# By default, no number of offenses are tolerated # Whitelist ourself MAX_OFFENSES -1 { # Put your server's IP addresses here # IP= 1.2.3.4 IP= 127.0.0.1 # IP= dead:beef::20::32a IP= ::1 } # Allegedly legit servers MAX_OFFENSES 50 { # Google Ireland IP= 2a00:1450:4864:20::32a IP= 2a00:1450:4864:20::336 # Google EU # Attempted to break in # IP= 35.205.240.168 # Google US IP= 09.85.216.42 # Attempted to break in # IP= 130.211.246.128 IP= 209.85.166.194 IP= 209.85.166.195 IP= 209.85.208.67 IP= 209.85.214.194 IP= 209.85.215.173 IP= 209.85.215.175 IP= 209.85.215.193 IP= 209.85.216.42 IP= 2607:f8b0:4864:20::1034 IP= 2607:f8b0:4864:20::a46 # Yahoo IP= 106.10.244.139 # Outlook IP= 40.92.4.30 IP= 40.107.73.61 IP= 40.107.74.48 IP= 40.107.74.72 IP= 40.107.76.74 IP= 40.107.79.52 IP= 40.107.79.59 IP= 40.107.80.40 IP= 40.107.80.53 IP= 40.107.80.78 IP= 40.107.82.75 IP= 52.101.129.30 IP= 52.101.132.108 IP= 52.101.136.79 IP= 52.101.140.230 } # "trusted" addresses MAX_OFFENSES 200 { # me from home # IP= 1.2.3.4/20 # Customer # IP= 5.6.7.8/24 } LOGTYPE auth { # Where to find the log files DIR= /var/log PREFIX= auth.log # How to read the timestamp TIMESTAMP auth_ts { # isolates the timestamp from a line matched by a TARGET REGEX= ^(.*) srv # Passed to strptime() to intrepret the timestamp string STRPTIME= %b %d %T # These stamps do not include the year, so it is implied. FLAGS= GUESS_YEAR } TARGET imap { # Pattern to search for, isolates the IP address REGEX= imapd.*Login failed.*\[([0-9.a-f:]+)\]$ # Assign this as the severity of the offense. SEVERITY= 3 } TARGET ssh { SEVERITY= 4 REGEX= sshd.*Failed password.*from ([0-9.a-f:]+) port [0-9]+ ssh2$ REGEX= sshd.*Invalid user.*from ([0-9.a-f:]+) port } TARGET negotiate_fail { SEVERITY= 2 REGEX= Unable to negotiate with ([0-9.a-f:]+) port } TARGET dovecot { SEVERITY= 3 REGEX= dovecot.*authentication failure.*rhost=([0-9.a-f:]+) } } LOGTYPE exim4 { DIR= /var/log/exim4 PREFIX= mainlog TIMESTAMP exim4_ts { REGEX= ^([-0-9]+ [0-9:]+) STRPTIME= %F %T } TARGET smtp_auth { SEVERITY= 3 REGEX= [[:alnum:]_]+ authenticator failed for .*\[([0-9.a-f:]+)\] REGEX= \[([0-9.a-f:]+)\] [[:alnum:]_]+ authentication mechanism not supported } # smtp_auth TARGET smtp_send { SEVERITY= 9 REGEX= \[([0-9.a-f:]+)\] P=.*A=[[:alnum:]_]+_server: } # smtp_send TARGET spam { REGEX= H=.* \[([0-9.a-f:]+)\].*rejected RCPT.*Unrouteable address REGEX= : ([0-9.a-f:]+) is listed at zen.spamhaus.org REGEX= H=.* \[([0-9.a-f:]+)\].*rejected RCPT.*SPF check failed REGEX= \[([0-9.a-f:]+)\]: SMTP error.*: 451 relay REGEX= \[([0-9.a-f:]+)\] F=.*rejected RCPT.*Sender verify failed } # spam TARGET brain_damage { REGEX= H=.* \[([0-9.a-f:]+)\].*rejected after DATA: maximum allowed line length REGEX= SMTP protocol synchronization error.* rejected.* H=\[([0-9.a-f:]+)\] } # brain_damage } LOGTYPE apache2 { DIR= /var/log/apache2 PREFIX= access.log TIMESTAMP apache2_ts { REGEX= ^[0-9.a-f:]+ - - \[([^ ]+) STRPTIME= %d/%b/%Y:%T } TARGET worm { REGEX= ^([0-9.a-f:]+) .*(thinkphp|elrekt\.php|download\.php|ysyqq\.php|Login\.php|phpmyadmin|cfgss\.php|wallet\.dat|y000000000000\.cfg) } } LOGTYPE openvpn { DIR= /var/log PREFIX= openvpn.log TIMESTAMP openvpn_ts { REGEX= ^(.*) client/ STRPTIME= %a %b %d %T %Y } TARGET client { SEVERITY= 9 #Tue Dec 3 10:52:22 2019 client/184.185.212.118:38752 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA # REGEX= client/([0-9.a-f:]+):[0-9]+ Control Channel: } }