From 10195c05b943b963573569b94a1e13c5a295b255 Mon Sep 17 00:00:00 2001 From: Thuban <thuban@yeuxdelibad.net> Date: Sat, 01 Dec 2018 09:21:47 +0000 Subject: [PATCH] exemples --- vilain.conf | 33 ++++++++++++++++++++++++++++++++- 1 files changed, 32 insertions(+), 1 deletions(-) diff --git a/vilain.conf b/vilain.conf index 255438e..1e9a7e5 100644 --- a/vilain.conf +++ b/vilain.conf @@ -1,13 +1,19 @@ [DEFAULT] # 24h + 5min # Time to keep banned a bad ip -watch_while = 86700 +watch_while = 86700 # Max tries before being banned maxtries = 3 # pf table to keep bad IP. # remember to clean the table with this command in a cron job : # /sbin/pfctl -t vilain_bruteforce -T expire 86400 vilain_table = vilain_bruteforce + +# vilain log file +vilain_log = /var/log/daemon + +# duration before each checks on the different log files +sleeptime = 3.0 ### Ip ignored ### [ignoreip] @@ -18,6 +24,7 @@ #[name of the guardian] #logfile = /file/to/watch #regex = regex that return the bad guy IP +#maxtries = 2 #facultative [ssh] logfile = /var/log/authlog @@ -26,6 +33,14 @@ [ssh2] logfile = /var/log/authlog regex = .* Connection closed by ([\S]+) .* + +[ssh3] +logfile = /var/log/authlog +regex = .* Invalid user \w+ ([\S]+) .* + +[ssh4] +logfile = /var/log/authlog +regex = .* Disconnected from authenticating user root ([\S]+) .* #[http404] #logfile = /var/www/logs/access.log @@ -52,3 +67,19 @@ logfile = /var/www/logs/access.log regex = (?:\S+\s){1}(\S+).*wp-login.php.* +# Nextcloud: login page +# Nextcloud 12 brings protection against brute-force attacks +# but 1/ not yet tested so far 2/ system protection is probably more efficient +[nextcloud] +logfile = /var/www/htdocs/datacloud/nextcloud.log +regex = .*Bruteforce attempt from \\"(.*)\\" detected + +# Nextcloud: public shares protected by password +# regex is compliant with NginX log format: +# /etc/nginx/nginx.conf: +# log_format main '$remote_addr - $remote_user [$time_local] "$request" ' +# '$status $body_bytes_sent "$http_referer" ' +# '"$http_user_agent" "$http_x_forwarded_for"'; +[nextcloud-share] +logfile = /var/www/logs/access-nextcloud.log +regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200 -- Gitblit v1.9.3