Protocol 2
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers deploy ops
rule SuspiciousDownloader {
strings:
$a = "powershell -enc" nocase
$b = "Invoke-WebRequest" nocase
$c = "http://" nocase
condition:
local all postgres peer
hostssl app_production app_user 10.0.0.0/16 scram-sha-256
hostssl app_production reporting_user 10.0.1.0/24 scram-sha-256
host all all 0.0.0.0/0 reject
bind 127.0.0.1 10.0.0.15
protected-mode yes
port 6379
rename-command FLUSHALL ""
rename-command CONFIG ""
aclfile /etc/redis/users.acl
alert tcp $HOME_NET any -> $HOME_NET 445 (
msg:"Possible SMB lateral movement enumeration";
flow:to_server,established;
content:"|FF|SMB"; depth:4;
threshold:type both, track by_src, count 15, seconds 60;
sid:1000001; rev:1;
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecRule ARGS|REQUEST_HEADERS|XML:/* "@detectSQLi" \
"id:1001,phase:2,deny,status:403,log,msg:'Potential SQLi detected'"
example.com. IN TXT "v=spf1 include:_spf.google.com -all"
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip, user | where count > 20
index=proxy "POST" url="*/oauth/token" | stats count by client_ip | where count > 100
index=endpoint process_name=powershell.exe command_line="*EncodedCommand*"
http.response.code >= 400
tcp.analysis.retransmission
tls.alert_message
dns.flags.response == 1 && dns.a
ip.addr == 10.10.20.15 && tcp.port == 443
table inet filter {
chain input {
type filter hook input priority 0;
policy drop;
ct state established,related accept