The syslog2iptables.conf configuration file is specified by this partial BNF description. The entire config file is case sensitive; all keywords are lower case.
CONFIG := {CONTEXT ";"}+
CONTEXT := "context" NAME "{" {STATEMENT}+ "}"
STATEMENT := (THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE) ";"
THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE
ADD-CMD := "add_command" IPT-CMD
REM-CMD := "remove_command" IPT-CMD
IGNORE := "ignore" "{" IG-SINGLE+ "}"
IG-SINGLE := IP-ADDRESS "/" CIDR-BITS
FILE := "file" FILENAME "{" PATTERN+ "}"
PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
INDEX := "index" REGEX-INTEGER-VALUE ";"
BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
MESSAGE := "message" REASON ";"
REASON := string to appear in syslog messages
IPT-CMD := string containing exactly one %s replacement token for the ip address
// Context "dns": reacts to BIND "query ... cache ... denied" lines by inserting
// a UDP/53-scoped DROP rule for the offending source address.
context dns {
// Blocking threshold for this context. The BNF gives only "threshold INTEGER";
// how "bucket" values accumulate against it (sum per source, any decay) is not
// described on this page — confirm in the tool's documentation.
threshold 1100;
// %s is replaced by the text captured by the matching pattern (IPT-CMD in the
// BNF). That text comes straight from a log line; whether the tool validates it
// as an IP address before building the command is not stated here — confirm.
add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
// Mirrors add_command (same chain, match options and target) so that "-D"
// removes exactly the rule that "-I" inserted.
remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
// Addresses/CIDRs that are never blocked. Only loopback is listed in this example.
ignore {
127.0.0.0/8; // localhost
};
file "/var/log/messages" {
// NOTE(review): "(.*)" is greedy, so the capture runs to the last "#" on the
// line; fine as long as the client address is the only such field.
pattern "named.*client (.*)#.*query.*cache.*denied" {
// "index 1" selects the first parenthesised group; "zero based" presumably
// means 0 is the whole match, since this pattern has a single group — confirm.
index 1; // zero based
// Added to this source's bucket per matching line; with threshold 1100, three
// matches (1200) exceed it, assuming buckets simply sum.
bucket 400;
message "DNS attack";
};
};
};
// Context "general": one catch-all DROP rule (all protocols and ports) fed by
// patterns from several services, with a lower threshold than the dns context.
context general {
// With threshold 550 and the bucket values below: a single 600 match blocks at
// once, a single 400 or 200 match does not, two 400 matches do — assuming
// buckets simply sum per source address (accumulation/decay is not described
// on this page).
threshold 550;
// %s is replaced by the text captured by the matching pattern (IPT-CMD in the
// BNF); the tool is not shown validating it as an IP address here — confirm.
add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
// Mirrors add_command so that "-D" removes exactly the rule that "-I" inserted.
remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
// Never-block list. Only loopback here; the maillog section below expects any
// upstream MX hosts to be listed in this block as well.
ignore {
127.0.0.0/8; // localhost
};
file "/var/log/secure" {
// The IPv4-mapped IPv6 form ("::ffff:a.b.c.d") is listed first so that only
// the IPv4 part is captured. Whether the plain pattern below also matches such
// a line (adding a second 400) depends on whether the tool stops at the first
// matching pattern — not stated on this page; confirm.
pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
index 1; // zero based
bucket 400;
message "ssh failed password";
};
pattern "sshd.*Failed password .* from (.*) port" {
index 1; // zero based
bucket 400;
message "ssh failed password";
};
pattern "proftpd.*no such user found from (.*) \[" {
index 1; // zero based
bucket 400;
message "ftp failed password";
};
};
file "/var/log/messages" {
// NOTE(review): greedy "(.*)" inside "\[...\]" captures up to the last "]" on
// the line; correct only if the address is the last bracketed field.
pattern "ipop3d.* Login failed .* \[(.*)\]" {
index 1; // zero based
bucket 400;
message "pop3 failed password";
};
};
file "/var/log/httpd/access_log" {
// Each pattern below captures the leading field before " - - " (presumably the
// client field of the common log format — confirm the log format in use) and
// matches on the request path only, regardless of response status.
// of course you cannot use this if you actually use cgi-bin directories
pattern "(.*) - - .* /cgi-bin" {
index 1; // zero based
bucket 400;
message "apache cgi-bin reference";
};
// or if you actually have an index2.php script
pattern "(.*) - - .*/index2.php" {
index 1; // zero based
bucket 400;
message "apache index2.php reference";
};
// or if you have a main.php script
pattern "(.*) - - .*/main.php" {
index 1; // zero based
bucket 400;
message "apache main.php reference";
};
pattern "(.*) - - .*/awstats.pl" {
index 1; // zero based
bucket 400;
message "apache awstats.pl reference";
};
pattern "(.*) - - .*/adxmlrpc" {
index 1; // zero based
bucket 400;
message "apache adxmlrpc reference";
};
};
file "/var/log/maillog" {
// Two groups here: "index 1" picks the bracketed address; the second group
// "(mail|rcpt|auth)" only narrows the match and is never substituted.
pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
index 1; // zero based
bucket 200;
message "sendmail spammer dropping connection";
};
// bucket 600 exceeds the context threshold of 550, so one match blocks
// immediately (assuming buckets sum as described above).
pattern " \[(.*)\]: possible SMTP attack" {
index 1; // zero based
bucket 600;
message "sendmail authentication attack";
};
pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
index 1; // zero based
bucket 200;
message "sendmail pre-greeting";
};
// NOTE(review): "rip=(.*)," is greedy and captures up to the LAST "," on the
// line. If dovecot logs further comma-separated fields after rip=, the captured
// value is not a bare address and the --src argument would be invalid —
// confirm against real log lines before relying on these two patterns.
pattern "dovecot.*Aborted login.*rip=(.*)," {
index 1; // zero based
bucket 100;
message "dovecot failed password";
};
pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
index 1; // zero based
bucket 100;
message "dovecot failed password";
};
// make sure your upstream MX servers are listed in the
// ignore block above, otherwise you will kill them off
// when they try to forward such mail to you.
pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
index 1; // zero based
bucket 200;
message "sendmail rejected bounce";
};
};
};