view syslog2iptables.conf.top @ 82:384532d596c0 default tip

Added tag stable-1-0-19 for changeset cc01f2caff37
author Carl Byington <carl@five-ten-sg.com>
date Sun, 11 Feb 2024 12:06:36 -0800
parents cc01f2caff37
children

# Context "monitor2": notification only.  add_command carries no %s, so the
# same e-mail is sent whichever address tripped the threshold, and
# remove_command is a no-op ("true").  Compare context general below, which
# blocks the address with iptables.
context monitor2 {
    threshold 150;  // one match (bucket 100) stays below this; two that have not decayed exceed it — NOTE(review): the decay rate is configured elsewhere, confirm
    add_command "echo 'rate limit exceeded' | mail -s 'rate limit exceeded' carl@five-ten-sg.com";
    remove_command "true";
    file "/var/log/maillog" {
        # milter rate-limit rejections.  index 1 presumably selects the first
        # (.*) group (the address); the (unique|recipient) group only
        # constrains the match.
        pattern "milter=dnsbl, .* reject=550 (.*) (unique|recipient) .* limit exceeded" {
            index 1;    // zero based
            bucket 100;
            message "rate limit exceeded";
        };
    };
};

context general {
    threshold 550;  // one ssh/ftp failure (bucket 400) stays below this; a second before the first has decayed exceeds it — NOTE(review): the decay rate is configured elsewhere, confirm

    # %s is replaced by the address extracted from the matching log line.
    # -I inserts the DROP at the head of INPUT so it takes effect ahead of any
    # ACCEPT rules; remove_command must mirror add_command exactly for -D to
    # find and delete that same rule.
    # NOTE(review): the patterns below capture with greedy (.*).  This relies
    # on the daemon validating the capture as an address before substituting
    # it into a shell command — confirm, since the captured text originates in
    # log lines that remote clients partly control.
    add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

    # Sources exempt from blocking (presumably their matches never reach
    # add_command — confirm whether they are still counted).  Keep the /32
    # entries for individual users current: a stale entry becomes a permanent
    # exemption for whoever is assigned that address next.
    ignore {
        127.0.0.0/8;        // localhost
        192.168.0.0/16;     // internal networks
        172.102.240.82/30;  // 510sg data center
        172.102.240.42/30;  // 510sg data center
        216.86.213.0/24;    // mbmg
        104.53.80.243/32;   // davd att
        75.140.46.51/32;    // davd spectrum
        67.227.199.34/32;   // routerdog
        67.227.199.43/32;   // routerdog
        69.167.152.113/32;  // routerdog
        69.167.152.152/32;  // routerdog
        209.59.129.6/32;    // routerdog
        205.139.110.0/24;   // mimecast probing smtp banners
        207.211.31.0/24;    // mimecast probing smtp banners
        216.205.24.0/24;    // mimecast probing smtp banners
        63.128.21.0/24;     // mimecast probing smtp banners
        146.101.78.0/24;    // mimecast probing smtp banners
        207.82.80.0/24;     // mimecast probing smtp banners
    };

    file "/var/log/secure" {
        # Operator hooks: a log line of this form in /var/log/secure forces a
        # block (5000 is well above the context threshold) or grants a large
        # credit that releases one.
        pattern "manual unblock (.*)" {
            index 1;    // zero based
            bucket -5000;
            message "manual unblock";
        };
        pattern "manual block (.*)" {
            index 1;    // zero based
            bucket 5000;
            message "manual block";
        };
        # IPv4-mapped IPv6 form listed before the generic "from (.*) port"
        # pattern so the ::ffff: prefix is kept out of the capture.
        # NOTE(review): this assumes the first matching pattern wins; if every
        # pattern is evaluated, the generic one also fires with the prefixed
        # text — confirm against the daemon.
        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Failed password .* from (.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        # PAM-style failure line; the trailing space bounds the rhost capture.
        pattern "sshd.*authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        # sshd logs this when a client connects and closes before sending a
        # protocol banner (scanners, banner grabs); weighted like a failed
        # password.
        pattern "sshd.*Did not receive identification string from (.*)" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        # FTP equivalents of the ssh failures above.  \[ is a literal bracket.
        pattern "proftpd.*no such user found from (.*) \[" {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "proftpd.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
    };

    file "/var/log/messages" {
        # Kernel firewall log lines.  "local-net-to" and "outside-net-from"
        # are presumably the --log-prefix strings of the host's iptables LOG
        # rules — confirm against the firewall script.  The capture is bounded
        # by the literal " DST=", so it takes the SRC field.
        pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
            index 1;    // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
        pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
            index 1;    // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
        # named "denied" lines; the capture is the client address preceding
        # the "#port" suffix.  Weighted 100, a quarter of the kernel patterns
        # above.
        pattern "named.* (.*)#.*denied$" {
            index 1;    // zero based
            bucket 100;
            message "dns query denied";
        };
    };

    file "/var/log/maillog" {
        # sendmail: client dropped the connection mid-session.  The second
        # group (mail|rcpt|auth) only constrains the match; index 1 is the
        # bracketed address.
        pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
            index 1;    // zero based
            bucket 100;
            message "sendmail spammer dropping connection";
        };
        # sendmail's own notice for repeated bad commands / AUTH failures from
        # one connection.
        pattern " \[(.*)\].* possible SMTP attack" {
            index 1;    // zero based
            bucket 100;
            message "sendmail authentication attack";
        };
        #pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
        #    index 1;    // zero based
        #    bucket 0;   // disable - iphone setup trips this; bucket 1800;
        #    message "sendmail pre-greeting";
        #};
        pattern "authentication failure: .* failed, .*\[(.*)\]" {
            index 1;    // zero based
            bucket 100;
            message "sendmail authentication failed";
        };
        # dovecot failed logins; the ", lip=" literal bounds the rip capture.
        pattern "dovecot.*Aborted login .* rip=(.*), lip=" {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
        pattern "dovecot.*Disconnected.*auth failed.* rip=(.*), lip=" {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
        # Successful authentications credit the address.
        # NOTE(review): -5000 against 100 per failure means a client that
        # authenticates with one valid account is effectively shielded while
        # failing against others from the same address.  Presumably meant to
        # keep a legitimate user who mistypes a password from being blocked —
        # confirm the magnitude is intended.
        pattern "dovecot.*Login: user=.* rip=(.*), lip=" {
            index 1;    // zero based
            bucket -5000;
            message "dovecot good authentication";
        };
        pattern "sendmail.*AUTH=server, .*\[(.*)\]," {
            index 1;    // zero based
            bucket -5000;
            message "sendmail good authentication";
        };
    };