Mercurial > hg > maltfilter
annotate README @ 61:8b33436dd18b
Update example configuration and documentation.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Mon, 17 Aug 2009 08:22:38 +0300 |
| parents | a70493b6c916 |
| children | d2e2b82dd2f2 |
| rev | line source |
|---|---|
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
1 Malicious Attack Livid Termination Filter daemon (maltfilter) v0.14.0 |
| 27 | 2 ===================================================================== |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
3 Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org> |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
4 (C) Copyright 2009 Tecnic Software productions (TNSP) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
5 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
6 Distributed under the modified ("3-clause") BSD license. Please see |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
7 included file COPYING for more information. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
8 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
9 About |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
10 ===== |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
11 Maltfilter daemon script continuously scans various system logfiles |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
12 including auth.log, httpd logs, etc. for signs of malicious connections, |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
13 break-in and exploitation attempts. The originating IP addresses of |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
14 these connections are then blocked via Netfilter (iptables). |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
15 |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
16 Additionally Maltfilter can generate status reports (either continuously |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
17 in daemon mode, or as once-run report), in plaintext and HTML formats. |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
18 |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
19 Since v0.14, there is also option for gathering "evidence" about certain |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
20 PHP XSS exploit attempts into specified directory. These evidence files |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
21 include the attempted exploit code (if found) and hosts which have tried |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
22 to make your server run it. |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
23 |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
24 |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
25 Requirements: |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
26 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
27 - Perl 5.8 or later |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
28 - Date::Parse (libtimedate-perl) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
29 - Net::IP (libnet-ip-perl) |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
30 - Net::DNS (libnet-dns-perl) |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
31 - LWP::UserAgent (libwww-perl) |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
32 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
33 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
34 Installation |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
35 ============ |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
36 Copy maltfilter script to /usr/sbin and set permissions |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
37 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
38 $ cp maltfilter /usr/sbin/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
39 $ chmod 755 /usr/sbin/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
40 $ chown root:root /usr/sbin/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
41 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
42 Copy example configuration under /etc (you may not want to |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
43 to have the configuration readable to regular users, so below |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
44 example sets mode 600 to it.) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
45 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
46 $ cp example.conf /etc/maltfilter.conf |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
47 $ chmod 600 /etc/maltfilter.conf |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
48 $ chown root:root /etc/maltfilter.conf |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
49 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
50 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
51 Optional |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
52 ======== |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
53 Additionally you can set up the provided Debian style init script: |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
54 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
55 $ cp example.init /etc/init.d/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
56 $ chmod 755 /etc/init.d/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
57 $ chown root:root /etc/init.d/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
58 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
59 You need to edit the script, if you didn't install the configuration |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
60 and maltfilter to paths described in installation section. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
61 |
| 48 | 62 Also a simple example HTML CSS stylesheet is provided for your convenience. |
| 63 | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
64 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
65 Configuration and usage |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
66 ======================= |
| 42 | 67 See example.conf for documentation about settings. |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
68 Start maltfilter either via the init script or through commandline: |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
69 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
70 $ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
71 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
72 If you want to use the init script, you need to edit your init runlevel |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
73 settings to enable it, for example in Debian/Ubuntu you can use rcconf(8) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
74 or chkconfig(8). |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
6
diff
changeset
|
75 |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
76 |
|
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
77 Reports |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
78 ======= |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
79 Automatic report generation can be enabled from configuration. |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
80 You can also run "full" report generation via the "-f" option, in this |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
81 special mode, no automatic weeding is performed, resulting in |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
82 more data being shown. |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
83 |