[DEFAULT]
|
# 24h + 5min
|
# Time to keep banned a bad ip
|
watch_while = 86700
|
# Max tries before being banned
|
maxtries = 3
|
# pf table to keep bad IP.
|
# remember to clean the table with this command in a cron job :
|
# /sbin/pfctl -t vilain_bruteforce -T expire 86400
|
vilain_table = vilain_bruteforce
|
|
### Ip ignored ###
|
[ignoreip]
|
ip1 = 92.150.160.157
|
ip2 = 92.150.160.156
|
|
# duration before each checks on the different log files
|
sleeptime = 0.5
|
|
### Guardians
|
#[name of the guardian]
|
#logfile = /file/to/watch
|
#regex = regex that return the bad guy IP
|
#maxtries = 2 #facultative
|
|
[ssh]
|
logfile = /var/log/authlog
|
regex = .* Failed .* from ([\S]+) .*
|
|
[ssh2]
|
logfile = /var/log/authlog
|
regex = .* Connection closed by ([\S]+) .*
|
|
#[http404]
|
#logfile = /var/www/logs/access.log
|
#regex = (?:\S+\s){1}(\S+).*\s404\s.*
|
|
[http401]
|
logfile = /var/www/logs/access.log
|
regex = (?:\S+\s){1}(\S+).*\s401\s.*
|
|
[http403]
|
logfile = /var/www/logs/access.log
|
regex = (?:\S+\s){1}(\S+).*\s403\s.*
|
|
[smtp]
|
logfile = /var/log/maillog
|
regex = .* event=failed-command address=([\S]+) .*
|
|
[dovecot]
|
logfile = /var/log/maillog
|
regex = .*auth failed.*rip=([\S]+),.*
|
|
[wordpress]
|
# don't use if you have wordpress
|
logfile = /var/www/logs/access.log
|
regex = (?:\S+\s){1}(\S+).*wp-login.php.*
|
