changeset 53:d6fb7fca0394 stable-1-0-13
Document multiple contexts
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Sun, 25 Jan 2009 08:37:36 -0800 |
parents | fcbc7b7efd14 |
children | f22d21b52b45 |
files | ChangeLog NEWS configure.in syslog2iptables.conf syslog2iptables.spec.in xml/syslog2iptables.in |
diffstat | 6 files changed, 128 insertions(+), 84 deletions(-) [+] |
--- a/ChangeLog Sat Jan 24 17:42:53 2009 -0800
+++ b/ChangeLog Sun Jan 25 08:37:36 2009 -0800
@@ -1,3 +1,6 @@
+1.13 2009-01-25
+ Document multiple contexts.
+
 1.12 2009-01-24
 Allow multiple contexts with independent add/remove commands.
--- a/NEWS Sat Jan 24 17:42:53 2009 -0800
+++ b/NEWS Sun Jan 25 08:37:36 2009 -0800
@@ -1,3 +1,4 @@
+1.13 2009-01-25 Document multiple contexts.
 1.12 2009-01-24 Allow multiple contexts with independent add/remove commands.
 1.11 2008-05-29 Fixes to compile on Fedora 9 and for const correctness.
 1.10 2008-03-22 Add fixes for Solaris from sm-archive.
--- a/configure.in Sat Jan 24 17:42:53 2009 -0800
+++ b/configure.in Sun Jan 25 08:37:36 2009 -0800
@@ -1,6 +1,6 @@
 AC_PREREQ(2.59)
-AC_INIT(syslog2iptables,1.12,carl@five-ten-sg.com)
+AC_INIT(syslog2iptables,1.13,carl@five-ten-sg.com)
 AC_CONFIG_SRCDIR([config.h.in])
 AC_CONFIG_HEADER([config.h])
--- a/syslog2iptables.conf Sat Jan 24 17:42:53 2009 -0800
+++ b/syslog2iptables.conf Sun Jan 25 08:37:36 2009 -0800
@@ -28,14 +28,6 @@
 127.0.0.0/8; // localhost
 };
- // file "/var/log/cisco.log" {
- // pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
- // index 2; // zero based
- // bucket 200;
- // message "cisco firewall blocked packet";
- // };
- // };
-
 file "/var/log/secure" {
 pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
 index 1; // zero based
@@ -129,18 +121,5 @@
 message "sendmail rejected bounce";
 };
 };
-
- // file "/var/log/messages" {
- // pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
- // index 1; // zero based
- // bucket 300;
- // message "ssh failed password";
- // };
- // pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
- // index 1; // zero based
- // bucket 300;
- // message "ssh failed password";
- // };
- // };
 };
--- a/syslog2iptables.spec.in Sat Jan 24 17:42:53 2009 -0800
+++ b/syslog2iptables.spec.in Sun Jan 25 08:37:36 2009 -0800
@@ -69,6 +69,9 @@
 %changelog
+* Sun Jan 25 2009 Carl Byington <carl@five-ten-sg.com> - 1.13-1
+- Document multiple contexts.
+
 * Sat Jan 24 2009 Carl Byington <carl@five-ten-sg.com> - 1.12-1
 - Allow multiple contexts with independent add/remove commands.
--- a/xml/syslog2iptables.in Sat Jan 24 17:42:53 2009 -0800
+++ b/xml/syslog2iptables.in Sun Jan 25 08:37:36 2009 -0800
@@ -19,7 +19,7 @@
 <refentry id="@PACKAGE@.1">
 <refentryinfo>
- <date>2008-05-29</date>
+ <date>2009-01-25</date>
 </refentryinfo>
 <refmeta>
@@ -159,7 +159,7 @@
 <refentry id="@PACKAGE@.conf.5">
 <refentryinfo>
- <date>2008-05-29</date>
+ <date>2009-01-25</date>
 </refentryinfo>
 <refmeta>
@@ -188,13 +190,15 @@
 </para>
 <literallayout class="monospaced"><![CDATA[
-CONFIG := {THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE}+
-THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE ";"
-ADD-CMD := "add_command" IPT-CMD ";"
-REM-CMD := "remove_command" IPT-CMD ";"
-IGNORE := "ignore" "{" IG-SINGLE+ "};"
-IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
-FILE := "file" FILENAME "{" PATTERN+ "};"
+CONFIG = {CONTEXT ";"}+
+CONTEXT = "context" NAME "{" {STATEMENT}+ "}"
+STATEMENT := (THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE) ";"
+THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE
+ADD-CMD := "add_command" IPT-CMD
+REM-CMD := "remove_command" IPT-CMD
+IGNORE := "ignore" "{" IG-SINGLE+ "}"
+IG-SINGLE := IP-ADDRESS "/" CIDR-BITS
+FILE := "file" FILENAME "{" PATTERN+ "}"
 PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
 INDEX := "index" REGEX-INTEGER-VALUE ";"
 BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
@@ -207,6 +209,27 @@
 <refsect1 id='sample.5'>
 <title>Sample</title>
 <literallayout class="monospaced"><![CDATA[
+context dns {
+ threshold 1100;
+
+ add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
+ remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
+
+ ignore {
+ 127.0.0.0/8; // localhost
+ };
+
+ file "/var/log/messages" {
+ pattern "named.*client (.*)#.*query.*cache.*denied" {
+ index 1; // zero based
+ bucket 400;
+ message "DNS attack";
+ };
+ };
+};
+
+
+context general {
 threshold 550;
 add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
@@ -216,14 +239,6 @@
 127.0.0.0/8; // localhost
 };
-file "/var/log/cisco.log" {
- pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
- index 2; // zero based
- bucket 200;
- message "cisco firewall blocked packet";
- };
-};
-
 file "/var/log/secure" {
 pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
 index 1; // zero based
@@ -235,44 +250,87 @@
 bucket 400;
 message "ssh failed password";
 };
+ pattern "proftpd.*no such user found from (.*) \[" {
+ index 1; // zero based
+ bucket 400;
+ message "ftp failed password";
+ };
+ };
+
+ file "/var/log/messages" {
+ pattern "ipop3d.* Login failed .* \[(.*)\]" {
+ index 1; // zero based
+ bucket 400;
+ message "pop3 failed password";
+ };
 };
 file "/var/log/httpd/access_log" {
+ // of course you cannot use this if you actually use cgi-bin directories
 pattern "(.*) - - .* /cgi-bin" {
 index 1; // zero based
 bucket 400;
 message "apache cgi-bin reference";
 };
+ // or if you actually have an index2.php script
 pattern "(.*) - - .*/index2.php" {
 index 1; // zero based
 bucket 400;
 message "apache index2.php reference";
 };
+ // or if you have a main.php script
 pattern "(.*) - - .*/main.php" {
 index 1; // zero based
 bucket 400;
 message "apache main.php reference";
 };
+ pattern "(.*) - - .*/awstats.pl" {
+ index 1; // zero based
+ bucket 400;
+ message "apache awstats.pl reference";
+ };
+ pattern "(.*) - - .*/adxmlrpc" {
+ index 1; // zero based
+ bucket 400;
+ message "apache adxmlrpc reference";
+ };
 };
 file "/var/log/maillog" {
- pattern "lost input channel from .* \[(.*)\] .* after mail" {
+ pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
 index 1; // zero based
 bucket 200;
 message "sendmail spammer dropping connection";
 };
+ pattern " \[(.*)\]: possible SMTP attack" {
+ index 1; // zero based
+ bucket 600;
+ message "sendmail authentication attack";
+ };
+ pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
+ index 1; // zero based
+ bucket 200;
+ message "sendmail pre-greeting";
+ };
+ pattern "dovecot.*Aborted login.*rip=(.*)," {
+ index 1; // zero based
+ bucket 100;
+ message "dovecot failed password";
+ };
+ pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
+ index 1; // zero based
+ bucket 100;
+ message "dovecot failed password";
 };
-file "/var/log/messages" {
- pattern 
"sshd.pam_unix.*authentication failure.*rhost=(.*) user=" { + // make sure your upstream MX servers are listed in the + // ignore block above, otherwise you will kill them off + // when they try to forward such mail to you. + pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" { index 1; // zero based - bucket 300; - message "ssh failed password"; + bucket 200; + message "sendmail rejected bounce"; }; - pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" { - index 1; // zero based - bucket 300; - message "ssh failed password"; }; };]]></literallayout> </refsect1>