[DEFAULT] # 24h + 5min # Time to keep banned a bad ip watch_while = 86700 # Max tries before being banned maxtries = 3 # pf table to keep bad IP. # remember to clean the table with this command in a cron job : # /sbin/pfctl -t vilain_bruteforce -T expire 86400 vilain_table = vilain_bruteforce # vilain log file vilain_log = /var/log/daemon # duration before each checks on the different log files sleeptime = 3.0 ### Ip ignored ### [ignoreip] ip1 = 92.150.160.157 ip2 = 92.150.160.156 ### Guardians #[name of the guardian] #logfile = /file/to/watch #regex = regex that return the bad guy IP #maxtries = 2 #facultative [ssh] logfile = /var/log/authlog regex = .* Failed .* from ([\S]+) .* [ssh2] logfile = /var/log/authlog regex = .* Connection closed by ([\S]+) .* #[http404] #logfile = /var/www/logs/access.log #regex = (?:\S+\s){1}(\S+).*\s404\s.* [http401] logfile = /var/www/logs/access.log regex = (?:\S+\s){1}(\S+).*\s401\s.* [http403] logfile = /var/www/logs/access.log regex = (?:\S+\s){1}(\S+).*\s403\s.* [smtp] logfile = /var/log/maillog regex = .* event=failed-command address=([\S]+) .* [dovecot] logfile = /var/log/maillog regex = .*auth failed.*rip=([\S]+),.* [wordpress] # don't use if you have wordpress logfile = /var/www/logs/access.log regex = (?:\S+\s){1}(\S+).*wp-login.php.* # Nextcloud: login page # Nextcloud 12 brings protection against brute-force attacks # but 1/ not yet tested so far 2/ system protection is probably more efficient [nextcloud] logfile = /var/www/htdocs/datacloud/nextcloud.log regex = .*Bruteforce attempt from \\"(.*)\\" detected # Nextcloud: public shares protected by password # regex is compliant with NginX log format: # /etc/nginx/nginx.conf: # log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; [nextcloud-share] logfile = /var/www/logs/access-nextcloud.log regex = (\d+\.\d+\.\d+\.\d+) \-.*POST /s/\w+/authenticate HTTP/1.1\" 200