From a85307b3d3c76c6742336c1ee701a76f1cc030ec Mon Sep 17 00:00:00 2001
From: mrroman <mrroman@devsite.pl>
Date: Thu, 28 Dec 2023 21:28:38 +0000
Subject: [PATCH] Use ksh instead of sh in rc script

---
 vilain.conf |   45 ++++++++++++++++++++++++++++++++-------------
 1 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/vilain.conf b/vilain.conf
index c12a92e..00c3a22 100644
--- a/vilain.conf
+++ b/vilain.conf
@@ -1,7 +1,6 @@
 [DEFAULT]
-# 24h + 5min
-# Time to keep banned a bad ip
-watch_while = 86700
+# Duration (in sec) to keep banned a bad ip, reduce value if too much memory consumption
+watch_while = 3602
 # Max tries before being banned
 maxtries = 3
 # pf table to keep bad IP.
@@ -25,13 +24,28 @@
 #regex = regex that return the bad guy IP
 #maxtries = 2 #facultative
 
-[ssh]
+[sshfail]
 logfile = /var/log/authlog
 regex = .* Failed .* from ([\S]+) .*
 
-[ssh2]
+[sshrootauth]
 logfile = /var/log/authlog
-regex = .* Connection closed by ([\S]+) .*
+regex = .* Disconnected from authenticating user root ([\S]+) .*
+maxtries = 1
+
+[sshinvaliduser]
+logfile = /var/log/authlog
+regex = .* Invalid user \w+ from ([\S]+) .*
+maxtries = 1
+
+[sshroot]
+logfile = /var/log/authlog
+regex = .* Failed .* for root from ([\S]+) .*
+maxtries = 1
+
+[sshbadprotocol]
+logfile = /var/log/authlog
+regex = .*Bad protocol version identification .* from ([\S]+) .*
 
 #[http404]
 #logfile = /var/www/logs/access.log
@@ -47,12 +61,17 @@
 
 [smtp]
 logfile = /var/log/maillog
-regex = .* event=failed-command address=([\S]+) .*
+regex = .* failed-command address=([\S]+) .* result=\"535 Authentication failed\"
 maxtries = 2
 
 [dovecot]
 logfile = /var/log/maillog
 regex = .*auth failed.*rip=([\S]+),.*
+maxtries = 2
+
+[dovecot2]
+logfile = /var/log/maillog
+regex = .*no auth attempts in.*rip=([\S]+),.*failed.*
 maxtries = 2
 
 [wordpress]
@@ -64,9 +83,9 @@
 # Nextcloud: login page
 # Nextcloud 12 brings protection against brute-force attacks
 # but 1/ not yet tested so far 2/ system protection is probably more efficient
-#[nextcloud]
-#logfile = /var/www/htdocs/datacloud/nextcloud.log
-#regex = .*Bruteforce attempt from \\"(.*)\\" detected
+[nextcloud]
+logfile = /var/www/htdocs/datacloud/nextcloud.log
+regex = .*Bruteforce attempt from \\"(.*)\\" detected
 
 # Nextcloud: public shares protected by password
 # regex is compliant with NginX log format:
@@ -74,6 +93,6 @@
 #        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 #                        '$status $body_bytes_sent "$http_referer" '
 #                        '"$http_user_agent" "$http_x_forwarded_for"';
-#[nextcloud-share]
-#logfile = /var/www/logs/access-nextcloud.log
-#regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200
+[nextcloud-share]
+logfile = /var/www/logs/access-nextcloud.log
+regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200

--
Gitblit v1.9.3