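# ============================================
# LogMon Configuration File
# ============================================
#
# Read by the LogMon daemon. Conventions used in this file:
#   - '#' full-line comments only; never put a comment after a value.
#   - Booleans are written true/false; durations are plain integers (seconds).
#   - Lists (e.g. `patterns`) are comma-separated with no spaces.
#   - `patterns = a,b` refers to sections named [pattern_a], [pattern_b];
#     rename a pattern section and its references together.
#   - Regex values use a Perl/Python-style dialect (the existing patterns
#     rely on `\d` inside a character class, which POSIX ERE does not
#     support); write new patterns in that dialect.
#
# Deployment / security notes:
#   - Every ban is triggered by a regex over a log line. Keep patterns tied
#     to the daemon's own wording so that client-supplied text (SMTP user
#     names, HELO names, request URLs, SSH user names) cannot satisfy a
#     pattern by itself, and make sure the daemon extracts the offending IP
#     from the server-written field rather than from text a client controls.
#   - The IP whitelist is NOT implemented yet (see [whitelist] at the end),
#     so a noisy but legitimate host (monitoring, a mail relay, your own
#     admin workstation) is banned like any other. Review thresholds before
#     enabling a module on a production host.
#   - This file, the PID file, the LogMon log and the persisted state must
#     be writable by root only: the backend commands need root to change
#     the firewall, and a tampered state file can add or drop bans.
#

[general]

# Debug mode - prints verbose diagnostics. Keep it off in production; debug
# output presumably echoes matched log lines, which carry user names and IPs.
debug = false

# Path to LogMon's own log file
log_file = /var/log/logmon.log

# Daemon PID file (/var/run is normally a symlink to /run on current systems)
pid_file = /var/run/logmon.pid

# Firewall backend used to apply bans: csf, nftables, iptables, ufw
# Presumably only the matching [backend_<name>] section below is consulted.
backend = csf


# ============================================
# Firewall backend configuration
# ============================================

[backend_csf]

# Path to the csf executable
csf_path = /usr/sbin/csf

[backend_nftables]

# Table and chain that receive the block rules.
# NOTE(review): `inet` is an nftables address *family*, not a table name
# (tables are created as `nft add table inet <name>`). Confirm with the
# nftables backend whether this key is meant to hold the family or the
# table; the value is kept unchanged here.
table_name = inet

chain_name = logmon_block

[backend_iptables]

# Chain that receives the block rules
chain_name = LOGMON_BLOCK

[backend_ufw]

# UFW needs no additional parameters


# ============================================
# Postfix module - SMTP server
# ============================================

[module_postfix]

# Enable/disable the module
enabled = true

# Path to the Postfix log (Debian/Ubuntu default; RHEL-family systems log
# to /var/log/maillog instead)
log_file = /var/log/mail.log

# Alternative for systemd journald:
# use_journald = true
# journald_unit = postfix.service

# Maximum number of failures before a ban.
# Whether this counts pattern matches or the summed pattern `score` is not
# defined in this file - check the daemon before tuning it.
max_failures = 5

# Time window in seconds (60s = 1 minute)
time_window = 60

# Ban duration in seconds (86400s = 24 hours)
ban_duration = 86400

# Comma-separated list of pattern sections (without the `pattern_` prefix)
patterns = postfix_auth_failed,postfix_sasl_failed


# ============================================
# Dovecot module - IMAP/POP3 server
# ============================================

[module_dovecot]

# Enable/disable the module
enabled = true

# Path to the Dovecot log
log_file = /var/log/dovecot-info.log

# Maximum number of failures before a ban (same caveat as for Postfix:
# matches vs. summed score is decided by the daemon, not here)
max_failures = 5

# Time window in seconds (120s = 2 minutes)
time_window = 120

# Ban duration in seconds (86400s = 24 hours)
ban_duration = 86400

# Ignore SSL/TLS errors (these are usually scanners, not brute force)
ignore_ssl_errors = true

# Ignore connections from localhost (127.0.0.1).
# Whether IPv6 ::1 is also covered is not stated here - verify if Dovecot
# listens on ::1, otherwise local services may end up banning themselves.
ignore_localhost = true

# Comma-separated list of pattern sections (without the `pattern_` prefix)
patterns = dovecot_auth_failed,dovecot_auth_failed_multi


# ============================================
# Postfix patterns
# ============================================

[pattern_postfix_auth_failed]

# Matches: "authentication failed"
# NOTE: this is a superset of pattern_postfix_sasl_failed below, so a SASL
# failure line matches both patterns; whether their scores stack is up to
# the daemon.
regex = authentication failed

score = 1

[pattern_postfix_sasl_failed]

# Matches: "SASL LOGIN authentication failed" and the other SASL mechanisms
regex = SASL [A-Z\-\d]+ authentication failed

score = 2


# ============================================
# Dovecot patterns
# ============================================

[pattern_dovecot_auth_failed]

# Matches: "auth failed, 1 attempts"
regex = auth failed, 1 attempts

score = 2

[pattern_dovecot_auth_failed_multi]

# Matches: "auth failed, N attempts" for any N >= 2.
# The previous value `[2-9]+` only matched counts whose digits are all 2-9,
# so 10, 15, 100... (the heavy brute-force case) were silently missed; the
# alternation below covers 2-9 and every count of two or more digits.
regex = auth failed, (?:[2-9]|[1-9][0-9]+) attempts

score = 5


# ============================================
# Additional modules (prepared for future extension, disabled)
# ============================================

# [module_ssh]
# enabled = false
# log_file = /var/log/auth.log
# max_failures = 5
# time_window = 300
# ban_duration = 3600
# patterns = ssh_failed_password,ssh_invalid_user

# [pattern_ssh_failed_password]
# # The `.+` spans the user name, which the client chooses; the daemon must
# # take the IP from the text after `from`, not from inside the user name.
# regex = Failed password for .+ from
# score = 2

# [pattern_ssh_invalid_user]
# # Same caveat: the user name in "Invalid user <name> from" is attacker-
# # supplied text.
# regex = Invalid user .+ from
# score = 3


# [module_nginx]
# enabled = false
# log_file = /var/log/nginx/error.log
# max_failures = 10
# time_window = 60
# ban_duration = 3600
# patterns = nginx_404_flood,nginx_403_scan

# [pattern_nginx_404_flood]
# # Despite the name, this matches every error-log line mentioning a GET
# # request (there is no 404 in the regex); tighten before enabling.
# regex = \[error\].*GET .* HTTP/
# score = 1

# [pattern_nginx_403_scan]
# # "403" is matched anywhere on the line, including inside URLs; anchor it
# # to the status field before enabling.
# regex = 403.*GET
# score = 2


# ============================================
# IP whitelist (prepared for implementation - NOT honoured yet)
# ============================================

# [whitelist]
# # IPs/CIDRs that must never be banned (comma-separated)
# ips = 127.0.0.1,192.168.1.0/24,10.0.0.0/8
#
# # Or from a file:
# # file = /etc/logmon/whitelist.txt


# ============================================
# Advanced options
# ============================================

# [advanced]
# # Maximum number of IPs tracked at the same time (bounds memory use under
# # a distributed attack)
# max_tracked_ips = 10000
#
# # How often to check for expired bans (seconds)
# check_expired_interval = 10
#
# # Persistence - save ban state to a file.
# # Keep /var/lib/logmon root-owned and not world-writable: the state file
# # decides which IPs are banned.
# persist_state = true
# persist_file = /var/lib/logmon/state.json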