annotate example.conf @ 26:61b6d742c49c

Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
author Matti Hamalainen <ccr@tnsp.org>
date Sat, 15 Aug 2009 23:43:22 +0300
parents fe220b5a975a
children 24babaa1e331
#############################################################################
### Maltfilter configuration file.
### PLEASE READ THROUGH THIS FILE VERY CAREFULLY!

#############################################################################
### General settings
#############################################################################
# Verbosity level (0 = quiet, bigger values add noise; valid range 0 - 4)
VERBOSITY = 4

# Dry-run: 1 = disables daemonization/forking to background, disables
# modification of netfilter/iptables, printing the iptables commands to
# stdout instead.
# NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE!
DRY_RUN = 1

# Maltfilter logfile path and name (set empty "" if you don't want logging)
LOGFILE = "/var/log/maltfilter"

# Full path to iptables binary
IPTABLES = "/sbin/iptables"


#############################################################################
### Actions, etc. settings
#############################################################################
## Weeding threshold in hours. Entries older than this will be removed
## from the current netfilter settings (i.e. they become unblocked again).
#WEED_BLOCK = 168

## For how many hours to keep general information about an IP. This affects
## how long a period the statistics dump shows data for. Hit count thresholds
## also take the old data into account, meaning that if WEED_BLOCK < WEED_GLOBAL,
## hit data older than WEED_BLOCK will still be counted towards the hit
## threshold (TRESHOLD).
#WEED_GLOBAL = 336

## How many "hits" the IP needs until it is eligible to be blocked.
## (the "hits" can be from any "source", e.g. sshd crack, httpd, etc.)
#TRESHOLD = 3
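How WEED_BLOCK, WEED_GLOBAL and TRESHOLD interact, as an added Python illustration that is not code from maltfilter (the script's own data structures and function names are unknown here; IpRecord, weed and record_hit are assumed): hits inside the WEED_GLOBAL window keep counting towards the threshold even once they are older than WEED_BLOCK, a block is lifted after WEED_BLOCK hours, and a NOBLOCK_IPS entry is never blocked. The address 203.0.113.7 and the timings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

HOUR = 3600.0

@dataclass
class IpRecord:
    hits: List[Tuple[float, str]] = field(default_factory=list)  # (time, source)
    blocked_at: Optional[float] = None

def weed(records: Dict[str, IpRecord], now: float, weed_block: int, weed_global: int) -> None:
    """Drop stale data: a block older than WEED_BLOCK hours is lifted (the IP is
    unblocked again); a hit older than WEED_GLOBAL hours is forgotten."""
    for ip, rec in list(records.items()):
        if rec.blocked_at is not None and now - rec.blocked_at >= weed_block * HOUR:
            rec.blocked_at = None
        rec.hits = [h for h in rec.hits if now - h[0] < weed_global * HOUR]
        if not rec.hits and rec.blocked_at is None:
            del records[ip]

def record_hit(records: Dict[str, IpRecord], ip: str, now: float, source: str,
               threshold: int, weed_block: int, weed_global: int,
               noblock_ips: Set[str]) -> bool:
    """Register one hit (from any source) and return True if the IP gets blocked now.
    Hits are counted over the WEED_GLOBAL window, so with WEED_BLOCK < WEED_GLOBAL
    a hit older than WEED_BLOCK still counts towards the threshold."""
    rec = records.setdefault(ip, IpRecord())
    rec.hits.append((now, source))
    weed(records, now, weed_block, weed_global)
    if ip in noblock_ips or rec.blocked_at is not None:
        return False  # whitelisted, or already blocked
    if len(rec.hits) >= threshold:
        rec.blocked_at = now
        return True
    return False

def demo() -> Tuple[bool, bool, bool, bool, bool]:
    """Constructed scenario: WEED_BLOCK = 168, WEED_GLOBAL = 336, TRESHOLD = 3."""
    recs: Dict[str, IpRecord] = {}
    cfg = dict(threshold=3, weed_block=168, weed_global=336,
               noblock_ips={"192.121.86.15"})
    ip = "203.0.113.7"  # constructed address from the documentation range
    r1 = record_hit(recs, ip, 0 * HOUR, "sshd", **cfg)      # 1 hit: nothing happens
    r2 = record_hit(recs, ip, 200 * HOUR, "httpd", **cfg)   # 2 hits: first is > 168 h old
    r3 = record_hit(recs, ip, 210 * HOUR, "httpd", **cfg)   # 3 hits, old one counted: blocked
    weed(recs, (210 + 168) * HOUR, 168, 336)                # block expires after WEED_BLOCK h
    unblocked = recs[ip].blocked_at is None
    never = record_hit(recs, "192.121.86.15", 0.0, "sshd", **cfg)  # NOBLOCK_IPS entry
    return r1, r2, r3, unblocked, never
```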

## Target iptables action for added entries, default is DROP, but you
## can use whatever rule chain name you want here.
#ACTION = "DROP"

## IP addresses that should NOT be blocked under any circumstances. You should
## set this if you wish to have a surefire open channel from some host, even in
## the case someone tries to spoof IPs for denial of service.
##
## NOTICE! This setting supports only IPv4 addresses, no IPv6 or DNS names.
## You can have any number of NOBLOCK_IPS settings.
#NOBLOCK_IPS = "192.121.86.15"
#NOBLOCK_IPS = "74.125.45.100"


#############################################################################
### Logfiles
#############################################################################
## Define system log files to scan. Only auth.log and Apache errorlog /
## common log format files are supported for now. You can have as many
## SCANFILE settings as you wish.
SCANFILE = "/var/log/auth.log"
SCANFILE = "/var/log/httpd/error.log"
SCANFILE = "/var/log/httpd/access.log"


#############################################################################
### Checks / tests
#############################################################################
## Enabled checks (1 = enabled, 0 = disabled). Please read the test
## descriptions in the "check_log_line" function of the maltfilter script.
CHK_SSHD = 1
CHK_KNOWN_CGI = 1
CHK_PHP_XSS = 1
CHK_PROXY_SCAN = 1
#CHK_GOOD_HOSTS = "example.org|google.com|74.125.45.100"

## Notice! ONLY enable this setting if you have disabled password root
## logins in sshd_config (e.g. you have "PermitRootLogin without-password"),
## or alternatively have defined "safe" hosts in NOBLOCK_IPS.
CHK_ROOT_SSH_PWD = 0


#############################################################################
### Reports
#############################################################################
## Define files for periodically updated status reports (refreshed once
## every few minutes). Leave empty ("") or commented if you do not want
## status reports.

## Plain ASCII text file report
#STATUS_FILE_PLAIN = "/var/www/maltstatus.txt"

## HTML file and optional CSS stylesheet URL for the HTML
## (if left empty, CSS is not used).
#STATUS_FILE_HTML = "/var/www/maltstatus.html"
#STATUS_FILE_CSS = "cool.css"

## URL for a web-based WHOIS service. This URL will be used for creating
## href links for the IP addresses. Default is whois.domaintools.com. Set
## empty if you don't want links.
#WHOIS_URL = "http://whois.domaintools.com/"
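A parser and sanity checker for this file format, added here as an example and not part of the maltfilter script: it accumulates repeated SCANFILE / NOBLOCK_IPS settings, rejects NOBLOCK_IPS entries that are not IPv4 literals as the notice above warns, and flags the DRY_RUN and CHK_ROOT_SSH_PWD notices. Inline comments after a value are assumed to be unsupported, and the SAMPLE text is constructed, not the project's own file.

```python
import ipaddress
import re
from typing import Dict, List, Union

MULTI_KEYS = {"SCANFILE", "NOBLOCK_IPS"}  # example.conf allows any number of these
LINE_RE = re.compile(r'^([A-Z_]+)\s*=\s*(?:"([^"]*)"|(-?\d+))$')

def parse_conf(text: str) -> Dict[str, Union[int, str, List[str]]]:
    """Parse KEY = 123 / KEY = "string" lines; full-line '#' comments are skipped."""
    conf: Dict[str, Union[int, str, List[str]]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        key, s, n = m.groups()
        value = s if s is not None else int(n)
        if key in MULTI_KEYS:
            conf.setdefault(key, []).append(str(value))  # repeated keys accumulate
        else:
            conf[key] = value  # single-valued key: last occurrence wins (assumption)
    return conf

def check_conf(conf) -> List[str]:
    """Sanity checks taken from the notices in example.conf."""
    problems = []
    if conf.get("DRY_RUN") == 1:
        problems.append("DRY_RUN = 1: maltfilter will not daemonize or modify iptables")
    for ip in conf.get("NOBLOCK_IPS", []):
        try:
            ipaddress.IPv4Address(ip)  # IPv6 addresses and DNS names are not supported
        except ValueError:
            problems.append(f"NOBLOCK_IPS {ip!r}: only IPv4 addresses are supported")
    if conf.get("CHK_ROOT_SSH_PWD") == 1 and not conf.get("NOBLOCK_IPS"):
        problems.append("CHK_ROOT_SSH_PWD = 1 without NOBLOCK_IPS: make sure "
                        "sshd_config has PermitRootLogin without-password")
    return problems

SAMPLE = """\
VERBOSITY = 4
DRY_RUN = 0
NOBLOCK_IPS = "192.121.86.15"
NOBLOCK_IPS = "2001:db8::1"
NOBLOCK_IPS = "example.org"
SCANFILE = "/var/log/auth.log"
CHK_ROOT_SSH_PWD = 1
"""  # constructed sample input, not the project's example.conf
```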