[DEFAULT] # Duration (in sec) to keep banned a bad ip, reduce value if too much memory consumption watch_while = 3602 # Max tries before being banned maxtries = 3 # pf table to keep bad IP. # remember to clean the table with this command in a cron job : # /sbin/pfctl -t vilain_bruteforce -T expire 86400 vilain_table = vilain_bruteforce # vilain log file vilain_log = /var/log/daemon # duration before each checks on the different log files sleeptime = 3.0 ### Ip ignored ### [ignoreip] ip1 = 127.0.0.1 ### Guardians #[name of the guardian] #logfile = /file/to/watch #regex = regex that return the bad guy IP #maxtries = 2 #facultative [sshfail] logfile = /var/log/authlog regex = .* Failed .* from ([\S]+) .* [sshrootauth] logfile = /var/log/authlog regex = .* Disconnected from authenticating user root ([\S]+) .* maxtries = 1 [sshinvaliduser] logfile = /var/log/authlog regex = .* Invalid user \w+ from ([\S]+) .* maxtries = 1 [sshroot] logfile = /var/log/authlog regex = .* Failed .* for root from ([\S]+) .* maxtries = 1 [sshbadprotocol] logfile = /var/log/authlog regex = .*Bad protocol version identification .* from ([\S]+) .* #[http404] #logfile = /var/www/logs/access.log #regex = (?:\S+\s){1}(\S+).*\s404\s.* [http401] logfile = /var/www/logs/access.log regex = (?:\S+\s){1}(\S+).*\s401\s.* [http403] logfile = /var/www/logs/access.log regex = (?:\S+\s){1}(\S+).*\s403\s.* [smtp] logfile = /var/log/maillog regex = .* failed-command address=([\S]+) .* result=\"535 Authentication failed\" maxtries = 2 [dovecot] logfile = /var/log/maillog regex = .*auth failed.*rip=([\S]+),.* maxtries = 2 [dovecot2] logfile = /var/log/maillog regex = .*Disconnected \(no auth attempts in.*rip=([\S]+),.* maxtries = 2 [wordpress] # don't use if you have wordpress logfile = /var/www/logs/access.log regex = (?:\S+\s){1}(\S+).*wp-login.php.* maxtries = 1 # Nextcloud: login page # Nextcloud 12 brings protection against brute-force attacks # but 1/ not yet tested so far 2/ system protection is probably more efficient [nextcloud] logfile = /var/www/htdocs/datacloud/nextcloud.log regex = .*Bruteforce attempt from \\"(.*)\\" detected # Nextcloud: public shares protected by password # regex is compliant with NginX log format: # /etc/nginx/nginx.conf: # log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; [nextcloud-share] logfile = /var/www/logs/access-nextcloud.log regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200