changeset 61:d80641be405b stable-1-0-15

add script to build syslog2iptables.conf
author Carl Byington <carl@five-ten-sg.com>
date Sat, 04 Oct 2014 10:01:32 -0700
parents a20b31625b44
children c30df5975c49
files .hgtags ChangeLog Makefile.am NEWS configure.in syslog2iptables.conf syslog2iptables.conf.bottom syslog2iptables.conf.httpd syslog2iptables.conf.make syslog2iptables.conf.top syslog2iptables.spec.in
diffstat 11 files changed, 240 insertions(+), 199 deletions(-) [+]
--- a/.hgtags	Tue Jun 10 09:13:16 2014 -0700
+++ b/.hgtags	Sat Oct 04 10:01:32 2014 -0700
@@ -12,3 +12,10 @@
 206448c00b55aae7cf45294ea638000a4e8eebc1 stable-1-0-12
 d6fb7fca0394954aa4adce3ed4b77f1a605d8397 stable-1-0-13
 73dd2daeaf8e27964442d0eca81a94f10f6d3125 stable-1-0-13-2
+e4f11d6a891d811d8b6cb98a478a54c9dd7b4189 stable-1-0-15
+e4f11d6a891d811d8b6cb98a478a54c9dd7b4189 stable-1-0-15
+9891e1ae03fcad659af2673882f8459600b98716 stable-1-0-15
+9891e1ae03fcad659af2673882f8459600b98716 stable-1-0-15
+f42641c071e420a57c36345110547d96ddb1fe3c stable-1-0-15
+f42641c071e420a57c36345110547d96ddb1fe3c stable-1-0-15
+624f9fdd685e8ac3d3166896cfcc79cd21f0dae5 stable-1-0-15
--- a/ChangeLog	Tue Jun 10 09:13:16 2014 -0700
+++ b/ChangeLog	Sat Oct 04 10:01:32 2014 -0700
@@ -1,3 +1,6 @@
+1.15 2014-10-02
+     add script to build syslog2iptables.conf
+
 1.14 2014-06-10
      Add exponential increase in penalty for repeat offenders.
 
--- a/Makefile.am	Tue Jun 10 09:13:16 2014 -0700
+++ b/Makefile.am	Sat Oct 04 10:01:32 2014 -0700
@@ -3,11 +3,11 @@
 SUBDIRS = src man html info
 hackdir = $(sysconfdir)
 hack_SCRIPTS = syslog2iptables
-sysconf_DATA = syslog2iptables.conf
+sysconf_DATA = syslog2iptables.conf.make syslog2iptables.conf.top syslog2iptables.conf.bottom syslog2iptables.conf.httpd
 htmldir = ${datadir}/doc/@PACKAGE@-@VERSION@
 html_DATA = AUTHORS COPYING ChangeLog NEWS README
 CLEANFILES = syslog2iptables xml/syslog2iptables xml/Makefile
-EXTRA_DIST = syslog2iptables.conf syslog2iptables.spec xml/header.sgml xml/header.xml xml/Makefile.am xml/Makefile.in xml/syslog2iptables.in
+EXTRA_DIST = syslog2iptables.conf.make syslog2iptables.conf.top syslog2iptables.conf.bottom syslog2iptables.conf.httpd syslog2iptables.spec xml/header.sgml xml/header.xml xml/Makefile.am xml/Makefile.in xml/syslog2iptables.in
 
 syslog2iptables: syslog2iptables.rc
 	   cat syslog2iptables.rc     | \
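Review bot: `syslog2iptables.conf.make` is added to `sysconf_DATA` (line 41), so a plain `make install` drops it with data permissions and the generator is not executable; only the RPM spec's later `%attr(750,root,root)` repairs that, and a source install gets a script that `./syslog2iptables.conf.make` cannot run. `hackdir = $(sysconfdir)` already installs scripts into the same directory, so the script belongs there: `hack_SCRIPTS = syslog2iptables syslog2iptables.conf.make` and `sysconf_DATA = syslog2iptables.conf.top syslog2iptables.conf.bottom syslog2iptables.conf.httpd`. The `EXTRA_DIST` line (46) can stay as it is.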
--- a/NEWS	Tue Jun 10 09:13:16 2014 -0700
+++ b/NEWS	Sat Oct 04 10:01:32 2014 -0700
@@ -1,3 +1,4 @@
+1.15 2014-10-02 add script to build syslog2iptables.conf
 1.14 2014-06-10 Add exponential increase in penalty for repeat offenders.
 1.13 2009-01-25 Document multiple contexts.
 1.12 2009-01-24 Allow multiple contexts with independent add/remove commands.
--- a/configure.in	Tue Jun 10 09:13:16 2014 -0700
+++ b/configure.in	Sat Oct 04 10:01:32 2014 -0700
@@ -1,6 +1,6 @@
 
 AC_PREREQ(2.59)
-AC_INIT(syslog2iptables,1.14,carl@five-ten-sg.com)
+AC_INIT(syslog2iptables,1.15,carl@five-ten-sg.com)
 AC_CONFIG_SRCDIR([config.h.in])
 AC_CONFIG_HEADER([config.h])
 
--- a/syslog2iptables.conf	Tue Jun 10 09:13:16 2014 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,195 +0,0 @@
-context general {
-    threshold 550;
-
-    add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
-    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
-
-    ignore {
-        127.0.0.0/8;        // localhost
-    };
-
-    file "/var/log/secure" {
-        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
-            index 1;    // zero based
-            bucket 400;
-            message "ssh failed password";
-        };
-        pattern "sshd.*Failed password .* from (.*) port" {
-            index 1;    // zero based
-            bucket 400;
-            message "ssh failed password";
-        };
-        pattern "sshd.*authentication failure; .* rhost=(.*) " {
-            index 1;    // zero based
-            bucket 400;
-            message "ssh failed password";
-        };
-        pattern "sshd.*Did not receive identification string from (.*)" {
-            index 1;    // zero based
-            bucket 400;
-            message "ssh failed password";
-        };
-        pattern "proftpd.*no such user found from (.*) \[" {
-            index 1;    // zero based
-            bucket 400;
-            message "ftp failed password";
-        };
-        pattern "proftpd.* authentication failure; .* rhost=(.*) " {
-            index 1;    // zero based
-            bucket 400;
-            message "ftp failed password";
-        };
-        pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
-            index 1;    // zero based
-            bucket 400;
-            message "ftp failed password";
-        };
-        pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
-            index 1;    // zero based
-            bucket 400;
-            message "dovecot failed password";
-        };
-        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
-            index 1;    // zero based
-            bucket 400;
-            message "dovecot failed password";
-        };
-    };
-
-    file "/var/log/messages" {
-        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
-            index 1;    // zero based
-            bucket 400;
-            message "dovecot failed password";
-        };
-        pattern "ipop3d.* Login failed .* \[(.*)\]" {
-            index 1;    // zero based
-            bucket 400;
-            message "pop3 failed password";
-        };
-    };
-
-    file "/var/log/httpd/access_log" {
-        // of course you cannot use this if you actually use cgi-bin directories
-        pattern "(.*) - - .* /cgi-bin" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache cgi-bin reference";
-        };
-        // or if you actually have an index2.php script
-        pattern "(.*) - - .*/index2.php" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache index2.php reference";
-        };
-        // or if you have a main.php script
-        pattern "(.*) - - .*/main.php" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache main.php reference";
-        };
-        pattern "(.*) - - .*/awstats.pl" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache awstats.pl reference";
-        };
-        pattern "(.*) - - .*/xmlrpc" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache xmlrpc reference";
-        };
-        pattern "(.*) - - .*/adxmlrpc" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache adxmlrpc reference";
-        };
-        pattern "(.*) - - .*/includes/general.js" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache general.js reference";
-        };
-        pattern "(.*) - - .*/Admin/" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache phpMyAdmin reference";
-        };
-        pattern "(.*) - - .*/MyAdmin/" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache phpMyAdmin reference";
-        };
-        pattern "(.*) - - .*/phpMyAdmin/" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache phpMyAdmin reference";
-        };
-        pattern "(.*) - - .*/user/soapCaller" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache soapCaller reference";
-        };
-        pattern "(.*) - - .*POST /contact.php" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache contact.php post";
-        };
-        pattern "(.*) - - .*/crossdomain.xml" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache crossdomain.xml reference";
-        };
-        pattern "(.*) - - .*/cart/" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache cart reference";
-        };
-        pattern "(.*) - - .*/zen/" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache zen reference";
-        };
-        pattern "(.*) - - .*/zencart/" {
-            index 1;    // zero based
-            bucket 400;
-            message "apache zencart reference";
-        };
-    };
-
-    file "/var/log/maillog" {
-        pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
-            index 1;    // zero based
-            bucket 200;
-            message "sendmail spammer dropping connection";
-        };
-        pattern " \[(.*)\]: possible SMTP attack" {
-            index 1;    // zero based
-            bucket 600;
-            message "sendmail authentication attack";
-        };
-        pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
-            index 1;    // zero based
-            bucket 1800;
-            message "sendmail pre-greeting";
-        };
-        pattern "dovecot.*Aborted login.*rip=(.*)," {
-            index 1;    // zero based
-            bucket 100;
-            message "dovecot failed password";
-        };
-        pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
-            index 1;    // zero based
-            bucket 100;
-            message "dovecot failed password";
-        };
-
-        // make sure your upstream MX servers are listed in the
-        // ignore block above, otherwise you will kill them off
-        // when they try to forward such mail to you.
-        pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
-            index 1;    // zero based
-            bucket 200;
-            message "sendmail rejected bounce";
-        };
-    };
-};
-
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/syslog2iptables.conf.bottom	Sat Oct 04 10:01:32 2014 -0700
@@ -0,0 +1,1 @@
+};
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/syslog2iptables.conf.httpd	Sat Oct 04 10:01:32 2014 -0700
@@ -0,0 +1,85 @@
+        pattern "(.*) - - .* /cgi-bin" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache cgi-bin reference";
+        };
+        pattern "(.*) - - .*/index2.php" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache index2.php reference";
+        };
+        pattern "(.*) - - .*/main.php" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache main.php reference";
+        };
+        pattern "(.*) - - .*/awstats.pl" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache awstats.pl reference";
+        };
+        pattern "(.*) - - .*/xmlrpc" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache xmlrpc reference";
+        };
+        pattern "(.*) - - .*/adxmlrpc" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache adxmlrpc reference";
+        };
+        pattern "(.*) - - .*/includes/general.js" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache general.js reference";
+        };
+        pattern "(.*) - - .*/Admin/" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache phpMyAdmin reference";
+        };
+        pattern "(.*) - - .*/MyAdmin/" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache phpMyAdmin reference";
+        };
+        pattern "(.*) - - .*/phpMyAdmin/" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache phpMyAdmin reference";
+        };
+        pattern "(.*) - - .*/user/soapCaller" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache soapCaller reference";
+        };
+        pattern "(.*) - - .*POST /contact.php" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache contact.php post";
+        };
+        pattern "(.*) - - .*/crossdomain.xml" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache crossdomain.xml reference";
+        };
+        pattern "(.*) - - .*/cart/" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache cart reference";
+        };
+        pattern "(.*) - - .*/zen/" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache zen reference";
+        };
+        pattern "(.*) - - .*/zencart/" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache zencart reference";
+        };
+        pattern "(.*) - - .*\(\) *\{'" {
+            index 1;    // zero based
+            bucket 400;
+            message "apache shellshocked attempt";
+        };
\ No newline at end of file
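Review bot: The fragment ends without a trailing newline (line 357), and `syslog2iptables.conf.make` emits it with `cat` immediately followed by `echo "    };"`, so in the generated file the last pattern's `};` and the closing `};` of the `file` block land on one line; add the final newline so the output stays line-structured and diffable. The file is also not a valid config on its own — it is meant to be wrapped in a `file "..." { ... };` block by the generator — which deserves a first-line comment such as `// fragment: body of a file "..." { } block; emitted once per access log by syslog2iptables.conf.make`.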
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/syslog2iptables.conf.make	Sat Oct 04 10:01:32 2014 -0700
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+(
+    echo '// generated by syslog2iptables.conf.make'
+    echo ''
+    cat syslog2iptables.conf.top
+
+    for fn in /var/log/httpd/access*log; do
+        if [ -f "$fn" ]; then
+            echo "    file \"$fn\" {"
+            cat syslog2iptables.conf.httpd
+            echo "    };"
+        fi
+    done
+
+    cat syslog2iptables.conf.bottom
+) >syslog2iptables.conf
+
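Review bot: The redirect on line 377 truncates `syslog2iptables.conf` before any fragment is read, and the fragments are read by bare relative name (lines 366, 371, 376), so running the script from any other directory, or a `cat` failing part way, leaves the daemon with an empty or truncated rule file. Build the output in a temporary file beside the target and rename it into place only after the subshell succeeds, with `set -eu` so a missing fragment aborts instead of silently producing an incomplete config, and `cd` to the script's own directory first so the `%post` invocation and a manual run behave the same. `mktemp` creates the file mode 0600, so the `chmod` below restores the mode the plain redirect produced under the usual umask.
```shell
#!/bin/bash
set -eu
cd "$(dirname "$0")"
conf=syslog2iptables.conf
tmp=$(mktemp "$conf.XXXXXX")
trap 'rm -f "$tmp"' EXIT
(
    # … unchanged: header echo, cat of .top, per-access-log httpd loop, cat of .bottom …
) >"$tmp"
chmod 644 "$tmp"            # mktemp creates 0600
mv -f "$tmp" "$conf"
trap - EXIT
```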
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/syslog2iptables.conf.top	Sat Oct 04 10:01:32 2014 -0700
@@ -0,0 +1,113 @@
+context general {
+    threshold 550;
+
+    add_command    "/sbin/iptables -I INPUT --src %s --jump DROP";
+    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
+
+    ignore {
+        127.0.0.0/8;        // localhost
+    };
+
+    file "/var/log/secure" {
+        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
+            index 1;    // zero based
+            bucket 400;
+            message "ssh failed password";
+        };
+        pattern "sshd.*Failed password .* from (.*) port" {
+            index 1;    // zero based
+            bucket 400;
+            message "ssh failed password";
+        };
+        pattern "sshd.*authentication failure; .* rhost=(.*) " {
+            index 1;    // zero based
+            bucket 400;
+            message "ssh failed password";
+        };
+        pattern "sshd.*Did not receive identification string from (.*)" {
+            index 1;    // zero based
+            bucket 400;
+            message "ssh failed password";
+        };
+        pattern "proftpd.*no such user found from (.*) \[" {
+            index 1;    // zero based
+            bucket 400;
+            message "ftp failed password";
+        };
+        pattern "proftpd.* authentication failure; .* rhost=(.*) " {
+            index 1;    // zero based
+            bucket 400;
+            message "ftp failed password";
+        };
+        pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
+            index 1;    // zero based
+            bucket 400;
+            message "ftp failed password";
+        };
+        pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
+            index 1;    // zero based
+            bucket 400;
+            message "dovecot failed password";
+        };
+        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
+            index 1;    // zero based
+            bucket 400;
+            message "dovecot failed password";
+        };
+    };
+
+    file "/var/log/messages" {
+        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
+            index 1;    // zero based
+            bucket 400;
+            message "dovecot failed password";
+        };
+        pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
+            index 1;    // zero based
+            bucket 400;
+            message "kernel firewall blocked packet";
+        };
+        pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
+            index 1;    // zero based
+            bucket 400;
+            message "kernel firewall blocked packet";
+        };
+    };
+
+    file "/var/log/maillog" {
+        pattern "\]: .* \[(.*)\] did not issue MAIL" {
+            index 1;    // zero based
+            bucket 200;
+            message "sendmail banner probe";
+        };
+        pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
+            index 1;    // zero based
+            bucket 200;
+            message "sendmail spammer dropping connection";
+        };
+        pattern " \[(.*)\]: possible SMTP attack" {
+            index 1;    // zero based
+            bucket 600;
+            message "sendmail authentication attack";
+        };
+        pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
+            index 1;    // zero based
+            bucket 1800;
+            message "sendmail pre-greeting";
+        };
+        pattern "authentication failure: checkpass failed,.*\[(.*)\]" {
+            index 1;    // zero based
+            bucket 600;
+            message "sendmail authentication attack";
+        };
+        pattern "dovecot.*Aborted login.*rip=(.*)," {
+            index 1;    // zero based
+            bucket 100;
+            message "dovecot failed password";
+        };
+        pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
+            index 1;    // zero based
+            bucket 100;
+            message "dovecot failed password";
+        };
+    };
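Review bot: The fragment opens `context general {` (line 382) but never closes it — the closing `};` lives in `syslog2iptables.conf.bottom` — and nothing in the file says so, so anyone editing or validating it on its own sees an unbalanced block; add a leading comment `// fragment: opens context general; closed by syslog2iptables.conf.bottom via syslog2iptables.conf.make`. The old monolithic config carried a warning next to the sendmail patterns to list upstream MX relays in `ignore`; that warning was dropped here, while the new `kernel.*SRC=(.*)` patterns (lines 446-455) make any trusted host whose packets hit a logged firewall rule a DROP candidate. The `ignore` block on lines 388-390 should therefore carry `// add monitoring hosts and upstream MX relays here; every pattern below DROPs the captured address`.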
--- a/syslog2iptables.spec.in	Tue Jun 10 09:13:16 2014 -0700
+++ b/syslog2iptables.spec.in	Sat Oct 04 10:01:32 2014 -0700
@@ -34,6 +34,7 @@
 make DESTDIR=$RPM_BUILD_ROOT install
 mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
 mv -f $RPM_BUILD_ROOT%{_sysconfdir}/%{name}        $RPM_BUILD_ROOT/etc/rc.d/init.d
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/%{name}.conf
 
 
 %clean
@@ -45,6 +46,7 @@
 
 %post
 /sbin/chkconfig --add %{name}
+(cd %{_sysconfdir}; ./%{name}.conf.make)
 
 
 %preun
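Review bot: `(cd %{_sysconfdir}; ./%{name}.conf.make)` on line 509 runs the generator even when the `cd` fails, in which case `./%{name}.conf.make` is resolved against rpm's current directory; use `cd %{_sysconfdir} && ./%{name}.conf.make`. The generated `%{_sysconfdir}/%{name}.conf` is created by `%post` but not listed in `%files` (the `%files` hunk later in this diff lists only the fragments and the script), so rpm neither tracks it nor removes it on erase; declare it as `%ghost %config(noreplace) %{_sysconfdir}/%{name}.conf` so the package owns it, or delete it in `%postun`.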
@@ -62,11 +64,17 @@
 %{_mandir}/man5/*
 %docdir %{_datadir}/doc/%{name}-%{version}
 %{_datadir}/doc/%{name}-%{version}
-%config(noreplace) %{_sysconfdir}/%{name}.conf
+%config(noreplace) %{_sysconfdir}/%{name}.conf.top
+%config(noreplace) %{_sysconfdir}/%{name}.conf.httpd
+%config(noreplace) %{_sysconfdir}/%{name}.conf.bottom
+%attr(750,root,root) %{_sysconfdir}/%{name}.conf.make
 /etc/rc.d/init.d/%{name}
 
 
 %changelog
+* Thu Oct 02 2014 Carl Byington <carl@five-ten-sg.com> - 1.15-1
+- add script to build syslog2iptables.conf
+
 * Tue Jun 10 2014 Carl Byington <carl@five-ten-sg.com> - 1.14-1
 - Add exponential increase in penalty for repeat offenders.