File: config/hostblock.ini

File: config/hostblock.ini
Role: Auxiliary data
Content type: text/plain
Description: Main configuration file
Class: PHP Block Host
Parse logs and block suspicious hosts
Author: By Rolands Kusins
Last change: Some pattern update in config
Multiple "refused connect" SSH log formats can now be configured; the patterns in the default configuration were also updated.
Date: 9 years ago
Size: 5,965 bytes
 

Contents

;
; HostBlock configuration
;
; HostBlock reads the Apache access logs and the sshd log named below, counts per source
; address the entries that match the patterns/formats below, and writes addresses that
; cross the threshold into the .htaccess and hosts.deny files listed here. Everything in
; this file is therefore enforcement policy: keep it, and the whitelist/blacklist files,
; writable only by the user the daemon runs as (it has to write /etc/hosts.deny, so
; normally root). Anyone who can edit these files decides who gets locked out — or who
; never does.
;
; NOTE(review): the syslog-style timestamps in the sshformats below carry no year or
; zone, so the blacklisttime arithmetic presumably relies on this timezone matching the
; zone the logs are written in — confirm in the parser.

; Timezone (list of supported: http://www.php.net/manual/en/timezones.php)
timezone = "UTC"

; Datetime format for data output (statistics, hostblock.log, etc) (see http://www.php.net/manual/en/function.date.php)
datetimeformat = "Y-m-d H:i:s"

; How often to check log files (seconds, default 60)
logparseinterval = 60

; How often to check if IP address is added to or removed from blacklist/whitelist and update files
blacklistupdateinterval = 60

; How many times request from a single IP address must match one of patterns to be included in blacklist.
; This threshold is the only thing standing between the unanchored patterns below and a
; blocked legitimate visitor (see the note above apacheaccesspaterns); lower it with care.
suspiciousentrymatchcount = 10

; Path to whitelist file (these IP addresses will never get in blacklist)
; Put your own management addresses, 127.0.0.1, and any reverse proxy / load balancer /
; monitoring host in here BEFORE enabling blocking: a false positive on one of them locks you out.
whitelist = "/var/lib/hostblock/whitelist"

; Path to blacklist file (these IP addresses will always get in blacklist)
blacklist = "/var/lib/hostblock/blacklist"

; For how long time to keep IP in blacklist, 0 will keep forever (seconds, default 0)
; Uses time since last activity: if current time minus time of last activity is over this setting then IP will no longer appear in blacklist
; 3600 - hour
; 86400 - day
; 432000 - 5 days
; 2592000 - 30 days
; 8640000 - 100 days (the value set below)
blacklisttime = 8640000

; Apache access log file location
apacheaccesslogs[] = "/var/log/apache/access_log"

; .htaccess files that should contain blacklisted IPs
; The daemon rewrites this file inside the document root. Make sure it is not writable by the
; web server user, and that Apache has AllowOverride enabled for that directory — otherwise the
; deny entries are silently ignored.
htaccessfiles[] = "/var/www/htdocs/.htaccess"

; Apache access log formats, same order as apacheaccesslogs!
; %h is the remote host as Apache saw the connection (keep HostnameLookups Off, or this field
; is a hostname rather than an address). Behind a reverse proxy or CDN it is the proxy's
; address, so blocking it would block every client; this format does not read
; X-Forwarded-For. Adapt the format/parser before relying on Apache blocking in that setup.
apacheaccesslogformats[] = "%h %l %u \[%t\] \"%r\" %s %b"

; Apache access log file suspicious entry search patterns (regex), search is performed in request ("GET / HTTP/1.1")
;
; Every entry is an unanchored, case-insensitive substring match against the
; attacker-controlled request line, so a pattern is only safe when the named resource really
; does not exist on this server (the author's premise, e.g. "Don't have PHPMyAdmin").
; Review the short or generic ones before deploying — /cgi/i, /pma/i, /mysql/i, /console/i,
; /fork/i, /root/i, /install/i, /e7/i, /admin\.php/i, /wp\-login\.php/i — on a site that
; hosts CGI, WordPress, phpMyAdmin or any URL containing those strings, ordinary traffic
; will reach suspiciousentrymatchcount.
; Some people try running PHP CGI with HTTP request (also matches any real /cgi-bin/ path you serve)
apacheaccesspaterns[] = "/cgi/i"
; Dlink routers sometimes return SOAP document with this request (http://forums.dlink.com/index.php?topic=12061.0)
apacheaccesspaterns[] = "/hnap1/i"
; Morpheus * Scanner
apacheaccesspaterns[] = "/soapcaller\.bs/i"
apacheaccesspaterns[] = "/phppath/i"
; Don't have PHPMyAdmin so all requests for it are considered malicious
apacheaccesspaterns[] = "/(my|web|php|db|database|ldap|phppg)admin/i"
apacheaccesspaterns[] = "/php\-my\-admin/i"
apacheaccesspaterns[] = "/phpmy\-admin/i"
apacheaccesspaterns[] = "/joomla\/administrator/i"
apacheaccesspaterns[] = "/phpinfo/i"
apacheaccesspaterns[] = "/sqlweb/i"
apacheaccesspaterns[] = "/websql/i"
apacheaccesspaterns[] = "/mysqldumper/i"
apacheaccesspaterns[] = "/sqlitemanager/i"
apacheaccesspaterns[] = "/webdb/i"
apacheaccesspaterns[] = "/allow_url_include/i"
apacheaccesspaterns[] = "/suhosin/i"
apacheaccesspaterns[] = "/packets\.txt/i"
apacheaccesspaterns[] = "/ncsi\.txt/i"
apacheaccesspaterns[] = "/live_view/i"
apacheaccesspaterns[] = "/passwd/i"
apacheaccesspaterns[] = "/bob\-n/i"
apacheaccesspaterns[] = "/\.exe/i"
apacheaccesspaterns[] = "/bigmir\.net/i"
apacheaccesspaterns[] = "/w00tw00t\.at\.isc\.sans\.dfind/i"
apacheaccesspaterns[] = "/w00tw00t\.at\.blackhats/i"
apacheaccesspaterns[] = "/xampp/i"
apacheaccesspaterns[] = "/typo3/i"
; three characters, unanchored: also matches words such as "pmap" or "rpmadmin" anywhere in the request
apacheaccesspaterns[] = "/pma/i"
apacheaccesspaterns[] = "/setup\.php/i"
apacheaccesspaterns[] = "/cpanelsql/i"
apacheaccesspaterns[] = "/invoker/i"
apacheaccesspaterns[] = "/save_zoho\.php/i"
apacheaccesspaterns[] = "/zabbix/i"
apacheaccesspaterns[] = "/fork/i"
apacheaccesspaterns[] = "/savewordtemplate/i"
apacheaccesspaterns[] = "/mysql/i"
apacheaccesspaterns[] = "/console/i"
apacheaccesspaterns[] = "/nosuichfile/i"
apacheaccesspaterns[] = "/fdopen/i"
apacheaccesspaterns[] = "/deletedataset/i"
apacheaccesspaterns[] = "/axa\.php/i"
; URL-encoded cgi-bin\/php\?-d — the php-cgi argument-injection probe (CVE-2012-1823)
apacheaccesspaterns[] = "/%63%67%69%2d%62%69%6e\/%70%68%70\?%2d%64/i"
; URL-encoded -d allow_url_include=on — same CVE-2012-1823 probe
apacheaccesspaterns[] = "/%2d%64\+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e/i"
; Duplicate of the /allow_url_include/i entry above. Harmless unless the parser counts each
; matching pattern separately — NOTE(review): verify, then drop one of the two.
apacheaccesspaterns[] = "/allow_url_include/i"
apacheaccesspaterns[] = "/webdav/i"
; Have seen such requests to check if wordpress is running on my server.
; Remove this if you do host WordPress: every real login would count against the client.
apacheaccesspaterns[] = "/wp\-login\.php/i"
; Already covered by the /fdopen/i entry above.
apacheaccesspaterns[] = "/fdopen\(/i"
apacheaccesspaterns[] = "/muieblackcat/i"
; matches any admin.php, including your own application's
apacheaccesspaterns[] = "/admin\.php/i"
apacheaccesspaterns[] = "/enter\.cfm/i"
apacheaccesspaterns[] = "/w19218317418621031041543/i"
apacheaccesspaterns[] = "/webalizer/i"
; Two characters, unanchored: matches any path, query value, hash or session id containing
; "e7". Probably the largest false-positive source in this list — consider removing.
apacheaccesspaterns[] = "/e7/i"
; mod_status endpoint; if a monitoring host polls it legitimately, whitelist that host
apacheaccesspaterns[] = "/server\-status/i"
; also matches e.g. /rootfolder/... and any query value containing "root"
apacheaccesspaterns[] = "/root/i"
apacheaccesspaterns[] = "/dexter/i"
apacheaccesspaterns[] = "/phpmanager/i"
; also matches installation docs or installer pages you host yourself
apacheaccesspaterns[] = "/install/i"

; SSHd log file
; Gentoo/SuSE
sshlog = "/var/log/messages"
; RedHat/Fedora
;sshlog = "/var/log/secure"
; Mandrake/FreeBSD/OpenBSD
;sshlog = "/var/log/auth.log"

; hosts.deny file that should contain blacklisted IPs
; hosts.deny only affects sshd when sshd is linked against libwrap (TCP wrappers). Upstream
; OpenSSH removed libwrap support in 6.7; some distributions carried a patch for a while.
; Check with:  ldd "$(command -v sshd)" | grep libwrap   — if nothing is printed, entries
; written here block nothing and a firewall-based action is needed instead.
hostsdenyfile = "/etc/hosts.deny"

; SSHd log file format for lines "Invalid user username from ipaddress"
; NOTE(review): %u is the attacker-chosen username and sshd logs it essentially as received
; (only non-printable characters are escaped). A login attempt with the username
; "x from 203.0.113.7" therefore produces "Invalid user x from 203.0.113.7 from <attacker>".
; If the parser turns %u into an unconstrained or non-greedy capture, %i can be made to match
; an arbitrary victim address and the attacker gets it blacklisted. Confirm that %i is a strict
; IPv4/IPv6 pattern anchored to the end of the line and that %u cannot swallow " from <ip>".
; Jan 19 21:55:09 hostname sshd[28248]: Invalid user test from 10.10.10.10
sshformats[] = "%d %h sshd\[%p\]: Invalid user %u from %i"
; Feb 6 07:15:31 hostname sshd[7909]: error: PAM: Authentication failure for root from 10.10.10.10
sshformats[] = "%d %h sshd\[%p\]: error: PAM: Authentication failure for %u from %i"
; Feb 12 18:30:46 hostname sshd[19313]: ROOT LOGIN REFUSED FROM 10.10.10.10
sshformats[] = "%d %h sshd\[%p\]: ROOT LOGIN REFUSED FROM %i"
; Feb 12 20:15:12 hostname sshd[19532]: SSH: Server;Ltype: Authname;Remote: 10.10.10.10-2648;Name: root [preauth]
; (%o presumably captures the client's source port — TODO confirm in the parser)
sshformats[] = "%d %h sshd\[%p\]: SSH: Server;Ltype: Authname;Remote: %i-%o;Name: root [preauth]"
; Mar 10 00:04:55 hostname sshd[10342]: Did not receive identification string from 10.10.10.10
; sshd logs this for any TCP connection that closes without sending an SSH banner — typically
; port scanners, but also load-balancer health checks and monitoring probes on port 22.
; Whitelist those hosts, or they are blocked once they cross suspiciousentrymatchcount.
sshformats[] = "%d %h sshd\[%p\]: Did not receive identification string from %i"
; Mar 10 09:24:23 hostname sshd[11361]: User root from 10.10.10.10 not allowed because not listed in AllowUsers
; Same %u username-injection caveat as the "Invalid user" format above.
sshformats[] = "%d %h sshd\[%p\]: User %u from %i not allowed because not listed in AllowUsers"

; SSHd log file format for refused connect count
; These are libwrap "refused connect" lines; they only appear when sshd uses TCP wrappers
; (see the hostsdenyfile note above).
sshrefusedformats[] = "%d %h sshd\[%p\]: refused connect from %i %s"
sshrefusedformats[] = "%d %h sshd\[%p\]: refused connect from %s \(%i\)"