Wiki source for AutoBlockRules
%%
# /etc/autoblock/autoblock.rules
#
# Rule_Name {
# info = Comment about this rule
# time = Given in sec/min/hours/days
# match = String match, use | to separate multiple matches
# source = Default is "SRC="
# hits = Number of hits to exceed before IP is blocked
# hittime = Time limit for hits to accumulate
# }
# SSH_Attack: block a source that exceeds 4 matching log lines within
# 1 minute; the block stays in place for 7 days.
# NOTE(review): the header says "|" separates multiple matches but not whether
# they are alternatives or must all be present. If they are alternatives, the
# bare "sshd" term would also count successful logins and other sshd messages
# as hits, which could lock out legitimate users -- confirm before deploying.
# NOTE(review): "source = from" presumably takes the address that follows
# "from" in the log line. "Failed password" lines also contain the
# client-supplied user name, so verify that the address is taken from the
# position sshd writes it and cannot be influenced by the user name text.
SSH_Attack {
info = Brute force attack on SSH
time = 7days
match = sshd|: Failed password for
hits = 4
hittime = 1mins
source = from
}
# NAMED_lame: block a source that exceeds 4 "lame server resolving" log lines
# within 2 minutes; the block stays in place for 3 days.
# "source" overrides the default "SRC=" marker; here the address is expected
# after the "?):" text of the log line.
# NOTE(review): "domain" is not described in the header comment. It appears to
# give the text before and after the domain name, separated by "|" -- confirm.
# NOTE(review): in named's usual log format the address on this line belongs
# to the remote name server that was queried, not to a client. Blocking it
# stops this resolver from reaching that server for the whole block time, so
# a misconfigured but legitimate zone can cause resolution failures; check
# that hits/time are acceptable for that case.
NAMED_lame {
info = DNS Server abuse
time = 3days
match = : lame server resolving
hits = 4
hittime = 2mins
source = ?):
domain = lame server resolving '|'
}
# NAMED_servfail: block a source that exceeds 3 "unexpected RCODE (SERVFAIL)"
# log lines within 1 minute; the block stays in place for 2 days.
# "source" overrides the default "SRC=" marker; the address is expected after
# the "':" text of the log line.
# NOTE(review): "domain" is not described in the header comment; it appears to
# delimit the domain name between "resolving '" and "/" -- confirm.
# NOTE(review): the logged address is presumably the remote name server that
# returned SERVFAIL. SERVFAIL is also returned by healthy servers during
# transient faults, so a 2-day block on 3 hits may cut off legitimate zones.
NAMED_servfail {
info = DNS Server abuse
time = 2days
match = : unexpected RCODE (SERVFAIL)
hits = 3
hittime = 1mins
source = ':
domain = resolving '|/
}
# NAMED_refused: block a source that exceeds 3 "unexpected RCODE (REFUSED)"
# log lines within 1 minute; the block stays in place for 2 days.
# "source" overrides the default "SRC=" marker; the address is expected after
# the "':" text of the log line.
# NOTE(review): "domain" is not described in the header comment; it appears to
# delimit the domain name between "resolving '" and "/" -- confirm.
# NOTE(review): the logged address is presumably the remote name server that
# refused the query, so this rule blocks outbound resolution targets rather
# than abusive clients; verify that this is the intended effect.
NAMED_refused {
info = DNS Server abuse
time = 2days
match = : unexpected RCODE (REFUSED)
hits = 3
hittime = 1mins
source = ':
domain = resolving '|/
}
# NAMED_formerr: block a source that exceeds 3 "FORMERR resolving" log lines
# within 1 minute; the block stays in place for 2 days.
# "source" overrides the default "SRC=" marker; the address is expected after
# the "':" text of the log line.
# NOTE(review): "domain" is not described in the header comment; it appears to
# delimit the domain name between "resolving '" and "/" -- confirm.
# NOTE(review): the logged address is presumably the remote name server whose
# reply was rejected as malformed. Servers that mishandle newer DNS features
# can trigger this without any abuse, so review the threshold before relying
# on a 2-day block.
NAMED_formerr {
info = DNS Server abuse
time = 2days
match = : FORMERR resolving
hits = 3
hittime = 1mins
source = ':
domain = resolving '|/
}
%%
----
CategoryDNSBlockList
# /etc/autoblock/autoblock.rules
#
# Rule_Name {
# info = Comment about this rule
# time = Given in sec/min/hours/days
# match = String match, use | to separate multiple matches
# source = Default is "SRC="
# hits = Number of hits to exceed before IP is blocked
# hittime = Time limit for hits to accumulate
# }
# SSH_Attack: more than 4 matching log lines inside 1 minute blocks the
# source for 7 days.
# NOTE(review): whether the "|"-separated match terms are alternatives or must
# all occur is not stated in the header. As alternatives, "sshd" alone would
# match every sshd log line, including accepted logins -- confirm.
# NOTE(review): "source = from" presumably marks where the address starts.
# The user name in a "Failed password" line is chosen by the client, so check
# that it cannot change which address the rule extracts.
SSH_Attack {
info = Brute force attack on SSH
time = 7days
match = sshd|: Failed password for
hits = 4
hittime = 1mins
source = from
}
# NAMED_lame: more than 4 "lame server resolving" log lines inside 2 minutes
# blocks the source for 3 days.
# "source" replaces the default "SRC=" marker with "?):".
# NOTE(review): the "domain" key is absent from the header comment; it looks
# like a pair of delimiters around the domain name, split by "|" -- confirm.
# NOTE(review): named normally logs the remote name server's address on this
# line, not a client's. A block therefore cuts this resolver off from that
# server; make sure a broken but legitimate delegation cannot cause an outage.
NAMED_lame {
info = DNS Server abuse
time = 3days
match = : lame server resolving
hits = 4
hittime = 2mins
source = ?):
domain = lame server resolving '|'
}
# NAMED_servfail: more than 3 "unexpected RCODE (SERVFAIL)" log lines inside
# 1 minute blocks the source for 2 days.
# "source" replaces the default "SRC=" marker with "':".
# NOTE(review): the "domain" key is absent from the header comment; it looks
# like the delimiters "resolving '" and "/" around the domain name -- confirm.
# NOTE(review): the address is presumably that of the answering name server.
# Transient SERVFAIL replies from healthy servers would also count as hits.
NAMED_servfail {
info = DNS Server abuse
time = 2days
match = : unexpected RCODE (SERVFAIL)
hits = 3
hittime = 1mins
source = ':
domain = resolving '|/
}
# NAMED_refused: more than 3 "unexpected RCODE (REFUSED)" log lines inside
# 1 minute blocks the source for 2 days.
# "source" replaces the default "SRC=" marker with "':".
# NOTE(review): the "domain" key is absent from the header comment; it looks
# like the delimiters "resolving '" and "/" around the domain name -- confirm.
# NOTE(review): the address is presumably that of the name server that refused
# the query, so the block affects outbound resolution, not inbound clients.
NAMED_refused {
info = DNS Server abuse
time = 2days
match = : unexpected RCODE (REFUSED)
hits = 3
hittime = 1mins
source = ':
domain = resolving '|/
}
# NAMED_formerr: more than 3 "FORMERR resolving" log lines inside 1 minute
# blocks the source for 2 days.
# "source" replaces the default "SRC=" marker with "':".
# NOTE(review): the "domain" key is absent from the header comment; it looks
# like the delimiters "resolving '" and "/" around the domain name -- confirm.
# NOTE(review): the address is presumably that of the name server whose reply
# was malformed; non-abusive servers can trigger this, so review the threshold.
NAMED_formerr {
info = DNS Server abuse
time = 2days
match = : FORMERR resolving
hits = 3
hittime = 1mins
source = ':
domain = resolving '|/
}
%%
----
CategoryDNSBlockList