LMF is a flexible log monitoring framework that matches text from log files using Perl regular expressions with capturing parentheses (pattern). An optional external command (trigger) is executed when a user-specified number of matches (threshold) is found within a user-specified period (within). In addition to the trigger, a rule can have a message associated with it (message); when the rule is triggered, that message is logged to the LMF log file. Each rule can also have a duration (duration); once a rule has been triggered and its duration has expired, an optional external command (release) is run.
[SSH - Too many login failures]
file = /var/log/secure
pattern = Failed password for (\S+) from (\S+)
threshold = 4
within = 1m
duration = 10m
trigger = /usr/local/lmf/actions/fw drop %2
release = /usr/local/lmf/actions/fw allow %2
message = %name for %1 from %2 - %count in %time secs (%threshold/h %within/s)
The rule above dynamically blocks, for 10 minutes, the IP address of a client that fails to log in over SSH with a single username more than 4 times within one minute. The capturing parentheses are referenced positionally: %1 is the username and %2 is the source address, which is why both the trigger and the release command pass %2 to the firewall script; %name expands to the section name and %count, %time, %threshold and %within to the match count, the elapsed time, and the rule's threshold and window.
For example, let's imagine user harry tries to log in 5 times from IP address 192.168.3.220 in 45 seconds using an invalid password.
The following message would be logged to the LMF log file:
SSH - Too many login failures for harry from 192.168.3.220 - 5 in 45 secs (4/h 60/s)
After the message is logged, the command specified in trigger would be run, which in this case expands to:
/usr/local/lmf/actions/fw drop 192.168.3.220
After 10 minutes, the following release command would be run:
/usr/local/lmf/actions/fw allow 192.168.3.220
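To make the threshold/within/duration/release cycle concrete, here is an added Python model of the SSH rule replayed over a few constructed sshd lines. This is an illustration written for this page, not LMF's own code: the per-capture counter, the "more than threshold" comparison, the duration parser and the assumption that a rule does not re-fire while its block is active are all choices made here to reproduce the walkthrough above, and LMF's real engine may differ in those details. It also feeds in an "invalid user" line to show that the pattern as written cannot match sshd's invalid-user message.

```python
import re
from collections import defaultdict, deque

# Constructed copy of the SSH rule from the text (a dict here instead of the
# INI-style section LMF reads).
SSH_RULE = {
    "name": "SSH - Too many login failures",
    "pattern": r"Failed password for (\S+) from (\S+)",
    "threshold": 4,
    "within": "1m",
    "duration": "10m",
    "trigger": "/usr/local/lmf/actions/fw drop %2",
    "release": "/usr/local/lmf/actions/fw allow %2",
    "message": "%name for %1 from %2 - %count in %time secs (%threshold/h %within/s)",
}

UNITS = {"s": 1, "m": 60, "h": 3600}

def parse_duration(text):
    """'1m' -> 60, '10m' -> 600, '45' -> 45. Assumed syntax; LMF's parser may differ."""
    m = re.fullmatch(r"(\d+)([smh]?)", text.strip())
    if not m:
        raise ValueError("bad duration: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

class Rule:
    """Toy model of one LMF rule (not LMF's own code). Matches are counted per
    distinct tuple of captured values (username + IP for the SSH rule)."""

    def __init__(self, spec):
        self.spec = spec
        self.regex = re.compile(spec["pattern"])
        self.within = parse_duration(spec["within"])
        self.duration = parse_duration(spec["duration"])
        self.hits = defaultdict(deque)   # captures -> timestamps of recent matches
        self.blocked = {}                # captures -> time the block expires

    def expand(self, template, captures, count=0, elapsed=0):
        """Expand %name, %count, %time, %threshold, %within and %1..%n."""
        fixed = {"name": self.spec["name"], "count": str(count), "time": str(elapsed),
                 "threshold": str(self.spec["threshold"]), "within": str(self.within)}

        def repl(m):
            tok = m.group(1)
            return captures[int(tok) - 1] if tok.isdigit() else fixed[tok]

        return re.sub(r"%(name|count|time|threshold|within|\d+)", repl, template)

    def feed(self, now, line):
        """Feed one log line seen at `now` seconds; return (message, trigger) if the rule fires."""
        m = self.regex.search(line)
        if not m:
            return None
        captures = m.groups()
        if captures in self.blocked:
            return None                  # already triggered; wait for the release
        window = self.hits[captures]
        window.append(now)
        while now - window[0] > self.within:
            window.popleft()             # forget matches older than `within`
        # Fire on more than `threshold` matches in the window, which is how the
        # text reads ("more than 4 times", "5 in 45 secs").
        if len(window) <= self.spec["threshold"]:
            return None
        count, elapsed = len(window), now - window[0]
        self.blocked[captures] = now + self.duration
        del self.hits[captures]
        return (self.expand(self.spec["message"], captures, count, elapsed),
                self.expand(self.spec["trigger"], captures, count, elapsed))

    def tick(self, now):
        """Return the release commands for every block whose duration has expired."""
        expired = [k for k, expiry in self.blocked.items() if now >= expiry]
        for k in expired:
            del self.blocked[k]
        return [self.expand(self.spec["release"], k) for k in expired]

# Constructed sshd lines; the integer is seconds since the first line and
# stands in for the syslog timestamp.
SAMPLE_LOG = [
    (0, "Failed password for harry from 192.168.3.220 port 51022 ssh2"),
    (10, "Failed password for harry from 192.168.3.220 port 51023 ssh2"),
    (20, "Failed password for harry from 192.168.3.220 port 51024 ssh2"),
    (25, "Failed password for alice from 10.0.0.7 port 40001 ssh2"),
    (30, "Failed password for harry from 192.168.3.220 port 51025 ssh2"),
    # "(\S+) from" cannot span "invalid user bob", so sshd's invalid-user
    # lines never match this pattern and are silently ignored.
    (35, "Failed password for invalid user bob from 192.168.3.220 port 51030 ssh2"),
    (45, "Failed password for harry from 192.168.3.220 port 51026 ssh2"),
]

def run_ssh_example():
    """Replay SAMPLE_LOG; return (fired, released before 10 min, released at 10 min)."""
    rule = Rule(SSH_RULE)
    fired = []
    for ts, line in SAMPLE_LOG:
        result = rule.feed(ts, line)
        if result:
            fired.append(result)
    released_early = rule.tick(45 + 599)   # ten minutes not yet up: nothing released
    released = rule.tick(45 + 600)         # duration expired: release command runs
    return fired, released_early, released
```

Running run_ssh_example() reproduces the walkthrough: one fired tuple containing the expanded message and the "fw drop 192.168.3.220" trigger, nothing released one second before the duration is up, and the "fw allow 192.168.3.220" release exactly 10 minutes after the trigger. The invalid-user line is worth noticing in a real deployment: if failed logins against non-existent accounts should count too, the pattern needs a second form (or an optional "invalid user " prefix) rather than relying on (\S+) to absorb it.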