# HG changeset patch # User Carl Byington # Date 1412442092 25200 # Node ID d80641be405b6276acbfca395a8dd66478c43d7a # Parent a20b31625b44adc2099f15f266df8c5df254cf1d add script to build syslog2iptables.conf diff -r a20b31625b44 -r d80641be405b .hgtags --- a/.hgtags Tue Jun 10 09:13:16 2014 -0700 +++ b/.hgtags Sat Oct 04 10:01:32 2014 -0700 @@ -12,3 +12,10 @@ 206448c00b55aae7cf45294ea638000a4e8eebc1 stable-1-0-12 d6fb7fca0394954aa4adce3ed4b77f1a605d8397 stable-1-0-13 73dd2daeaf8e27964442d0eca81a94f10f6d3125 stable-1-0-13-2 +e4f11d6a891d811d8b6cb98a478a54c9dd7b4189 stable-1-0-15 +e4f11d6a891d811d8b6cb98a478a54c9dd7b4189 stable-1-0-15 +9891e1ae03fcad659af2673882f8459600b98716 stable-1-0-15 +9891e1ae03fcad659af2673882f8459600b98716 stable-1-0-15 +f42641c071e420a57c36345110547d96ddb1fe3c stable-1-0-15 +f42641c071e420a57c36345110547d96ddb1fe3c stable-1-0-15 +624f9fdd685e8ac3d3166896cfcc79cd21f0dae5 stable-1-0-15 diff -r a20b31625b44 -r d80641be405b ChangeLog --- a/ChangeLog Tue Jun 10 09:13:16 2014 -0700 +++ b/ChangeLog Sat Oct 04 10:01:32 2014 -0700 @@ -1,3 +1,6 @@ +1.15 2014-10-02 + add script to build syslog2iptables.conf + 1.14 2014-06-10 Add exponential increase in penalty for repeat offenders. diff -r a20b31625b44 -r d80641be405b Makefile.am --- a/Makefile.am Tue Jun 10 09:13:16 2014 -0700 +++ b/Makefile.am Sat Oct 04 10:01:32 2014 -0700 
@@ -3,11 +3,11 @@ SUBDIRS = src man html info hackdir = $(sysconfdir) hack_SCRIPTS = syslog2iptables -sysconf_DATA = syslog2iptables.conf +sysconf_DATA = syslog2iptables.conf.make syslog2iptables.conf.top syslog2iptables.conf.bottom syslog2iptables.conf.httpd htmldir = ${datadir}/doc/@PACKAGE@-@VERSION@ html_DATA = AUTHORS COPYING ChangeLog NEWS README CLEANFILES = syslog2iptables xml/syslog2iptables xml/Makefile -EXTRA_DIST = syslog2iptables.conf syslog2iptables.spec xml/header.sgml xml/header.xml xml/Makefile.am xml/Makefile.in xml/syslog2iptables.in +EXTRA_DIST = syslog2iptables.conf.make syslog2iptables.conf.top syslog2iptables.conf.bottom syslog2iptables.conf.httpd syslog2iptables.spec xml/header.sgml xml/header.xml xml/Makefile.am xml/Makefile.in xml/syslog2iptables.in syslog2iptables: syslog2iptables.rc cat syslog2iptables.rc | \ diff -r a20b31625b44 -r d80641be405b NEWS --- a/NEWS Tue Jun 10 09:13:16 2014 -0700 +++ b/NEWS Sat Oct 04 10:01:32 2014 -0700 @@ -1,3 +1,4 @@ +1.15 2014-10-02 add script to build syslog2iptables.conf 1.14 2014-06-10 Add exponential increase in penalty for repeat offenders. 1.13 2009-01-25 Document multiple contexts. 1.12 2009-01-24 Allow multiple contexts with independent add/remove commands. diff -r a20b31625b44 -r d80641be405b configure.in --- a/configure.in Tue Jun 10 09:13:16 2014 -0700 +++ b/configure.in Sat Oct 04 10:01:32 2014 -0700 @@ -1,6 +1,6 @@ AC_PREREQ(2.59) -AC_INIT(syslog2iptables,1.14,carl@five-ten-sg.com) +AC_INIT(syslog2iptables,1.15,carl@five-ten-sg.com) AC_CONFIG_SRCDIR([config.h.in]) AC_CONFIG_HEADER([config.h]) diff -r a20b31625b44 -r d80641be405b syslog2iptables.conf --- a/syslog2iptables.conf Tue Jun 10 09:13:16 2014 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
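Review bot: `syslog2iptables.conf.make` is added to `sysconf_DATA`, which installs it without the execute bit, while the spec's `%post` invokes it as `./%{name}.conf.make`; the RPM path only works because of the spec's `%attr(750,root,root)`, and a plain `make install` would leave the script non-executable. This file already has a script primary for the same directory, so list it there instead: `hack_SCRIPTS = syslog2iptables syslog2iptables.conf.make` and drop it from `sysconf_DATA` (it stays in `EXTRA_DIST`). The `%post` referred to is in the syslog2iptables.spec.in hunk later in this changeset.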
@@ -1,195 +0,0 @@ -context general { - threshold 550; - - add_command "/sbin/iptables -I INPUT --src %s --jump DROP"; - remove_command "/sbin/iptables -D INPUT --src %s --jump DROP"; - - ignore { - 127.0.0.0/8; // localhost - }; - - file "/var/log/secure" { - pattern "sshd.*Failed password .* from ::ffff:(.*) port" { - index 1; // zero based - bucket 400; - message "ssh failed password"; - }; - pattern "sshd.*Failed password .* from (.*) port" { - index 1; // zero based - bucket 400; - message "ssh failed password"; - }; - pattern "sshd.*authentication failure; .* rhost=(.*) " { - index 1; // zero based - bucket 400; - message "ssh failed password"; - }; - pattern "sshd.*Did not receive identification string from (.*)" { - index 1; // zero based - bucket 400; - message "ssh failed password"; - }; - pattern "proftpd.*no such user found from (.*) \[" { - index 1; // zero based - bucket 400; - message "ftp failed password"; - }; - pattern "proftpd.* authentication failure; .* rhost=(.*) " { - index 1; // zero based - bucket 400; - message "ftp failed password"; - }; - pattern "vsftpd.* authentication failure; .* rhost=(.*) " { - index 1; // zero based - bucket 400; - message "ftp failed password"; - }; - pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " { - index 1; // zero based - bucket 400; - message "dovecot failed password"; - }; - pattern "dovecot.* authentication failure; .* rhost=(.*) " { - index 1; // zero based - bucket 400; - message "dovecot failed password"; - }; - }; - - file "/var/log/messages" { - pattern "dovecot.* authentication failure; .* rhost=(.*) " { - index 1; // zero based - bucket 400; - message "dovecot failed password"; - }; - pattern "ipop3d.* Login failed .* \[(.*)\]" { - index 1; // zero based - bucket 400; - message "pop3 failed password"; - }; - }; - - file "/var/log/httpd/access_log" { - // of course you cannot use this if you actually use cgi-bin directories - pattern "(.*) - - .* /cgi-bin" { - index 1; // zero based 
- bucket 400; - message "apache cgi-bin reference"; - }; - // or if you actually have an index2.php script - pattern "(.*) - - .*/index2.php" { - index 1; // zero based - bucket 400; - message "apache index2.php reference"; - }; - // or if you have a main.php script - pattern "(.*) - - .*/main.php" { - index 1; // zero based - bucket 400; - message "apache main.php reference"; - }; - pattern "(.*) - - .*/awstats.pl" { - index 1; // zero based - bucket 400; - message "apache awstats.pl reference"; - }; - pattern "(.*) - - .*/xmlrpc" { - index 1; // zero based - bucket 400; - message "apache xmlrpc reference"; - }; - pattern "(.*) - - .*/adxmlrpc" { - index 1; // zero based - bucket 400; - message "apache adxmlrpc reference"; - }; - pattern "(.*) - - .*/includes/general.js" { - index 1; // zero based - bucket 400; - message "apache general.js reference"; - }; - pattern "(.*) - - .*/Admin/" { - index 1; // zero based - bucket 400; - message "apache phpMyAdmin reference"; - }; - pattern "(.*) - - .*/MyAdmin/" { - index 1; // zero based - bucket 400; - message "apache phpMyAdmin reference"; - }; - pattern "(.*) - - .*/phpMyAdmin/" { - index 1; // zero based - bucket 400; - message "apache phpMyAdmin reference"; - }; - pattern "(.*) - - .*/user/soapCaller" { - index 1; // zero based - bucket 400; - message "apache soapCaller reference"; - }; - pattern "(.*) - - .*POST /contact.php" { - index 1; // zero based - bucket 400; - message "apache contact.php post"; - }; - pattern "(.*) - - .*/crossdomain.xml" { - index 1; // zero based - bucket 400; - message "apache crossdomain.xml reference"; - }; - pattern "(.*) - - .*/cart/" { - index 1; // zero based - bucket 400; - message "apache cart reference"; - }; - pattern "(.*) - - .*/zen/" { - index 1; // zero based - bucket 400; - message "apache zen reference"; - }; - pattern "(.*) - - .*/zencart/" { - index 1; // zero based - bucket 400; - message "apache zencart reference"; - }; - }; - - file "/var/log/maillog" { - pattern 
"lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" { - index 1; // zero based - bucket 200; - message "sendmail spammer dropping connection"; - }; - pattern " \[(.*)\]: possible SMTP attack" { - index 1; // zero based - bucket 600; - message "sendmail authentication attack"; - }; - pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" { - index 1; // zero based - bucket 1800; - message "sendmail pre-greeting"; - }; - pattern "dovecot.*Aborted login.*rip=(.*)," { - index 1; // zero based - bucket 100; - message "dovecot failed password"; - }; - pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," { - index 1; // zero based - bucket 100; - message "dovecot failed password"; - }; - - // make sure your upstream MX servers are listed in the - // ignore block above, otherwise you will kill them off - // when they try to forward such mail to you. - pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" { - index 1; // zero based - bucket 200; - message "sendmail rejected bounce"; - }; - }; -}; - diff -r a20b31625b44 -r d80641be405b syslog2iptables.conf.bottom --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/syslog2iptables.conf.bottom Sat Oct 04 10:01:32 2014 -0700 @@ -0,0 +1,1 @@ +}; diff -r a20b31625b44 -r d80641be405b syslog2iptables.conf.httpd --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/syslog2iptables.conf.httpd Sat Oct 04 10:01:32 2014 -0700 
@@ -0,0 +1,85 @@ + pattern "(.*) - - .* /cgi-bin" { + index 1; // zero based + bucket 400; + message "apache cgi-bin reference"; + }; + pattern "(.*) - - .*/index2.php" { + index 1; // zero based + bucket 400; + message "apache index2.php reference"; + }; + pattern "(.*) - - .*/main.php" { + index 1; // zero based + bucket 400; + message "apache main.php reference"; + }; + pattern "(.*) - - .*/awstats.pl" { + index 1; // zero based + bucket 400; + message "apache awstats.pl reference"; + }; + pattern "(.*) - - .*/xmlrpc" { + index 1; // zero based + bucket 400; + message "apache xmlrpc reference"; + }; + pattern "(.*) - - .*/adxmlrpc" { + index 1; // zero based + bucket 400; + message "apache adxmlrpc reference"; + }; + pattern "(.*) - - .*/includes/general.js" { + index 1; // zero based + bucket 400; + message "apache general.js reference"; + }; + pattern "(.*) - - .*/Admin/" { + index 1; // zero based + bucket 400; + message "apache phpMyAdmin reference"; + }; + pattern "(.*) - - .*/MyAdmin/" { + index 1; // zero based + bucket 400; + message "apache phpMyAdmin reference"; + }; + pattern "(.*) - - .*/phpMyAdmin/" { + index 1; // zero based + bucket 400; + message "apache phpMyAdmin reference"; + }; + pattern "(.*) - - .*/user/soapCaller" { + index 1; // zero based + bucket 400; + message "apache soapCaller reference"; + }; + pattern "(.*) - - .*POST /contact.php" { + index 1; // zero based + bucket 400; + message "apache contact.php post"; + }; + pattern "(.*) - - .*/crossdomain.xml" { + index 1; // zero based + bucket 400; + message "apache crossdomain.xml reference"; + }; + pattern "(.*) - - .*/cart/" { + index 1; // zero based + bucket 400; + message "apache cart reference"; + }; + pattern "(.*) - - .*/zen/" { + index 1; // zero based + bucket 400; + message "apache zen reference"; + }; + pattern "(.*) - - .*/zencart/" { + index 1; // zero based + bucket 400; + message "apache zencart reference"; + }; + pattern "(.*) - - .*\(\) *\{'" { + index 1; // zero based 
+ bucket 400;
+ message "apache shellshocked attempt";
+ };
\ No newline at end of file
diff -r a20b31625b44 -r d80641be405b syslog2iptables.conf.make
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/syslog2iptables.conf.make Sat Oct 04 10:01:32 2014 -0700
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+ (
+ echo '// generated by syslog2iptables.conf.make'
+ echo ''
+ cat syslog2iptables.conf.top
+
+ for fn in /var/log/httpd/access*log; do
+ if [ -f "$fn" ]; then
+ echo " file \"$fn\" {"
+ cat syslog2iptables.conf.httpd
+ echo " };"
+ fi
+ done
+
+ cat syslog2iptables.conf.bottom
+) >syslog2iptables.conf
+
diff -r a20b31625b44 -r d80641be405b syslog2iptables.conf.top
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/syslog2iptables.conf.top Sat Oct 04 10:01:32 2014 -0700
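Review bot: The file ends without a trailing newline (`\ No newline at end of file` after the closing `};`), and `syslog2iptables.conf.make` emits it with `cat syslog2iptables.conf.httpd` directly followed by `echo " };"`, so every generated `file` block ends with ` }; };` on one line; add the final newline here so the generated config stays line-structured. Separately, each pattern captures the address with an unanchored, greedy `(.*)`, and that captured text is what `add_command` in `syslog2iptables.conf.top` substitutes for `%s` in the iptables invocation; on an access log the remainder of the line is client-supplied, so a request line that itself contains ` - - ` can change what the group captures, and the value handed to `add_command` is then not a bare address. Restricting the group to address characters at the start of the line, e.g. `pattern "^([0-9a-fA-F.:]+) - - .* /cgi-bin" {` (assuming the matcher is a POSIX regex), keeps the substituted value a literal address; the same hardening applies to the `rhost=(.*) ` and `from (.*) port` captures in `syslog2iptables.conf.top`.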
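Review bot: The script writes straight to `syslog2iptables.conf` with no error handling, so if it is run from a directory other than the one holding the pieces, or one of `.top`/`.httpd`/`.bottom` is missing, the failed `cat` still leaves a truncated config in place of the previous good one, and the exit status reflects only the last `cat`. Change to the script's own directory, fail fast with `set -eu`, and write to a temporary file that is renamed onto the config only on success; the spec's `%post` then no longer depends on its own `cd` succeeding. The subshell body is unchanged.
```shell
#!/bin/bash
set -eu
cd "$(dirname "$0")"
trap 'rm -f syslog2iptables.conf.tmp' EXIT

(
    # … unchanged: header echo, cat syslog2iptables.conf.top, access*log loop, cat syslog2iptables.conf.bottom …
) >syslog2iptables.conf.tmp
mv -f syslog2iptables.conf.tmp syslog2iptables.conf
```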
@@ -0,0 +1,113 @@ +context general { + threshold 550; + + add_command "/sbin/iptables -I INPUT --src %s --jump DROP"; + remove_command "/sbin/iptables -D INPUT --src %s --jump DROP"; + + ignore { + 127.0.0.0/8; // localhost + }; + + file "/var/log/secure" { + pattern "sshd.*Failed password .* from ::ffff:(.*) port" { + index 1; // zero based + bucket 400; + message "ssh failed password"; + }; + pattern "sshd.*Failed password .* from (.*) port" { + index 1; // zero based + bucket 400; + message "ssh failed password"; + }; + pattern "sshd.*authentication failure; .* rhost=(.*) " { + index 1; // zero based + bucket 400; + message "ssh failed password"; + }; + pattern "sshd.*Did not receive identification string from (.*)" { + index 1; // zero based + bucket 400; + message "ssh failed password"; + }; + pattern "proftpd.*no such user found from (.*) \[" { + index 1; // zero based + bucket 400; + message "ftp failed password"; + }; + pattern "proftpd.* authentication failure; .* rhost=(.*) " { + index 1; // zero based + bucket 400; + message "ftp failed password"; + }; + pattern "vsftpd.* authentication failure; .* rhost=(.*) " { + index 1; // zero based + bucket 400; + message "ftp failed password"; + }; + pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " { + index 1; // zero based + bucket 400; + message "dovecot failed password"; + }; + pattern "dovecot.* authentication failure; .* rhost=(.*) " { + index 1; // zero based + bucket 400; + message "dovecot failed password"; + }; + }; + + file "/var/log/messages" { + pattern "dovecot.* authentication failure; .* rhost=(.*) " { + index 1; // zero based + bucket 400; + message "dovecot failed password"; + }; + pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" { + index 1; // zero based + bucket 400; + message "kernel firewall blocked packet"; + }; + pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" { + index 1; // zero based + bucket 400; + message "kernel firewall blocked packet"; + }; + }; + + file 
"/var/log/maillog" { + pattern "\]: .* \[(.*)\] did not issue MAIL" { + index 1; // zero based + bucket 200; + message "sendmail banner probe"; + }; + pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" { + index 1; // zero based + bucket 200; + message "sendmail spammer dropping connection"; + }; + pattern " \[(.*)\]: possible SMTP attack" { + index 1; // zero based + bucket 600; + message "sendmail authentication attack"; + }; + pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" { + index 1; // zero based + bucket 1800; + message "sendmail pre-greeting"; + }; + pattern "authentication failure: checkpass failed,.*\[(.*)\]" { + index 1; // zero based + bucket 600; + message "sendmail authentication attack"; + }; + pattern "dovecot.*Aborted login.*rip=(.*)," { + index 1; // zero based + bucket 100; + message "dovecot failed password"; + }; + pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," { + index 1; // zero based + bucket 100; + message "dovecot failed password"; + }; + }; diff -r a20b31625b44 -r d80641be405b syslog2iptables.spec.in --- a/syslog2iptables.spec.in Tue Jun 10 09:13:16 2014 -0700 +++ b/syslog2iptables.spec.in Sat Oct 04 10:01:32 2014 -0700 @@ -34,6 +34,7 @@ make DESTDIR=$RPM_BUILD_ROOT install mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d mv -f $RPM_BUILD_ROOT%{_sysconfdir}/%{name} $RPM_BUILD_ROOT/etc/rc.d/init.d +rm -f $RPM_BUILD_ROOT%{_sysconfdir}/%{name}.conf %clean @@ -45,6 +46,7 @@ %post /sbin/chkconfig --add %{name} +(cd %{_sysconfdir}; ./%{name}.conf.make) %preun 
@@ -62,11 +64,17 @@ %{_mandir}/man5/* %docdir %{_datadir}/doc/%{name}-%{version} %{_datadir}/doc/%{name}-%{version} -%config(noreplace) %{_sysconfdir}/%{name}.conf +%config(noreplace) %{_sysconfdir}/%{name}.conf.top +%config(noreplace) %{_sysconfdir}/%{name}.conf.httpd +%config(noreplace) %{_sysconfdir}/%{name}.conf.bottom +%attr(750,root,root) %{_sysconfdir}/%{name}.conf.make /etc/rc.d/init.d/%{name} %changelog +* Thu Oct 02 2014 Carl Byington - 1.15-1 +- add script to build syslog2iptables.conf + * Tue Jun 10 2014 Carl Byington - 1.14-1 - Add exponential increase in penalty for repeat offenders.