Mercurial > hg > maltfilter
annotate example.conf @ 4:b2c7c76b3529 maltfilter-0.7
Added scanning feature for SSH root login attempts with failed passwords.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Thu, 13 Aug 2009 18:02:53 +0300 |
| parents | fec14263801d |
| children | ee5f7b8dcdea |
| rev | line source |
|---|---|
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1 ## Maltfilter configuration file. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
2 ## PLEASE GO THROUGH THIS FILE VERY CAREFULLY! |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
3 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
4 # Verbosity level (0 = quiet, bigger values add noise. valid range 0 - 4) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
5 VERBOSITY = 4 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
6 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
7 # Dry-run: 1 = disables daemonization/forking to background, disables |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
8 # modification of netfilter/iptables, printing the iptables commands to |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
9 # stdout instead. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
10 # NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE! |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
11 DRY_RUN = 1 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
12 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
13 # Define system log files to scan. Only auth.log and Apache errorlog / |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
14 # common log format files are supported for now. You can have as many |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
15 # of SCANFILE settings as you wish. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
16 SCANFILE = "/var/log/auth.log" |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
17 SCANFILE = "/var/log/httpd/error.log" |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
18 SCANFILE = "/var/log/httpd/access.log" |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
19 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
20 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
21 # Weeding treshold in hours. Entries older than this will be "weeded" |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
22 # off from current netfilter settings. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
23 WEEDPERIOD = 72 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
24 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
25 # How many "hits" the IP needs until it is eligible to be blocked. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
26 # (the "hits" can be from any "source", e.g. sshd crack, httpd, etc.) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
27 TRESHOLD = 3 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
28 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
29 # Target iptables action for added entries, default is DROP, but you |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
30 # can use whatever rule chain name you want to here. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
31 ACTION = "DROP" |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
32 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
33 # Enabled checks (1 = enabled, 0 = disabled). Please read the test |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
34 # descriptions from "check_log_line" function in the maltfilter script. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
35 CHK_SSHD = 1 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
36 CHK_KNOWN_CGI = 1 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
37 CHK_PHP_XSS = 1 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
38 CHK_PROXY_SCAN = 1 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
39 CHK_GOOD_HOSTS = "example.org|google.com|74.125.45.100" |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
40 |
|
4
b2c7c76b3529
Added scanning feature for SSH root login attempts with failed passwords.
Matti Hamalainen <ccr@tnsp.org>
parents:
0
diff
changeset
|
41 # Notice! ONLY enable this setting, if you have disabled password root |
|
b2c7c76b3529
Added scanning feature for SSH root login attempts with failed passwords.
Matti Hamalainen <ccr@tnsp.org>
parents:
0
diff
changeset
|
42 # logins from sshd_config (e.g. you have "PermitRootLogin without-password") |
|
b2c7c76b3529
Added scanning feature for SSH root login attempts with failed passwords.
Matti Hamalainen <ccr@tnsp.org>
parents:
0
diff
changeset
|
43 # or that alternatively you have defined "safe" hosts in NOBLOCK_HOSTS below. |
|
b2c7c76b3529
Added scanning feature for SSH root login attempts with failed passwords.
Matti Hamalainen <ccr@tnsp.org>
parents:
0
diff
changeset
|
44 CHK_ROOT_SSH_PWD = 0 |
|
b2c7c76b3529
Added scanning feature for SSH root login attempts with failed passwords.
Matti Hamalainen <ccr@tnsp.org>
parents:
0
diff
changeset
|
45 |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
46 # Maltfilter logfile path and name (set empty "" if you don't want logging) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
47 LOGFILE = "/var/log/maltfilter" |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
48 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
49 # Full path to iptables binary |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
50 IPTABLES = "/sbin/iptables" |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
51 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
52 # IP(s) NOT to be blocked under any circumstances, separated by pipes (|). |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
53 # You should set this if you wish to have a surefire open channel from |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
54 # somewhere, even in case someone tries to spoof IPs for denial of service. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
55 # NOTICE! This setting supports only IPv4 addresses, no IPv6 or DNS names. |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
56 NOBLOCK_HOSTS = "127.0.0.1|74.125.45.100" |