annotate example.conf @ 102:1cbefe9c26c1
Swap defaults for filter and dronebl threshold values.

author: Matti Hamalainen <ccr@tnsp.org>
date: Tue, 01 Sep 2009 18:48:47 +0300
parents: d8d8cd36e201
children: d38b77d1e6c8
```conf
#############################################################################
### Maltfilter configuration file.
### PLEASE READ THROUGH THIS FILE VERY CAREFULLY!
#############################################################################

#############################################################################
### General settings
#############################################################################
## Verbosity level (0 = quiet, bigger values add noise. Valid range 0 - 4)
VERBOSITY = 3

## Dry-run: 1 = disables daemonization/forking to background, disables
## modification of netfilter via iptables (the iptables commands are printed
## to stdout instead), and disables DroneBL submissions.
## NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE!
DRY_RUN = 1

## Maltfilter logfile path and name (set empty "" if you don't want logging)
LOGFILE = "/var/log/maltfilter"

## IP addresses that should NOT be blocked under any circumstances. You should
## set this if you wish to have a surefire open channel from some host, even in
## the case someone tries to spoof IPs for denial of service.
##
## NOTICE! This setting supports only IPv4 addresses and address ranges, no
## IPv6 or DNS names. You can have any number of NOACTION_IPS settings.
#NOACTION_IPS = "192.121.86.15"
#NOACTION_IPS = "74.125.45.100"

## Ranges defined in CIDR notation can also be used:
#NOACTION_IPS = "213.129.224.0/19"

## For how many hours to keep general information about an IP. This determines
## how long a period the statistics dump shows data for. Hitcount thresholds
## also take the old data into account, meaning that if FILTER_MAX_AGE < GLOBAL_MAX_AGE,
## hit data older than FILTER_MAX_AGE will still be counted towards FILTER_THRESHOLD.
#GLOBAL_MAX_AGE = 336

## System passwd file location (default is /etc/passwd). This file
## is checked to figure out system account names. See also the SYSACCT_*
## settings below.
#PASSWD = "/etc/passwd"

## Set the range of system account UIDs here, default is 1-999.
## The root account is handled by the CHK_ROOT_SSH_PWD check.
#SYSACCT_MIN_UID = 1
#SYSACCT_MAX_UID = 999


#############################################################################
### Netfilter actions
#############################################################################
## 0 = Netfilter handling disabled
FILTER = 0

## Full path to iptables binary
IPTABLES = "/sbin/iptables"

## How many "hits" an IP needs until it is eligible to be filtered.
## (The "hits" can come from any check, e.g. sshd crack, httpd, etc.)
FILTER_THRESHOLD = 5

## Weeding threshold in hours. Entries older than this will be removed
## from the current netfilter settings. Also, entries older than this
## will not be added to netfilter to begin with.
FILTER_MAX_AGE = 168

## iptables target for added entries, default is DROP, but you
## can use whatever rule chain name you want here.
FILTER_TARGET = "DROP"

## Netfilter rule chain to add/remove rules to/from.
#FILTER_CHAIN = "INPUT"

## Netfilter table to add/remove rules to/from.
#FILTER_TABLE = "filter"


#############################################################################
### Logfiles
#############################################################################
## Define system log files to scan. Only auth.log and Apache error log /
## common log format files are supported for now. You can have as many
## SCANFILE settings as you wish.
SCANFILE = "/var/log/auth.log"
SCANFILE = "/var/log/httpd/error.log"
SCANFILE = "/var/log/httpd/access.log"

## SCANFILE_ONCE is like the SCANFILE setting, but these files are only
## parsed through once, and are NOT followed for changes in "tail -f"
## style as SCANFILEs are. This is useful if you want to include data
## from logrotated files. (Notice that gzip compressed files are not supported.)
SCANFILE_ONCE = "/var/log/auth.log.1"


#############################################################################
### Checks / tests
#############################################################################
## Enabled checks (1 = enabled, 0 = disabled). Please read the test
## descriptions from the "check_log_line" function in the maltfilter script.

# (1) SSHD scans
## (1.1) Generic login scan attempts.
## Bruteforce attempts of login/password combinations lead to lots of
## "Failed password for invalid user" errors. This check catches them.
CHK_SSHD = 1

## (1.2) Root account SSH login password bruteforcing attempts.
## This check catches failed password logins for the root account.
##
## NOTICE! Do not enable this setting if you allow SSH root logins via
## password authentication! Mistyping the password may get you blocked unless
## your host IP is defined in NOACTION_IPS. If you wish to enable this
## check, you should set "PermitRootLogin" to "without-password" or "no"
## in your sshd_config.
CHK_ROOT_SSH_PWD = 0

## (1.3) System account SSH login password bruteforcing attempts.
## Catches failed password logins for system accounts.
##
## NOTICE! If you enable this setting, make sure you have defined safe
## host IPs in NOACTION_IPS, and that your system DOES NOT have passwords
## for system accounts .. which would be stupid anyway.
CHK_SYSACCT_SSH_PWD = 0


# (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin)
# NOTICE! This matches the ERRORLOG, thus it only works if you DO NOT have
# any or some of these installed. Preferably none, or use uncommon
# paths and prefixes.
CHK_KNOWN_CGI = 1


# (3) Apache common logging format checks
## With the CHK_GOOD_HOSTS setting you can define hostnames and IPs
## which do not cause the section (3) checks to trigger. For example,
## if your website uses local URL pointers, you should define
## the hostname(s) and IPs here.
#CHK_GOOD_HOSTS = "example.org|google.com|74.125.45.100"

## (3.1) Simple match for generic PHP XSS vulnerability scans
##
## NOTICE! If your site genuinely uses (checked) PHP parameters with
## URIs, you should set CHK_GOOD_HOSTS to match your hostname(s)/IP(s)
## used in the URIs.
CHK_PHP_XSS = 1

## (3.2) Try to match proxy scanning attempts
## Certain attempts to find open HTTP proxies are caught by this check.
CHK_PROXY_SCAN = 1


#############################################################################
### Reports
#############################################################################
## Define files for periodically updated status reports (refreshed once
## every few minutes.) Leave empty ("") or commented if you do not want
## status reports.

## Plain ASCII text file report
#STATUS_FILE_PLAIN = "/var/www/maltstatus.txt"

## HTML file and optional CSS stylesheet URL for the HTML
## (if left empty/unset, CSS will not be linked from the HTML file.)
#STATUS_FILE_HTML = "/var/www/maltstatus.html"
#STATUS_FILE_CSS = "cool.css"

## URL for a web-based WHOIS service. This URL will be used for creating
## href links for the IP addresses. Default is whois.domaintools.com. Set
## empty if you don't want links.
#WHOIS_URL = "http://whois.domaintools.com/"


## If disabled (0), instead of full timestamps, first/last hit times
## will be printed as "W weeks, D days, H hours ago." etc.
#FULL_TIME = 1


#############################################################################
### Evidence gathering
#############################################################################
## By enabling EVIDENCE=1 and setting EVIDENCE_DIR to an existing directory
## writable by the effective UID Maltfilter runs as, that directory will be
## populated with *.info, *.data and *.hosts files. If successfully retrieved,
## *.data files will have the contents of the attempted XSS URI. *.hosts files
## list which hosts have attempted to exploit this specific URI. *.info
## files contain generic information and HTTP headers.

EVIDENCE = 0
EVIDENCE_DIR = "/var/run/malt-evidence"


#############################################################################
### DroneBL submissions
#############################################################################
## Maltfilter can automatically submit entries to the DroneBL DNSBL service.
## See <http://www.dronebl.org/> for more information.

## 0 = submission disabled, otherwise enabled
DRONEBL = 0

## Number of hits required before a host IP goes to the submission queue.
## This setting is independent of the general FILTER_THRESHOLD value and
## only affects DroneBL submissions.
DRONEBL_THRESHOLD = 3

## Maximum age of hits counted towards the DroneBL submission threshold.
## NOTICE! This value is in _minutes_!
DRONEBL_MAX_AGE = 60

## Your personal RPC key. This _MUST_ be set to a valid value if you
## have enabled submissions. To get a personal key, go to:
## http://www.dronebl.org/rpckey_signup
DRONEBL_RPC_KEY = ""

## RPC2 submission URI, usually you do not need to change this.
#DRONEBL_RPC_URI = "http://dronebl.org/RPC2"

## How many errors are tolerated in submission / HTTP connection
## before submissions are suspended?
#DRONEBL_MAX_ERRORS = 5

## Number of Maltfilter maintenance "rounds" to suspend submissions for.
## Currently maintenances happen approximately every 60 seconds.
## Thus a value of 10 would mean suspending for about 10 minutes.
## (The times are not exact, because maintenances include operations
## which vary in duration.)
#DRONEBL_SUSPEND = 10
```
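The hit accounting that the settings above describe (FILTER_THRESHOLD counted over GLOBAL_MAX_AGE of data, FILTER_MAX_AGE weeding, NOACTION_IPS with CIDR ranges, the sshd checks keyed on the SYSACCT_* UID range, and DRY_RUN printing an iptables command instead of running it), modelled in Python as an added example that is not maltfilter's own code. The auth.log lines, passwd entries and IPs are constructed; the exact sshd matching rules, the iptables command form, measuring an entry's age from the IP's most recent hit, and the helper names (check_log_line model, collect_hits, decide, run) are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Settings taken from the example.conf above; GLOBAL_MAX_AGE, FILTER_CHAIN and
# FILTER_TABLE use the defaults it documents in commented-out lines.
FILTER_THRESHOLD = 5
FILTER_MAX_AGE = 168        # hours: entries older than this are weeded / never added
GLOBAL_MAX_AGE = 336        # hours: hit data older than this is discarded entirely
SYSACCT_MIN_UID, SYSACCT_MAX_UID = 1, 999
CHK_SSHD, CHK_ROOT_SSH_PWD, CHK_SYSACCT_SSH_PWD = 1, 0, 0
NOACTION_IPS = ["192.121.86.15", "213.129.224.0/19"]
IPTABLES, FILTER_TABLE, FILTER_CHAIN, FILTER_TARGET = "/sbin/iptables", "filter", "INPUT", "DROP"

# Constructed /etc/passwd excerpt (hypothetical accounts).
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Constructed auth.log lines. IPs come from the RFC 5737 documentation ranges,
# except one placed deliberately inside the NOACTION_IPS CIDR range.
NOW = datetime(2009, 9, 1, 18, 48, 47)
SSHD = "host sshd[%d]: Failed password for %s from %s port %d ssh2"
AUTH_LOG = (
    # five invalid-user failures within the last hour: reaches FILTER_THRESHOLD
    ["Sep  1 18:0%d:11 " % i + SSHD % (200 + i, "invalid user admin", "198.51.100.7", 4431) for i in range(5)]
    # six failures from inside 213.129.224.0/19: exempt through NOACTION_IPS
    + ["Sep  1 17:3%d:02 " % i + SSHD % (300 + i, "invalid user test", "213.129.230.5", 5100) for i in range(6)]
    # five failures ten days ago: inside GLOBAL_MAX_AGE but older than FILTER_MAX_AGE
    + ["Aug 22 10:0%d:00 " % i + SSHD % (400 + i, "invalid user oracle", "203.0.113.9", 6000) for i in range(5)]
    # root and system-account failures: those checks are disabled (0) in the config
    + ["Sep  1 18:30:00 " + SSHD % (500, "root", "192.0.2.44", 7000),
       "Sep  1 18:31:00 " + SSHD % (501, "daemon", "192.0.2.44", 7001)]
)

SYSLOG_TIME = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
SSHD_FAIL = re.compile(r"Failed password for (invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def load_sysaccts(passwd_text):
    """Account names whose UID lies within SYSACCT_MIN_UID..SYSACCT_MAX_UID."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and SYSACCT_MIN_UID <= int(fields[2]) <= SYSACCT_MAX_UID:
            names.add(fields[0])
    return names

def syslog_time(line, now):
    m = SYSLOG_TIME.match(line)   # year-less syslog stamp; the current year is assumed
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=now.year) if m else None

def check_log_line(line, sysaccts):
    # Assumed model of the sshd part of maltfilter's check_log_line():
    # returns (check name, source IP) when an enabled check fires, else None.
    m = SSHD_FAIL.search(line)
    if not m:
        return None
    invalid, user, ip = m.groups()
    if invalid:
        return ("CHK_SSHD", ip) if CHK_SSHD else None
    if user == "root":
        return ("CHK_ROOT_SSH_PWD", ip) if CHK_ROOT_SSH_PWD else None
    if user in sysaccts:
        return ("CHK_SYSACCT_SSH_PWD", ip) if CHK_SYSACCT_SSH_PWD else None
    return None          # ordinary users are not covered by any of the three checks

def is_noaction(ip):
    """True if ip is listed in NOACTION_IPS, as a single host or inside a CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in NOACTION_IPS)

def collect_hits(lines, now, sysaccts):
    """ip -> sorted hit timestamps, keeping only data younger than GLOBAL_MAX_AGE."""
    keep_after = now - timedelta(hours=GLOBAL_MAX_AGE)
    hits = {}
    for line in lines:
        ts, res = syslog_time(line, now), check_log_line(line, sysaccts)
        if ts is None or res is None or ts < keep_after:
            continue
        hits.setdefault(res[1], []).append(ts)
    return {ip: sorted(ts) for ip, ts in hits.items()}

def decide(ip, times, now):
    """'filter' if the IP would be added to netfilter, otherwise the reason it is not."""
    if is_noaction(ip):
        return "noaction"
    if len(times) < FILTER_THRESHOLD:
        return "below-threshold"
    if times[-1] < now - timedelta(hours=FILTER_MAX_AGE):   # entry age = age of last hit (assumption)
        return "stale"
    return "filter"

def iptables_command(ip):
    """The rule DRY_RUN=1 would print instead of executing (assumed command form)."""
    return "%s -t %s -A %s -s %s -j %s" % (IPTABLES, FILTER_TABLE, FILTER_CHAIN, ip, FILTER_TARGET)

def run(lines=AUTH_LOG, now=NOW):
    """One dry-run pass: returns the per-IP decisions and the iptables commands."""
    hits = collect_hits(lines, now, load_sysaccts(PASSWD_SAMPLE))
    decisions = {ip: decide(ip, times, now) for ip, times in hits.items()}
    commands = [iptables_command(ip) for ip, d in sorted(decisions.items()) if d == "filter"]
    return decisions, commands
```

Calling run() on the constructed input yields one DROP rule for 198.51.100.7; the NOACTION range, the stale ten-day-old hits and the disabled root/system-account checks produce none.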