annotate example.conf @ 12:d6da1a6567f8
Update example configuration.
author | Matti Hamalainen <ccr@tnsp.org> |
date | Fri, 14 Aug 2009 01:26:29 +0300 |
parents | 26c2cc5077aa |
children | 3d18fdeabf90 |
1 ############################################################################# |
2 ### Maltfilter configuration file. |
3 ### PLEASE READ THROUGH THIS FILE VERY CAREFULLY! |
4 |
5 ############################################################################# |
6 ### General settings |
7 ############################################################################# |
8 # Verbosity level (0 = quiet, higher values add more output; valid range 0 - 4) |
9 VERBOSITY = 4 |
10 |
11 # Dry-run: 1 = disables daemonization/forking to background, disables |
12 # modification of netfilter/iptables, printing the iptables commands to |
13 # stdout instead. |
14 # NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE! |
15 DRY_RUN = 1 |
16 |
17 # Maltfilter logfile path and name (set empty "" if you don't want logging) |
18 LOGFILE = "/var/log/maltfilter" |
19 |
20 # Full path to iptables binary |
21 IPTABLES = "/sbin/iptables" |
22 |
23 |
24 ############################################################################# |
25 ### Actions, etc. settings |
26 ############################################################################# |
27 ## Weeding threshold in hours. Entries older than this will be "weeded" |
28 ## off from current netfilter settings. |
29 #WEEDPERIOD = 150 |
30 |
31 ## How many "hits" an IP needs before it becomes eligible to be blocked. |
32 ## (the "hits" can be from any "source", e.g. sshd crack, httpd, etc.) |
33 #TRESHOLD = 3 |
34 |
35 ## Target iptables action for added entries, default is DROP, but you |
36 ## can use whatever rule chain name you want here. |
37 #ACTION = "DROP" |
38 |
39 ## IP addresses that should NOT be blocked under any circumstances. You should |
40 ## set this if you wish to have a surefire open channel from some host, even in |
41 ## the case someone tries to spoof IPs for denial of service. |
42 ## |
43 ## NOTICE! This setting supports only IPv4 addresses, no IPv6 or DNS names. |
44 ## You can have any number of NOBLOCK_IPS settings. |
45 #NOBLOCK_IPS = "192.121.86.15" |
46 #NOBLOCK_IPS = "74.125.45.100" |
47 |
48 |
49 ############################################################################# |
50 ### Logfiles |
51 ############################################################################# |
52 ## Define system log files to scan. Only auth.log and Apache errorlog / |
53 ## common log format files are supported for now. You can have as many |
54 ## of SCANFILE settings as you wish. |
55 SCANFILE = "/var/log/auth.log" |
56 SCANFILE = "/var/log/httpd/error.log" |
57 SCANFILE = "/var/log/httpd/access.log" |
58 |
59 |
60 ############################################################################# |
61 ### Checks / tests |
62 ############################################################################# |
63 ## Enabled checks (1 = enabled, 0 = disabled). Please read the test |
64 ## descriptions from "check_log_line" function in the maltfilter script. |
65 CHK_SSHD = 1 |
66 CHK_KNOWN_CGI = 1 |
67 CHK_PHP_XSS = 1 |
68 CHK_PROXY_SCAN = 1 |
69 #CHK_GOOD_HOSTS = "example.org|google.com|74.125.45.100" |
70 |
71 ## Notice! ONLY enable this setting if you have disabled password-based root |
72 ## logins in sshd_config (e.g. you have "PermitRootLogin without-password") |
73 ## or that alternatively you have defined "safe" hosts in NOBLOCK_HOSTS below. |
74 CHK_ROOT_SSH_PWD = 0 |
75 |
76 |
77 ############################################################################# |
78 ### Reports |
79 ############################################################################# |
80 ## Define files for periodically updated status reports (refreshed once |
81 ## every few minutes.) Leave empty ("") or commented if you do not want |
82 ## status reports. |
83 |
84 ## Plain ASCII text file report |
85 #STATUS_FILE_PLAIN = "/var/www/maltstatus.txt" |
86 |
87 ## HTML file and optional CSS stylesheet URL for the HTML |
88 ## (if left empty, CSS is not used.) |
89 #STATUS_FILE_HTML = "/var/www/maltstatus.html" |
90 #STATUS_FILE_CSS = "cool.css" |