The syslog2iptables.conf configuration file is described by the following partial BNF grammar. The entire configuration file is case sensitive, and all keywords are lower case.
CONFIG := {CONTEXT ";"}+
CONTEXT := "context" NAME "{" {STATEMENT}+ "}"
STATEMENT := (THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE) ";"
THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE
ADD-CMD := "add_command" IPT-CMD
REM-CMD := "remove_command" IPT-CMD
IGNORE := "ignore" "{" IG-SINGLE+ "}"
IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
FILE := "file" FILENAME "{" PATTERN+ "}"
PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
INDEX := "index" REGEX-INTEGER ";"
BUCKET := "bucket" BUCKET-DELTA-INTEGER ";"
MESSAGE := "message" REASON ";"
REASON := string to appear in syslog messages
IPT-CMD := string containing exactly one %s replacement token, which is replaced by the IP address
context general {
threshold 550; // NOTE(review): presumably the per-address bucket total at which add_command fires; the grammar above does not define the comparison, so confirm against the daemon
add_command "/sbin/iptables -I INPUT --src %s --jump DROP"; // %s receives the text captured by the matching pattern's index group (the grammar says an IP address); that text originates in log lines, which carry attacker-influenced content, so if this command is passed through a shell a capture limited to address characters (e.g. ([0-9.]+) for the IPv4-only patterns below) would be safer than (.*) -- whether a shell is involved is not shown here
remove_command "/sbin/iptables -D INPUT --src %s --jump DROP"; // the -D rule spec must match the -I rule spec exactly, otherwise iptables cannot find the rule to delete
ignore {
127.0.0.0/8; // localhost -- NOTE(review): presumably exempt from add_command; confirm whether matches from these addresses are also left uncounted
};
file "/var/log/secure" {
pattern "manual unblock (.*)" {
index 1; // zero based -- selects the first parenthesised group, i.e. the address written after "manual unblock"
bucket -5000; // negative delta: presumably credits the address so its total falls well below the threshold -- confirm that this also triggers remove_command
message "manual unblock";
};
pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
index 1; // zero based -- the ::ffff: prefix is left outside the capture so %s gets a plain IPv4 address; NOTE(review): the generic pattern below also matches these lines, confirm only the first matching pattern is applied or such lines are counted twice
bucket 400;
message "ssh failed password";
};
pattern "sshd.*Failed password .* from (.*) port" {
index 1; // zero based -- greedy (.*) captures everything up to the last " port" on the line
bucket 400;
message "ssh failed password";
};
pattern "sshd.*authentication failure; .* rhost=(.*) " {
index 1; // zero based -- capture ends at the space after rhost=
bucket 400;
message "ssh failed password";
};
pattern "sshd.*Did not receive identification string from (.*)" {
index 1; // zero based -- capture runs to end of line; any trailing text on the line ends up in %s
bucket 400;
message "ssh failed password";
};
pattern "proftpd.*no such user found from (.*) \[" {
index 1; // zero based -- \[ matches a literal bracket; the regex dialect in use is not stated here
bucket 400;
message "ftp failed password";
};
pattern "proftpd.* authentication failure; .* rhost=(.*) " {
index 1; // zero based
bucket 400;
message "ftp failed password";
};
pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
index 1; // zero based
bucket 400;
message "ftp failed password";
};
pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
index 1; // zero based -- same ::ffff: handling as the sshd pattern above; the generic dovecot pattern below also matches these lines
bucket 100; // smaller delta than the ssh/ftp patterns: several dovecot failures are needed to reach the threshold
message "dovecot failed password";
};
pattern "dovecot.* authentication failure; .* rhost=(.*) " {
index 1; // zero based
bucket 100;
message "dovecot failed password";
};
};
file "/var/log/messages" {
pattern "dovecot.* authentication failure; .* rhost=(.*) " {
index 1; // zero based -- NOTE(review): unlike /var/log/secure there is no ::ffff: variant here, so an IPv4-mapped rhost is captured as ::ffff:a.b.c.d; confirm that form is acceptable to --src
bucket 100;
message "dovecot failed password";
};
pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
index 1; // zero based -- captures the SRC= field of the kernel log line
bucket 400;
message "kernel firewall blocked packet";
};
pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
index 1; // zero based
bucket 400;
message "kernel firewall blocked packet";
};
};
file "/var/log/maillog" {
pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
index 1; // zero based -- selects the bracketed address group, not the (mail|rcpt|auth) group
bucket 100;
message "sendmail spammer dropping connection";
};
pattern " \[(.*)\].* possible SMTP attack" {
index 1; // zero based
bucket 100;
message "sendmail authentication attack";
};
pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
index 1; // zero based
bucket 1800; // a single match already exceeds the 550 threshold if the comparison is against the cumulative value -- presumably deliberate, confirm
message "sendmail pre-greeting";
};
pattern "authentication failure: checkpass failed, .*\[(.*)\]" {
index 1; // zero based
bucket 100;
message "sendmail authentication failed";
};
pattern "dovecot.*Aborted login .* rip=(.*)," {
index 1; // zero based -- capture ends at the comma after rip=
bucket 100;
message "dovecot failed password";
};
pattern "dovecot.*Login: .* rip=(.*)," {
index 1; // zero based
bucket -5000; // successful login: presumably clears failures accumulated for this address
message "dovecot good authentication";
};
pattern "sendmail.*AUTH=server, .*\[(.*)\]," {
index 1; // zero based
bucket -5000; // successful SMTP AUTH: presumably clears failures accumulated for this address
message "sendmail good authentication";
};
};
};