[DEFAULT] |
70950c
|
2 |
# Duration (in seconds) to keep a bad IP banned; reduce the value if memory consumption gets too high
watch_while = 3602 |
# Max tries before being banned |
maxtries = 3 |
# pf table holding the banned IPs.
# remember to expire stale entries from the table with this command in a cron job:
# /sbin/pfctl -t vilain_bruteforce -T expire 86400 |
vilain_table = vilain_bruteforce |
# vilain log file |
vilain_log = /var/log/daemon |
# delay between successive checks of the different log files
sleeptime = 3.0 |
### Ignored IPs ###
[ignoreip] |
ip1 = 127.0.0.1 |
### Guardians |
#[name of the guardian] |
#logfile = /file/to/watch |
#regex = regex whose capture group returns the bad guy's IP
# optional, overrides the [DEFAULT] value
#maxtries = 2
[ssh] |
logfile = /var/log/authlog |
regex = .* Failed .* from ([\S]+) .* |
[ssh2] |
logfile = /var/log/authlog |
regex = .* Connection closed by ([\S]+) .* |
#[ssh3] |
#logfile = /var/log/authlog |
#regex = .* Invalid user \w+ from ([\S]+) .* |
[ssh4] |
logfile = /var/log/authlog |
regex = .* Disconnected from authenticating user root ([\S]+) .* |
#[http404] |
#logfile = /var/www/logs/access.log |
#regex = (?:\S+\s){1}(\S+).*\s404\s.* |
[http401] |
logfile = /var/www/logs/access.log |
regex = (?:\S+\s){1}(\S+).*\s401\s.* |
[http403] |
logfile = /var/www/logs/access.log |
regex = (?:\S+\s){1}(\S+).*\s403\s.* |
[smtp] |
logfile = /var/log/maillog |
regex = .* event=failed-command address=([\S]+) .* |
maxtries = 2 |
[dovecot] |
logfile = /var/log/maillog |
regex = .*auth failed.*rip=([\S]+),.* |
maxtries = 2 |
[wordpress] |
# don't enable this guardian if you actually run wordpress (any wp-login.php request counts as a try)
logfile = /var/www/logs/access.log |
regex = (?:\S+\s){1}(\S+).*wp-login.php.* |
maxtries = 1 |
# Nextcloud: login page |
# Nextcloud 12 brings protection against brute-force attacks |
# but 1) it has not been tested so far, 2) system-level protection is probably more efficient
[nextcloud] |
logfile = /var/www/htdocs/datacloud/nextcloud.log |
regex = .*Bruteforce attempt from \\"(.*)\\" detected |
# Nextcloud: public shares protected by password |
# regex matches the nginx log format below:
# /etc/nginx/nginx.conf: |
# log_format main '$remote_addr - $remote_user [$time_local] "$request" ' |
# '$status $body_bytes_sent "$http_referer" ' |
# '"$http_user_agent" "$http_x_forwarded_for"'; |
[nextcloud-share] |
logfile = /var/www/logs/access-nextcloud.log |
regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200 |