forked from DigitalRuby/IPBan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
app.config
382 lines (336 loc) · 14.5 KB
/
app.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
<?xml version="1.0"?>
<configuration>
<configSections>
<section name="LogFilesToParse" type="IPBan.LogFilesToParseConfigSectionHandler, IPBan"/>
<section name="ExpressionsToBlock" type="IPBan.ExpressionsToBlockConfigSectionHandler, IPBan"/>
</configSections>
<!-- A collection of log files to parse, these are polled periodically based on PingInterval for each log file -->
<LogFilesToParse>
<LogFiles>
<!-- SSH failed logins, Ubuntu -->
<LogFile>
<!-- The file source (i.e. SSH, SMTP, etc.) -->
<Source>SSH</Source>
<!-- The folder and mask to watch for log files to parse - one entry per line -->
<PathAndMask>
/var/log/auth*.log
/var/log/secure*
</PathAndMask>
<!--
Regex for each file line to parse out the user name and ip address
It is recommended to use \s for leading and trailing spaces for the regex as those are trimmed internally at the ends of the text
-->
<!--
Example lines
Feb 21 08:35:22 localhost sshd[5774]: Failed password for root from 116.31.116.24 port 29160 ssh2
Jul 3 12:52:21 vps192513 sshd[16201]: Connection closed by 150.95.154.204 port 56032 [preauth] (no attempt to login after timeout)
-->
<Regex>
<![CDATA[
^\s*\w+\s+\w+\s+[0-9:]+\s+\w+\s+sshd.*?\s+failed\s+password\s+for(\sinvalid\suser)?\s+(?<username>.+?)\s+from\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+ssh2?\s*$|
^\s*\w+\s+\w+\s+[0-9:]+\s+\w+\s+sshd.*?\s+connection\s+closed\s+by\s+((invalid\s+user\s+)?(?<username>.+?)\s+)?(?<ipaddress>.+?)\s+port\s+[0-9]+\s+\[preauth\]\s*$
]]>
</Regex>
<!-- Specify specific platforms here or . for all platforms (not recommended) - use Linux, MAC or Windows or Ubuntu, etc. -->
<PlatformRegex>Linux</PlatformRegex>
<!-- How often to parse and check for new files, etc. - in milliseconds -->
<PingInterval>10000</PingInterval>
<!-- 16 MB max size before deleting files and starting over -->
<MaxFileSize>16777216</MaxFileSize>
</LogFile>
</LogFiles>
</LogFilesToParse>
<!--
* WINDOWS ONLY *
Setup expressions to block for Windows event viewer
You may specify the keywords to look for as well as an array of ExpressionsToBlockGroup objects.
In each group there is xpath and a regex. Regex can be empty if not checked.
It is recommended to use \s for leading and trailing spaces for the regex as those are trimmed internally at the ends of the text
All must match in the event for it to be filtered, and at least one regex must have an ipaddress group to pull out the ip address to block.
-->
<ExpressionsToBlock>
<Groups>
<!-- This group will block audit failures from failed login attempts to Windows -->
<Group>
<Source>RDP</Source>
<Keywords>0x8010000000000000</Keywords>
<Path>Security</Path>
<Expressions>
<Expression>
<XPath>//Data[@Name='IpAddress' or @Name='Workstation']</XPath>
<Regex>
<![CDATA[
(?<ipaddress>.+)
]]>
</Regex>
</Expression>
</Expressions>
</Group>
<!-- This group will block audit failures from failed login attempts to Microsoft SQL Server -->
<!--
<EventData>
<Data>username</Data>
<Data>Reason: Could not find a login matching the name provided.</Data>
<Data>[CLIENT: 192.168.1.99]</Data>
<Binary>184800000E000000090000004E0053003500320034003400300036000000070000006D00610073007400650072000000</Binary>
</EventData>
-->
<Group>
<Source>MSSQL</Source>
<Keywords>0x90000000000000</Keywords>
<Path>Application</Path>
<Expressions>
<Expression>
<XPath>//Provider[@Name='MSSQLSERVER']</XPath>
<Regex></Regex>
</Expression>
<Expression>
<XPath>//Data</XPath>
<Regex>
<![CDATA[
^(?!(\[CLIENT\s?:|Reason\s?:))(?<username>.+)
]]>
</Regex>
</Expression>
<Expression>
<XPath>//Data</XPath>
<Regex>
<![CDATA[
\[CLIENT\s?:\s?(?<ipaddress>.*?)\]
]]>
</Regex>
</Expression>
</Expressions>
</Group>
<!-- This group will block audit failures from failed login attempts to MySQL Server -->
<Group>
<Source>MySQL</Source>
<Keywords>0x80000000000000</Keywords>
<Path>Application</Path>
<Expressions>
<Expression>
<XPath>//Provider[@Name='MySQL']</XPath>
<Regex></Regex>
</Expression>
<Expression>
<XPath>//Data</XPath>
<Regex>
<![CDATA[
Access denied for user '?(?<username>.*?)'@'(?<ipaddress>.*?)'
]]>
</Regex>
</Expression>
</Expressions>
</Group>
<!-- This group will block audit failures from MS Exchange -->
<Group>
<Source>MSExchange</Source>
<Keywords>0x80000000000000</Keywords>
<Path>System</Path>
<Expressions>
<Expression>
<XPath>//Provider[@Name='MSExchangeTransport']</XPath>
<Regex></Regex>
</Expression>
<Expression>
<XPath>//Data</XPath>
<Regex>LogonDenied</Regex>
</Expression>
<Expression>
<XPath>//Data</XPath>
<Regex>
<![CDATA[
(?<ipaddress>.+)
]]>
</Regex>
</Expression>
</Expressions>
</Group>
<!-- This group will block audit dropped packet failures from firewall drops to Windows -->
<Group>
<Source>Firewall</Source>
<Keywords>0x8010000000000001</Keywords>
<Path>Security</Path>
<Expressions>
<Expression>
<XPath>//EventID</XPath>
<Regex>^(4625|5152)$</Regex>
</Expression>
<Expression>
<XPath>//Data[@Name='SourceAddress']</XPath>
<Regex>
<![CDATA[
(?<ipaddress>.+)
]]>
</Regex>
</Expression>
</Expressions>
</Group>
<!-- This group will block audit failures from failed login attempts to phpMyAdmin Web Interface -->
<Group>
<Source>phpMyAdmin</Source>
<Keywords>0x80000000000000</Keywords>
<Path>Application</Path>
<Expressions>
<Expression>
<XPath>//Data</XPath>
<Regex>phpMyAdmin</Regex>
</Expression>
<Expression>
<XPath>//Data</XPath>
<Regex>
<![CDATA[
user denied: (?<username>.*?)\(mysql-denied\) from *(?<ipaddress>.+)
]]>
</Regex>
</Expression>
</Expressions>
</Group>
<!--
This group will block OpenSSH login failures
-->
<Group>
<Source>SSH</Source>
<Keywords>0x8000000000000000</Keywords>
<Path>OpenSSH/Admin</Path>
<Expressions>
<Expression>
<XPath>//Data[@Name='payload']</XPath>
<Regex>
<![CDATA[
maximum authentication attempts exceeded for( invalid user)? (?<username>.*?) from (?<ipaddress>.*?)\s
]]>
</Regex>
</Expression>
</Expressions>
</Group>
<Group>
<Source>SSH</Source>
<Keywords>0x4000000000000000</Keywords>
<Path>OpenSSH/Operational</Path>
<Expressions>
<Expression>
<XPath>//Data[@Name='payload']</XPath>
<Regex>
<![CDATA[
Failed password for( invalid user)? (?<username>.*?) from (?<ipaddress>.*?)\s|
Connection closed by (?<ipaddress>.*?) port [0-9]+ \[preauth\]
]]>
</Regex>
</Expression>
</Expressions>
</Group>
<!--
This group will block NTLM login failures in the Applications and Services Logs > Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log
OpCode 14 indicates an invalid protocol, which is usually a sign of a hacker
-->
<Group>
<Source>RDP</Source>
<Keywords>0x4000000000000000</Keywords>
<Path>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational</Path>
<Expressions>
<Expression>
<XPath>//Opcode</XPath>
<Regex>
<![CDATA[
^14$
]]>
</Regex>
</Expression>
<Expression>
<XPath>//Data[@Name='ClientIP' or @Name='IPString']</XPath>
<Regex>
<![CDATA[
(?<ipaddress>.+)
]]>
</Regex>
</Expression>
</Expressions>
</Group>
</Groups>
</ExpressionsToBlock>
<appSettings>
<!-- Number of failed logins before banning the ip address -->
<add key="FailedLoginAttemptsBeforeBan" value="5"/>
<!-- The duration of time to ban an ip address (DD:HH:MM:SS) - 00:00:00:00 for forever -->
<add key="BanTime" value="07:00:00:00"/>
<!-- True to clear and unban all the ip addresses from the firewall upon restart, false otherwise -->
<add key="ClearBannedIPAddressesOnRestart" value="false"/>
<!-- The duration after the last failed login attempt that the ip is forgotten (count reset back to 0). Set to 00:00:00:00 to never forget an ip. (DD:HH:MM:SS) -->
<add key="ExpireTime" value="01:00:00:00"/>
<!-- The time between cycles to do house-keeping such as un-banning ip addresses, reloading config, etc. (DD:HH:MM:SS) -->
<add key="CycleTime" value="00:00:00:15"/>
<!-- The minimum time between failed login attempts for an ip address to increment the ban counter -->
<add key="MinimumTimeBetweenFailedLoginAttempts" value="00:00:00:05"/>
<!--
Rule prefix name for firewall rules, must contain only A-Z, 0-9 and _
-->
<add key="FirewallRulePrefix" value="IPBan_"/>
<!-- Comma separated list of ip addresses OR DNS names that are never banned -->
<add key="Whitelist" value=""/>
<!-- Whether to create a whitelist firewall rule. This gives all whitelist ip access to all ports -->
<add key="CreateWhitelistFirewallRule" value="false"/>
<!--
Regular expression for more advanced whitelisting. Shortcut: use * to allow any piece of an ip (i.e. 128.128.128.*).
Sample regex that whitelists a few ips: ^(128\.128\.128\.*)|(99\.99\.99\.[0-9])$
More info about regex: http://www.regular-expressions.info/
-->
<add key="WhitelistRegex" value=""/>
<!-- Comma separated list of ip addresses OR DNS names OR user names to always ban and NEVER unban -->
<add key="Blacklist" value=""/>
<!--
Regular expression for more advanced blacklisting. Shortcut: use * to allow any piece of an ip, dns name or user name (i.e. 128.128.128.*).
Sample regex that blacklists a few ips: ^(128\.128\.128\.*)|(99\.99\.99\.[0-9])$
More info about regex: http://www.regular-expressions.info/
-->
<add key="BlacklistRegex" value=""/>
<!--
Comma separated list of user names that are allowed. UserNameWhiteListMinimumEditDistance is checked for user names not in the list
to determine whether a failed user name should be banned. Case is ignored. Empty user names are always allowed.
*** IMPORTANT *** This can represent an attack vector by a hacker. If they know you are using IPBan and they don't get locked out right
away, they might know they are somewhat close to the right user name. Make sure your passwords are complex enough and this shouldn't be a problem.
-->
<add key="UserNameWhitelist" value=""/>
<!--
If the edit distance (levenshtein distance) of a failed user name is greater than this distance away, the user name is immediately banned.
Set to 0 to ban all failed user names if UserNameWhitelist has entries. Case is ignored. Empty user names are always allowed.
-->
<add key="UserNameWhiteListMinimumEditDistance" value="2" />
<!-- Number of failed logins before banning the ip address if the user name is in the user name whitelist -->
<add key="FailedLoginAttemptsBeforeBanUserNameWhitelist" value="20"/>
<!--
Allows setting a type of firewall if not using the default firewall implementation. You must add this class to the code yourself and annotate with RequiredOperatingSystem and CustomName.
Prefix with OS:ClassName, example: Windows:MyWindowsFirewall,Linux:MyLinuxFirewall,OSX:MyMacFirewall
-->
<add key="FirewallType" value=""/>
<!---
Run an external process when a ban occurs. Separate the process and any arguments with a pipe (|). ###IPADDRESS### will be replaced with the actual IP which was banned. The pipe is required.
Example: c:\system files\on_ip_banned.exe|###IPADDRESS### -q
-->
<add key="ProcessToRunOnBan" value=""/>
<!--
Url to query to get the external ip address, the url should return a string which is the external ip address.
-->
<add key="ExternalIPAddressUrl" value="http://checkip.amazonaws.com/"/>
<!--
A url to get when the service updates, empty for none.
Example: http://192.168.1.2/ipban/update?ip=###IPADDRESS###&remote_ip=###REMOTE_IPADDRESS###&name=###MACHINENAME###&version=###VERSION###&guid=###GUID###&osname=###OSNAME###&osversion=###OSVERSION###
-->
<add key="GetUrlUpdate" value=""/>
<!--
A url to get when the service starts, empty for none.
Example: http://192.168.1.2/ipban/start?ip=###IPADDRESS###&remote_ip=###REMOTE_IPADDRESS###&name=###MACHINENAME###&version=###VERSION###&guid=###GUID###&osname=###OSNAME###&osversion=###OSVERSION###
-->
<add key="GetUrlStart" value=""/>
<!--
A url to get when the service stops, empty for none.
Example: http://192.168.1.2/ipban/stop?ip=###IPADDRESS###&remote_ip=###REMOTE_IPADDRESS###&name=###MACHINENAME###&version=###VERSION###&guid=###GUID###&osname=###OSNAME###&osversion=###OSVERSION###
-->
<add key="GetUrlStop" value=""/>
<!--
A url to get config file from, empty for none.
Example: http://192.168.1.2/ipban/config?guid=###GUID###
-->
<add key="GetUrlConfig" value=""/>
</appSettings>
</configuration>