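# Backend to use, choice of ["ipset", "nft"].
backend = "ipset"
# If non-empty, ipsets will be saved when gerberos
# is terminated (unless killed by SIGKILL) and
# restored when gerberos starts. Timeouts will
# be restored as saved.
# Prefer an absolute path: a relative path is resolved
# against the working directory of the gerberos process,
# which may differ when it is started as a service.
# Since the contents of this file decide which addresses
# are banned after a restart, keep it writable only by
# the account gerberos runs as.
# Default: ""
#saveFilePath = "./gerberos.save"
# Log level, choice of ["debug", "info", "warn", "error"].
# Default: "info"
logLevel = "info"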
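[rules]
[rules.ufw]
# Required. Available sources are
# - ["file", "<path to non-directory file>"] (using tail)
# - ["systemd", "<name of systemd service>"] (using journalctl)
# - ["kernel"] (using journalctl)
# - ["process", "<name>", "[any number of...]", "[...optional arguments]"]
# NOTE: /var/log/syslog is a shared sink and the regexp
# below is not anchored to the kernel facility, so any
# syslog line that happens to match, whatever wrote it,
# counts towards a ban. If only kernel messages are
# wanted, the ["kernel"] source is presumably the
# narrower choice -- verify on the target system.
source = ["file", "/var/log/syslog"]
# Required. "%ip%" must appear exactly once in
# each main regexp (Golang flavor). "%ip%" will be
# replaced with the following subexpression named
# "ip" matching IPv4 and IPv6 addresses:
# (?P<ip>(\d?\d?\d\.){3}\d?\d?\d|\[?([0-9A-Fa-f]{0,4}::?)
# {1,6}[0-9A-Fa-f]{0,4}::?[0-9A-Fa-f]{0,4})\]?
# The SRC= address of a blocked SYN comes from the
# packet itself and can be spoofed, so a ban keyed on
# it can be provoked against arbitrary third-party
# addresses. Keep the ban duration modest and review
# what gets banned.
regexp = ['\[UFW BLOCK\].*?MAC= SRC=%ip%.*?DPT=\d+.*SYN']
# Required. Available actions are
# - ["ban", "<value parsable by time.ParseDuration>"]
# - ["log", "<simple|extended>"]
action = ["ban", "3h"]
# Optional. In this case, the action will be
# performed once the same match has occurred 3
# times within 5 minutes, resetting the counter.
occurrences = ["3", "5m"]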
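# Example aggregate rule for radicale.
# Needs radicale logging -> level = info.
[rules.radicale]
source = ["systemd", "radicale"]
# If the aggregate option is used, "%id%" must
# appear exactly once in each main regexp in
# addition to "%ip%". "%id%" will be replaced
# with the following subexpression named "id":
# (?P<id>(.*))
# Please note that this subexpression matches
# greedily, so the text following "%id%" in the
# regexp has to be specific enough to bound it.
regexp = ["\\] \\[%id%\\] \\[INFO\\] .*? received from '%ip%'"]
# This example only logs matches; switch to
# ["ban", "<duration>"] once they look right.
action = ["log", "simple"]
# Optional. In this case, the given action will
# only be performed if the aggregate regexp
# (multiple are allowed) is matched within 2
# minutes after one of the main regexps has been
# matched with the same ID. "%id%" must appear exactly
# once in each aggregate regexp.
aggregate = ["2m", '\] \[%id%\] \[INFO\] Failed login attempt']
# Optional. Same semantics as in [rules.ufw]: the
# action fires once the same match has occurred 3
# times within 5 minutes, resetting the counter.
occurrences = ["3", "5m"]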