From c2ed2b213d1affd5706a437850e6421a0c87b694 Mon Sep 17 00:00:00 2001
From: Thuban <thuban@yeuxdelibad.net>
Date: Wed, 01 Nov 2017 21:57:05 +0000
Subject: [PATCH] Merge branch 'master' of framagit.org:Thuban/vilain

---
 vilain.conf |   27 +++++++++++++++++++++++----
 1 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/vilain.conf b/vilain.conf
index 9e97fef..907460e 100644
--- a/vilain.conf
+++ b/vilain.conf
@@ -1,7 +1,7 @@
 [DEFAULT]
 # 24h + 5min
 # Time to keep banned a bad ip
-watch_while = 86700 
+watch_while = 86700
 # Max tries before being banned
 maxtries = 3
 # pf table to keep bad IP.
@@ -9,13 +9,16 @@
 #     /sbin/pfctl -t vilain_bruteforce -T expire 86400
 vilain_table = vilain_bruteforce
 
+# vilain log file
+vilain_log = /var/log/daemon
+
+# duration before each checks on the different log files
+sleeptime = 3.0
+
 ### Ip ignored ###
 [ignoreip]
 ip1 = 92.150.160.157
 ip2 = 92.150.160.156
-
-# duration before each checks on the different log files
-sleeptime = 0.5
 
 ### Guardians
 #[name of the guardian]
@@ -56,3 +59,19 @@
 logfile = /var/www/logs/access.log
 regex = (?:\S+\s){1}(\S+).*wp-login.php.*
 
+# Nextcloud: login page
+# Nextcloud 12 brings protection against brute-force attacks
+# but 1/ not yet tested so far 2/ system protection is probably more efficient
+[nextcloud]
+logfile = /var/www/htdocs/datacloud/nextcloud.log
+regex = .*Bruteforce attempt from \\"(.*)\\" detected
+
+# Nextcloud: public shares protected by password
+# regex is compliant with NginX log format:
+#     /etc/nginx/nginx.conf:
+#        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+#                        '$status $body_bytes_sent "$http_referer" '
+#                        '"$http_user_agent" "$http_x_forwarded_for"';
+[nextcloud-share]
+logfile = /var/www/logs/access-nextcloud.log
+regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200

--
Gitblit v1.9.3