vilain.git - Gitblit

			@@ -1,13 +1,19 @@
			[DEFAULT]
			# 24h + 5min
			# Time to keep banned a bad ip
			watch_while = 86700
			watch_while = 86700
			# Max tries before being banned
			maxtries = 3
			# pf table to keep bad IP.
			# remember to clean the table with this command in a cron job :
			# /sbin/pfctl -t vilain_bruteforce -T expire 86400
			vilain_table = vilain_bruteforce

			# vilain log file
			vilain_log = /var/log/daemon

			# duration before each checks on the different log files
			sleeptime = 3.0

			### Ip ignored ###
			[ignoreip]
			@@ -18,6 +24,7 @@
			#[name of the guardian]
			#logfile = /file/to/watch
			#regex = regex that return the bad guy IP
			#maxtries = 2 #facultative

			[ssh]
			logfile = /var/log/authlog
			@@ -26,6 +33,14 @@
			[ssh2]
			logfile = /var/log/authlog
			regex = .* Connection closed by ([\S]+) .*

			[ssh3]
			logfile = /var/log/authlog
			regex = .* Invalid user \w+ ([\S]+) .*

			[ssh4]
			logfile = /var/log/authlog
			regex = .* Disconnected from authenticating user root ([\S]+) .*

			#[http404]
			#logfile = /var/www/logs/access.log
			@@ -52,3 +67,19 @@
			logfile = /var/www/logs/access.log
			regex = (?:\S+\s){1}(\S+).wp-login.php.

			# Nextcloud: login page
			# Nextcloud 12 brings protection against brute-force attacks
			# but 1/ not yet tested so far 2/ system protection is probably more efficient
			[nextcloud]
			logfile = /var/www/htdocs/datacloud/nextcloud.log
			regex = .Bruteforce attempt from \\"(.)\\" detected

			# Nextcloud: public shares protected by password
			# regex is compliant with NginX log format:
			# /etc/nginx/nginx.conf:
			# log_format main '$remote_addr - $remote_user [$time_local] "$request" '
			# '$status $body_bytes_sent "$http_referer" '
			# '"$http_user_agent" "$http_x_forwarded_for"';
			[nextcloud-share]
			logfile = /var/www/logs/access-nextcloud.log
			regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200