-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathstoplist.tinyvz
206 lines (184 loc) · 6.94 KB
/
stoplist.tinyvz
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
# Basic stuff.
-- MARK --
^[:blank:]*$
# Cron.
CRON.*: session closed for user root
CRON.*: session opened for user root
CRON.*: session closed for user logbot
CRON.*: session opened for user logbot
CRON.*: (root) CMD (.* run-parts --report /etc/cron.hourly
CRON.*: (root) CMD (.* run-parts --report /etc/cron.daily
CRON.*: (root) CMD (.* run-parts --report /etc/cron.weekly
CRON.*: (root) CMD (.* run-parts --report /etc/cron.monthly
CRON.*: (logbot) CMD (/home/logbot/bin/ai.sh)
# eventbot cron job
09:00:0[0-2] .* CRON\[.* session opened for user eventbot
09:00:0[0-2] .* CRON\[.* (eventbot) CMD (\$HOME/ironhorse
09:[01][0-9]:[0-9][0-9] .* postfix/pickup\[.* from=<eventbot>
09:[01][0-9]:[0-9][0-9] .* postfix/qmgr\[.* from=<eventbot@eventarelli.com>
09:[01][0-9]:[0-9][0-9] .* CRON\[.* session closed for user eventbot
# Not sure why this comes out lower case sometimes.
cron.*: (root) RELOAD (crontabs/root)
#
# Commented out 12/21/2014, see how noisy they are.
#
# Don't notify when crontab changes.
# If cron runs something unexpected,
# we'll get emailed the CMD entry.
crontab.*: (root) LIST (.*)
#crontab.*: (root) BEGIN EDIT (root)
#crontab.*: (root) REPLACE (root)
#crontab.*: (root) END EDIT (root)
#crontab.*: (root) RELOAD (root)
# Swallow ansible messages.
ansible-[^:]*:
# ssh and su
sshd.*: Received disconnect from 24.*
sshd.*: Accepted publickey for root from 24.*
su.*: pam_unix(su:session): session opened for user .* by root(uid=0)
su.*: pam_unix(su:session): session closed for user .*
su.*: Successful su for .* by root
su.*: + /dev/pts/0 root:.*
# Postfix
# Really strict for now, hardly sending any mail.
postfix/anvil.*: statistics:
postfix/smtp.*: .* to=<mkbucc@gmail.com>.* status=sent (250 Great success)
postfix/qmgr.*: .*: removed
postfix/qmgr.*: .*: from=<root@eventarelli.com>.*
postfix/pickup.*: .* from=<root>
postfix/cleanup.*: .*: message-id=.*
:00:0[0-5].* postfix/pickup.* from=<logbot>
:00:0[0-5].* postfix/qmgr.* from=<logbot@eventarelli.com>,
# /var/log/udev
# There are no rules defined under /etc/udev/rules.d
# so I'm not sure why this was logged.
monitor will print the received events for:
# sshd logs this when pty > 999, per RedHat bug (from 2004!):
# https://bugzilla.redhat.com/show_bug.cgi?id=125589
syslogin_perform_logout: logout() returned an error
# dpkg
# This one is a tough one.
# The log entries are so short,
# you need to use broad regular expressions
# and then risk swallowing errors you want.
# Maybe skip package notifications entirely
# by adding dpkg.log to stopfiles
# and be happy with daemon restart messages.
# Leave in for now.
status unpacked
update-alternatives: run with .*
status half-configured
status half-installed
startup packages configure
configure .* 436-1
trigproc
status triggers-pending
startup archives unpack
update-alternatives: link
# syslog-ng
syslog-ng.*: Configuration reload request received, reloading configuration;
# tmUnblock.cgi is a binary CGI executable in some Cisco/Linksys router
# that has multiple security holes that permit various attacks on the router.
GET /tmUnblock\.cgi HTTP/1\.1" 400
# Someone made an empty request to nginx.
# Both Chrome and Firefox open more than two
# simultaneous connections to a web site.
# If one of the connections is not needed to pull data,
# then you get 400 in access_log
# and "closed prematurely" in error_log.
#
# From http://it.randomthemes.com/2012/08/24/153/:
#
# modern browsers open 2+ simultanious connections,
# but some of them frequently not used for data
# transfer, so nginx close them by timeout with
# 400 code at access.log
#
"-" 400 0 "-" "-"
"-" 400 "-" "-"
" " 400 "-" "-" -
"\\x00" 400 "-" "-" -
"" 400 "-" "-" - -
client closed prematurely connection while reading client request line
client closed prematurely connection, so upstream connection is closed too .*\.php HTTP
# Wierd letter combinations like:
#GET /anan/ana/an\.php HTTP/1\.1" 404
# Someone testing if redirects are allowed.
GET http://[^"]\+ HTTP/1\.1" \(404\|200\)
# Exploit attempts.
GET /.*/setup\.php HTTP/1\.1" 40[04]
GET /.*\.php HTTP/1.1" 404
GET /.*install/ HTTP/1\.1" 400
GET // HTTP/1.1" 400
GET //Net_work.xml HTTP/1\.1" 40[04]
GET /CFIDE/administrator/ HTTP/1\.1" 404
GET /HNAP1/ HTTP/1\.1" 40[04]
GET /actionnews/index/ HTTP/1\.1" 40[04]
# 499 is a status that is custom to Nginx.
# It signals that the client closed the connection
# before Nginx (the proxy, in my case) can respond.
# Definitely want to catch those for real pages,
# as it means the site is too slow.
# But for exploit attemps, we will ignore.
# (In this specific case, the client closed the connection
# immediately, based on the log entries.)
GET /admin/\(.*\.php\)\? HTTP/1\.[01]" \(400\|404\|499\)
GET /blog HTTP/1\.1" 40[04]
GET /cgi-bin/php.* HTTP/1\.1" 40[04]
GET /cgi-bin/test-cgi HTTP/1\.1" 40[04]
GET /css/css HTTP/1.0" 40[04]
GET /drupal HTTP/1\.1" 40[04]
GET /joomla HTTP/1\.1" 40[04]
GET /manager/html HTTP/1\.[01]" 40[04]
GET /muieblackcat HTTP/1\.1" 40[04]
GET /phpmyadmin/.* HTTP/1\.[01]" 40[04]
GET /phppath/.* HTTP/1\.[01]" 404
GET /rom-0 HTTP/1\.[01]" 40[04]
GET /user/soapCaller\.bs HTTP/1\.1" 40[04]
GET /w00tw00t[^"]\+ HTTP/1.1" 404
GET /wordpress HTTP/1\.1" 40[04]
GET /wp HTTP/1\.1" 40[04]
GET //\?wp-login.* HTTP/1\.1" 40[04]
GET //\?wp-admin.* HTTP/1\.1" 40[04]
HEAD /rom-0 HTTP/1.1" 404
POST //%63%67.*" 400
POST /cgi-bin/php[^"]\+" 40[04]
POST /login\.action HTTP/1\.1" 404
recv() failed (104: Connection reset by peer) while sending to client,.*/cgi-bin/
# Not sure, probing? No user agent.
GET / HTTP/1.1" 400 "-" "-"
# The normal website pages.
GET / HTTP/1\.[01]" \(304\|200\)
GET /api/chkdt HTTP/1.1" 400
GET /colorbrewer\.v1\.min\.js HTTP/1\.1" \(304\|200\)
GET /d3\.v3\.min\.js HTTP/1\.1" \(304\|200\)
GET /favicon\.ico HTTP/1\.1" 40[04]
GET /feedback/ HTTP/1\.1" \(304\|200\)
GET /forms\.css HTTP/1\.[01]" \(304\|200\)
GET /ma-counties\.json HTTP/1\.1" \(304\|200\)
GET /map\.js HTTP/1\.1" \(304\|200\)
GET /media_outlets/ HTTP/1\.1" \(304\|200\)
GET /reset\.css HTTP/1\.[01]" \(304\|200\)
GET /rhythm\.css HTTP/1\.[01]" \(304\|200\)
GET /[rR]obots\.txt HTTP/1\.[01]" 40[04]
GET /[Ss]ite[Mm]ap\.xml HTTP/1\.[01]" 404
GET /style\.css HTTP/1\.[01]" \(304\|200\)
GET /submit/ HTTP/1.1" \(304\|200\)
GET /surf\.jpg HTTP/1\.[01]" \(304\|200\)
GET /topojson\.v1\.min\.js HTTP/1\.1" \(304\|200\)
# Netcraft and it's ilk.
HEAD / HTTP/1\.1" 200 .* Netcraft Web Server Survey
HEAD / HTTP/1\.0" 200 .* NetcraftSurveyAgent
HEAD / HTTP/1\.1" 200 .* DomainTunoCrawler
HEAD / HTTP/1\.1" 200 .* Gimme60bot
# Wierd. Not sure, probably some kind of scan.
HEAD / HTTP/1\.[01]" 200 "-" "-"
OPTIONS / HTTP/1\.1" 501 "-" "-" -
# error_log - normal behavior.
client [0-9.]\+ closed keepalive connection
05:45:0[0-9] .* reopening logs
# read http://serverfault.com/questions/322415/securing-nginx-proxy
client timed out (110: Connection timed out) while reading client request
client sent HTTP/1.1 request without "Host" header
client sent invalid header line: "
client sent invalid method while reading client request line