view syslog2iptables.conf @ 59:f133196b8591

fix c++11 compiler warnings
author Carl Byington <carl@five-ten-sg.com>
date Tue, 10 Jun 2014 09:03:08 -0700
parents b45dddebe8fc
children

// syslog2iptables configuration: one "context" that watches the log files
// listed below, scores each client address captured by a matching pattern,
// and runs add_command against that address once its score reaches
// threshold (remove_command presumably undoes the block later).
// NOTE(review): how bucket values accumulate and decay against threshold
// is not visible in this file — confirm against the daemon's documentation
// before tuning the numbers.
context general {
    threshold 550;      // score at which add_command fires — presumably per address; confirm

    // %s is replaced by the text the pattern's indexed capture group matched.
    // -I puts the rule at the top of INPUT, ahead of any existing accept
    // rules; -D must carry the identical rule spec so the remove matches
    // the rule that was added.
    // NOTE(review): the captured text originates in log lines that remote
    // clients influence — confirm the daemon validates it as an address
    // before substituting it into these shell commands.
    add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

    // addresses presumably exempt from blocking regardless of score
    ignore {
        127.0.0.0/8;        // localhost
    };

    // Each pattern appears to be a regex with a capture group around the
    // client address: index selects the group (zero based, so 1 is the
    // first parenthesised group), bucket is presumably the score a match
    // contributes, message is the text logged for the event.
    file "/var/log/secure" {
        // The ::ffff: form is listed before the plain form so an IPv4-mapped
        // IPv6 address is captured without its prefix — this relies on the
        // first matching pattern winning; confirm in the daemon.
        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Failed password .* from (.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Did not receive identification string from (.*)" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "proftpd.*no such user found from (.*) \[" {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "proftpd.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        // same ::ffff:-before-plain ordering as the sshd patterns above
        pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
            index 1;    // zero based
            bucket 400;
            message "dovecot failed password";
        };
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "dovecot failed password";
        };
    };

    // dovecot and ipop3d may log here rather than (or as well as) in
    // /var/log/secure, depending on the syslog configuration
    file "/var/log/messages" {
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "dovecot failed password";
        };
        pattern "ipop3d.* Login failed .* \[(.*)\]" {
            index 1;    // zero based
            bucket 400;
            message "pop3 failed password";
        };
    };

    // Web-scanner signatures. The capture group is everything before the
    // first " - - ", which in Apache's common/combined log format is the
    // client address. Each path is matched as a substring anywhere in the
    // request line, so any legitimate URL containing it (e.g. anything
    // under /Admin/ or /cart/) scores the client as well — drop the
    // patterns for paths your site really serves.
    file "/var/log/httpd/access_log" {
        // of course you cannot use this if you actually use cgi-bin directories
        pattern "(.*) - - .* /cgi-bin" {
            index 1;    // zero based
            bucket 400;
            message "apache cgi-bin reference";
        };
        // or if you actually have an index2.php script
        pattern "(.*) - - .*/index2.php" {
            index 1;    // zero based
            bucket 400;
            message "apache index2.php reference";
        };
        // or if you have a main.php script
        pattern "(.*) - - .*/main.php" {
            index 1;    // zero based
            bucket 400;
            message "apache main.php reference";
        };
        pattern "(.*) - - .*/awstats.pl" {
            index 1;    // zero based
            bucket 400;
            message "apache awstats.pl reference";
        };
        pattern "(.*) - - .*/xmlrpc" {
            index 1;    // zero based
            bucket 400;
            message "apache xmlrpc reference";
        };
        pattern "(.*) - - .*/adxmlrpc" {
            index 1;    // zero based
            bucket 400;
            message "apache adxmlrpc reference";
        };
        pattern "(.*) - - .*/includes/general.js" {
            index 1;    // zero based
            bucket 400;
            message "apache general.js reference";
        };
        // the next three catch common probes for phpMyAdmin installs
        pattern "(.*) - - .*/Admin/" {
            index 1;    // zero based
            bucket 400;
            message "apache phpMyAdmin reference";
        };
        pattern "(.*) - - .*/MyAdmin/" {
            index 1;    // zero based
            bucket 400;
            message "apache phpMyAdmin reference";
        };
        pattern "(.*) - - .*/phpMyAdmin/" {
            index 1;    // zero based
            bucket 400;
            message "apache phpMyAdmin reference";
        };
        pattern "(.*) - - .*/user/soapCaller" {
            index 1;    // zero based
            bucket 400;
            message "apache soapCaller reference";
        };
        // only POSTs score here; a GET of contact.php does not match
        pattern "(.*) - - .*POST /contact.php" {
            index 1;    // zero based
            bucket 400;
            message "apache contact.php post";
        };
        pattern "(.*) - - .*/crossdomain.xml" {
            index 1;    // zero based
            bucket 400;
            message "apache crossdomain.xml reference";
        };
        pattern "(.*) - - .*/cart/" {
            index 1;    // zero based
            bucket 400;
            message "apache cart reference";
        };
        pattern "(.*) - - .*/zen/" {
            index 1;    // zero based
            bucket 400;
            message "apache zen reference";
        };
        pattern "(.*) - - .*/zencart/" {
            index 1;    // zero based
            bucket 400;
            message "apache zencart reference";
        };
    };

    // Mail events use different bucket sizes from the 400 used elsewhere,
    // so the same threshold is reached after a different number of hits.
    file "/var/log/maillog" {
        // two capture groups here; index 1 picks the address in brackets,
        // not the (mail|rcpt|auth) phase in the second group
        pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
            index 1;    // zero based
            bucket 200;
            message "sendmail spammer dropping connection";
        };
        pattern " \[(.*)\]: possible SMTP attack" {
            index 1;    // zero based
            bucket 600;
            message "sendmail authentication attack";
        };
        // 1800 exceeds threshold 550 on its own — if scores simply
        // accumulate as assumed, one pre-greeting hit blocks the address
        pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
            index 1;    // zero based
            bucket 1800;
            message "sendmail pre-greeting";
        };
        // low bucket: aborted/shut-down logins are weaker evidence than a
        // recorded authentication failure
        pattern "dovecot.*Aborted login.*rip=(.*)," {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
        pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };

        // Matches bounces (null sender from=<>) that were rejected for
        // every recipient (nrcpts=0). Legitimate relays produce these too:
        // make sure your upstream MX servers are listed in the ignore
        // block above, otherwise you will block them when they try to
        // forward such mail to you.
        pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
            index 1;    // zero based
            bucket 200;
            message "sendmail rejected bounce";
        };
    };
};