| | |
|---|
| | | [DEFAULT] |
|---|
| | | # 24h + 5min |
|---|
| | | # Time to keep banned a bad ip |
|---|
| | | watch_while = 86700 |
|---|
| | | # Duration (in sec) to keep banned a bad ip, reduce value if too much memory consumption |
|---|
| | | watch_while = 3602 |
|---|
| | | # Max tries before being banned |
|---|
| | | maxtries = 3 |
|---|
| | | # pf table to keep bad IP. |
|---|
| | |
|---|
| | | # /sbin/pfctl -t vilain_bruteforce -T expire 86400 |
|---|
| | | vilain_table = vilain_bruteforce |
|---|
| | | |
|---|
| | | ### Ip ignored ### |
|---|
| | | [ignoreip] |
|---|
| | | ip1 = 92.150.160.157 |
|---|
| | | ip2 = 92.150.160.156 |
|---|
| | | # vilain log file |
|---|
| | | vilain_log = /var/log/daemon |
|---|
| | | |
|---|
| | | # duration before each checks on the different log files |
|---|
| | | sleeptime = 0.5 |
|---|
| | | sleeptime = 3.0 |
|---|
| | | |
|---|
| | | ### Ip ignored ### |
|---|
| | | [ignoreip] |
|---|
| | | ip1 = 127.0.0.1 |
|---|
| | | |
|---|
| | | ### Guardians |
|---|
| | | #[name of the guardian] |
|---|
| | |
|---|
| | | #regex = regex that return the bad guy IP |
|---|
| | | #maxtries = 2 #facultative |
|---|
| | | |
|---|
| | | [ssh] |
|---|
| | | [sshfail] |
|---|
| | | logfile = /var/log/authlog |
|---|
| | | regex = .* Failed .* from ([\S]+) .* |
|---|
| | | |
|---|
| | | [ssh2] |
|---|
| | | [sshrootauth] |
|---|
| | | logfile = /var/log/authlog |
|---|
| | | regex = .* Connection closed by ([\S]+) .* |
|---|
| | | regex = .* Disconnected from authenticating user root ([\S]+) .* |
|---|
| | | maxtries = 1 |
|---|
| | | |
|---|
| | | [sshinvaliduser] |
|---|
| | | logfile = /var/log/authlog |
|---|
| | | regex = .* Invalid user \w+ from ([\S]+) .* |
|---|
| | | maxtries = 1 |
|---|
| | | |
|---|
| | | [sshroot] |
|---|
| | | logfile = /var/log/authlog |
|---|
| | | regex = .* Failed .* for root from ([\S]+) .* |
|---|
| | | maxtries = 1 |
|---|
| | | |
|---|
| | | [sshbadprotocol] |
|---|
| | | logfile = /var/log/authlog |
|---|
| | | regex = .*Bad protocol version identification .* from ([\S]+) .* |
|---|
| | | |
|---|
| | | #[http404] |
|---|
| | | #logfile = /var/www/logs/access.log |
|---|
| | |
|---|
| | | |
|---|
| | | [smtp] |
|---|
| | | logfile = /var/log/maillog |
|---|
| | | regex = .* event=failed-command address=([\S]+) .* |
|---|
| | | regex = .* failed-command address=([\S]+) .* result=\"535 Authentication failed\" |
|---|
| | | maxtries = 2 |
|---|
| | | |
|---|
| | | [dovecot] |
|---|
| | | logfile = /var/log/maillog |
|---|
| | | regex = .*auth failed.*rip=([\S]+),.* |
|---|
| | | maxtries = 2 |
|---|
| | | |
|---|
| | | [wordpress] |
|---|
| | | # don't use if you have wordpress |
|---|
| | | logfile = /var/www/logs/access.log |
|---|
| | | regex = (?:\S+\s){1}(\S+).*wp-login.php.* |
|---|
| | | maxtries = 1 |
|---|
| | | |
|---|
| | | # Nextcloud: login page |
|---|
| | | # Nextcloud 12 brings protection against brute-force attacks |
|---|
| | | # but 1/ not yet tested so far 2/ system protection is probably more efficient |
|---|
| | | [nextcloud] |
|---|
| | | logfile = /var/www/htdocs/datacloud/nextcloud.log |
|---|
| | | regex = .*Bruteforce attempt from \\"(.*)\\" detected |
|---|
| | | |
|---|
| | | # Nextcloud: public shares protected by password |
|---|
| | | # regex is compliant with NginX log format: |
|---|
| | | # /etc/nginx/nginx.conf: |
|---|
| | | # log_format main '$remote_addr - $remote_user [$time_local] "$request" ' |
|---|
| | | # '$status $body_bytes_sent "$http_referer" ' |
|---|
| | | # '"$http_user_agent" "$http_x_forwarded_for"'; |
|---|
| | | [nextcloud-share] |
|---|
| | | logfile = /var/www/logs/access-nextcloud.log |
|---|
| | | regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200 |
|---|
