From e57a7b2c21f4f06c8deae99b1db89bbe0a8eb81d Mon Sep 17 00:00:00 2001
From: Thuban <thuban@yeuxdelibad.net>
Date: Sun, 28 Apr 2019 10:57:45 +0000
Subject: [PATCH] update regex, thx mimoza

---
 vilain.conf |   90 +++++++++++++++++++++++++++++++++++++++++----
 1 files changed, 82 insertions(+), 8 deletions(-)

diff --git a/vilain.conf b/vilain.conf
index 8fe5ffb..00c3a22 100644
--- a/vilain.conf
+++ b/vilain.conf
@@ -1,24 +1,98 @@
 [DEFAULT]
-# 24h + 5min
-# Time to keep banned a bad ip
-watch_while = 86700 
-# Max tries before being bannes
+# Duration (in sec) to keep banned a bad ip, reduce value if too much memory consumption
+watch_while = 3602
+# Max tries before being banned
 maxtries = 3
 # pf table to keep bad IP.
 # remember to clean the table with this command in a cron job :
-#     pfctl -t vilain_bruteforce -T expire 86400
+#     /sbin/pfctl -t vilain_bruteforce -T expire 86400
 vilain_table = vilain_bruteforce
+
+# vilain log file
+vilain_log = /var/log/daemon
+
+# duration before each checks on the different log files
+sleeptime = 3.0
+
+### Ip ignored ###
+[ignoreip]
+ip1 = 127.0.0.1
 
 ### Guardians
 #[name of the guardian]
 #logfile = /file/to/watch
 #regex = regex that return the bad guy IP
+#maxtries = 2 #facultative
 
-[ssh]
+[sshfail]
 logfile = /var/log/authlog
 regex = .* Failed .* from ([\S]+) .*
 
-[ssh2]
+[sshrootauth]
 logfile = /var/log/authlog
-regex = .* Connection closed by ([\S]+) .*
+regex = .* Disconnected from authenticating user root ([\S]+) .*
+maxtries = 1
 
+[sshinvaliduser]
+logfile = /var/log/authlog
+regex = .* Invalid user \w+ from ([\S]+) .*
+maxtries = 1
+
+[sshroot]
+logfile = /var/log/authlog
+regex = .* Failed .* for root from ([\S]+) .*
+maxtries = 1
+
+[sshbadprotocol]
+logfile = /var/log/authlog
+regex = .*Bad protocol version identification .* from ([\S]+) .*
+
+#[http404]
+#logfile = /var/www/logs/access.log
+#regex = (?:\S+\s){1}(\S+).*\s404\s.*
+
+[http401]
+logfile = /var/www/logs/access.log
+regex = (?:\S+\s){1}(\S+).*\s401\s.*
+
+[http403]
+logfile = /var/www/logs/access.log
+regex = (?:\S+\s){1}(\S+).*\s403\s.*
+
+[smtp]
+logfile = /var/log/maillog
+regex = .* failed-command address=([\S]+) .* result=\"535 Authentication failed\"
+maxtries = 2
+
+[dovecot]
+logfile = /var/log/maillog
+regex = .*auth failed.*rip=([\S]+),.*
+maxtries = 2
+
+[dovecot2]
+logfile = /var/log/maillog
+regex = .*no auth attempts in.*rip=([\S]+),.*failed.*
+maxtries = 2
+
+[wordpress]
+# don't use if you have wordpress
+logfile = /var/www/logs/access.log
+regex = (?:\S+\s){1}(\S+).*wp-login.php.*
+maxtries = 1
+
+# Nextcloud: login page
+# Nextcloud 12 brings protection against brute-force attacks
+# but 1/ not yet tested so far 2/ system protection is probably more efficient
+[nextcloud]
+logfile = /var/www/htdocs/datacloud/nextcloud.log
+regex = .*Bruteforce attempt from \\"(.*)\\" detected
+
+# Nextcloud: public shares protected by password
+# regex is compliant with NginX log format:
+#     /etc/nginx/nginx.conf:
+#        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+#                        '$status $body_bytes_sent "$http_referer" '
+#                        '"$http_user_agent" "$http_x_forwarded_for"';
+[nextcloud-share]
+logfile = /var/www/logs/access-nextcloud.log
+regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200

--
Gitblit v1.9.3