2005-07-06 23:10:19 +00:00
|
|
|
# Fail2Ban configuration file
|
|
|
|
#
|
2005-11-21 01:43:13 +00:00
|
|
|
# $Revision: 1.9 $
|
2005-07-06 23:10:19 +00:00
|
|
|
#
|
|
|
|
# 2005.06.21 modified for readability Iain Lea iain@bricbrac.de
|
|
|
|
|
|
|
|
[DEFAULT]
|
|
|
|
# Option: background
|
|
|
|
# Notes.: start fail2ban as a daemon. Output is redirect to logfile.
|
|
|
|
# Values: [true | false] Default: false
|
|
|
|
#
|
2005-07-06 23:10:26 +00:00
|
|
|
background = true
|
2005-07-06 23:10:19 +00:00
|
|
|
|
2005-09-29 05:26:18 +00:00
|
|
|
# Option: verbose
|
|
|
|
# Notes.: verbosity of the output.
|
|
|
|
# 0 - regular level
|
|
|
|
# 1 - INFO level
|
|
|
|
# 2 - DEBUG level (but commands get executed as opposed to
|
|
|
|
# debug option)
|
|
|
|
# Values: NUM Default: 0
|
|
|
|
#
|
|
|
|
verbose = 1
|
|
|
|
|
2006-03-19 05:35:38 +00:00
|
|
|
# Option: debug
|
|
|
|
# Notes.: enable debug mode. No real commands gets executed but only
|
|
|
|
# reported, more verbose output, bypass root user test.
|
|
|
|
# Values: [true | false] Default: false
|
|
|
|
#
|
|
|
|
debug = false
|
|
|
|
|
2005-07-23 19:15:22 +00:00
|
|
|
# Option: logtargets
|
|
|
|
# Notes.: log targets. Space separated list of logging targets.
|
2005-08-06 19:43:43 +00:00
|
|
|
# Values: STDERR SYSLOG file Default: /var/log/fail2ban.log
|
2005-07-23 19:15:22 +00:00
|
|
|
#
|
2005-08-06 19:43:43 +00:00
|
|
|
logtargets = /var/log/fail2ban.log
|
2005-07-23 19:15:22 +00:00
|
|
|
|
2005-09-20 16:37:44 +00:00
|
|
|
# Option: syslog-target
|
|
|
|
# Notes.: where to find syslog facility if logtarget SYSLOG.
|
|
|
|
# Values: SOCKET HOST HOST:PORT Default: /dev/log
|
|
|
|
#
|
2005-08-19 07:14:17 +00:00
|
|
|
syslog-target = /dev/log
|
|
|
|
|
2005-09-20 16:37:44 +00:00
|
|
|
# Option: syslog-facility
|
|
|
|
# Notes.: which syslog facility to use if logtarget SYSLOG.
|
|
|
|
# Values: NUM Default: 1
|
|
|
|
#
|
2005-08-19 07:14:17 +00:00
|
|
|
syslog-facility = 1
|
|
|
|
|
2005-07-06 23:10:19 +00:00
|
|
|
# Option: pidlock
|
|
|
|
# Notes.: path of the PID lock file (must be able to write to file).
|
|
|
|
# Values: FILE Default: /var/run/fail2ban.pid
|
|
|
|
#
|
|
|
|
pidlock = /var/run/fail2ban.pid
|
|
|
|
|
2005-09-09 21:15:41 +00:00
|
|
|
# Option: maxfailures
|
|
|
|
# Notes.: number of failures before IP gets banned.
|
|
|
|
# Values: NUM Default: 5
|
2005-07-06 23:10:19 +00:00
|
|
|
#
|
2005-09-09 21:15:41 +00:00
|
|
|
maxfailures = 5
|
2005-07-06 23:10:19 +00:00
|
|
|
|
|
|
|
# Option: bantime
|
2006-03-19 05:20:44 +00:00
|
|
|
# Notes.: number of seconds an IP will be banned. If set to a negative
|
|
|
|
# value, IP will never be unbanned (permanent banning).
|
2005-07-06 23:10:19 +00:00
|
|
|
# Values: NUM Default: 600
|
|
|
|
#
|
|
|
|
bantime = 600
|
|
|
|
|
2005-08-19 08:40:09 +00:00
|
|
|
# Option: findtime
|
|
|
|
# Notes.: lifetime in seconds of a "failed" log entry.
|
|
|
|
# Values: NUM Default: 600
|
|
|
|
#
|
|
|
|
findtime = 600
|
|
|
|
|
2005-07-06 23:10:19 +00:00
|
|
|
# Option: ignoreip
|
2005-07-13 10:01:01 +00:00
|
|
|
# Notes.: space separated list of IP's to be ignored by fail2ban.
|
|
|
|
# You can use CIDR mask in order to specify a range.
|
|
|
|
# Example: ignoreip = 192.168.0.1/24 123.45.235.65
|
2006-03-19 05:20:44 +00:00
|
|
|
# Values: IP Default:
|
2005-07-13 10:01:01 +00:00
|
|
|
#
|
2006-03-19 05:20:44 +00:00
|
|
|
ignoreip =
|
2005-07-13 10:01:01 +00:00
|
|
|
|
|
|
|
# Option: cmdstart
|
|
|
|
# Notes.: command executed once at the start of Fail2Ban
|
|
|
|
# Values: CMD Default:
|
2005-07-06 23:10:19 +00:00
|
|
|
#
|
2006-03-19 05:20:44 +00:00
|
|
|
cmdstart =
|
2005-07-06 23:10:19 +00:00
|
|
|
|
2005-07-13 10:01:01 +00:00
|
|
|
# Option: cmdend
|
2005-08-19 08:40:09 +00:00
|
|
|
# Notes.: command executed once at the end of Fail2Ban.
|
2005-07-13 10:01:01 +00:00
|
|
|
# Values: CMD Default:
|
2005-07-06 23:10:19 +00:00
|
|
|
#
|
2006-03-19 05:20:44 +00:00
|
|
|
cmdend =
|
2005-07-06 23:10:19 +00:00
|
|
|
|
|
|
|
# Option: polltime
|
|
|
|
# Notes.: number of seconds fail2ban sleeps between iterations.
|
|
|
|
# Values: NUM Default: 1
|
|
|
|
#
|
|
|
|
polltime = 1
|
|
|
|
|
2005-10-12 15:08:05 +00:00
|
|
|
# Option: reinittime
|
|
|
|
# Notes.: minimal number of seconds between the re-initialization of
|
|
|
|
# firewalls due to external changes in their rules (see fwcheck)
|
|
|
|
# Values: NUM Default: 100
|
|
|
|
#
|
|
|
|
reinittime = 10
|
|
|
|
|
|
|
|
# Option: maxreinits
|
|
|
|
# Notes.: maximal number of re-initialization of firewalls due to external
|
|
|
|
# changes. -1 stays for infinite, so only reinittime is of importance
|
|
|
|
# Values: NUM Default: -1
|
|
|
|
#
|
|
|
|
maxreinits = -1
|
|
|
|
|
2006-01-15 20:18:39 +00:00
|
|
|
# NOTE: Interpolations
|
|
|
|
#
|
2006-03-19 05:20:44 +00:00
|
|
|
# fwstart, as well as fwend, fwcheck, fwban, fwunban, use interpolations
|
|
|
|
# so %(__name__)s will be substituted by a name of each section
|
|
|
|
# (unless the option is overriden in a section).
|
|
|
|
# If you are going to use interpolations in your setup, please make
|
|
|
|
# sure that you specified options port and protocol (which also has
|
|
|
|
# an option in DEFAULT).
|
2006-01-15 20:18:39 +00:00
|
|
|
#
|
|
|
|
|
|
|
|
# Option: protocol
|
|
|
|
# Notes.: internally used by config reader for interpolations.
|
|
|
|
# Values: [ tcp | udp | icmp | all ] Default: tcp
|
|
|
|
#
|
|
|
|
protocol = tcp
|
|
|
|
|
2006-03-19 23:45:52 +00:00
|
|
|
# Option: fwchain
|
|
|
|
# Notes.: chain from which to jump into fail2ban chains
|
|
|
|
# Values: TEXT Default: INPUT
|
|
|
|
#
|
|
|
|
fwchain = INPUT
|
|
|
|
|
2006-01-15 20:18:39 +00:00
|
|
|
# Option: fwstart
|
|
|
|
# Notes.: command executed once at the start of Fail2Ban.
|
|
|
|
# Values: CMD Default:
|
|
|
|
#
|
|
|
|
fwstart = iptables -N fail2ban-%(__name__)s
|
|
|
|
iptables -A fail2ban-%(__name__)s -j RETURN
|
2006-03-19 23:45:52 +00:00
|
|
|
iptables -I %(fwchain)s -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
|
2006-01-15 20:18:39 +00:00
|
|
|
|
|
|
|
# Option: fwend
|
|
|
|
# Notes.: command executed once at the end of Fail2Ban
|
|
|
|
# Values: CMD Default:
|
|
|
|
#
|
2006-03-19 23:45:52 +00:00
|
|
|
fwend = iptables -D %(fwchain)s -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
|
2006-01-15 20:18:39 +00:00
|
|
|
iptables -F fail2ban-%(__name__)s
|
|
|
|
iptables -X fail2ban-%(__name__)s
|
|
|
|
|
|
|
|
# Option: fwcheck
|
|
|
|
# Notes.: command executed once before each fwban command
|
|
|
|
# Values: CMD Default:
|
|
|
|
#
|
2006-03-19 23:45:52 +00:00
|
|
|
fwcheck = iptables -L %(fwchain)s | grep -q fail2ban-%(__name__)s
|
2006-01-15 20:18:39 +00:00
|
|
|
|
|
|
|
# Option: fwban
|
|
|
|
# Notes.: command executed when banning an IP. Take care that the
|
|
|
|
# command is executed with Fail2Ban user rights.
|
|
|
|
# Tags: <ip> IP address
|
|
|
|
# <failures> number of failures
|
|
|
|
# <failtime> unix timestamp of the last failure
|
|
|
|
# <bantime> unix timestamp of the ban time
|
|
|
|
# Values: CMD
|
|
|
|
# Default: iptables -I INPUT 1 -s <ip> -j DROP
|
|
|
|
#
|
|
|
|
fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP
|
|
|
|
|
|
|
|
# Option: fwunban
|
|
|
|
# Notes.: command executed when unbanning an IP. Take care that the
|
|
|
|
# command is executed with Fail2Ban user rights.
|
|
|
|
# Tags: <ip> IP address
|
|
|
|
# <bantime> unix timestamp of the ban time
|
|
|
|
# <unbantime> unix timestamp of the unban time
|
|
|
|
# Values: CMD
|
|
|
|
# Default: iptables -D INPUT -s <ip> -j DROP
|
|
|
|
#
|
|
|
|
fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP
|
|
|
|
|
2005-07-13 10:01:01 +00:00
|
|
|
[MAIL]
|
|
|
|
# Option: enabled
|
|
|
|
# Notes.: enable mail notification when banning an IP address.
|
|
|
|
# Values: [true | false] Default: false
|
|
|
|
#
|
|
|
|
enabled = false
|
|
|
|
|
|
|
|
# Option: host
|
|
|
|
# Notes.: host running the mail server.
|
|
|
|
# Values: STR Default: localhost
|
|
|
|
#
|
|
|
|
host = localhost
|
|
|
|
|
|
|
|
# Option: port
|
|
|
|
# Notes.: port of the mail server.
|
|
|
|
# Values: INT Default: 25
|
|
|
|
#
|
|
|
|
port = 25
|
|
|
|
|
2006-03-19 05:20:44 +00:00
|
|
|
# Option: user
|
|
|
|
# Notes.: the username for smtp-server if authentification is required.
|
|
|
|
# if user is empty, no authentification is done.
|
|
|
|
# Values: STR Default:
|
|
|
|
#
|
|
|
|
user =
|
|
|
|
|
|
|
|
# Option: password
|
|
|
|
# Notes.: the smtp-user's password if authentification is required.
|
|
|
|
# Values: STR Default:
|
|
|
|
#
|
|
|
|
password =
|
|
|
|
|
2005-07-13 10:01:01 +00:00
|
|
|
# Option: from
|
|
|
|
# Notes.: e-mail address of the sender.
|
|
|
|
# Values: MAIL Default: fail2ban
|
|
|
|
#
|
2005-09-27 15:45:26 +00:00
|
|
|
from = fail2ban@localhost
|
2005-07-13 10:01:01 +00:00
|
|
|
|
|
|
|
# Option: to
|
2005-07-23 19:15:22 +00:00
|
|
|
# Notes.: e-mail addresses of the receiver. Addresses are space
|
|
|
|
# separated.
|
2005-07-13 10:01:01 +00:00
|
|
|
# Values: MAIL Default: root
|
|
|
|
#
|
2005-09-27 15:45:26 +00:00
|
|
|
to = root@localhost
|
2005-07-13 10:01:01 +00:00
|
|
|
|
2005-10-31 22:04:11 +00:00
|
|
|
# Option: localtime
|
|
|
|
# Notes.: report local time (including timezone) or GMT
|
|
|
|
# Values: [true | false] Default: false
|
|
|
|
#
|
|
|
|
localtime = true
|
|
|
|
|
2005-07-13 10:01:01 +00:00
|
|
|
# Option: subject
|
|
|
|
# Notes.: subject of the e-mail.
|
2005-09-27 15:45:26 +00:00
|
|
|
# Tags: <section> active section (eg ssh, apache, etc)
|
|
|
|
# <ip> IP address
|
2005-07-13 10:01:01 +00:00
|
|
|
# <failures> number of failures
|
|
|
|
# <failtime> unix timestamp of the last failure
|
2005-11-21 01:43:13 +00:00
|
|
|
# Values: TEXT Default: [Fail2Ban] <section>: Banned <ip>
|
2005-07-13 10:01:01 +00:00
|
|
|
#
|
2005-11-21 01:43:13 +00:00
|
|
|
subject = [Fail2Ban] <section>: Banned <ip>
|
2005-07-13 10:01:01 +00:00
|
|
|
|
|
|
|
# Option: message
|
|
|
|
# Notes.: message of the e-mail.
|
2005-09-27 15:45:26 +00:00
|
|
|
# Tags: <section> active section (eg ssh, apache, etc)
|
|
|
|
# <ip> IP address
|
2005-07-13 10:01:01 +00:00
|
|
|
# <failures> number of failures
|
|
|
|
# <failtime> unix timestamp of the last failure
|
|
|
|
# <br> new line
|
2005-09-09 21:15:41 +00:00
|
|
|
# Values: TEXT Default:
|
2005-07-13 10:01:01 +00:00
|
|
|
#
|
|
|
|
message = Hi,<br>
|
2005-07-23 19:15:22 +00:00
|
|
|
The IP <ip> has just been banned by Fail2Ban after
|
2005-11-21 01:43:13 +00:00
|
|
|
<failures> attempts against <section>.<br>
|
2005-07-23 19:15:22 +00:00
|
|
|
Regards,<br>
|
|
|
|
Fail2Ban
|
2005-07-13 10:01:01 +00:00
|
|
|
|
2005-07-06 23:10:19 +00:00
|
|
|
# You can define a new section for each log file to check for
|
|
|
|
# password failure. Each section has to define the following
|
2005-07-13 10:01:01 +00:00
|
|
|
# options: logfile, fwban, fwunban, timeregex, timepattern,
|
|
|
|
# failregex.
|
2005-07-06 23:10:19 +00:00
|
|
|
|
2005-11-21 01:43:13 +00:00
|
|
|
|
2005-07-06 23:10:19 +00:00
|
|
|
[Apache]
|
|
|
|
# Option: enabled
|
|
|
|
# Notes.: enable monitoring for this section.
|
|
|
|
# Values: [true | false] Default: false
|
|
|
|
#
|
|
|
|
enabled = false
|
|
|
|
|
|
|
|
# Option: logfile
|
|
|
|
# Notes.: logfile to monitor.
|
2006-02-26 01:04:17 +00:00
|
|
|
# Values: FILE Default: /var/log/apache/error.log
|
2005-07-06 23:10:19 +00:00
|
|
|
#
|
2006-02-26 01:04:17 +00:00
|
|
|
logfile = /var/log/apache/error.log
|
2005-07-06 23:10:19 +00:00
|
|
|
|
2006-03-19 05:20:44 +00:00
|
|
|
# Option: port
|
|
|
|
# Notes.: specifies port to monitor
|
|
|
|
# Values: [ NUM | STRING ] Default:
|
|
|
|
#
|
|
|
|
port = http
|
|
|
|
|
2005-07-06 23:10:19 +00:00
|
|
|
# Option: timeregex
|
2006-03-19 05:20:44 +00:00
|
|
|
# Notes.: regex to match timestamp in Apache logfile. For TAI64N format,
|
|
|
|
# use timeregex = @[0-9a-f]{24}
|
2006-02-26 01:04:17 +00:00
|
|
|
# Values: [Wed Jan 05 15:08:01 2005]
|
2005-07-13 10:01:01 +00:00
|
|
|
# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
|
2005-07-06 23:10:19 +00:00
|
|
|
#
|
2006-02-26 01:04:17 +00:00
|
|
|
timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
|
2005-07-06 23:10:19 +00:00
|
|
|
|
|
|
|
# Option: timepattern
|
|
|
|
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
|
2006-03-19 05:20:44 +00:00
|
|
|
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
|
|
|
|
# For TAI64N format, use timepattern = tai64n
|
2005-07-06 23:10:19 +00:00
|
|
|
# Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y
|
|
|
|
#
|
2006-02-26 01:04:17 +00:00
|
|
|
timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
|
2005-07-06 23:10:19 +00:00
|
|
|
|
|
|
|
# Option: failregex
|
|
|
|
# Notes.: regex to match the password failure messages in the logfile.
|
2005-10-01 06:53:51 +00:00
|
|
|
# Values: TEXT Default: [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
|
2005-07-06 23:10:19 +00:00
|
|
|
#
|
2005-10-01 06:53:51 +00:00
|
|
|
failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
|
2005-07-06 23:10:19 +00:00
|
|
|
|
2006-01-25 14:58:52 +00:00
|
|
|
[ApacheAttacks]
|
|
|
|
# Option: enabled
|
|
|
|
# Notes.: enable monitoring for this section.
|
|
|
|
# Values: [true | false] Default: false
|
|
|
|
#
|
|
|
|
enabled = false
|
|
|
|
|
|
|
|
# Option: logfile
|
|
|
|
# Notes.: logfile to monitor.
|
|
|
|
# Values: FILE Default: /var/log/apache/access.log
|
|
|
|
#
|
|
|
|
logfile = /var/log/apache/access.log
|
|
|
|
|
2006-03-19 05:20:44 +00:00
|
|
|
# Option: port
|
|
|
|
# Notes.: specifies port to monitor
|
|
|
|
# Values: [ NUM | STRING ] Default:
|
|
|
|
#
|
|
|
|
port = http
|
|
|
|
|
2006-01-25 15:32:50 +00:00
|
|
|
# Option: maxfailures
|
|
|
|
# Notes.: number of failures before IP gets banned.
|
|
|
|
# Values: NUM Default: 5
|
|
|
|
#
|
|
|
|
maxfailures = 2
|
|
|
|
|
2006-01-25 14:58:52 +00:00
|
|
|
# Option: timeregex
|
2006-02-26 01:04:17 +00:00
|
|
|
# Notes.: regex to match timestamp in Apache access logfile.
|
|
|
|
# Values: [19/Feb/2006:08:38:18]
|
|
|
|
# Default: \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}
|
2006-01-25 14:58:52 +00:00
|
|
|
#
|
2006-02-10 18:08:01 +00:00
|
|
|
timeregex = \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}
|
2006-01-25 14:58:52 +00:00
|
|
|
|
|
|
|
# Option: timepattern
|
|
|
|
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
|
|
|
|
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
|
2006-02-26 01:04:17 +00:00
|
|
|
# Values: TEXT Default: %%d/%%b/%%Y:%%H:%%M:%%S
|
2006-01-25 14:58:52 +00:00
|
|
|
#
|
2006-02-10 18:08:01 +00:00
|
|
|
timepattern = %%d/%%b/%%Y:%%H:%%M:%%S
|
2006-01-25 14:58:52 +00:00
|
|
|
|
|
|
|
# Option: failregex
|
|
|
|
# Notes.: regex to match the password failure messages in the logfile.
|
|
|
|
# Values: TEXT Default: [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
|
|
|
|
#
|
2006-02-16 15:43:35 +00:00
|
|
|
failregex = ^(?P<host>\S*) -.*"GET .*(?:awstats\.pl\?configdir=|index2\.php\?_REQUEST\[option\].*)\|echo.*
|
2005-11-21 01:43:13 +00:00
|
|
|
|
2006-03-19 05:20:44 +00:00
|
|
|
[VSFTPD]
|
|
|
|
# Option: enabled
|
|
|
|
# Notes.: enable monitoring for this section.
|
|
|
|
# Values: [true | false] Default: false
|
2005-07-06 23:10:19 +00:00
|
|
|
#
|
2006-03-19 05:20:44 +00:00
|
|
|
enabled = false
|
|
|
|
|
|
|
|
# Option: logfile
|
|
|
|
# Notes.: logfile to monitor.
|
|
|
|
# Values: FILE Default: /var/log/secure
|
|
|
|
#
|
|
|
|
logfile = /var/log/vsftpd.log
|
2005-07-06 23:10:19 +00:00
|
|
|
|
2006-01-15 20:18:39 +00:00
|
|
|
# Option: port
|
|
|
|
# Notes.: specifies port to monitor
|
|
|
|
# Values: [ NUM | STRING ] Default:
|
|
|
|
#
|
2006-03-19 05:20:44 +00:00
|
|
|
port = ftp
|
|
|
|
|
|
|
|
# Option: timeregex
|
|
|
|
# Notes.: regex to match timestamp in VSFTPD logfile.
|
|
|
|
# Values: [Mar 7 17:53:28]
|
|
|
|
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
|
|
|
|
#
|
|
|
|
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
|
|
|
|
|
|
|
|
# Option: timepattern
|
|
|
|
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
|
|
|
|
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
|
|
|
|
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
|
|
|
|
#
|
|
|
|
timepattern = %%b %%d %%H:%%M:%%S
|
|
|
|
|
|
|
|
# Option: failregex
|
|
|
|
# Notes.: regex to match the password failures messages in the logfile.
|
|
|
|
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
|
|
|
|
#
|
|
|
|
failregex = FAIL LOGIN
|
|
|
|
|
|
|
|
[SSH]
|
|
|
|
# Option: enabled
|
|
|
|
# Notes.: enable monitoring for this section.
|
|
|
|
# Values: [true | false] Default: true
|
|
|
|
#
|
|
|
|
enabled = true
|
2006-01-15 20:18:39 +00:00
|
|
|
|
2005-07-06 23:10:19 +00:00
|
|
|
# Option: logfile
|
|
|
|
# Notes.: logfile to monitor.
|
2005-07-06 23:10:26 +00:00
|
|
|
# Values: FILE Default: /var/log/auth.log
|
2005-07-06 23:10:19 +00:00
|
|
|
#
|
2005-07-06 23:10:26 +00:00
|
|
|
logfile = /var/log/auth.log
|
2005-07-06 23:10:19 +00:00
|
|
|
|
2006-03-19 05:20:44 +00:00
|
|
|
# Option: port
|
|
|
|
# Notes.: specifies port to monitor
|
|
|
|
# Values: [ NUM | STRING ] Default:
|
|
|
|
#
|
|
|
|
port = ssh
|
|
|
|
|
2005-07-06 23:10:19 +00:00
|
|
|
# Option: timeregex
|
2006-03-19 05:20:44 +00:00
|
|
|
# Notes.: regex to match timestamp in SSH logfile. For TAI64N format,
|
|
|
|
# use timeregex = @[0-9a-f]{24}
|
2005-09-09 21:15:41 +00:00
|
|
|
# Values: [Mar 7 17:53:28]
|
2005-07-13 10:01:01 +00:00
|
|
|
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
|
2005-07-06 23:10:19 +00:00
|
|
|
#
|
|
|
|
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
|
|
|
|
|
|
|
|
# Option: timepattern
|
|
|
|
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
|
2006-03-19 05:20:44 +00:00
|
|
|
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
|
|
|
|
# For TAI64N format, use timepattern = tai64n
|
2005-07-06 23:10:19 +00:00
|
|
|
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
|
|
|
|
#
|
|
|
|
timepattern = %%b %%d %%H:%%M:%%S
|
|
|
|
|
|
|
|
# Option: failregex
|
|
|
|
# Notes.: regex to match the password failures messages in the logfile.
|
2005-10-01 06:53:51 +00:00
|
|
|
# Values: TEXT Default: (?:Authentication failure|Failed (?:keyboard-interactive/pam|password)) for(?: illegal user)? .* from (?:::f{4,6}:)?(?P<host>\S*)
|
2005-07-06 23:10:19 +00:00
|
|
|
#
|
2006-03-09 20:23:46 +00:00
|
|
|
failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)
|