;
; HostBlock configuration
;
; Timezone used for all timestamps (list of supported values: http://www.php.net/manual/en/timezones.php)
timezone = "UTC"
; Datetime format for data output (statistics, hostblock.log, etc.) (see http://www.php.net/manual/en/function.date.php)
datetimeformat = "Y-m-d H:i:s"
; How often to check log files (seconds, default 60)
; NOTE(review): this is also the longest an offender keeps going before its log lines are even
; read; lowering it shortens that window at the cost of more frequent parsing.
logparseinterval = 60
; How often to check whether IP addresses were added to or removed from blacklist/whitelist and
; to update the generated files (seconds)
blacklistupdateinterval = 60
; How many times requests from a single IP address must match one of the patterns below before
; the address is added to the blacklist.
; NOTE(review): several of the Apache patterns further down are broad substrings (e.g. /root/i,
; /install/i, /console/i, /e7/i) that can match legitimate traffic; keep this threshold high
; enough that a handful of false matches does not lock out ordinary users, or whitelist them.
suspiciousentrymatchcount = 10
; Path to whitelist file (these IP addresses will never get into the blacklist).
; Put your own management and monitoring addresses here so that a too-broad pattern, or a
; scanner sharing your NAT/egress address, cannot lock you out of your own host.
whitelist = "/var/lib/hostblock/whitelist"
; Path to blacklist file (these IP addresses will always be in the blacklist)
blacklist = "/var/lib/hostblock/blacklist"
; For how long to keep an IP in the blacklist; 0 keeps it forever (seconds, default 0).
; Measured from the last activity: once (current time - time of last activity) exceeds this
; value, the IP no longer appears in the blacklist.
; 3600 - hour
; 86400 - day
; 432000 - 5 days
; 2592000 - 30 days
; 8640000 - 100 days (the value configured below)
blacklisttime = 8640000
; Apache access log file location (one entry per log file to watch)
apacheaccesslogs[] = "/var/log/apache/access_log"
; .htaccess files that should contain blacklisted IPs
; NOTE(review): these files are presumably rewritten on every blacklist update, so keep any
; hand-written rules out of them, and make sure AllowOverride for that directory permits the
; generated access-control directives or they are silently ignored - confirm against the hostblock code.
htaccessfiles[] = "/var/www/htdocs/.htaccess"
; Apache access log formats, same order as apacheaccesslogs! (the entry below is the Common Log Format)
; NOTE(review): %h (remote host) is presumably the address that ends up blacklisted; behind a
; reverse proxy or load balancer %h is the proxy's address, and blacklisting it blocks every client at once.
apacheaccesslogformats[] = "%h %l %u \[%t\] \"%r\" %s %b"
; Apache access log suspicious entry search patterns (PCRE regex); the search is performed in
; the request field ("GET / HTTP/1.1") only.
; The match runs on the raw, still URL-encoded request line, so an encoded variant of a path is
; only caught if it is listed separately (see the %63%67%69... entries below); an attacker who
; wants to avoid these patterns can trivially encode around them. Treat this list as noise
; reduction against mass scanners, not as an access control.
; Several patterns are broad substrings (e.g. /cgi/i, /root/i, /install/i, /console/i, /mysql/i,
; /pma/i, /e7/i, /fork/i) and will also match legitimate URLs on many sites; review them against
; your own URL space and narrow them (anchor to a path segment, e.g. /\/root\//i) where possible,
; because a false match here locks a real user out via .htaccess.
apacheaccesspaterns[] = "/cgi/i"; Probes for PHP running as CGI - note this also matches every legitimate /cgi-bin/ URL
apacheaccesspaterns[] = "/hnap1/i"; D-Link routers sometimes answer this request with a SOAP document (http://forums.dlink.com/index.php?topic=12061.0)
apacheaccesspaterns[] = "/soapcaller\.bs/i"; Morpheus scanner
apacheaccesspaterns[] = "/phppath/i"
apacheaccesspaterns[] = "/(my|web|php|db|database|ldap|phppg)admin/i"; No phpMyAdmin installed here, so all requests for it are considered malicious
apacheaccesspaterns[] = "/php\-my\-admin/i"
apacheaccesspaterns[] = "/phpmy\-admin/i"
apacheaccesspaterns[] = "/joomla\/administrator/i"
apacheaccesspaterns[] = "/phpinfo/i"
apacheaccesspaterns[] = "/sqlweb/i"
apacheaccesspaterns[] = "/websql/i"
apacheaccesspaterns[] = "/mysqldumper/i"
apacheaccesspaterns[] = "/sqlitemanager/i"
apacheaccesspaterns[] = "/webdb/i"
apacheaccesspaterns[] = "/allow_url_include/i"; php-cgi argument-injection probe (URL-encoded variants are listed separately below)
apacheaccesspaterns[] = "/suhosin/i"
apacheaccesspaterns[] = "/packets\.txt/i"
apacheaccesspaterns[] = "/ncsi\.txt/i"
apacheaccesspaterns[] = "/live_view/i"
apacheaccesspaterns[] = "/passwd/i"; typically path-traversal probes aimed at /etc/passwd
apacheaccesspaterns[] = "/bob\-n/i"
apacheaccesspaterns[] = "/\.exe/i"
apacheaccesspaterns[] = "/bigmir\.net/i"
apacheaccesspaterns[] = "/w00tw00t\.at\.isc\.sans\.dfind/i"
apacheaccesspaterns[] = "/w00tw00t\.at\.blackhats/i"
apacheaccesspaterns[] = "/xampp/i"
apacheaccesspaterns[] = "/typo3/i"
apacheaccesspaterns[] = "/pma/i"; phpMyAdmin alias - broad, also matches any path containing the letters pma
apacheaccesspaterns[] = "/setup\.php/i"
apacheaccesspaterns[] = "/cpanelsql/i"
apacheaccesspaterns[] = "/invoker/i"
apacheaccesspaterns[] = "/save_zoho\.php/i"
apacheaccesspaterns[] = "/zabbix/i"
apacheaccesspaterns[] = "/fork/i"; broad - matches any URL containing the word fork; confirm what this was meant to catch
apacheaccesspaterns[] = "/savewordtemplate/i"
apacheaccesspaterns[] = "/mysql/i"; broad - matches any URL mentioning mysql
apacheaccesspaterns[] = "/console/i"; broad - also matches legitimate web consoles
apacheaccesspaterns[] = "/nosuichfile/i"
apacheaccesspaterns[] = "/fdopen/i"; also covers the /fdopen\(/i entry further down
apacheaccesspaterns[] = "/deletedataset/i"
apacheaccesspaterns[] = "/axa\.php/i"
apacheaccesspaterns[] = "/%63%67%69%2d%62%69%6e\/%70%68%70\?%2d%64/i"; cgi-bin\/php\?-d
apacheaccesspaterns[] = "/%2d%64\+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e/i"; -d allow_url_include=on
apacheaccesspaterns[] = "/allow_url_include/i"; duplicate of the identical entry above - presumably counted as a second match per request if every pattern is tested; confirm and keep only one
apacheaccesspaterns[] = "/webdav/i"
apacheaccesspaterns[] = "/wp\-login\.php/i"; Seen in requests probing whether WordPress runs on this server
apacheaccesspaterns[] = "/fdopen\(/i"; subsumed by /fdopen/i above
apacheaccesspaterns[] = "/muieblackcat/i"
apacheaccesspaterns[] = "/admin\.php/i"; broad - matches any admin.php, including your own
apacheaccesspaterns[] = "/enter\.cfm/i"
apacheaccesspaterns[] = "/w19218317418621031041543/i"
apacheaccesspaterns[] = "/webalizer/i"
apacheaccesspaterns[] = "/e7/i"; very broad - matches any request containing e7, including the percent-encoded UTF-8 lead byte %E7 and hex identifiers; confirm what this was meant to catch
apacheaccesspaterns[] = "/server\-status/i"
apacheaccesspaterns[] = "/root/i"; broad - matches any request containing the substring root (e.g. chroot)
apacheaccesspaterns[] = "/dexter/i"
apacheaccesspaterns[] = "/phpmanager/i"
apacheaccesspaterns[] = "/install/i"; broad - also blocks anyone reaching your own installer or install documentation
; SSHd log file (exactly one sshlog value is used; pick the one for your distribution)
; NOTE(review): on systemd hosts sshd messages may only reach the journal; confirm the chosen
; file actually receives them, otherwise no SSH offender is ever blacklisted.
; Gentoo/SuSE
sshlog = "/var/log/messages"
; RedHat/Fedora
;sshlog = "/var/log/secure"
; Mandrake/FreeBSD/OpenBSD
;sshlog = "/var/log/auth.log"
; hosts.deny file that should contain blacklisted IPs
; NOTE(review): hosts.deny is only honoured by services linked against TCP wrappers (libwrap).
; OpenSSH dropped libwrap support in 6.7, so unless your distribution re-added it these entries
; do nothing for sshd - verify with a test entry, or enforce the list at the firewall instead.
hostsdenyfile = "/etc/hosts.deny"
; SSHd log line formats for failed logins. Placeholders as used below (presumably: %d date,
; %h hostname, %p PID, %u username, %i IP address, %o remote port, %s free text - confirm
; against the hostblock parser).
; NOTE(review): %u is attacker-chosen text. If %u is expanded to an unanchored or greedy match,
; a username such as 'x from 203.0.113.9' could make the wrong address get blacklisted; confirm
; that %i is extracted anchored to the end of the line.
; Jan 19 21:55:09 hostname sshd[28248]: Invalid user test from 10.10.10.10
sshformats[] = "%d %h sshd\[%p\]: Invalid user %u from %i"
; Feb 6 07:15:31 hostname sshd[7909]: error: PAM: Authentication failure for root from 10.10.10.10
sshformats[] = "%d %h sshd\[%p\]: error: PAM: Authentication failure for %u from %i"
; Feb 12 18:30:46 hostname sshd[19313]: ROOT LOGIN REFUSED FROM 10.10.10.10
sshformats[] = "%d %h sshd\[%p\]: ROOT LOGIN REFUSED FROM %i"
; Feb 12 20:15:12 hostname sshd[19532]: SSH: Server;Ltype: Authname;Remote: 10.10.10.10-2648;Name: root [preauth]
sshformats[] = "%d %h sshd\[%p\]: SSH: Server;Ltype: Authname;Remote: %i-%o;Name: root [preauth]"
; Mar 10 00:04:55 hostname sshd[10342]: Did not receive identification string from 10.10.10.10
; NOTE(review): sshd logs this line for any TCP connect that closes without sending a banner -
; port scanners, but also monitoring probes and load-balancer health checks; whitelist your
; monitoring hosts or they may end up blacklisted once enough of these lines accumulate.
sshformats[] = "%d %h sshd\[%p\]: Did not receive identification string from %i"
; Mar 10 09:24:23 hostname sshd[11361]: User root from 10.10.10.10 not allowed because not listed in AllowUsers
sshformats[] = "%d %h sshd\[%p\]: User %u from %i not allowed because not listed in AllowUsers"
; SSHd log line formats for counting refused connects (presumably the TCP wrappers refusal
; message, i.e. addresses already listed in hosts.deny that keep retrying)
sshrefusedformats[] = "%d %h sshd\[%p\]: refused connect from %i %s"
sshrefusedformats[] = "%d %h sshd\[%p\]: refused connect from %s \(%i\)"
|