# HG changeset patch
# User Carl Byington
# Date 1707681853 28800
# Node ID cc01f2caff3791a780915ea79ea01658362ec667
# Parent 858aec84fe13f49217a96f4baedac35c1af0df39
add error_log to the httpd files
diff -r 858aec84fe13 -r cc01f2caff37 ChangeLog
--- a/ChangeLog Wed Jul 15 14:29:47 2020 -0700
+++ b/ChangeLog Sun Feb 11 12:04:13 2024 -0800
@@ -1,3 +1,6 @@
+1.19 2024-02-11
+ add error_log to the httpd files
+
 1.18 2020-07-15
 add more logging when blocked addresses move to higher scale values
diff -r 858aec84fe13 -r cc01f2caff37 NEWS
--- a/NEWS Wed Jul 15 14:29:47 2020 -0700
+++ b/NEWS Sun Feb 11 12:04:13 2024 -0800
@@ -1,3 +1,4 @@
+1.19 2024-02-11 add error_log to the httpd files
 1.18 2020-07-15 add more logging when blocked addresses move to higher scale values
 1.17 2017-02-09 RHEL7 systemd and /var/run on tmpfs
 1.16 2015-12-19 good authentication prevents ip blocking for awhile
diff -r 858aec84fe13 -r cc01f2caff37 configure.ac
--- a/configure.ac Wed Jul 15 14:29:47 2020 -0700
+++ b/configure.ac Sun Feb 11 12:04:13 2024 -0800
@@ -1,6 +1,6 @@
 AC_PREREQ(2.59)
-AC_INIT(syslog2iptables,1.18,carl@five-ten-sg.com)
+AC_INIT(syslog2iptables,1.19,carl@five-ten-sg.com)
 AC_CONFIG_SRCDIR([config.h.in])
 AC_CONFIG_HEADER([config.h])
 AC_CONFIG_MACRO_DIRS([m4])
diff -r 858aec84fe13 -r cc01f2caff37 syslog2iptables.conf.httpd
--- a/syslog2iptables.conf.httpd Wed Jul 15 14:29:47 2020 -0700
+++ b/syslog2iptables.conf.httpd Sun Feb 11 12:04:13 2024 -0800
@@ -82,4 +82,10 @@
 index 1; // zero based
 bucket 400;
 message "apache shellshocked attempt";
- };
\ No newline at end of file
+ };
+ pattern ":error.*client (.*):.*\.php' not found" {
+ index 1; // zero based
+ bucket 400;
+ message "apache domainrenter php attempts";
+ };
+
diff -r 858aec84fe13 -r cc01f2caff37 syslog2iptables.conf.make
--- a/syslog2iptables.conf.make Wed Jul 15 14:29:47 2020 -0700
+++ b/syslog2iptables.conf.make Sun Feb 11 12:04:13 2024 -0800
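Review bot: The capture `(.*)` in the added pattern `":error.*client (.*):.*\.php' not found"` is greedy and is delimited only by the last `:` that still lets `.*\.php' not found` match, so if any error_log variant carries a further colon between the client field and the script path (Apache 2.4 prefixes many messages with an `AHnnnnn:` code) the captured text is not an address and the block action is fed something other than an IP. A negated class such as `client ([^ \]]+):` stops at the port separator for IPv4 entries; confirm how IPv6 `[client ...]` entries are logged before relying on it. It is also worth confirming that the config tokenizer passes `\.` through to the regex engine unchanged, because if the backslash is consumed as a string escape `.php` matches any character followed by `php`.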
@@ -5,7 +5,7 @@
 echo ''
 cat syslog2iptables.conf.top
- for fn in /var/log/httpd/access*log; do
+ for fn in /var/log/httpd/error_log /var/log/httpd/access*log; do
 if [ -f "$fn" ]; then
 echo " file \"$fn\" {"
 cat syslog2iptables.conf.httpd
diff -r 858aec84fe13 -r cc01f2caff37 syslog2iptables.conf.top
--- a/syslog2iptables.conf.top Wed Jul 15 14:29:47 2020 -0700
+++ b/syslog2iptables.conf.top Sun Feb 11 12:04:13 2024 -0800
@@ -1,3 +1,16 @@
+context monitor2 {
+ threshold 150;
+ add_command "echo 'rate limit exceeded' | mail -s 'rate limit exceeded' carl@five-ten-sg.com";
+ remove_command "true";
+ file "/var/log/maillog" {
+ pattern "milter=dnsbl, .* reject=550 (.*) (unique|recipient) .* limit exceeded" {
+ index 1; // zero based
+ bucket 100;
+ message "rate limit exceeded";
+ };
+ };
+};
+
 context general {
 threshold 550;
@@ -6,6 +19,23 @@
 ignore {
 127.0.0.0/8; // localhost
+ 192.168.0.0/16; // internal networks
+ 172.102.240.82/30; // 510sg data center
+ 172.102.240.42/30; // 510sg data center
+ 216.86.213.0/24; // mbmg
+ 104.53.80.243/32; // davd att
+ 75.140.46.51/32; // davd spectrum
+ 67.227.199.34/32; // routerdog
+ 67.227.199.43/32; // routerdog
+ 69.167.152.113/32; // routerdog
+ 69.167.152.152/32; // routerdog
+ 209.59.129.6/32; // routerdog
+ 205.139.110.0/24; // mimecast probing smtp banners
+ 207.211.31.0/24; // mimecast probing smtp banners
+ 216.205.24.0/24; // mimecast probing smtp banners
+ 63.128.21.0/24; // mimecast probing smtp banners
+ 146.101.78.0/24; // mimecast probing smtp banners
+ 207.82.80.0/24; // mimecast probing smtp banners
 };
 file "/var/log/secure" {
@@ -67,6 +97,11 @@
 bucket 400;
 message "kernel firewall blocked packet";
 };
+ pattern "named.* (.*)#.*denied$" {
+ index 1; // zero based
+ bucket 100;
+ message "dns query denied";
+ };
 };
 file "/var/log/maillog" {
diff -r 858aec84fe13 -r cc01f2caff37 syslog2iptables.spec.in
--- a/syslog2iptables.spec.in Wed Jul 15 14:29:47 2020 -0700
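Review bot: The loop now feeds the same `syslog2iptables.conf.httpd` fragment to `/var/log/httpd/error_log` and to every access log, so the new `:error.*client` pattern is presumably evaluated against every access-log line and the access-log patterns against every error_log line. That is harmless when nothing matches, but it doubles the regex work per line and hides which pattern belongs to which log format. A separate fragment for the error log (a constructed name such as `syslog2iptables.conf.httpd_error`), emitted by its own `if [ -f /var/log/httpd/error_log ]` branch before the access-log loop, would keep the two formats apart. The loop body continues outside the hunk.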
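Review bot: The new `monitor2` context hardcodes a personal mailbox, `carl@five-ten-sg.com`, in `add_command` of a file that `syslog2iptables.conf.make` cats into the generated configuration, so any installation that keeps the shipped template will mail that address whenever the `milter=dnsbl` pattern accumulates 150 points. This hunk, the ignore-list hunk at `@@ -6,6 +19,23 @@` and the `named` pattern hunk at `@@ -67,6 +97,11 @@` are all site-specific and none is mentioned in the commit message "add error_log to the httpd files"; keeping them in a site-local file that the template does not ship, or at least in their own commit, would make the intent clear. A comment on the context such as `// notify-only context: add_command sends mail, remove_command is "true"` would also record that, as written, this context never touches the firewall.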
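Review bot: The added `ignore` entries exempt whole third-party /24 networks (six `mimecast` ranges and `216.86.213.0/24`) and the entire `192.168.0.0/16` from blocking with no record of when or why each was verified, so a compromised host inside any of those ranges can never be rate-limited by this tool. Each entry should carry its date and justification, e.g. `205.139.110.0/24; // mimecast probing smtp banners, verified 2024-02-11`, so the list can be pruned later. The two /30 entries are written with host addresses (`172.102.240.82/30`, `172.102.240.42/30`); confirm that the parser masks them to `.80/30` and `.40/30` rather than comparing the literal address. The enclosing `context general` block starts before this hunk.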
+++ b/syslog2iptables.spec.in Sun Feb 11 12:04:13 2024 -0800
@@ -84,6 +84,9 @@
 %changelog
+* Sun Feb 11 2024 Carl Byington - 1.19-1
+- add error_log to the httpd files
+
 * Wed Jul 15 2020 Carl Byington - 1.18-1
 - add more logging when blocked addresses move to higher scale values