#
# swobspace:/root/fw/logsurfer-pf.conf
#
# --------------------------------------------------------------------
# Logsurfer rules for the packet filter. Kernel messages are logged
# via kern.info to /var/log/syslog/kern.info.
#
# Rule layout (a rule may continue on indented lines):
#   'match_regex' match_not_regex stop_regex stop_not_regex timeout [continue] action
# "-" stands for an unused regex; timeout 0 means the rule never expires.
# Without "continue", the first matching rule ends processing of a line.
# Substitutions: $0 = whole line, $1 = matched text, $2, $3, ... = the
# parenthesised groups of match_regex in order (first group is $2).
# --------------------------------------------------------------------
# Older "Packet log:" rule (appears to be the ipchains log format),
# kept disabled:
#' kernel: Packet log: (input|ippp0_in) (REJECT|DENY) \w+ PROTO=[0-9]+' - - - 0
# continue pipe "/home/logsurfer/logpf"
# ------------------------------------------------------
# Contexts for the packet filter: $2 = LOG prefix, $4 = src-ip, $5 = dst-ip
# The LOG target must carry a matching prefix:
# -j LOG --logprefix "DROP"
# Example line:
# Nov 12 21:35:45 wob03 kernel: DROP-UDP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:ba:c4:28:b4:08:00 SRC=192.168.1.9 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=59137 PROTO=UDP SPT=137 DPT=137 LEN=58
#
# Per source address: collect up to 200 lines (1800 s absolute, 300 s
# after the last line), then mail the collected lines as one report.
# "^.{21,}$4" is the context's match regex; the leading ".{21,}"
# presumably skips the timestamp/host prefix so $4 is matched in the
# message body. The dots in $4 are unescaped and act as wildcards.
' kernel: (DROP.*)IN=[^ ]* OUT=[^ ]*(| MAC=[^ ]*) SRC=([0-9.]+) DST=([0-9.]+) ' - - - 0
        continue
        open "^.{21,}$4" - 200 1800 300
        report "/usr/bin/start-mail root \"Packet Filter DROP \[$4\]\"" "^.{21,}$4"
# Per LOG prefix ($2): one context per prefix, up to 1000 lines,
# mailed as an hourly (3600 s) summary.
' kernel: (DROP.*)IN=[^ ]* OUT=[^ ]*(| MAC=[^ ]*) SRC=([0-9.]+) DST=([0-9.]+) ' - - - 0
        continue
        open "^.{21,}$2" - 1000 3600 0
        report "/usr/bin/start-mail root \"PF DENY hourly $2 report\"" "^.{21,}$2"
# ------------------------------------------------------
# stop processing
# On the first drop for a given (IN/OUT/MAC/SRC/DST = $2, protocol = $4,
# port or type/code) tuple, insert a dynamic rule that ignores the same
# tuple for 3600 s. The new rule is placed before this one and has no
# "continue", so repeats no longer reach the mail rules below; the
# context rules above still collect them.
# Example line:
# Nov 12 21:35:45 wob03 kernel: DROP-UDP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:ba:c4:28:b4:08:00 SRC=192.168.1.9 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=59137 PROTO=UDP SPT=137 DPT=137 LEN=58
' kernel: .*(IN=[^ ]* OUT=[^ ]*(| MAC=[^ ]*) SRC=[0-9.]+ DST=[0-9.]+) .*PROTO=(TCP|UDP) SPT=([0-9]*) DPT=([0-9]*)' - - - 0
        continue
        rule before "$2.*PROTO=$4.*DPT=$6" - - - 3600 ignore
' kernel: .*(IN=[^ ]* OUT=[^ ]*(| MAC=[^ ]*) SRC=[0-9.]+ DST=[0-9.]+) .*PROTO=(ICMP) TYPE=([0-9]*) CODE=([0-9]*)' - - - 0
        continue
        rule before "$2.*PROTO=$4.*TYPE=$5 CODE=$6" - - - 3600 ignore
# Mail each newly seen drop once (repeats are swallowed by the dynamic
# rules above): $3 = src-ip, $5 = protocol, $7 = destination port
# (for ICMP: $6 = type, $7 = code).
' kernel: .*IN=[^ ]* OUT=[^ ]*(| MAC=[^ ]*) SRC=([0-9.]+) DST=([0-9.]+) .*PROTO=(TCP|UDP) SPT=([0-9]*) DPT=([0-9]*)' - - - 0
        continue
        pipe "/usr/bin/start-mail root \"DROP from $3, Service $7/$5\""
' kernel: .*IN=[^ ]* OUT=[^ ]*(| MAC=[^ ]*) SRC=([0-9.]+) DST=([0-9.]+) .*PROTO=(ICMP) TYPE=([0-9]*) CODE=([0-9]*)' - - - 0
        continue
        pipe "/usr/bin/start-mail root \"DROP ICMP from $3, $6/$7\""
# --------------------------------------------------------------------
# tcp wrapper connects: $3 = client host name, $4 = client address.
# Keep one silent context per host and per address (up to 1000 lines,
# 43200 s) so that the "refused connect" report below can include the
# client's earlier lines.
# NOTE(review): $3 is a host name taken from the log line (presumably
# from reverse DNS) and is used unescaped inside a context regex, so
# regex metacharacters in it change what the context matches.
# Restricting the group to a host-name character class would make the
# accepted input explicit.
' .*\[[0-9]+\]: connect from (.*@|)([^ ]*) \(([0-9.]*)' - - - 0
        CONTINUE
        open "^.{21,}$3" - 1000 43200 0
        ignore
' .*\[[0-9]+\]: connect from (.*@|)([^ ]*) \(([0-9.]*)' - - - 0
        CONTINUE
        open "^.{21,}$4" - 1000 43200 0
        ignore
# tcp wrapper refused context: collect refused connects from a client
# (up to 1000 lines, 180 s absolute, 120 s after the last line) and mail
# them together with the client's connect contexts from above.
' .*\[[0-9]+\]: refused connect from (.*@|)([^ ]*) \(([0-9.]*)\)' - - - 0
        CONTINUE
        open "^.{21,}refused connect.*$3" - 1000 180 120
        report "/usr/bin/start-mail root refused connects" "^.{21,}refused connect.*$3" "^.{21,}$3" "^.{21,}$4"
# stop repeated tries from further proceeding (disabled)
#' .*\[[0-9]+\]: refused connect from (.*)' - - - 0 CONTINUE
# rule before ' .*\[[0-9]+\]: refused connect from $2' - - - 300
# ignore
# --------------------------------------------------------------------
# sshd: one context per sshd pid ($2), opened on "Connection from" and
# deleted on "Closing connection". A "fatal:" line mails the whole
# context of that pid.
' sshd\[([0-9]+)\]: log: Connection from (.*) port' - - - 0
        CONTINUE
        open "sshd\\[$2\\]:" - 1000 43200 0
        ignore
' sshd\[([0-9]+)\]: fatal: ' - - - 0
        CONTINUE
        report "/usr/bin/start-mail root sshd security warning" "sshd\\[$2\\]:"
# NOTE(review): "delete" takes only the context regex; the trailing
# "- 1000 43200 0 ignore" looks copied from the open rule above —
# confirm the parser accepts it, otherwise drop it.
' sshd\[([0-9]+)\]: log: Closing connection to (.*)' - - - 0
        CONTINUE
        delete "sshd\\[$2\\]:" - 1000 43200 0
        ignore
# --------------------------------------------------------------------
# login: $2 = host, $6 = tty (first rule) or remote host (second rule),
# $7 = user name. The first rule has no "continue", so a local failure
# (tty under /dev/) does not fall through to the remote rule. The remote
# rule opens a context keyed on the full match (10 lines, 180 s / 60 s)
# and mails once when that context closes; presumably a second context
# with the same match regex is not opened while one exists.
# NOTE(review): $6 and $7 are copied from the log line into the mail
# subject. "[^ ]*" only excludes blanks, so a login name containing
# quotes or other metacharacters reaches start-mail unchanged; a tighter
# class such as [A-Za-z0-9_.-]+ plus a check of how start-mail handles
# its arguments would contain that.
' ([^ .]*)(.swobspace.de|) login(\[.*\]|): FAILED LOGIN ([^ ]*) FROM (/dev/[^ ]*) FOR ([^ ]*)' - - - 0
        pipe "/usr/bin/start-mail root \"$2: local login ERROR: $7 on $6\""
' ([^ .]*)(.swobspace.de|) login(\[.*\]|): FAILED LOGIN ([^ ]*) FROM ([^ ]*) FOR ([^ ]*)' - - - 0
        open ' ([^ .]*)(.swobspace.de|) login(\[.*\]|): FAILED LOGIN ([^ ]*) FROM ([^ ]*) FOR ([^ ]*)' - 10 180 60
        pipe "/usr/bin/start-mail root \"$2: remote login ERROR: $7 on $6\""
# --------------------------------------------------------------------
# Miscellaneous
# Catch-all debug rule, disabled: would echo every line that reaches it.
#'.*' - - - 0 exec "/bin/echo $0"