| commit | author | age | ||
| 77f371 | 1 | [DEFAULT] |
| T | 2 | # 24h + 5min |
| 3 | # Time to keep banned a bad ip | |
| 8f00aa | 4 | watch_while = 86700 |
| 3a37e6 | 5 | # Max tries before being banned |
| 77f371 | 6 | maxtries = 3 |
| T | 7 | # pf table to keep bad IP. |
| 8 | # remember to clean the table with this command in a cron job : | |
| 3a37e6 | 9 | # /sbin/pfctl -t vilain_bruteforce -T expire 86400 |
| 77f371 | 10 | vilain_table = vilain_bruteforce |
| 8f00aa | 11 | |
| Y | 12 | # vilain log file |
| 13 | vilain_log = /var/log/daemon | |
| 3a37e6 | 14 | |
| 90bc70 | 15 | # duration before each checks on the different log files |
| T | 16 | sleeptime = 3.0 |
| 17 | ||
| 3a37e6 | 18 | ### Ip ignored ### |
| T | 19 | [ignoreip] |
| 6bbbca | 20 | ip1 = 127.0.0.1 |
| 40cb2e | 21 | |
| 77f371 | 22 | ### Guardians |
| T | 23 | #[name of the guardian] |
| 24 | #logfile = /file/to/watch | |
| 25 | #regex = regex that return the bad guy IP | |
| 40cb2e | 26 | #maxtries = 2 #facultative |
| 77f371 | 27 | |
| T | 28 | [ssh] |
| 29 | logfile = /var/log/authlog | |
| 30 | regex = .* Failed .* from ([\S]+) .* | |
| 31 | ||
| 32 | [ssh2] | |
| 33 | logfile = /var/log/authlog | |
| 34 | regex = .* Connection closed by ([\S]+) .* | |
| 35 | ||
| 3a37e6 | 36 | #[http404] |
| T | 37 | #logfile = /var/www/logs/access.log |
| 38 | #regex = (?:\S+\s){1}(\S+).*\s404\s.* | |
| 39 | ||
| 40 | [http401] | |
| 41 | logfile = /var/www/logs/access.log | |
| 42 | regex = (?:\S+\s){1}(\S+).*\s401\s.* | |
| 43 | ||
| 44 | [http403] | |
| 45 | logfile = /var/www/logs/access.log | |
| 46 | regex = (?:\S+\s){1}(\S+).*\s403\s.* | |
| 47 | ||
| 48 | [smtp] | |
| 49 | logfile = /var/log/maillog | |
| 50 | regex = .* event=failed-command address=([\S]+) .* | |
| 6bbbca | 51 | maxtries = 2 |
| 3a37e6 | 52 | |
| T | 53 | [dovecot] |
| 54 | logfile = /var/log/maillog | |
| 55 | regex = .*auth failed.*rip=([\S]+),.* | |
| 6bbbca | 56 | maxtries = 2 |
| 3a37e6 | 57 | |
| T | 58 | [wordpress] |
| 59 | # don't use if you have wordpress | |
| 60 | logfile = /var/www/logs/access.log | |
| 61 | regex = (?:\S+\s){1}(\S+).*wp-login.php.* | |
| 6bbbca | 62 | maxtries = 1 |
| 913947 | 63 | |
| Y | 64 | # Nextcloud: login page |
| 65 | # Nextcloud 12 brings protection against brute-force attacks | |
| 66 | # but 1/ not yet tested so far 2/ system protection is probably more efficient | |
| 6bbbca | 67 | #[nextcloud] |
| T | 68 | #logfile = /var/www/htdocs/datacloud/nextcloud.log |
| 69 | #regex = .*Bruteforce attempt from \\"(.*)\\" detected | |
| 913947 | 70 | |
| Y | 71 | # Nextcloud: public shares protected by password |
| 72 | # regex is compliant with NginX log format: | |
| 73 | # /etc/nginx/nginx.conf: | |
| 74 | # log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | |
| 75 | # '$status $body_bytes_sent "$http_referer" ' | |
| 76 | # '"$http_user_agent" "$http_x_forwarded_for"'; | |
| 6bbbca | 77 | #[nextcloud-share] |
| T | 78 | #logfile = /var/www/logs/access-nextcloud.log |
| 79 | #regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200 | |
