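# vilain configuration: each guardian section below watches one log file,
# extracts an address with its regex and, once the address has matched
# maxtries times, adds it to the pf table named in vilain_table.
# Comments must be on their own line: text after a value on the same line is
# read as part of the value (e.g. "maxtries = 2 # note" is not an integer).

[DEFAULT]
# Values here apply to every guardian section unless the guardian sets its
# own (presumably configparser-style [DEFAULT] fallback - confirm in vilain).

# Duration (in sec) to keep banned a bad ip, reduce value if too much memory consumption
watch_while = 3602

# Max tries before being banned (a guardian may override this)
maxtries = 3

# pf table to keep bad IP.
# remember to clean the table with this command in a cron job :
# /sbin/pfctl -t vilain_bruteforce -T expire 86400
# The cron expire (86400 s) is what makes pf stop blocking an address;
# presumably watch_while only bounds how long vilain itself tracks it - confirm.
vilain_table = vilain_bruteforce

# vilain log file
vilain_log = /var/log/daemon

# duration before each checks on the different log files
# (presumably seconds, like watch_while)
sleeptime = 3.0

### Ip ignored ###
# Addresses listed here are never banned. Add the hosts you administer from
# so a mistyped password cannot lock you out; use one numbered key per
# address (ip1, ip2, ...).
[ignoreip]
ip1 = 127.0.0.1

### Guardians
# Template for a guardian section. The regex needs exactly one capture
# group, which yields the address to ban. Prefer the daemon's fixed wording
# over bare .* so that client-supplied fields (usernames, request lines)
# cannot widen the match.
#[name of the guardian]
#logfile = /file/to/watch
#regex = regex that return the bad guy IP
# maxtries is optional and overrides the [DEFAULT] value for this guardian
#maxtries = 2

# Any "Failed ..." authentication line. This also matches the root failures
# counted by [sshroot], so one root failure advances both guardians.
[sshfail]
logfile = /var/log/authlog
regex = .* Failed .* from ([\S]+) .*

# Client disconnected while still authenticating as root
[sshrootauth]
logfile = /var/log/authlog
regex = .* Disconnected from authenticating user root ([\S]+) .*
maxtries = 1

# Login attempt for a user that does not exist
[sshinvaliduser]
logfile = /var/log/authlog
regex = .* Invalid user \w+ from ([\S]+) .*
maxtries = 1

# Failed login as root: banned on the first attempt
[sshroot]
logfile = /var/log/authlog
regex = .* Failed .* for root from ([\S]+) .*
maxtries = 1

# Client that did not send an SSH protocol banner; uses the default maxtries
[sshbadprotocol]
logfile = /var/log/authlog
regex = .*Bad protocol version identification .* from ([\S]+) .*

# Web guardians: (?:\S+\s){1}(\S+) skips the first field and captures the
# second, i.e. it assumes a log line that starts with the server name and
# then the client address (presumably the OpenBSD httpd format - confirm).
# If your access log starts with the client address (nginx default, see
# [nextcloud-share]) drop the leading (?:\S+\s){1}.
#[http404]
#logfile = /var/www/logs/access.log
#regex = (?:\S+\s){1}(\S+).*\s404\s.*

# Repeated 401 responses (HTTP authentication failures)
[http401]
logfile = /var/www/logs/access.log
regex = (?:\S+\s){1}(\S+).*\s401\s.*

# Repeated 403 responses
[http403]
logfile = /var/www/logs/access.log
regex = (?:\S+\s){1}(\S+).*\s403\s.*

# SMTP AUTH failures reported by the mail daemon (535 result)
[smtp]
logfile = /var/log/maillog
regex = .* failed-command address=([\S]+) .* result=\"535 Authentication failed\"
maxtries = 2

# Dovecot auth failures; the address is taken from the rip= field
[dovecot]
logfile = /var/log/maillog
regex = .*auth failed.*rip=([\S]+),.*
maxtries = 2

# Dovecot connections closed with no auth attempts but logged as failed
[dovecot2]
logfile = /var/log/maillog
regex = .*no auth attempts in.*rip=([\S]+),.*failed.*
maxtries = 2

[wordpress]
# don't use if you have wordpress
# Bans any client that requests wp-login.php on the first hit (maxtries = 1),
# i.e. a trap for scanners on a server that does not serve WordPress.
logfile = /var/www/logs/access.log
regex = (?:\S+\s){1}(\S+).*wp-login.php.*
maxtries = 1

# Nextcloud: login page
# Nextcloud 12 brings protection against brute-force attacks
# but 1/ not yet tested so far 2/ system protection is probably more efficient
# \\" matches an escaped quote around the address in nextcloud.log
# (presumably the message is JSON-encoded - confirm against the log).
[nextcloud]
logfile = /var/www/htdocs/datacloud/nextcloud.log
regex = .*Bruteforce attempt from \\"(.*)\\" detected

# Nextcloud: public shares protected by password
# regex is compliant with NginX log format:
# /etc/nginx/nginx.conf:
# log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
# The address is the first field, $remote_addr: behind a reverse proxy that
# is the proxy's address, not the client's. Only IPv4 (\d+.\d+.\d+.\d+) is
# matched, so IPv6 clients are never banned by this guardian. Only status
# 200 counts - presumably a wrong password re-renders the form with 200
# while success redirects; confirm before relying on it.
[nextcloud-share]
logfile = /var/www/logs/access-nextcloud.log
regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200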