[DEFAULT] # 24h + 5min # Time to keep banned a bad ip watch_while = 86700 # Max tries before being banned maxtries = 3 # pf table to keep bad IP. # remember to clean the table with this command in a cron job : # /sbin/pfctl -t vilain_bruteforce -T expire 86400 vilain_table = vilain_bruteforce # vilain log file vilain_log = /var/log/daemon # duration before each checks on the different log files sleeptime = 3.0 ### Ip ignored ### [ignoreip] ip1 = 92.150.160.157 ip2 = 92.150.160.156 ### Guardians #[name of the guardian] #logfile = /file/to/watch #regex = regex that return the bad guy IP #maxtries = 2 #facultative [ssh] logfile = /var/log/authlog regex = .* Failed .* from ([\S]+) .* [ssh2] logfile = /var/log/authlog regex = .* Connection closed by ([\S]+) .* #[http404] #logfile = /var/www/logs/access.log #regex = (?:\S+\s){1}(\S+).*\s404\s.* [http401] logfile = /var/www/logs/access.log regex = (?:\S+\s){1}(\S+).*\s401\s.* [http403] logfile = /var/www/logs/access.log regex = (?:\S+\s){1}(\S+).*\s403\s.* [smtp] logfile = /var/log/maillog regex = .* event=failed-command address=([\S]+) .* [dovecot] logfile = /var/log/maillog regex = .*auth failed.*rip=([\S]+),.* [wordpress] # don't use if you have wordpress logfile = /var/www/logs/access.log regex = (?:\S+\s){1}(\S+).*wp-login.php.*