threshold"
// is not visible here; presumably each match adds "bucket" to the address's
// score and add_command runs once that score exceeds "threshold" -- verify
// against the syslog2iptables documentation.
context general {
    threshold 550;

    // The captured log text is interpolated into these commands.  Whether
    // the daemon validates the capture as an IP address before running them
    // is not visible in this file -- confirm, since that text originates in
    // log lines written about remote clients.
    add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

    // Addresses that are never blocked.  Only loopback is listed; any
    // administrative hosts that must never be locked out would need an
    // entry here as well.
    ignore {
        127.0.0.0/8;    // localhost
    };

    // sshd, proftpd, vsftpd and dovecot authentication failures.
    file "/var/log/secure" {
        // IPv4-mapped IPv6 form ("::ffff:a.b.c.d") listed before the plain
        // form so the prefix is stripped from the capture; whether the first
        // matching pattern wins is not visible here -- confirm.
        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Failed password .* from (.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Did not receive identification string from (.*)" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "proftpd.*no such user found from (.*) \[" {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "proftpd.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        // Same ordering rule as the sshd pair above: mapped form first.
        pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
            index 1;    // zero based
            bucket 400;
            message "dovecot failed password";
        };
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "dovecot failed password";
        };
    };

    // dovecot failures that land in messages, plus kernel packet-log lines.
    file "/var/log/messages" {
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "dovecot failed password";
        };
        // "local-net-to" / "outside-net-from" are presumably the log
        // prefixes of the local firewall's logging rules; the capture is
        // the SRC= field of the logged packet.
        pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
            index 1;    // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
        pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
            index 1;    // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
    };

    // sendmail and dovecot events from the mail log.  Bucket sizes differ
    // per event here (200 / 600 / 1800 / 100) rather than the flat 400 used
    // above.
    file "/var/log/maillog" {
        pattern "\]: .* \[(.*)\] did not issue MAIL" {
            index 1;    // zero based
            bucket 200;
            message "sendmail banner probe";
        };
        pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
            index 1;    // zero based
            bucket 200;
            message "sendmail spammer dropping connection";
        };
        pattern " \[(.*)\]: possible SMTP attack" {
            index 1;    // zero based
            bucket 600;
            message "sendmail authentication attack";
        };
        pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
            index 1;    // zero based
            bucket 1800;
            message "sendmail pre-greeting";
        };
        pattern "authentication failure: checkpass failed,.*\[(.*)\]" {
            index 1;    // zero based
            bucket 600;
            message "sendmail authentication attack";
        };
        pattern "dovecot.*Aborted login.*rip=(.*)," {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
        // NOTE(review): "Disconnected: Shutting down" reads as a server-side
        // disconnect reason rather than a client failure; confirm against
        // dovecot's log semantics that scoring these clients is intended.
        pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
    };