Mercurial > hg > maltfilter
annotate README @ 79:9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
usage improvements.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Sat, 29 Aug 2009 05:24:31 +0300 |
| parents | 54bb4f844063 |
| children | f6cc54356339 |
| rev | line source |
|---|---|
|
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
77
diff
changeset
|
1 Malicious Attack Livid Termination Filter daemon (maltfilter) v0.18.0 |
| 27 | 2 ===================================================================== |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
3 Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org> |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
4 (C) Copyright 2009 Tecnic Software productions (TNSP) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
5 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
6 Distributed under the modified ("3-clause") BSD license. Please see |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
7 included file COPYING for more information. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
8 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
9 About |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
10 ===== |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
11 Maltfilter daemon script continuously scans various system logfiles |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
12 including auth.log, httpd logs, etc. for signs of malicious connections, |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
13 break-in and exploitation attempts. The originating IP addresses of |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
14 these connections can be then acted upon in following ways, each |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
15 being optional: |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
16 |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
17 * Insertion (and eventual deletion or "weeding") of Netfilter rules. |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
18 * Submitting entry to DroneBL DNSBL service. |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
19 |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
20 Additionally Maltfilter can generate status reports (either continuously |
| 65 | 21 in daemon mode, or as once-run report), in plaintext and HTML formats |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
22 |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
23 Since v0.14, there is also option for gathering "evidence" about certain |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
24 PHP XSS exploit attempts into specified directory. These evidence files |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
25 include the attempted exploit code (if found) and hosts which have tried |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
26 to make your server run it. |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
27 |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
28 |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
29 Requirements: |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
30 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
31 - Perl 5.8 or later |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
32 - Date::Parse (libtimedate-perl) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
33 - Net::IP (libnet-ip-perl) |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
34 - Net::DNS (libnet-dns-perl) |
|
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
35 - LWP::UserAgent (libwww-perl) |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
36 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
37 |
|
72
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
38 Memory requirement considerations |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
39 ================================= |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
40 Because Maltfilter is written in Perl, it (or rather the Perl interpreter |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
41 it is running under) tends not to free any allocated memory. This is NOT |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
42 a memory leak per se, but a feature of Perl's memory allocator. Currently |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
43 allocated memory is simply reused for other structures when needed, |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
44 thus making the VIRT consumption periodically rise. |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
45 |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
46 However, there may be some situations (none that I have experienced myself |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
47 as of yet, but as usual anything is possible) where Maltfilter's memory |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
48 consumption rises to unbearable level. In high-volume servers it may be |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
49 useful to periodically restart (as in complete restart, not reload via HUP) |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
50 the daemon to free the memory. |
|
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
51 |
|
73
5d722da1392b
Add tip about changing certain configuration values to lessen memory consumption.
Matti Hamalainen <ccr@tnsp.org>
parents:
72
diff
changeset
|
52 It is also helpful to change the FILTER_MAX_AGE and GLOBAL_MAX_AGE |
|
5d722da1392b
Add tip about changing certain configuration values to lessen memory consumption.
Matti Hamalainen <ccr@tnsp.org>
parents:
72
diff
changeset
|
53 configuration settings to smaller values, so that amount of data held |
|
5d722da1392b
Add tip about changing certain configuration values to lessen memory consumption.
Matti Hamalainen <ccr@tnsp.org>
parents:
72
diff
changeset
|
54 in memory at once is smaller. |
|
5d722da1392b
Add tip about changing certain configuration values to lessen memory consumption.
Matti Hamalainen <ccr@tnsp.org>
parents:
72
diff
changeset
|
55 |
|
72
84c7edc1a619
Add note about Perl memory allocator behaviour.
Matti Hamalainen <ccr@tnsp.org>
parents:
70
diff
changeset
|
56 |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
57 Installation |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
58 ============ |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
59 Copy maltfilter script to /usr/sbin and set permissions |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
60 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
61 $ cp maltfilter /usr/sbin/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
62 $ chmod 755 /usr/sbin/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
63 $ chown root:root /usr/sbin/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
64 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
65 Copy example configuration under /etc (you may not want to |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
66 to have the configuration readable to regular users, so below |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
67 example sets mode 600 to it.) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
68 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
69 $ cp example.conf /etc/maltfilter.conf |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
70 $ chmod 600 /etc/maltfilter.conf |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
71 $ chown root:root /etc/maltfilter.conf |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
72 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
73 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
74 Optional |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
75 ======== |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
76 Additionally you can set up the provided Debian style init script: |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
77 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
78 $ cp example.init /etc/init.d/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
79 $ chmod 755 /etc/init.d/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
80 $ chown root:root /etc/init.d/maltfilter |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
81 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
82 You need to edit the script, if you didn't install the configuration |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
83 and maltfilter to paths described in installation section. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
84 |
| 48 | 85 Also a simple example HTML CSS stylesheet is provided for your convenience. |
| 86 | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
87 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
88 Configuration and usage |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
89 ======================= |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
90 See example.conf for documentation about settings. Start maltfilter |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
91 either via the init script or through commandline: |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
92 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
93 $ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
94 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
95 If you want to use the init script, you need to edit your init runlevel |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
96 settings to enable it, for example in Debian/Ubuntu you can use rcconf(8) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
97 or chkconfig(8). |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
6
diff
changeset
|
98 |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
99 |
|
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
100 Reports |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
101 ======= |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
102 Automatic report generation can be enabled from configuration. |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
103 You can also run "full" report generation via the "-f" option, in this |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
104 special mode, no automatic weeding is performed, resulting in |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
105 more data being shown. |
|
61
8b33436dd18b
Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
106 |