config/: Add support for filtering out detected port scans via scanlogd.

2021-02-25 20:13:18 +01:00 · 2021-02-25 20:13:18 +01:00 · f15ed35619
parent 884cbbd6e1
commit f15ed35619
2 changed files with 20 additions and 0 deletions
--- a/config/filter.d/scanlogd.conf
+++ b/config/filter.d/scanlogd.conf
@ -0,0 +1,17 @@
+# Fail2Ban filter for port scans detected by scanlogd
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = scanlogd
+
+failregex =  ^%(__prefix_line)s<HOST>\ to\ [\.:0-9a-f]+\ ports\ [\ \.,0-9]+,\ f.......,\ TOS\ [0-9]+,\ TTL\ [0-9]+\ \@[0-9]{1,2}:[0-9]{2}:[0-9]{2}$
+
+ignoreregex =
+
+# Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
--- a/config/jail.conf
+++ b/config/jail.conf
@ -965,3 +965,6 @@ logpath = %(apache_error_log)s
 # see `filter.d/traefik-auth.conf` for details and service example.
 port    = http,https
 logpath = /var/log/traefik/access.log
+
+[scanlogd]
+logpath = %{syslog_local0}