The syslog2iptables.conf configuration file is described by the following partial BNF grammar. The whole config file is case sensitive; all keywords are lower case.
CONFIG := {CONTEXT ";"}+
CONTEXT := "context" NAME "{" {STATEMENT}+ "}"
STATEMENT := (THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE) ";"
THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE
ADD-CMD := "add_command" IPT-CMD
REM-CMD := "remove_command" IPT-CMD
IGNORE := "ignore" "{" IG-SINGLE+ "}"
IG-SINGLE := IP-ADDRESS "/" CIDR-BITS
FILE := "file" FILENAME "{" PATTERN+ "}"
PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
INDEX := "index" REGEX-INTEGER ";"
BUCKET := "bucket" BUCKET-DELTA-INTEGER ";"
MESSAGE := "message" REASON ";"
REASON := string to appear in syslog messages
IPT-CMD := string containing exactly one %s replacement token for the ip address
// Example syslog2iptables.conf: a single context that watches three log
// files and adds/removes iptables rules for the addresses captured by the
// patterns below. Each matched line applies its "bucket" delta to the
// captured address; negative deltas (manual unblock, good logins) presumably
// lower the score, positive ones raise it toward "threshold".
context general {
    // Per-address score at which add_command is presumably run for that
    // address (the exact trigger semantics are not stated in the grammar).
    threshold 550;
    // %s is replaced with the address captured by a pattern's "index" group.
    // Anything the capture group matches ends up on this command line, so
    // every capture below should be as tight as the log format allows.
    add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
    // Address ranges that are presumably never blocked regardless of score.
    ignore {
        127.0.0.0/8; // localhost
    };
    file "/var/log/secure" {
        // Operator-issued unblock: a large negative delta clears the score.
        pattern "manual unblock (.*)" {
            index 1; // zero based (group 0 is presumably the whole match, 1 the first capture)
            bucket -5000;
            message "manual unblock";
        };
        // IPv4-mapped IPv6 form ("::ffff:a.b.c.d"); the capture strips the prefix.
        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Failed password .* from (.*) port" {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Did not receive identification string from (.*)" {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "proftpd.*no such user found from (.*) \[" {
            index 1; // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "proftpd.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "ftp failed password";
        };
        // Dovecot failures score lower (100) than ssh/ftp failures (400).
        pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };
    };
    file "/var/log/messages" {
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };
        // Kernel log-target lines; SRC= is the source address of the dropped packet.
        pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
            index 1; // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
        pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
            index 1; // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
    };
    file "/var/log/maillog" {
        // Two capture groups here; index 1 is the bracketed address, not the
        // (mail|rcpt|auth) group. This regex was line-wrapped on the page and
        // is presumably a single line in the real file.
        pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
            index 1; // zero based
            bucket 100;
            message "sendmail spammer dropping connection";
        };
        pattern " \[(.*)\].* possible SMTP attack" {
            index 1; // zero based
            bucket 100;
            message "sendmail authentication attack";
        };
        // Pre-greeting traffic is weighted highest (1800) of all positive deltas.
        pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
            index 1; // zero based
            bucket 1800;
            message "sendmail pre-greeting";
        };
        pattern "authentication failure: checkpass failed, .*\[(.*)\]" {
            index 1; // zero based
            bucket 100;
            message "sendmail authentication failed";
        };
        pattern "dovecot.*Aborted login .* rip=(.*)," {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };
        // Successful logins carry a large negative delta so a legitimate user
        // who mistypes a few times is not blocked.
        pattern "dovecot.*Login: .* rip=(.*)," {
            index 1; // zero based
            bucket -5000;
            message "dovecot good authentication";
        };
        pattern "sendmail.*AUTH=server, .*\[(.*)\]," {
            index 1; // zero based
            bucket -5000;
            message "sendmail good authentication";
        };
    };
};