| commit | author | age | ||
| 77f371 | 1 | [DEFAULT] |
| T | 2 | # 24h + 5min |
| 3 | # Time to keep banned a bad ip | |
| 4 | watch_while = 86700 | |
| 3a37e6 | 5 | # Max tries before being banned |
| 77f371 | 6 | maxtries = 3 |
| T | 7 | # pf table to keep bad IP. |
| 8 | # remember to clean the table with this command in a cron job : | |
| 3a37e6 | 9 | # /sbin/pfctl -t vilain_bruteforce -T expire 86400 |
| 77f371 | 10 | vilain_table = vilain_bruteforce |
| 3a37e6 | 11 | |
| T | 12 | ### Ip ignored ### |
| 13 | [ignoreip] | |
| 14 | ip1 = 92.150.160.157 | |
| 15 | ip2 = 92.150.160.156 | |
| 77f371 | 16 | |
| T | 17 | ### Guardians |
| 18 | #[name of the guardian] | |
| 19 | #logfile = /file/to/watch | |
| 20 | #regex = regex that return the bad guy IP | |
| 21 | ||
| 22 | [ssh] | |
| 23 | logfile = /var/log/authlog | |
| 24 | regex = .* Failed .* from ([\S]+) .* | |
| 25 | ||
| 26 | [ssh2] | |
| 27 | logfile = /var/log/authlog | |
| 28 | regex = .* Connection closed by ([\S]+) .* | |
| 29 | ||
| 3a37e6 | 30 | #[http404] |
| T | 31 | #logfile = /var/www/logs/access.log |
| 32 | #regex = (?:\S+\s){1}(\S+).*\s404\s.* | |
| 33 | ||
| 34 | [http401] | |
| 35 | logfile = /var/www/logs/access.log | |
| 36 | regex = (?:\S+\s){1}(\S+).*\s401\s.* | |
| 37 | ||
| 38 | [http403] | |
| 39 | logfile = /var/www/logs/access.log | |
| 40 | regex = (?:\S+\s){1}(\S+).*\s403\s.* | |
| 41 | ||
| 42 | [smtp] | |
| 43 | logfile = /var/log/maillog | |
| 44 | regex = .* event=failed-command address=([\S]+) .* | |
| 45 | ||
| 46 | [dovecot] | |
| 47 | logfile = /var/log/maillog | |
| 48 | regex = .*auth failed.*rip=([\S]+),.* | |
| 49 | ||
| 50 | [wordpress] | |
| 51 | # don't use if you have wordpress | |
| 52 | logfile = /var/www/logs/access.log | |
| 53 | regex = (?:\S+\s){1}(\S+).*wp-login.php.* | |
| 54 | ||
