[DEFAULT]
|
# Duration (in sec) to keep banned a bad ip, reduce value if too much memory consumption
|
watch_while = 3602
|
# Max tries before being banned
|
maxtries = 3
|
# pf table to keep bad IP.
|
# remember to clean the table with this command in a cron job :
|
# /sbin/pfctl -t vilain_bruteforce -T expire 86400
|
vilain_table = vilain_bruteforce
|
|
# vilain log file
|
vilain_log = /var/log/daemon
|
|
# duration before each checks on the different log files
|
sleeptime = 3.0
|
|
### Ip ignored ###
|
[ignoreip]
|
ip1 = 127.0.0.1
|
|
### Guardians
|
#[name of the guardian]
|
#logfile = /file/to/watch
|
#regex = regex that return the bad guy IP
|
#maxtries = 2 #facultative
|
|
[sshfail]
|
logfile = /var/log/authlog
|
regex = .* Failed .* from ([\S]+) .*
|
|
[sshrootauth]
|
logfile = /var/log/authlog
|
regex = .* Disconnected from authenticating user root ([\S]+) .*
|
maxtries = 1
|
|
[sshinvaliduser]
|
logfile = /var/log/authlog
|
regex = .* Invalid user \w+ from ([\S]+) .*
|
maxtries = 1
|
|
[sshroot]
|
logfile = /var/log/authlog
|
regex = .* Failed .* for root from ([\S]+) .*
|
maxtries = 1
|
|
[sshbadprotocol]
|
logfile = /var/log/authlog
|
regex = .*Bad protocol version identification .* from ([\S]+) .*
|
|
#[http404]
|
#logfile = /var/www/logs/access.log
|
#regex = (?:\S+\s){1}(\S+).*\s404\s.*
|
|
[http401]
|
logfile = /var/www/logs/access.log
|
regex = (?:\S+\s){1}(\S+).*\s401\s.*
|
|
[http403]
|
logfile = /var/www/logs/access.log
|
regex = (?:\S+\s){1}(\S+).*\s403\s.*
|
|
[smtp]
|
logfile = /var/log/maillog
|
regex = .* failed-command address=([\S]+) .* result=\"535 Authentication failed\"
|
maxtries = 2
|
|
[dovecot]
|
logfile = /var/log/maillog
|
regex = .*auth failed.*rip=([\S]+),.*
|
maxtries = 2
|
|
[wordpress]
|
# don't use if you have wordpress
|
logfile = /var/www/logs/access.log
|
regex = (?:\S+\s){1}(\S+).*wp-login.php.*
|
maxtries = 1
|
|
# Nextcloud: login page
|
# Nextcloud 12 brings protection against brute-force attacks
|
# but 1/ not yet tested so far 2/ system protection is probably more efficient
|
[nextcloud]
|
logfile = /var/www/htdocs/datacloud/nextcloud.log
|
regex = .*Bruteforce attempt from \\"(.*)\\" detected
|
|
# Nextcloud: public shares protected by password
|
# regex is compliant with NginX log format:
|
# /etc/nginx/nginx.conf:
|
# log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
# '$status $body_bytes_sent "$http_referer" '
|
# '"$http_user_agent" "$http_x_forwarded_for"';
|
[nextcloud-share]
|
logfile = /var/www/logs/access-nextcloud.log
|
regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200
|