Member "sshdfilter-1.5.7/etc/sshdfilterrc" (7 Jun 2010, 11506 Bytes) of package /linux/privat/old/sshdfilter-1.5.7.tar.gz:




# sshdfilter config, V1.5.6
# Config parser is simple, so don't try anything fancy.

SECTION OPTIONS
# These options set the general behaviour of sshdfilter; more specific
# options are set in the named sections below this OPTIONS section.

# Any character matching this expression is removed from the username
# before matching, to ensure odd characters aren't processed.
# If sanitisation changes a username, the username is called DIRTY and
# matches the DIRTY pattern below.
sanitise='[^-a-zA-Z0-9_]'

# iptables commands to add and remove blocks on particular IPs.
# These commands are executed; the following variables are available:
# $ip - IP address of the offending machine.
# $chain - Chain to add this IP to (when using iptables).
# $idx - the next free ipfw index number (when using ipfw).
# Add a block rule:
firewalladd='iptables -A $chain -p tcp -s $ip --dport 22 -j DROP'
# Delete a block rule:
firewalldel='iptables -D $chain -p tcp -s $ip --dport 22 -j DROP'

# Add/remove commands for ip6tables, see ip6toip4 below. This pair is
# untested; does anybody actually use IPv6?
#firewalladd='ip6tables -A $chain -p tcp -s $ip --dport 22 -j DROP'
#firewalldel='ip6tables -D $chain -p tcp -s $ip --dport 22 -j DROP'

# Add/remove commands for ipfw, see ipfwmin/ipfwmax below.
#firewalladd='ipfw add $idx drop tcp from $ip to any dst-port 22'
#firewalldel='ipfw delete $idx drop tcp from $ip to any dst-port 22'

# Path to the firewall command (iptables, ip6tables or ipfw).
# Not normally needed, $PATH is searched by default.
#fwcmdpath="/some/where/unusual/"


# Name of the iptables chain where sshdfilter will store its rules. If you
# want to run multiple isolated instances of sshdfilter then you will
# need to change this, your iptables setup, and use the SSHFILTERRC
# environment variable (see INSTALL).
chain='SSHD'

# Email any block events. Runs this line with some more details on stdin.
# Note perl executes this line, so be careful with escaping. Using the
# debug option might be a good idea to get this working, as would
# logging debug level syslog events (that's /etc/syslog.conf).
#mail='mail -s \"sshdfilter event for $ip, $event\" greg\@abatis.flint'

# Convert any IPv6 addresses to IPv4, necessary for iptables, as only
# ip6tables knows about IPv6. Setting this option to 0 also enables
# calling ip6tables instead of iptables, so you should generally leave it
# set to 1.
ip6toip4=1

# Enable the use of ipfw (for BSD, Solaris, Mac) instead of iptables.
# This pair specifies the range of index numbers used by the rules. Pick
# a range of numbers that fits into your firewall. Read INSTALL.ipfw.
#ipfwmin=1002
#ipfwmax=1999

# Where the sshd log messages come from: either STDIN (sshd -e -D | sshdfilter),
# or syslog, in which case the messages are read from a named pipe and you need to
# look at the sshdname and logpid options below.
#logsource='/var/run/sshd.fifo'
logsource='STDIN'

# Where sshd lives.
sshdpath='/usr/sbin/sshd'

# The name of the sshd process, only needed to identify the sshd process
# from a non-STDIN logsource. See also logpid below, which isn't required
# if you have only one sshd daemon process.
sshdname='sshd'

# Assuming standard sshd behaviour, children of sshd (one sshd per
# connection) log to syslog directly, so the pid reported by syslog will
# change every time. The parent of the reported pid will be constant, and
# that is what this value should be. Or, set to <=0, and all sshdname
# processes will be interpreted as the same sshd. Can be given on the
# command line: sshdfilter logpid=`cat /var/run/sshd.pid`
logpid=0

# Debug? >0 turns on debugging; setting to 1 should help diagnose unexpected
# behaviour. 4 is the most verbose.
debug=1

SECTION USERPOLICY
# The action policy says what happens when different users try to log in. The
# right hand side of the = is either a regular expression that matches
# usernames or one of the special words DEFAULT, INVALID, NOID or DIRTY.
# The format is:
# [number of failures],[block time] = <regular expression>
# [number of failures] is the maximum number of failures (password or
# invalid usernames) before an iptables block rule is created. Here it is
# twice what it should be, as 'sshd -e -D' likes to output failures and
# successes twice. [block time] is how long that block will last. After this
# time, the iptables rule will be removed. This is specified as <number>d,
# <number>h, <number>m or <number>s, for days, hours, minutes or seconds
# respectively.
# This list is read from top to bottom; the first match wins. But
# DEFAULT sets the current default values and can be used multiple times
# to set the ongoing default values for following lines. INVALID works in
# the same way: its values provide defaults for later matches against
# users that match the given regular expression but are also invalid
# user names.

# On my RedHat 7.3 system, sshd message doublings (when using the sshd
# options -eD, which is sshdfilter install route 1) follow this pattern
# (actual attempts at password => log messages):
# FAILVAL: 1=>2, 2=>4, 3=>6
# INVALID: 0=>5, 1=>7, 2=>9, 3=>11, and repeat
# INVALID: 0=>4, 1=>6, 2=>8, 3=>10, and repeat

5,3d = DEFAULT   # catch all
0,10d = DIRTY         # username sanitising was necessary? instant long term block
0,10d = '^(nobody|test|guest|mythtv|admin|adm|sshadmin|services|setup|mine|user|nu|webmaster|demo|deploy)$'   # common brute force names, instant block for 10 days. Some attacks also try the hostname.
#6 = '^greg$'        # My username, so give me more chances, block for the default 3 days.
#3 = '^g[reg]{3}$'   # allow 3 guesses of greg, grge, ggre, gger, gerg, gegr,
                    # even if they are invalid usernames.
2,5d = '^root$'     # allow two guesses of root, block for 5 days.
#,1h = '^ian$'      # default of 3 guesses, only block for 1 hour.
3,5d = DEFAULT   # change defaults from this point on, 3 guesses, block for 5 days.
3,6d = INVALID    # Sets the default for invalid user names: three chances, and a 6 day block time.
                  # If any of the below are invalid and missing a value, this value, not the DEFAULT
                  # value, is used.
#4 =  '^(peter|ian)$' # peter would get 4 chances and would be blocked for 7 days. ian would have matched
                   # the line above and so is redundant here.
#, = '^bob$'        # If bob exists, gets 3 chances and is blocked for 5 days, all values based on last DEFAULT.
                   # If bob is illegal, gets 3 chances and is blocked for 7 days, values based on last INVALID.
3,7d = INVALID    # Catch all for invalid usernames; if none of the above matched, these numbers will apply.
0,10d = NOID      # Catch all for no-ssh-id events, instant block for 10 days.

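As an added illustration of the USERPOLICY rules just described (this is not sshdfilter's own code, which is Perl), the Python below resolves a username to its (failures, block seconds) pair: sanitising marks DIRTY names, the first matching rule wins, values omitted on a line are filled from the DEFAULT or INVALID in force at that line, and, as an assumption the comments above do not spell out, the last DEFAULT or INVALID acts as the catch-all for names no rule matches.

```python
import re

# Constructed subset of the USERPOLICY section above, in the same syntax.
USERPOLICY = """
5,3d = DEFAULT
0,10d = DIRTY
0,10d = '^(nobody|test|guest|admin)$'
2,5d = '^root$'
3,5d = DEFAULT
3,6d = INVALID
, = '^bob$'
3,7d = INVALID
0,10d = NOID
"""
SANITISE = re.compile(r'[^-a-zA-Z0-9_]')           # the sanitise option above
UNIT = {'d': 86400, 'h': 3600, 'm': 60, 's': 1}    # block time suffixes

def parse_userpolicy(text):
    """Rules: (regex, fails, secs, DEFAULT in force, INVALID in force), in file
    order; specials: the last DEFAULT/INVALID/DIRTY/NOID values seen."""
    rules, specials = [], dict.fromkeys(('DEFAULT', 'INVALID', 'DIRTY', 'NOID'))
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()          # drop comments
        if not line:
            continue
        lhs, rhs = (p.strip() for p in line.split('=', 1))
        f, _, t = (p.strip() for p in lhs.partition(','))
        fails = int(f) if f else None                  # None: fill from defaults
        secs = int(t[:-1]) * UNIT[t[-1]] if t else None
        if rhs in specials:
            specials[rhs] = (fails, secs)
        else:
            rules.append((re.compile(rhs.strip("'")), fails, secs,
                          specials['DEFAULT'], specials['INVALID']))
    return rules, specials

def lookup(policy, username, valid):
    """(max failures, block seconds) for a login as `username`; `valid` says the
    account exists. Sanitised-away characters mean DIRTY; first match wins; no
    match falls back to the last DEFAULT (valid) or INVALID (assumed here)."""
    rules, specials = policy
    clean = SANITISE.sub('', username)
    if clean != username:
        return specials['DIRTY']
    for rx, fails, secs, dflt, inval in rules:
        if rx.search(clean):
            fill = dflt if valid else inval
            return (fails if fails is not None else fill[0],
                    secs if secs is not None else fill[1])
    return specials['DEFAULT'] if valid else specials['INVALID']
```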

SECTION IPPOLICY
# Good nets (+) and bad nets (-), by regular expression matching IP addresses.
# This matches the same addresses as reported in sshdfilter logs, ie, the
# same IP version as used by your iptables command, which will most likely
# be version 4. No hostname lookup is done, nor proper subnet matching.
# If you want any of that you need to be using iptables.
#-'^192\.168\.7\.9$'  # drop a test #
#+'^192\.168\.7\.[0-9]+$'       # always accept, never block LAN connections
#+'^192\.168\.8\.[0-9]+$'       # always accept, never block LAN connections
#+'^192\.168\.0\.[0-9]+$'       # always accept, never block LAN connections
+'^127\.0\.0\.1$'              # always accept loopback connections
-'^207\.46\.[0-9]+\.[0-9]+$'   # Block known evil domain


SECTION EMAILPOLICY
# When to send emails about block events. + means send email, - means don't.
# Read from top to bottom; the first match is the action. Except DEFAULT,
# which only matches after none of the others have matched. But for DEFAULT,
# INVALID and NOID, the surrounding '' are required.

#-'^peter$'   # If peter ever fails to login, don't email.
+DEFAULT     # Email in most circumstances.
#+'^greg$'    # Email if the user is greg, redundant as this is the default.
+INVALID     # Email all invalid users
-NOID        # Don't email if there was no ssh id given.



SECTION SSHDLOG
# The SSHDLOG section maps sshd messages into one of several types: No Id
# string, Invalid User, Bad password for valid user, and Good password for
# valid user. Each version and distribution uses different message formats,
# so the exact format needs to be user configurable. These are already
# supplied for quite a few distributions.

# Starting with sshdfilter 1.5.6, all variants of log messages are already
# present in the hope that a working set will be amongst them. You can
# delete all those that aren't used on your distro, but remember, even
# distro updates can change sshd messages, turning a working sshdfilter
# configuration into a defunct configuration - long after you have
# disabled most logging secure in the knowledge that sshdfilter is working.
# Note: DropBear (lightweight sshd) patterns are not included below, see
# patterns/dbear.partconf

# Illegal user (non-existent user)
msg_invalid='\nIllegal user (.*) from ([0-9a-fA-F:\.]+) *$'
map_invalid='push @res,$1;  push @res,$2;'
msg_invalid='\nInvalid user (.*) from ([0-9a-fA-F:\.]+) *$'
map_invalid='push @res,$1;  push @res,$2;'
msg_invalid='\nFailed [^ ]+ for illegal user (.*) from ([0-9a-fA-F:\.]+) port [0-9]+ ssh2 *$'
map_invalid='push @res,$1;  push @res,$2;'
msg_invalid='\nFailed [^ ]+ for invalid user (.*) from ([0-9a-fA-F:\.]+) port [0-9]+ ssh2 *$'
map_invalid='push @res,$1;  push @res,$2;'
msg_invalid='\nUser (.*) from ([0-9a-fA-F:\.]+) not allowed because not listed in AllowUsers *$'
map_invalid='push @res,$1;  push @res,$2;'
msg_invalid='\nPostponed .* for invalid user (.*) from ([0-9a-fA-F:\.]+) port [0-9]+ ssh2 *$'
map_invalid='push @res,$1;  push @res,$2;'
msg_invalid='\nPostponed .* for illegal user (.*) from ([0-9a-fA-F:\.]+) port [0-9]+ ssh2 *$'
map_invalid='push @res,$1;  push @res,$2;'
#msg_invalid='User (.*) is unknown\ncoming from ([0-9a-fA-F:\.]+) *$'
#map_invalid='push @res,$1;  push @res,$2;'

# Valid user, wrong password
msg_failed_valid='\nFailed [^ ]+ for (.*) from ([0-9a-fA-F:\.]+) port [0-9]+ ssh2 *$'
map_failed_valid='push @res,$1;  push @res,$2;'
msg_failed_valid='\nPostponed .* for (.*) from ([0-9a-fA-F:\.]+) port [0-9]+ ssh2 *$'
map_failed_valid='push @res,$1;  push @res,$2;'
# "exhasted" is spelt that way in the sshd message itself, so leave it.
msg_failed_valid='\nerror: PAM: Have exhasted maximum number of retries for service. for (.*) from ([^ ]*) *$'
map_failed_valid='push @res,$1;  push @res,$2;'
msg_failed_valid='\nerror: PAM: Authentication failure for (.*) from ([^ ]*) *$'
map_failed_valid='push @res,$1;  push @res,$2;'
# rhost comes before user in the PAM messages, so the map pushes $2 then $1.
msg_failed_valid='\nPAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=([0-9a-fA-F:\.]+) +user=(.*) *$'
map_failed_valid='push @res,$2;  push @res,$1;'
# The brackets around sshd:auth must be escaped, otherwise they form an extra
# capture group and $1/$2 no longer refer to the rhost and user.
msg_failed_valid='\npam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=([0-9a-fA-F:\.]+) +user=(.*) *$'
map_failed_valid='push @res,$2;  push @res,$1;'

# Valid user, correct password
msg_accepted_user='\nAccepted [^ ]* for (.*) from ([0-9a-fA-F:\.]+) port [0-9]+ ssh2 *$'
map_accepted_user='push @res,$1;  push @res,$2;'

# No ID
msg_no_id_string='\nDid not receive identification string from ([0-9a-fA-F:\.]+) *$'
map_no_id_string='push @res,$1;'
msg_no_id_string='\nChild connection from ([0-9a-fA-F:\.]+):[0-9]+\nexit before auth: Failed to get remote version *$'
map_no_id_string='push @res,$1;'

# sshd exit
msg_quit='\nReceived signal ([0-9]+); terminating. *$'
map_quit='push @res,$1;'
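An added example, not code from sshdfilter itself, showing in Python how the SSHDLOG msg_/map_ pairs above turn sshd messages into (event, user, ip) tuples. It assumes the invalid-user patterns are tried before the generic failed_valid one (the generic "Failed ... for (.*) from" pattern would otherwise capture "invalid user X" as the username), and that messages arrive without a syslog prefix, as with sshd -e -D.

```python
import re

# SSHDLOG patterns from the config above, in the order they are tried here:
# (event, Perl-style regex, (user group, ip group)) from each msg_*/map_* pair.
# The generic "Failed ... for (.*) from" pattern also matches "Failed password
# for invalid user X from ...", capturing "invalid user X" as the name, so the
# invalid-user patterns are listed first (an assumed ordering).
PATTERNS = [
    ('invalid', r'\nInvalid user (.*) from ([0-9a-fA-F:\.]+) *$', (1, 2)),
    ('invalid', r'\nFailed [^ ]+ for invalid user (.*) from ([0-9a-fA-F:\.]+) port [0-9]+ ssh2 *$', (1, 2)),
    ('failed_valid', r'\nFailed [^ ]+ for (.*) from ([0-9a-fA-F:\.]+) port [0-9]+ ssh2 *$', (1, 2)),
    # map_failed_valid pushes $2 then $1 for the PAM line: the user is group 2.
    ('failed_valid', r'\npam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=([0-9a-fA-F:\.]+) +user=(.*) *$', (2, 1)),
    ('accepted', r'\nAccepted [^ ]* for (.*) from ([0-9a-fA-F:\.]+) port [0-9]+ ssh2 *$', (1, 2)),
    ('no_id', r'\nDid not receive identification string from ([0-9a-fA-F:\.]+) *$', (None, 1)),
]
COMPILED = [(ev, re.compile(rx), grp) for ev, rx, grp in PATTERNS]

def classify(message):
    """Map one sshd message (as 'sshd -e -D' writes it, no syslog prefix) to
    (event, user, ip), or None. The patterns begin with a newline anchor, so
    one is prepended before searching."""
    text = '\n' + message.rstrip('\n')
    for event, rx, (ug, ig) in COMPILED:
        m = rx.search(text)
        if m:
            return (event, m.group(ug) if ug else None, m.group(ig))
    return None

def tally_failures(messages):
    """Count invalid/failed events per (ip, user): the figure USERPOLICY's
    [number of failures] is compared against (per-IP-and-user is assumed)."""
    counts = {}
    for msg in messages:
        hit = classify(msg)
        if hit and hit[0] in ('invalid', 'failed_valid'):
            counts[(hit[2], hit[1])] = counts.get((hit[2], hit[1]), 0) + 1
    return counts

# Constructed sample messages, not real log data.
SAMPLE = [
    'Invalid user admin from 10.0.0.5',
    'Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2',
    'Failed password for greg from 192.168.7.9 port 40000 ssh2',
    'pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.6  user=greg',
    'Accepted publickey for greg from 192.168.7.10 port 40001 ssh2',
    'Did not receive identification string from 2001:db8::1',
    'Connection closed by 10.0.0.5',
]
```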
  222