Mercurial > hg > maltfilter
annotate README @ 66:42889eed0ce8
Lots of cleanups, etc. Documentation updates.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Tue, 18 Aug 2009 03:21:30 +0300 |
| parents | d2e2b82dd2f2 |
| children | b090ddfccdab |
| rev | line source |
|---|---|
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1 Malicious Attack Livid Termination Filter daemon (maltfilter) v0.16.0 |
| 27 | 2 ===================================================================== |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
3 Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org> |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
4 (C) Copyright 2009 Tecnic Software productions (TNSP) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
5 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
6 Distributed under the modified ("3-clause") BSD license. Please see |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
7 included file COPYING for more information. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
8 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
9 About |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
10 ===== |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
11 Maltfilter daemon script continuously scans various system logfiles |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
12 including auth.log, httpd logs, etc. for signs of malicious connections, |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
13 break-in and exploitation attempts. The originating IP addresses of |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
14 these connections can be then acted upon in following ways, each |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
15 being optional: |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
16 |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
17 * Insertion (and eventual deletion or "weeding") of Netfilter rules. |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
18 * Submitting entry to DroneBL DNSBL service. |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
19 |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
20 Additionally Maltfilter can generate status reports (either continuously |
| 65 | 21 in daemon mode, or as once-run report), in plaintext and HTML formats |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
22 |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
23 Since v0.14, there is also option for gathering "evidence" about certain |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
24 PHP XSS exploit attempts into specified directory. These evidence files |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
25 include the attempted exploit code (if found) and hosts which have tried |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
26 to make your server run it. |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
27 |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
28 |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
29 Requirements: |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
30 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
31 - Perl 5.8 or later |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
32 - Date::Parse (libtimedate-perl) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
33 - Net::IP (libnet-ip-perl) |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
34 - Net::DNS (libnet-dns-perl) |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
35 - LWP::UserAgent (libwww-perl) |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
36 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
37 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
38 Installation |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
39 ============ |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
40 Copy maltfilter script to /usr/sbin and set permissions |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
41 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
42 $ cp maltfilter /usr/sbin/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
43 $ chmod 755 /usr/sbin/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
44 $ chown root:root /usr/sbin/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
45 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
46 Copy example configuration under /etc (you may not want to |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
47 to have the configuration readable to regular users, so below |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
48 example sets mode 600 to it.) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
49 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
50 $ cp example.conf /etc/maltfilter.conf |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
51 $ chmod 600 /etc/maltfilter.conf |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
52 $ chown root:root /etc/maltfilter.conf |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
53 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
54 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
55 Optional |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
56 ======== |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
57 Additionally you can set up the provided Debian style init script: |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
58 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
59 $ cp example.init /etc/init.d/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
60 $ chmod 755 /etc/init.d/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
61 $ chown root:root /etc/init.d/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
62 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
63 You need to edit the script, if you didn't install the configuration |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
64 and maltfilter to paths described in installation section. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
65 |
| 48 | 66 Also a simple example HTML CSS stylesheet is provided for your convenience. |
| 67 | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
68 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
69 Configuration and usage |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
70 ======================= |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
71 See example.conf for documentation about settings. Start maltfilter |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
72 either via the init script or through commandline: |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
73 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
74 $ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
75 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
76 If you want to use the init script, you need to edit your init runlevel |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
77 settings to enable it, for example in Debian/Ubuntu you can use rcconf(8) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
78 or chkconfig(8). |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
6
diff
changeset
|
79 |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
80 |
|
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
81 Reports |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
82 ======= |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
83 Automatic report generation can be enabled from configuration. |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
84 You can also run "full" report generation via the "-f" option, in this |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
85 special mode, no automatic weeding is performed, resulting in |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
86 more data being shown. |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
87 |