tallow/data/sshd.json
Auke Kok 9174590b04 Convert patterns to JSON input files.
Tallow will now read JSON files from /usr/share/tallow/ and /etc/tallow
and parse them to retrieve filters and patterns. The sshd patterns
are converted to JSON and used to test this change.

If a file exists in /etc/tallow with the same name as a file in
/usr/share/tallow, only the file in /etc/tallow will be parsed.

This change allows much more dynamic insertion of rules and people
to create custom patterns and filters and monitor the logs of other
daemons besides sshd that may be subject to bruteforce login attempts.

Potential use cases:
- IMAP/POP services
- SMTP
- HTTP services permitted they log to syslog
- DNS servers logging malformed requests
- etc.
2019-01-23 13:55:06 -08:00


[
  {
    "filter": "SYSLOG_IDENTIFIER=sshd",
    "items": [
      {
        "ban": 0,
        "score": 0.2,
        "pattern": "MESSAGE=Failed .* for .* from ([0-9a-z:.]+) port \\d+ ssh2"
      },
      {
        "ban": 0,
        "score": 0.2,
        "pattern": "MESSAGE=error: PAM: Authentication failure for .* from ([0-9a-z:.]+)"
      },
      {
        "ban": 10,
        "score": 0.2,
        "pattern": "MESSAGE=Invalid user .* from ([0-9a-z:.]+) port \\d+"
      },
      {
        "ban": 10,
        "score": 0.3,
        "pattern": "MESSAGE=Did not receive identification string from ([0-9a-z:.]+) port \\d+"
      },
      {
        "ban": 15,
        "score": 0.4,
        "pattern": "MESSAGE=Bad protocol version identification .* from ([0-9a-z:.]+)"
      },
      {
        "ban": 15,
        "score": 0.4,
        "pattern": "MESSAGE=Connection closed by authenticating user .* ([0-9a-z:.]+) port \\d+"
      },
      {
        "ban": 10,
        "score": 0.3,
        "pattern": "MESSAGE=Received disconnect from ([0-9a-z:.]+) port .*\\[preauth\\]"
      },
      {
        "ban": 10,
        "score": 0.3,
        "pattern": "MESSAGE=Connection closed by ([0-9a-z:.]+) port .*\\[preauth\\]"
      },
      {
        "ban": 30,
        "score": 0.5,
        "pattern": "MESSAGE=Failed .* for root from ([0-9a-z:.]+) port \\d+ ssh2"
      },
      {
        "ban": 60,
        "score": 0.6,
        "pattern": "MESSAGE=Unable to negotiate with ([0-9a-z:.]+) port \\d+: no matching key exchange method found."
      }
    ]
  }
]
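As an added illustration of the loading rule and the filter/pattern format the commit message describes (this is not tallow's own code and not part of the commit): two constructed in-memory stand-ins for the /usr/share/tallow and /etc/tallow listings are selected by file name, their "FIELD=value" filters and "FIELD=regex" patterns are compiled, and the rules are run over constructed journal records to score source addresses. How "score" accumulates per address and what "ban" means are assumptions, since the message does not define them; note how an /etc/tallow/sshd.json that shadows the stock file drops every stock pattern it does not carry over.

```python
import re
from collections import defaultdict

# Added example, not tallow's own code. The two dicts stand in for the file
# listings of /usr/share/tallow and /etc/tallow; contents are constructed.
STOCK = {"sshd.json": [{"filter": "SYSLOG_IDENTIFIER=sshd", "items": [
    {"ban": 0, "score": 0.2, "pattern": "MESSAGE=Failed .* for .* from ([0-9a-z:.]+) port \\d+ ssh2"},
    {"ban": 30, "score": 0.5, "pattern": "MESSAGE=Failed .* for root from ([0-9a-z:.]+) port \\d+ ssh2"},
]}]}
# A same-named admin copy: per the commit it replaces the stock file outright,
# so patterns not carried over (here both "Failed" lines) silently stop firing.
ADMIN = {"sshd.json": [{"filter": "SYSLOG_IDENTIFIER=sshd", "items": [
    {"ban": 10, "score": 0.2, "pattern": "MESSAGE=Invalid user .* from ([0-9a-z:.]+) port \\d+"},
]}]}

def select_files(stock, admin):
    """/etc/tallow wins per file name; stock files with other names are kept."""
    return {**stock, **admin}

def compile_rules(files):
    """One rule per item; filter and pattern are split on their first '='."""
    rules = []
    for entry in (e for listing in files.values() for e in listing):
        ffield, fvalue = entry["filter"].split("=", 1)
        for it in entry["items"]:
            pfield, regex = it["pattern"].split("=", 1)
            rules.append((ffield, fvalue, pfield, re.compile(regex), it["score"], it["ban"]))
    return rules

def score_journal(rules, journal):
    """Per-address totals. Assumed semantics: scores of every matching item
    add up per address and the largest 'ban' value seen is kept."""
    totals, bans = defaultdict(float), defaultdict(int)
    for rec in journal:
        for ffield, fvalue, pfield, regex, score, ban in rules:
            if rec.get(ffield) != fvalue:  # the filter gates the pattern
                continue
            if m := regex.search(rec.get(pfield, "")):
                ip = m.group(1)  # first capture group is the source address
                totals[ip] = round(totals[ip] + score, 3)
                bans[ip] = max(bans[ip], ban)
    return dict(totals), dict(bans)

def record(ident, msg):
    return {"SYSLOG_IDENTIFIER": ident, "MESSAGE": msg}

# Constructed journal records (documentation addresses, not real hosts).
JOURNAL = [record("sshd", "Failed password for root from 203.0.113.7 port 51234 ssh2"),
           record("sshd", "Invalid user admin from 198.51.100.9 port 40000"),
           record("cron", "Failed password for root from 192.0.2.1 port 1 ssh2")]
```

Running `score_journal(compile_rules(select_files(STOCK, ADMIN)), JOURNAL)` scores only 198.51.100.9, because the shadowing admin file carries no "Failed" pattern; with `compile_rules(STOCK)` the root failure from 203.0.113.7 matches both stock items and reaches 0.7, while the cron record never passes the filter.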