annotate README @ 108:d38b77d1e6c8
Update example configuration.

author:   Matti Hamalainen <ccr@tnsp.org>
date:     Thu, 12 Nov 2009 14:42:38 +0200
parents:  5786194984c5
children: ed506a76eb31

Malicious Attack Livid Termination Filter daemon (maltfilter) v0.20.1
=====================================================================
Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org>
(C) Copyright 2009 Tecnic Software productions (TNSP)

Distributed under the modified ("3-clause") BSD license. Please see
included file COPYING for more information.


Homepage: http://www.tnsp.org/maltfilter.php


About
=====
Maltfilter is a daemon script written in Perl, which continuously scans various
system logfiles (auth.log, Apache-style common log format access logs and error
logs, etc.) for signs of malicious connections, break-in attempts (login
brute-forcing, etc.) and exploitation attempts. The originating IP addresses of
these connections can then be acted upon in the following ways, each being
optional:

 * Insertion (and eventual deletion or "weeding") of Netfilter rules.
 * Submitting an entry to the DroneBL DNSBL service.
 * Gathering "evidence" about certain PHP XSS exploit attempts into a
   specified directory. These evidence files include the attempted
   exploit code (if found) and the hosts which have tried to make your
   server run it.
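The scanning loop described above, as an added example that is not maltfilter's own code (written in Python rather than Perl so it runs stand-alone here): it parses constructed sshd lines in auth.log format, counts failed logins per source address inside a sliding time window, flags sources that cross a threshold, and renders the Netfilter rules such a hit would trigger as strings instead of executing them. The sample log lines, the threshold of 4 failures within 300 seconds, the year 2009 supplied for the year-less syslog timestamps, and the rule format are assumptions of the example, not settings taken from maltfilter.

```python
"""Added example (not maltfilter's own code): a minimal auth.log scanner that
counts failed SSH logins per source IP within a sliding window and reports
which sources have crossed a brute-force threshold.  The log lines are
constructed for the example; threshold, window and year are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of syslog-style sshd lines (no year, as in a real auth.log).
SAMPLE_AUTH_LOG = """\
Nov 12 14:40:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41222 ssh2
Nov 12 14:40:03 host sshd[2102]: Failed password for root from 203.0.113.5 port 41223 ssh2
Nov 12 14:40:04 host sshd[2103]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2
Nov 12 14:40:06 host sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 41224 ssh2
Nov 12 14:40:09 host sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 41225 ssh2
Nov 12 14:41:30 host sshd[2106]: Failed password for invalid user admin from 198.51.100.9 port 33000 ssh2
Nov 12 15:55:00 host sshd[2107]: Failed password for root from 203.0.113.5 port 41226 ssh2
"""

# Matches only sshd "Failed password" lines; everything else is ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)

def parse_ts(ts, year=2009):
    """auth.log timestamps carry no year; the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def scan(lines, threshold=4, window_sec=300):
    """Return {ip: peak_count} for sources with >= threshold failures inside any
    window_sec span.  Each per-IP deque keeps only timestamps still inside the
    window, so the state does not grow with the length of the log."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_sec:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def netfilter_rules(flagged, chain="INPUT"):
    """Render the drop rules a filter action would install (returned, not run)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(flagged)]

def plaintext_report(flagged):
    """Run-once style plaintext summary of the flagged sources."""
    lines = ["Source IP        Failures", "-" * 25]
    lines += [f"{ip:<16} {n:>8}" for ip, n in sorted(flagged.items())]
    return "\n".join(lines)

if __name__ == "__main__":
    hits = scan(SAMPLE_AUTH_LOG.splitlines())
    print(plaintext_report(hits))
    for rule in netfilter_rules(hits):
        print(rule)
```

On the constructed input only 203.0.113.5 crosses the threshold (four failures within nine seconds); its later single failure at 15:55 lands in an otherwise empty window and does not re-trigger, and 198.51.100.9 never reaches four. The returned rule strings are the place where a daemon such as maltfilter would call out to the firewall.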

Additionally, Maltfilter can generate status reports (either continuously
in daemon mode, or in run-once report mode), in plaintext and HTML
formats.


Requirements:

- Perl 5.8 or later
- Date::Parse (libtimedate-perl)
- Net::IP (libnet-ip-perl)
- Net::DNS (libnet-dns-perl)
- LWP::UserAgent (libwww-perl)


Memory requirement considerations
=================================
Because Maltfilter is written in Perl, it (or rather the Perl interpreter
it is running under) tends not to free any allocated memory back to the
operating system. This is NOT a memory leak per se, but a feature of Perl's
memory allocator. Currently allocated memory is simply reused for other
structures when needed, thus making the VIRT consumption periodically rise.

However, there may be some situations (none that I have experienced myself
as of yet, but as usual anything is possible) where Maltfilter's memory
consumption rises to an unbearable level. On high-volume servers it may be
useful to periodically restart (as in a complete restart, not a reload via
HUP) the daemon to free the memory.

It is also helpful to change the FILTER_MAX_AGE and GLOBAL_MAX_AGE
configuration settings to smaller values, so that the amount of data held
in memory at once is smaller.


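As an added illustration of why smaller FILTER_MAX_AGE and GLOBAL_MAX_AGE values bound the data held in memory (example code, not maltfilter's own): the two setting names are taken from the README, but reading them as the retention time of installed filter rules and of raw per-source event timestamps respectively is an assumption of the example, as is the constructed burst of events fed through it.

```python
"""Added example (not maltfilter's own code): age-based "weeding" of the two
in-memory tables a log-scanning daemon keeps, showing how smaller max-age
settings bound the retained data.  Assumed meanings of the two settings:
  GLOBAL_MAX_AGE - how long raw per-source event timestamps are remembered
  FILTER_MAX_AGE - how long an installed filter rule stays before removal."""
from collections import defaultdict

class WeedingTable:
    def __init__(self, filter_max_age, global_max_age):
        self.filter_max_age = filter_max_age
        self.global_max_age = global_max_age
        self.events = defaultdict(list)   # ip -> [event timestamps]
        self.filters = {}                 # ip -> time the filter rule was installed

    def record(self, ip, ts, threshold=3):
        """Remember an event; install a filter once `threshold` events are seen."""
        self.events[ip].append(ts)
        if ip not in self.filters and len(self.events[ip]) >= threshold:
            self.filters[ip] = ts

    def weed(self, now):
        """Drop expired data.  Returns the IPs whose filter rules are due for
        deletion (the "weeding" of Netfilter rules the README mentions)."""
        for ip in list(self.events):
            self.events[ip] = [t for t in self.events[ip]
                               if now - t <= self.global_max_age]
            if not self.events[ip]:
                del self.events[ip]
        expired = [ip for ip, t in self.filters.items()
                   if now - t > self.filter_max_age]
        for ip in expired:
            del self.filters[ip]
        return sorted(expired)

    def footprint(self):
        """Count of retained items: the quantity the max-age settings control."""
        return sum(len(v) for v in self.events.values()) + len(self.filters)

def simulate(filter_max_age, global_max_age):
    """Feed a constructed burst (timestamps in seconds) and weed at t=1000.
    Returns (items still held, filter rules removed)."""
    table = WeedingTable(filter_max_age, global_max_age)
    # constructed: 203.0.113.5 hammers at t=0..4, 198.51.100.9 sends one hit at t=900
    for t in range(5):
        table.record("203.0.113.5", t)
    table.record("198.51.100.9", 900)
    removed = table.weed(now=1000)
    return table.footprint(), removed

if __name__ == "__main__":
    print("max ages 3600/3600:", simulate(3600, 3600))
    print("max ages  600/600: ", simulate(600, 600))
```

With hour-long ages the same burst leaves 7 items in memory and removes nothing; with ten-minute ages only the single recent event survives and the rule for 203.0.113.5 is returned as due for deletion. A daemon that weeds on every pass therefore keeps its working set proportional to the traffic inside the max-age window rather than to the whole log history, which is the effect the paragraph above recommends exploiting.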
Manual installation
===================
1) Copy the maltfilter script to /usr/sbin and set permissions:

   $ cp maltfilter /usr/sbin/maltfilter
   $ chmod 755 /usr/sbin/maltfilter
   $ chown root:root /usr/sbin/maltfilter

2) Copy the example configuration under /etc (you may not want the
   configuration to be readable by regular users, so the example below
   sets mode 0600 on it):

   $ cp example.conf /etc/maltfilter.conf
   $ chmod 600 /etc/maltfilter.conf
   $ chown root:root /etc/maltfilter.conf

3) Additionally, you can set up the provided Debian-style init script
   for starting Maltfilter at boot. You may need to edit the script
   if you did not install the configuration and maltfilter script to
   the paths described above.

   $ cp example.init /etc/init.d/maltfilter
   $ chmod 755 /etc/init.d/maltfilter
   $ chown root:root /etc/init.d/maltfilter

   After that you should run rcconf(8) or chkconfig(8) or a similar SysV
   runlevel configuration utility to enable the script on the desired
   runlevels.

4) You will also most likely want to set up Maltfilter to be SIGHUP'd/
   restarted when logfiles are rotated via logrotate (because Maltfilter
   does not automatically notice if logfiles are switched while it is
   running).

   There are several ways this can be done, most of which are distribution
   specific. If you are using a Debian-based distribution or something close
   enough, you can try the following:

   a) Use the included 'logrotate.example' logrotate script. This may not
      be as reliable a method as the one below, but it is somewhat easier
      and much more maintainable.

      $ cp logrotate.example /etc/logrotate.d/maltfilter
      $ chmod 644 /etc/logrotate.d/maltfilter
      $ chown root:root /etc/logrotate.d/maltfilter

   b) Alternatively you can edit /etc/logrotate.conf or the relevant file(s)
      under /etc/logrotate.d/ and add reloading or restarting of maltfilter
      in the script's postrotate section.

      For example, if you are using Debian with rsyslog, there should be
      /etc/logrotate.d/rsyslog, which takes care of rotating most system
      logs, such as auth.log. Add the following line to the postrotate
      section:

        invoke-rc.d maltfilter reload > /dev/null


Configuration and usage
=======================
See example.conf for documentation about the settings. After editing your
configuration, you should do a preliminary test run via report mode to
see if most settings are sane:

  $ maltfilter -f /etc/maltfilter.conf

After that, you can start maltfilter either via the init script
(recommended) or through the command line:

  $ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf

If you want to use the init script, you need to edit your init runlevel
settings to enable it; for example, in Debian/Ubuntu you can use rcconf(8)
or chkconfig(8).


Reports
=======
Automatic report generation can be enabled from the configuration.
You can also run "full" report generation via the "-f" option; in this
special mode no automatic weeding is performed, resulting in
more data being shown. In report mode Maltfilter will only parse the files
once, generate reports (if enabled) and quit.
