| commit | author | age | ||
| 77f371 | 1 | [DEFAULT] |
| 70950c | 2 | # Duration (in sec) to keep banned a bad ip, reduce value if too much memory consumption |
| T | 3 | watch_while = 3602 |
| 3a37e6 | 4 | # Max tries before being banned |
| 77f371 | 5 | maxtries = 3 |
| T | 6 | # pf table to keep bad IP. |
| 7 | # remember to clean the table with this command in a cron job : | |
| 3a37e6 | 8 | # /sbin/pfctl -t vilain_bruteforce -T expire 86400 |
| 77f371 | 9 | vilain_table = vilain_bruteforce |
| 54613d | 10 | |
| T | 11 | # vilain log file |
| 12 | vilain_log = /var/log/daemon | |
| 3a37e6 | 13 | |
| 90bc70 | 14 | # duration before each checks on the different log files |
| T | 15 | sleeptime = 3.0 |
| 16 | ||
| 3a37e6 | 17 | ### Ip ignored ### |
| T | 18 | [ignoreip] |
| 6bbbca | 19 | ip1 = 127.0.0.1 |
| 40cb2e | 20 | |
| 77f371 | 21 | ### Guardians |
| T | 22 | #[name of the guardian] |
| 23 | #logfile = /file/to/watch | |
| 24 | #regex = regex that return the bad guy IP | |
| 40cb2e | 25 | #maxtries = 2 #facultative |
| 77f371 | 26 | |
| c97518 | 27 | [sshfail] |
| 77f371 | 28 | logfile = /var/log/authlog |
| T | 29 | regex = .* Failed .* from ([\S]+) .* |
| 30 | ||
| c97518 | 31 | [sshrootauth] |
| 54613d | 32 | logfile = /var/log/authlog |
| T | 33 | regex = .* Disconnected from authenticating user root ([\S]+) .* |
| c97518 | 34 | maxtries = 1 |
| T | 35 | |
| 36 | [sshinvaliduser] | |
| 37 | logfile = /var/log/authlog | |
| 38 | regex = .* Invalid user \w+ from ([\S]+) .* | |
| 39 | maxtries = 1 | |
| 40 | ||
| 41 | [sshroot] | |
| 42 | logfile = /var/log/authlog | |
| 43 | regex = .* Failed .* for root from ([\S]+) .* | |
| 44 | maxtries = 1 | |
| 45 | ||
| 46 | [sshbadprotocol] | |
| 47 | logfile = /var/log/authlog | |
| 48 | regex = .*Bad protocol version identification .* from ([\S]+) .* | |
| 77f371 | 49 | |
| 3a37e6 | 50 | #[http404] |
| T | 51 | #logfile = /var/www/logs/access.log |
| 52 | #regex = (?:\S+\s){1}(\S+).*\s404\s.* | |
| 53 | ||
| 54 | [http401] | |
| 55 | logfile = /var/www/logs/access.log | |
| 56 | regex = (?:\S+\s){1}(\S+).*\s401\s.* | |
| 57 | ||
| 58 | [http403] | |
| 59 | logfile = /var/www/logs/access.log | |
| 60 | regex = (?:\S+\s){1}(\S+).*\s403\s.* | |
| 61 | ||
| 62 | [smtp] | |
| 63 | logfile = /var/log/maillog | |
| c97518 | 64 | regex = .* failed-command address=([\S]+) .* result=\"535 Authentication failed\" |
| 6bbbca | 65 | maxtries = 2 |
| 3a37e6 | 66 | |
| T | 67 | [dovecot] |
| 68 | logfile = /var/log/maillog | |
| 69 | regex = .*auth failed.*rip=([\S]+),.* | |
| 6bbbca | 70 | maxtries = 2 |
| 3a37e6 | 71 | |
| 2fa8c5 | 72 | [dovecot2] |
| T | 73 | logfile = /var/log/maillog |
| e57a7b | 74 | regex = .*no auth attempts in.*rip=([\S]+),.*failed.* |
| 2fa8c5 | 75 | maxtries = 2 |
| T | 76 | |
| 3a37e6 | 77 | [wordpress] |
| T | 78 | # don't use if you have wordpress |
| 79 | logfile = /var/www/logs/access.log | |
| 80 | regex = (?:\S+\s){1}(\S+).*wp-login.php.* | |
| 6bbbca | 81 | maxtries = 1 |
| 3a37e6 | 82 | |
| 54613d | 83 | # Nextcloud: login page |
| T | 84 | # Nextcloud 12 brings protection against brute-force attacks |
| 85 | # but 1/ not yet tested so far 2/ system protection is probably more efficient | |
| 86 | [nextcloud] | |
| 87 | logfile = /var/www/htdocs/datacloud/nextcloud.log | |
| 88 | regex = .*Bruteforce attempt from \\"(.*)\\" detected | |
| 89 | ||
| 90 | # Nextcloud: public shares protected by password | |
| 91 | # regex is compliant with NginX log format: | |
| 92 | # /etc/nginx/nginx.conf: | |
| 93 | # log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | |
| 94 | # '$status $body_bytes_sent "$http_referer" ' | |
| 95 | # '"$http_user_agent" "$http_x_forwarded_for"'; | |
| 96 | [nextcloud-share] | |
| 97 | logfile = /var/www/logs/access-nextcloud.log | |
| 98 | regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200 | |
