Mercurial > hg > maltfilter
annotate README @ 105:5786194984c5 maltfilter-0.20.1
Version bump.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Mon, 07 Sep 2009 02:32:33 +0300 |
| parents | f24388499e66 |
| children | ed506a76eb31 |
| rev | line source |
|---|---|
| 105 | 1 Malicious Attack Livid Termination Filter daemon (maltfilter) v0.20.1 |
| 27 | 2 ===================================================================== |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
3 Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org> |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
4 (C) Copyright 2009 Tecnic Software productions (TNSP) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
5 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
6 Distributed under the modified ("3-clause") BSD license. Please see |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
7 included file COPYING for more information. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
8 |
| 104 | 9 |
| 10 Homepage: http://www.tnsp.org/maltfilter.php | |
| 11 | |
| 12 | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
13 About |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
14 ===== |
| 89 | 15 Maltfilter is daemon script written in Perl, which continuously scans various |
| 16 system logfiles including auth.log, Apache style common logformat and error | |
| 17 logs, etc. for signs of malicious connections, break-in (login bruteforcing, | |
| 18 etc.) and exploitation attempts. The originating IP addresses of these | |
| 19 connections can be then acted upon in following ways, each being optional: | |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
20 |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
21 * Insertion (and eventual deletion or "weeding") of Netfilter rules. |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
22 * Submitting entry to DroneBL DNSBL service. |
| 85 | 23 * Gather "evidence" about certain PHP XSS exploit attempts into |
| 24 specified directory. These evidence files include the attempted | |
| 25 exploit code (if found) and hosts which have tried to make your | |
| 26 server run it. | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
27 |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
28 Additionally Maltfilter can generate status reports (either continuously |
| 85 | 29 in daemon mode, or in run-once report mode), in plaintext and HTML |
| 30 formats. | |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
31 |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
32 |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
33 Requirements: |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
34 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
35 - Perl 5.8 or later |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
36 - Date::Parse (libtimedate-perl) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
37 - Net::IP (libnet-ip-perl) |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
38 - Net::DNS (libnet-dns-perl) |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
39 - LWP::UserAgent (libwww-perl) |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
40 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
41 |
|
72
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
42 Memory requirement considerations |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
43 ================================= |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
44 Because Maltfilter is written in Perl, it (or rather the Perl interpreter |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
45 it is running under) tends not to free any allocated memory. This is NOT |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
46 a memory leak per se, but a feature of Perl's memory allocator. Currently |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
47 allocated memory is simply reused for other structures when needed, |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
48 thus making the VIRT consumption periodically rise. |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
49 |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
50 However, there may be some situations (none that I have experienced myself |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
51 as of yet, but as usual anything is possible) where Maltfilter's memory |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
52 consumption rises to unbearable level. In high-volume servers it may be |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
53 useful to periodically restart (as in complete restart, not reload via HUP) |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
54 the daemon to free the memory. |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
55 |
|
73
5d722da1392b
Add tip about changing certain configuration values to lessen memory consumption.
Matti Hamalainen <ccr@tnsp.org>
parents:
72
diff
changeset
|
56 It is also helpful to change the FILTER_MAX_AGE and GLOBAL_MAX_AGE |
|
5d722da1392b
Add tip about changing certain configuration values to lessen memory consumption.
Matti Hamalainen <ccr@tnsp.org>
parents:
72
diff
changeset
|
57 configuration settings to smaller values, so that amount of data held |
|
5d722da1392b
Add tip about changing certain configuration values to lessen memory consumption.
Matti Hamalainen <ccr@tnsp.org>
parents:
72
diff
changeset
|
58 in memory at once is smaller. |
|
5d722da1392b
Add tip about changing certain configuration values to lessen memory consumption.
Matti Hamalainen <ccr@tnsp.org>
parents:
72
diff
changeset
|
59 |
|
72
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
60 |
| 104 | 61 Manual installation |
| 62 =================== | |
| 63 1) Copy maltfilter script to /usr/sbin and set permissions | |
| 64 | |
| 65 $ cp maltfilter /usr/sbin/maltfilter | |
| 66 $ chmod 755 /usr/sbin/maltfilter | |
| 67 $ chown root:root /usr/sbin/maltfilter | |
| 68 | |
| 69 2) Copy example configuration under /etc (you may not want to have the | |
| 70 configuration readable to regular users, so below example sets mode | |
| 71 0600 to it.) | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
72 |
| 104 | 73 $ cp example.conf /etc/maltfilter.conf |
| 74 $ chmod 600 /etc/maltfilter.conf | |
| 75 $ chown root:root /etc/maltfilter.conf | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
76 |
| 104 | 77 3) Additionally you can set up the provided Debian style init script |
| 78 for starting Maltfilter at boot. You may need to edit the script, | |
| 79 if you didn't install the configuration and maltfilter script to | |
| 80 paths described above. | |
| 81 | |
| 82 $ cp example.init /etc/init.d/maltfilter | |
| 83 $ chmod 755 /etc/init.d/maltfilter | |
| 84 $ chown root:root /etc/init.d/maltfilter | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
85 |
| 104 | 86 After that you should run rcconf(8) or chkconfig(8) or similar SysV |
| 87 runlevel configuration utility to enable the script on desired | |
| 88 runlevels. | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
89 |
| 104 | 90 4) You will also most likely want to set up Maltfilter to be SIGHUP'd/ |
| 91 restarted when logfiles are rotated via logrotate (because Maltfilter | |
| 92 does not automatically notice if logfiles are switched while it is | |
| 93 running). | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
94 |
| 104 | 95 There are several ways this can be done, most of which are distribution |
| 96 specific. If you are using Debian-based distribution or something close | |
| 97 enough, you can try following: | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
98 |
| 104 | 99 a) Use the included 'logrotate.example' logrotate script. This may not |
| 100 as reliable method as below, however, but it is somewhat easier and | |
| 101 much more maintainable. | |
| 102 | |
| 103 $ cp logrotate.example /etc/logrotate.d/maltfilter | |
| 104 $ chmod 644 /etc/logrotate.d/maltfilter | |
| 105 $ chown root:root /etc/logrotate.d/maltfilter | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
106 |
| 104 | 107 b) Alternatively you can edit /etc/logrotate.conf or relevant file(s) |
| 108 under /etc/logrotate.d/ and add reloading or restarting maltfilter | |
| 109 in the script's postrotate section. | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
110 |
| 104 | 111 For example, if you are using Debian with rsyslog, there should be |
| 112 /etc/logrotate.d/rsyslog, which takes care of rotating most system | |
| 113 logs, such as auth.log. Add following line in postrotate section: | |
| 114 | |
| 115 invoke-rc.d maltfilter reload > /dev/null | |
| 48 | 116 |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
117 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
118 Configuration and usage |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
119 ======================= |
| 104 | 120 See example.conf for documentation about settings. After editing your |
| 121 configuration, you should do a preliminary test run via report mode to | |
| 122 see if most settings are sane. | |
| 123 | |
| 124 $ maltfilter -f /etc/maltfilter.conf | |
| 125 | |
| 126 After that, you can start maltfilter either via the init script | |
| 127 (recommended) or through commandline: | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
128 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
129 $ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
130 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
131 If you want to use the init script, you need to edit your init runlevel |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
132 settings to enable it, for example in Debian/Ubuntu you can use rcconf(8) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
133 or chkconfig(8). |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
6
diff
changeset
|
134 |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
135 |
|
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
136 Reports |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
137 ======= |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
138 Automatic report generation can be enabled from configuration. |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
139 You can also run "full" report generation via the "-f" option, in this |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
140 special mode, no automatic weeding is performed, resulting in |
| 104 | 141 more data being shown. In report mode Maltfilter will only parse files |
| 142 once, generate reports (if enabled) and quit. | |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
143 |