# By default no offenses at all are tolerated; the MAX_OFFENSES blocks below relax this for specific addresses
# Whitelist ourselves (this host's own addresses)
MAX_OFFENSES -1 {
# -1 presumably means "no limit": addresses in this block are never blocked,
# so list only addresses that belong to this server itself.
# Put your server's IP addresses here
# IPv4 example (placeholder, keep commented out):
# IP= 1.2.3.4
IP= 127.0.0.1
# IPv6 example (placeholder). The previous example text "dead:beef::20::32a" contained
# two "::" and is therefore not a syntactically valid IPv6 address.
# IP= dead:beef::20:32a
IP= ::1
}
# Allegedly legit servers
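MAX_OFFENSES 50 {
# Third-party mail servers that are believed to be legitimate.
# They get a generous but finite allowance (50 offenses) rather than the unlimited
# whitelist above, so a host in these ranges that starts misbehaving is presumably
# still blocked eventually.
# Entries marked "Attempted to break in" are deliberately left commented out.

# Google Ireland
IP= 2a00:1450:4864:20::32a
IP= 2a00:1450:4864:20::336

# Google EU
# Attempted to break in
# IP= 35.205.240.168

# Google US
# A mistyped entry "IP= 09.85.216.42" (leading zero) used to be listed here. It does not
# fit the 209.85.x.x pattern of the other Google US entries and duplicated 209.85.216.42
# below, so it has been dropped: depending on how the parser treats a leading-zero octet,
# it would either have matched nothing or whitelisted an unrelated address.
# Attempted to break in
# IP= 130.211.246.128
IP= 209.85.166.194
IP= 209.85.166.195
IP= 209.85.208.67
IP= 209.85.214.194
IP= 209.85.215.173
IP= 209.85.215.175
IP= 209.85.215.193
IP= 209.85.216.42
IP= 2607:f8b0:4864:20::1034
IP= 2607:f8b0:4864:20::a46

# Yahoo
IP= 106.10.244.139

# Outlook
IP= 40.92.4.30
IP= 40.107.73.61
IP= 40.107.74.48
IP= 40.107.74.72
IP= 40.107.76.74
IP= 40.107.79.52
IP= 40.107.79.59
IP= 40.107.80.40
IP= 40.107.80.53
IP= 40.107.80.78
IP= 40.107.82.75
IP= 52.101.129.30
IP= 52.101.132.108
IP= 52.101.136.79
IP= 52.101.140.230
}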
# "trusted" addresses
MAX_OFFENSES 200 {
# Addresses that are trusted but not unconditionally: 200 offenses are tolerated.
# Both examples below are placeholders and intentionally commented out. The "/20" and
# "/24" suffixes suggest CIDR prefixes are accepted; keep such ranges as narrow as
# practicable, since a /20 grants the allowance to 4096 addresses at once.
# me from home
# IP= 1.2.3.4/20
# Customer
# IP= 5.6.7.8/24
}
LOGTYPE auth {
# Where to find the log files
DIR= /var/log
PREFIX= auth.log
# How to read the timestamp
TIMESTAMP auth_ts {
# isolates the timestamp from a line matched by a TARGET
# NOTE(review): " srv" looks like this host's syslog hostname; the anchor must be
# adjusted if the hostname differs, otherwise no timestamp is extracted.
REGEX= ^(.*) srv
# Passed to strptime() to interpret the timestamp string
STRPTIME= %b %d %T
# These stamps do not include the year, so it is implied.
FLAGS= GUESS_YEAR
}

TARGET imap {
# Pattern to search for, isolates the IP address
# The "$" anchor ties the bracketed address to the end of the line.
REGEX= imapd.*Login failed.*\[([0-9.a-f:]+)\]$
# Assign this as the severity of the offense.
SEVERITY= 3
}

TARGET ssh {
SEVERITY= 4
# The greedy ".*" means the address is taken from the LAST "from ... port" on the line,
# so attacker-supplied text earlier on the line (e.g. the username in "Invalid user ...")
# cannot change which address is captured.
REGEX= sshd.*Failed password.*from ([0-9.a-f:]+) port [0-9]+ ssh2$
REGEX= sshd.*Invalid user.*from ([0-9.a-f:]+) port
}

TARGET negotiate_fail {
# Key/cipher negotiation failures; lower severity than a failed password.
SEVERITY= 2
REGEX= Unable to negotiate with ([0-9.a-f:]+) port
}

TARGET dovecot {
SEVERITY= 3
REGEX= dovecot.*authentication failure.*rhost=([0-9.a-f:]+)
}

}
LOGTYPE exim4 {
DIR= /var/log/exim4
PREFIX= mainlog
TIMESTAMP exim4_ts {
# Leading "YYYY-MM-DD HH:MM:SS" of each mainlog line
REGEX= ^([-0-9]+ [0-9:]+)
STRPTIME= %F %T
}

TARGET smtp_auth {
# Failed SMTP AUTH attempts; the client address is the bracketed one.
SEVERITY= 3
REGEX= [[:alnum:]_]+ authenticator failed for .*\[([0-9.a-f:]+)\]
REGEX= \[([0-9.a-f:]+)\] [[:alnum:]_]+ authentication mechanism not supported
} # smtp_auth

TARGET smtp_send {
# NOTE(review): this matches lines carrying an "A=<name>_server" field, which in exim's
# log format marks an authenticated session. At severity 9 it is presumably meant to
# catch abuse of authenticated accounts; confirm it does not fire on ordinary
# authenticated submissions from legitimate users.
SEVERITY= 9
REGEX= \[([0-9.a-f:]+)\] P=.*A=[[:alnum:]_]+_server:
} # smtp_send

TARGET spam {
# Rejections that indicate spam sources. No SEVERITY is set here (unlike smtp_auth and
# smtp_send), so whatever default the tool applies is used.
REGEX= H=.* \[([0-9.a-f:]+)\].*rejected RCPT.*Unrouteable address
REGEX= : ([0-9.a-f:]+) is listed at zen.spamhaus.org
REGEX= H=.* \[([0-9.a-f:]+)\].*rejected RCPT.*SPF check failed
REGEX= \[([0-9.a-f:]+)\]: SMTP error.*: 451 relay
REGEX= \[([0-9.a-f:]+)\] F=.*rejected RCPT.*Sender verify failed
} # spam

TARGET brain_damage {
# Clients that violate the SMTP protocol itself. No SEVERITY is set here either.
REGEX= H=.* \[([0-9.a-f:]+)\].*rejected after DATA: maximum allowed line length
REGEX= SMTP protocol synchronization error.* rejected.* H=\[([0-9.a-f:]+)\]
} # brain_damage

}
LOGTYPE apache2 {

DIR= /var/log/apache2
PREFIX= access.log
TIMESTAMP apache2_ts {
# Client address, then "- -", then "[dd/Mon/yyyy:HH:MM:SS"; the capture stops at the
# space before the timezone offset so strptime only sees the part %d/%b/%Y:%T describes.
REGEX= ^[0-9.a-f:]+ - - \[([^ ]+)
STRPTIME= %d/%b/%Y:%T
}

TARGET worm {
# Requests for paths that look like automated scanner probes. The address is anchored
# at the start of the line, so request-line contents (client-controlled) cannot shift
# which address is captured.
# NOTE(review): no SEVERITY is set here (imap/ssh/dovecot set one) - confirm the
# default is what is wanted.
REGEX= ^([0-9.a-f:]+) .*(thinkphp|elrekt\.php|download\.php|ysyqq\.php|Login\.php|phpmyadmin|cfgss\.php|wallet\.dat|y000000000000\.cfg)
}

}
LOGTYPE openvpn {
DIR= /var/log
PREFIX= openvpn.log

TIMESTAMP openvpn_ts {
# Everything before " client/" is the timestamp, e.g. "Tue Dec 3 10:52:22 2019"
# (see the sample line in TARGET client below).
REGEX= ^(.*) client/
STRPTIME= %a %b %d %T %Y
}

TARGET client {
SEVERITY= 9
# Sample log line this target was written against:
#Tue Dec 3 10:52:22 2019 client/184.185.212.118:38752 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
# The only REGEX is commented out, so this target currently matches nothing.
# NOTE(review): as written it would fire on every "Control Channel:" line - the sample
# above looks like a completed handshake, i.e. a successful client connection - at
# severity 9, which is presumably why it is disabled. Leave it disabled unless it is
# narrowed to an actual failure condition.
# REGEX= client/([0-9.a-f:]+):[0-9]+ Control Channel:
}
}