mcblocklog(8) FreeBSD System Manager's Manual mcblocklog(8)

NAME

mcblocklog - Client of mcblockd

SYNOPSIS

mcblocklog -h mcblockd_host -r regex_file -t tableName

DESCRIPTION

mcblocklog reads log messages from stdin, matches them against regular expressions from a given file and submits 'loghit' messages to mcblockd(8) for the log messages that were matched. It is typically used to parse syslog messages from ssh, mail and web server daemons in the interest of automatically blocking IPv4 prefixes that are exhibiting nefarious behavior such as attempted logins.
The following command line options are required:
-h mcblockd_host
Specifies the mcblockd(8) host.
-r regex_file
Specifies the file containing regular expressions to be matched against the log messages.
-t tableName
Specifies the table to be affected in mcblockd(8).
Note that the data exchanged with mcblockd(8) is encrypted with AES-128; authentication uses RSA with 2048-bit keys, and ECDH is used for the initial key exchange.

REGULAR EXPRESSION FILE FORMAT

The regular expression file uses C++ modified ECMAScript regular expressions, which are documented at http://en.cppreference.com/w/cpp/regex/ecmascript.
 
The file must contain one regular expression per line, and each line must capture an IPv4 address as the first (and usually only) capture. This is probably best seen by example...
 
The following is a fairly typical regular expression file for matching entries from illegitimate ssh login attempts in an auth log. ssh logging is not very consistent (an understatement), so we need many lines to cover the most typical cases of nefarious activity.
maximum authentication attempts exceeded .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
authentication error for illegal .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
Invalid user .+from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
keyboard-interactive.+ invalid user.+ from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
Disconnected from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).+ \[preauth\]
Received disconnect from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).+ \[preauth\]
Connection closed by ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).+ \[preauth\]
Unable to negotiate with ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).+ \[preauth\]
Did not receive ident.+ string from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*
Bad protocol version ident.+ from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*
Note the capture on each line: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
The mcblock package includes a few sample regular expression files.
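As an added illustration (not mcblocklog's own code), the following Python script does what the file format above describes: it compiles one pattern per line, runs constructed auth log lines through them, and keeps the first capture only when it parses as a valid IPv4 address, which is the check a 'loghit' consumer would want before adding a prefix to a block table. Python's re module stands in for the C++ ECMAScript engine (it accepts these particular patterns identically); the hostnames, addresses and the "first matching pattern wins" rule are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample regex file: one expression per line, first capture = IPv4 address.
SAMPLE_RGX = r"""
Invalid user .+from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
Connection closed by ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).+ \[preauth\]
maximum authentication attempts exceeded .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
""".strip("\n")

# Constructed sample auth log lines (hypothetical host "gw" and documentation addresses).
SAMPLE_LOG = [
    "Mar  1 10:00:01 gw sshd[1234]: Invalid user admin from 203.0.113.7 port 51234",
    "Mar  1 10:00:02 gw sshd[1234]: Connection closed by 203.0.113.7 port 51234 [preauth]",
    "Mar  1 10:00:03 gw sshd[1240]: Accepted publickey for dwm from 192.0.2.10 port 4000",
    "Mar  1 10:00:04 gw sshd[1250]: Invalid user root from 999.1.1.1 port 1",
]


def load_regexes(text):
    """Compile one pattern per non-empty line; reject lines without a capture group."""
    patterns = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()  # trailing whitespace would otherwise become part of the pattern
        if not line:
            continue
        pat = re.compile(line)
        if pat.groups < 1:
            raise ValueError(f"line {lineno}: pattern captures no IPv4 address")
        patterns.append(pat)
    return patterns


def loghits(log_lines, patterns):
    """Return the addresses that would be submitted as 'loghit' messages.

    Only the first capture is used, and it must be a well-formed IPv4 address:
    [0-9]+ happily matches octets such as 999, so the capture is re-validated.
    """
    hits = []
    for msg in log_lines:
        for pat in patterns:
            m = pat.search(msg)
            if not m:
                continue
            try:
                hits.append(str(ipaddress.IPv4Address(m.group(1))))
            except ipaddress.AddressValueError:
                pass  # e.g. 999.1.1.1: matched the regex but is not an IPv4 address
            break  # assumption for this example: first matching pattern wins per message
    return hits


if __name__ == "__main__":
    for ip in loghits(SAMPLE_LOG, load_regexes(SAMPLE_RGX)):
        print("loghit", ip)
```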

SYSLOG EXAMPLE

The following is an example syslog.conf setup on FreeBSD for using mcblocklog(8) to monitor authentication. The first line stores auth syslog messages in a file as usual. The second line also pipes them to mcblocklog(8), which checks them against the regular expressions in /etc/authlog.rgx and sends 'loghit' messages to mcblockd(8) on the host mygw for auth log entries that match one of the regular expressions.
auth.info;authpriv.info   /var/log/auth.log 
auth.info;authpriv.info   |/usr/local/sbin/mcblocklog -h mygw -t ssh_losers -r /etc/authlog.rgx

FILES

/usr/local/etc/authlog.rgx.sample
A sample regular expression file for auth log messages.
/usr/local/etc/maillog.rgx.sample
A sample regular expression file for mail log messages.
/usr/local/etc/httpd.rgx.sample
A sample regular expression file for Apache httpd log messages.
${HOME}/.dwmauth/id_rsa
The user's dwmauth private key file, created with dwmauth(1). This file should be owned by the user and have permissions 0600. It must contain the private part of a 2048-bit RSA key pair.
${HOME}/.dwmauth/id_rsa.pub
The user's dwmauth public key file, created with dwmauth(1). This file should be owned by the user and have permissions 0600. It must contain the public part of a 2048-bit RSA key pair.
${HOME}/.dwmauth/known_services
The user's dwmauth known services file. This file must contain the public key of mcblockd(8) from the mcblockd(8) host.

SEE ALSO

mcblockd(8), dwmauth(1)

COPYRIGHT

Copyright (c) 2017 Daniel W. McRobb dwm@mcplex.net
April 10, 2017 mcplex.net