Bring example config up to date
parent
115c92855a
commit
7fddfb7a16
204
ban2fail.cfg
204
ban2fail.cfg
|
@ -1,63 +1,103 @@
|
|||
# By default, no number of offenses are allowable
|
||||
# By default, no number of offenses are tolerated
|
||||
|
||||
# Lighten up a little for home boys
|
||||
MAX_OFFENSES 5 {
|
||||
COUNTRY= US
|
||||
# Whitelist ourself
|
||||
MAX_OFFENSES -1 {
|
||||
# Put your server's IP addresses here
|
||||
# IP= 1.2.3.4
|
||||
IP= 127.0.0.1
|
||||
# IP= dead:beef::20::32a
|
||||
IP= ::1
|
||||
}
|
||||
|
||||
# GeoIP doesn't know the location of every IP address
|
||||
MAX_OFFENSES 3 {
|
||||
COUNTRY= unknown
|
||||
IP= 46.20.2.158
|
||||
# Allegedly legit servers
|
||||
MAX_OFFENSES 50 {
|
||||
|
||||
# Google Ireland
|
||||
IP= 2a00:1450:4864:20::32a
|
||||
IP= 2a00:1450:4864:20::336
|
||||
|
||||
# Google EU
|
||||
# Attempted to break in
|
||||
# IP= 35.205.240.168
|
||||
|
||||
# Google US
|
||||
IP= 09.85.216.42
|
||||
# Attempted to break in
|
||||
# IP= 130.211.246.128
|
||||
IP= 209.85.166.194
|
||||
IP= 209.85.166.195
|
||||
IP= 209.85.208.67
|
||||
IP= 209.85.214.194
|
||||
IP= 209.85.215.173
|
||||
IP= 209.85.215.175
|
||||
IP= 209.85.215.193
|
||||
IP= 209.85.216.42
|
||||
IP= 2607:f8b0:4864:20::1034
|
||||
IP= 2607:f8b0:4864:20::a46
|
||||
|
||||
# Yahoo
|
||||
IP= 106.10.244.139
|
||||
|
||||
# Outlook
|
||||
IP= 40.92.4.30
|
||||
IP= 40.107.73.61
|
||||
IP= 40.107.74.48
|
||||
IP= 40.107.74.72
|
||||
IP= 40.107.76.74
|
||||
IP= 40.107.79.52
|
||||
IP= 40.107.79.59
|
||||
IP= 40.107.80.40
|
||||
IP= 40.107.80.53
|
||||
IP= 40.107.80.78
|
||||
IP= 40.107.82.75
|
||||
IP= 52.101.129.30
|
||||
IP= 52.101.132.108
|
||||
IP= 52.101.136.79
|
||||
IP= 52.101.140.230
|
||||
}
|
||||
|
||||
# This is effectively your whitelist
|
||||
MAX_OFFENSES 1000 {
|
||||
# "trusted" addresses
|
||||
MAX_OFFENSES 200 {
|
||||
|
||||
# me from home, CIDR notation
|
||||
IP= 35.133.139.132/20
|
||||
# me from home
|
||||
# IP= 1.2.3.4/20
|
||||
|
||||
# Some user
|
||||
IP= 173.236.196.36
|
||||
}
|
||||
|
||||
LOGTYPE syslog {
|
||||
|
||||
DIR= /var/log
|
||||
PREFIX= syslog
|
||||
|
||||
#Nov 23 10:08:03 srv auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=john rhost=35.133.128.47 user=john
|
||||
# REGEX= pam_unix\(dovecot:auth\): authentication failure;.*rhost=([0-9.]+)
|
||||
REGEX= pam_unix\(dovecot:auth\): authentication failure;.*rhost=([0-9.a-f:]+)
|
||||
|
||||
# Nov 23 16:16:12 srv dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=<dfloyd>, rip=69.64.58.110, lip=50.116.38.131, session=<5nY6CgqYFdVFQDpu>
|
||||
# REGEX= pop3-login: Aborted.*, rip=([0-9.]+)
|
||||
REGEX= pop3-login: Aborted.*, rip=([0-9.a-f:]+)
|
||||
|
||||
# Nov 23 16:33:53 srv dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=71.6.135.131, lip=50.116.38.131, session=<DXWCSQqYjopHBoeD>
|
||||
# REGEX= pop3-login: Disconnected.*, rip=([0-9.]+)
|
||||
REGEX= pop3-login: Disconnected.*, rip=([0-9.a-f:]+)
|
||||
# Customer
|
||||
# IP= 5.6.7.8/24
|
||||
}
|
||||
|
||||
LOGTYPE auth {
|
||||
|
||||
DIR= /var/log
|
||||
PREFIX= auth.log
|
||||
|
||||
# imapd[20193]= Login failed user=hollingsworth@robertsonoptical.com auth=hollingsworth@robertsonoptical.com host=[186.179.170.12]
|
||||
# REGEX= imapd.*Login failed.*\[([0-9.]+)\]$
|
||||
REGEX= imapd.*Login failed.*\[([0-9.a-f:]+)\]$
|
||||
TIMESTAMP auth_ts {
|
||||
REGEX= ^(.*) srv
|
||||
STRPTIME= %b %d %T
|
||||
FLAGS= GUESS_YEAR
|
||||
}
|
||||
|
||||
# sshd[6165]= Failed password for invalid user user from 185.224.137.201 port 44865 ssh2
|
||||
# REGEX= sshd.*Failed password.*from ([0-9.]+) port [0-9]+ ssh2$
|
||||
REGEX= sshd.*Failed password.*from ([0-9.a-f:]+) port [0-9]+ ssh2$
|
||||
TARGET imap {
|
||||
REGEX= imapd.*Login failed.*\[([0-9.a-f:]+)\]$
|
||||
SEVERITY= 3
|
||||
}
|
||||
|
||||
# Unable to negotiate with 193.188.22.188 port ...
|
||||
# REGEX= Unable to negotiate with ([0-9.]+) port
|
||||
REGEX= Unable to negotiate with ([0-9.a-f:]+) port
|
||||
TARGET ssh {
|
||||
SEVERITY= 4
|
||||
REGEX= sshd.*Failed password.*from ([0-9.a-f:]+) port [0-9]+ ssh2$
|
||||
REGEX= sshd.*Invalid user.*from ([0-9.a-f:]+) port
|
||||
}
|
||||
|
||||
TARGET negotiate_fail {
|
||||
SEVERITY= 2
|
||||
REGEX= Unable to negotiate with ([0-9.a-f:]+) port
|
||||
}
|
||||
|
||||
TARGET dovecot {
|
||||
SEVERITY= 3
|
||||
REGEX= dovecot.*authentication failure.*rhost=([0-9.]+)
|
||||
}
|
||||
|
||||
# in.qpopper[14962]= pam_unix(qpopper=auth)= authentication failure; logname= uid=0 euid=0 tty=96.89.83.1
|
||||
# TODO: this can be retired around 2019-12-10
|
||||
REGEX= in\.qpopper.*authentication failure.*tty=([0-9.]+)
|
||||
}
|
||||
|
||||
LOGTYPE exim4 {
|
||||
|
@ -65,23 +105,71 @@ LOGTYPE exim4 {
|
|||
DIR= /var/log/exim4
|
||||
PREFIX= mainlog
|
||||
|
||||
# cram_md5_server authenticator failed for ([78.128.113.121]) [78.128.113.121]
|
||||
# cram_md5_server authenticator failed for (swim.diverseenvironment.com.) [185.211.245.198]
|
||||
# REGEX= [[:alnum:]_]+ authenticator failed for .*\[([0-9.]+)\]
|
||||
REGEX= [[:alnum:]_]+ authenticator failed for .*\[([0-9.a-f:]+)\]
|
||||
TIMESTAMP exim4_ts {
|
||||
REGEX= ^([-0-9]+ [0-9:]+)
|
||||
STRPTIME= %F %T
|
||||
}
|
||||
|
||||
# 2019-11-15 00:08:25 SMTP protocol error in "AUTH LOGIN" H=(User) [193.56.28.176] LOGIN authentication mechanism not supported
|
||||
# REGEX= \[([0-9.]+)\] [[:alnum:]_]+ authentication mechanism not supported
|
||||
REGEX= \[([0-9.a-f:]+)\] [[:alnum:]_]+ authentication mechanism not supported
|
||||
TARGET smtp_auth {
|
||||
SEVERITY= 3
|
||||
REGEX= [[:alnum:]_]+ authenticator failed for .*\[([0-9.a-f:]+)\]
|
||||
REGEX= \[([0-9.a-f:]+)\] [[:alnum:]_]+ authentication mechanism not supported
|
||||
} # smtp_auth
|
||||
|
||||
# 2019-11-20 03:44:51 1iXLbX-0000ZX-F8 <= kirsten@rrci.com H=(rrci.com) [171.244.140.160] P=esmtpa A=cram_md5_server:kirsten S=2742 id=9857581066.20191120084450@rrci.com
|
||||
# 2019-11-20 18:21:15 1iXZHe-0002fZ-W8 <= kirsten@rrci.com H=035-133-139-132.res.spectrum.com ([192.168.1.29]) [35.133.139.132] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no A=plain_server:kirsten S=703 id=e8478681-4fc5-75d8-7328-52f534956d65@rrci.com
|
||||
# REGEX= \[([0-9.]+)\].*A=[[:alnum:]_]+_server:
|
||||
REGEX= \[([0-9.a-f:]+)\].*A=[[:alnum:]_]+_server:
|
||||
TARGET smtp_send {
|
||||
SEVERITY= 9
|
||||
REGEX= \[([0-9.a-f:]+)\] P=.*A=[[:alnum:]_]+_server:
|
||||
} # smtp_send
|
||||
|
||||
# [185.234.217.241] (gnutls_handshake): No supported cipher suites have been found.
|
||||
# REGEX= \[([0-9.]+)\].*No supported cipher suites have been found
|
||||
REGEX= \[([0-9.a-f:]+)\].*No supported cipher suites have been found
|
||||
|
||||
TARGET spam {
|
||||
REGEX= H=.* \[([0-9.a-f:]+)\].*rejected RCPT.*Unrouteable address
|
||||
|
||||
REGEX= : ([0-9.a-f:]+) is listed at zen.spamhaus.org
|
||||
|
||||
REGEX= H=.* \[([0-9.a-f:]+)\].*rejected RCPT.*SPF check failed
|
||||
|
||||
REGEX= \[([0-9.a-f:]+)\]: SMTP error.*: 451 relay
|
||||
|
||||
REGEX= \[([0-9.a-f:]+)\] F=.*rejected RCPT.*Sender verify failed
|
||||
} # spam
|
||||
|
||||
TARGET brain_damage {
|
||||
REGEX= H=.* \[([0-9.a-f:]+)\].*rejected after DATA: maximum allowed line length
|
||||
|
||||
REGEX= SMTP protocol synchronization error.* rejected.* H=\[([0-9.a-f:]+)\]
|
||||
} # brain_damage
|
||||
}
|
||||
|
||||
LOGTYPE apache2 {
|
||||
|
||||
DIR= /var/log/apache2
|
||||
PREFIX= access.log
|
||||
|
||||
TIMESTAMP apache2_ts {
|
||||
REGEX= ^[0-9.a-f:]+ - - \[([^ ]+)
|
||||
STRPTIME= %d/%b/%Y:%T
|
||||
}
|
||||
|
||||
TARGET worm {
|
||||
REGEX= ^([0-9.a-f:]+) .*(thinkphp|elrekt\.php|download\.php|ysyqq\.php|Login\.php|phpmyadmin|cfgss\.php|wallet\.dat|y000000000000\.cfg)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
LOGTYPE openvpn {
|
||||
DIR= /var/log
|
||||
PREFIX= openvpn.log
|
||||
|
||||
TIMESTAMP openvpn_ts {
|
||||
REGEX= ^(.*) client/
|
||||
STRPTIME= %a %b %d %T %Y
|
||||
}
|
||||
|
||||
TARGET client {
|
||||
SEVERITY= 9
|
||||
#Tue Dec 3 10:52:22 2019 client/184.185.212.118:38752 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
|
||||
# REGEX= client/([0-9.a-f:]+):[0-9]+ Control Channel:
|
||||
}
|
||||
}
|
||||
|
||||
|
|
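Review bot: The dovecot TARGET still captures only IPv4, `REGEX= dovecot.*authentication failure.*rhost=([0-9.]+)`, while every other REGEX in this commit was widened to `[0-9.a-f:]+`, so an IPv6 rhost in a dovecot auth failure would presumably not be matched by that target (the in.qpopper `tty=([0-9.]+)` line has the same narrower class but is already marked for retirement); suggested: `REGEX= dovecot.*authentication failure.*rhost=([0-9.a-f:]+)`. In the Google US list, `IP= 09.85.216.42` looks like a truncated copy of `209.85.216.42`, which appears again further down; a leading-zero octet is at best ambiguous (octal vs decimal) and the line should be dropped if it survives on the new side. The auth_ts timestamp regex `^(.*) srv` is pinned to one machine's hostname, so a comment such as `# 'srv' is this host's name as it appears in syslog lines; change it to match yours` would stop copy-paste users from silently parsing no timestamps. Which printed lines are old and which are new is not recoverable from this rendering, so these points assume the TARGET blocks and the IP lists are the new side.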