Maltfilter is Open Source software distributed under modified ("3-clause") BSD license.
(1) Grain, usually barley, that has been allowed to sprout, used chiefly in brewing and distilling.
(2) An alcoholic beverage, such as beer or ale, brewed from malt.
Maltfilter is a daemon script written in Perl, which continuously scans various system logfiles including auth.log, Apache style common logformat and error logs, etc. for signs of malicious connections, break-in (login bruteforcing, etc.) and exploitation attempts. The originating IP addresses of these connections can be then acted upon in several different and optional ways.
Typical uses for Maltfilter include blocking of further connection attempts or even transparently redirecting (via a REDIRECT Netfilter target) those connections to somewhere else, such as specially crafted clone honeypots. Reporting features can be used for easy monitoring of current activities. Automatic evidence gathering may be useful for when further analysis of attempted XSS exploits is desired.
- Insertion (and eventual deletion or "weeding") of Netfilter rules.
- Submitting entries to DroneBL DNSBL service.
- Gathering of "evidence" about certain PHP XSS (cross site scripting) exploitation attempts into specified directory. These evidence files include the attempted exploit code (if found) and hosts which have tried to make your server run it.
- Additionally Maltfilter can generate status reports in plaintext and HTML formats. Reporting can occur either continuously in daemon mode or in run-once report-only mode. Example of such HTML report page can be found here.
- Easy to understand logfile, for following what Maltfilter has been up to.
More information about Maltfilter's possibilities can be found in the example configuration file.
- Support for hosts.deny, as an alternative to Netfilter-based blocking.
- Mail server log support (at least Postfix initially), for matching open relay scans and perhaps some spam delivery attempts.
Current release is v0.20.5. For the moment, Maltfilter is considered to be BETA quality. While I personally use it in three server environments, I cannot make any real guarantees of its applicability.
To verify the GnuPG/PGP signatures:
- gpg --keyserver wwwkeys.pgp.net --recv-keys 0x307BAAE3
- gpg --verify maltfilter-0.20.5.tar.gz.asc
Maltfilter Mercurial repository
Latest development version can always be found in the public read-only Mercurial (hg) repository.
- Browse: http://tnsp.org/hg/maltfilter/
- Get/clone via Mercurial: hg clone http://tnsp.org/hg/maltfilter/
Links and similar tools
List of some security related tools that have related or similar functionality to Maltfilter.
- Denyhosts - A proactive and reactive (via collaborative reporting) script for blocking SSH bruteforcing attempts. [Python, GPL]
- Fail2ban [Python, GPLv2]
- Blockhosts [Python, Public Domain]
Because Maltfilter is currently at early stage of maturity and development, the only support is personal contact through e-mail or IRC. At a later point a mailing list might be set up if amount of users and feedback reaches such level.
Methods of contacting the author, Matti 'ccr' Hämäläinen:
- IRC: ccr @ irc.atheme.org
- E-mail: ccr at tnsp [dot] org
Have fun. -- ccr/TNSP