annotate example.conf @ 91:d8d8cd36e201

Update configuration.
author Matti Hamalainen <ccr@tnsp.org>
date Sun, 30 Aug 2009 22:39:26 +0300
parents 532169789f52
children 1cbefe9c26c1
#############################################################################
### Maltfilter configuration file.
### PLEASE READ THROUGH THIS FILE VERY CAREFULLY!
#############################################################################

#############################################################################
### General settings
#############################################################################
## Verbosity level (0 = quiet, bigger values add more output; valid range 0 - 4)
VERBOSITY = 3

## Dry-run: 1 = disables daemonization/forking to background, disables
## modification of netfilter via iptables (the iptables commands are printed
## to stdout instead) and disables DroneBL submissions.
## NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE!
DRY_RUN = 1

## Maltfilter logfile path and name (set empty "" if you don't want logging)
LOGFILE = "/var/log/maltfilter"

## IP addresses that should NOT be blocked under any circumstances. You should
## set this if you wish to have a surefire open channel from some host, even in
## the case someone tries to spoof IPs for a denial of service.
##
## NOTICE! This setting supports only IPv4 addresses and address ranges, no
## IPv6 or DNS names. You can have any number of NOACTION_IPS settings.
#NOACTION_IPS = "192.121.86.15"
#NOACTION_IPS = "74.125.45.100"

## Ranges in CIDR notation can also be used:
#NOACTION_IPS = "213.129.224.0/19"

## For how many hours to keep general information about an IP. This determines
## how long a period the statistics dump shows data for. Hitcount thresholds
## also take the old data into account, meaning that if FILTER_MAX_AGE < GLOBAL_MAX_AGE,
## hit data older than FILTER_MAX_AGE will still be counted towards the threshold
## (FILTER_THRESHOLD).
#GLOBAL_MAX_AGE = 336

## System passwd file location (default is /etc/passwd). This file
## is checked to figure out system account names. See also the SYSACCT_*
## settings below.
#PASSWD = "/etc/passwd"

## Set the range of system account UIDs here, default is 1-999.
## The root account is handled by the CHK_ROOT_SSH_PWD check.
#SYSACCT_MIN_UID = 1
#SYSACCT_MAX_UID = 999


#############################################################################
### Netfilter actions
#############################################################################
## 0 = Netfilter handling disabled
FILTER = 0

## Full path to iptables binary
IPTABLES = "/sbin/iptables"

## How many "hits" an IP needs until it is eligible to be filtered.
## (The "hits" can come from any check, e.g. sshd cracking, httpd, etc.)
FILTER_THRESHOLD = 3

## Weeding threshold in hours. Entries older than this will be removed
## from the current netfilter rules. Also, entries older than this
## will not be added to netfilter to begin with.
FILTER_MAX_AGE = 168

## iptables target for added entries. Default is DROP, but you
## can use any rule chain name you want here.
FILTER_TARGET = "DROP"

## Netfilter rule chain to add/remove rules to/from.
#FILTER_CHAIN = "INPUT"

## Netfilter table to add/remove rules to/from.
#FILTER_TABLE = "filter"


#############################################################################
### Logfiles
#############################################################################
## Define system log files to scan. Only auth.log and Apache error log /
## common log format files are supported for now. You can have as many
## SCANFILE settings as you wish.
SCANFILE = "/var/log/auth.log"
SCANFILE = "/var/log/httpd/error.log"
SCANFILE = "/var/log/httpd/access.log"

## SCANFILE_ONCE is like the SCANFILE setting, but these files are only
## parsed through once and are NOT followed for changes in "tail -f"
## style as SCANFILEs are. This is useful if you want to include data
## from logrotated files. (Notice that gzip-compressed files are not supported.)
SCANFILE_ONCE = "/var/log/auth.log.1"


#############################################################################
### Checks / tests
#############################################################################
## Enabled checks (1 = enabled, 0 = disabled). Please read the test
## descriptions in the "check_log_line" function in the maltfilter script.

# (1) SSHD scans
## (1.1) Generic login scan attempts.
## Bruteforce attempts of login/password combinations lead to lots of
## "Failed password for invalid user" errors. This check catches them.
CHK_SSHD = 1

## (1.2) Root account SSH login password bruteforcing attempts.
## This check catches failed password logins for the root account.
##
## NOTICE! Do not enable this setting if you allow SSH root logins via
## password authentication! Mistyping the password may get you blocked unless
## your host IP is defined in NOACTION_IPS. If you wish to enable this
## check, you should set "PermitRootLogin" to "without-password" or "no"
## in your sshd_config.
CHK_ROOT_SSH_PWD = 0

## (1.3) System account SSH login password bruteforcing attempts.
## Catches failed password logins for system accounts.
##
## NOTICE! If you enable this setting, make sure you have defined safe
## host IPs in NOACTION_IPS, and that your system DOES NOT have passwords
## for system accounts .. which would be stupid anyway.
CHK_SYSACCT_SSH_PWD = 0


# (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin)
# NOTICE! This matches the ERRORLOG, thus it only works if you DO NOT have
# some or any of these installed. Preferably none, or use uncommon
# paths and prefixes.
CHK_KNOWN_CGI = 1


# (3) Apache common logging format checks
## With the CHK_GOOD_HOSTS setting you can define hostnames and IPs
## which do not cause the section (3) checks to trigger. For example,
## if your website uses local URL pointers, you should define
## the hostname(s) and IPs here.
#CHK_GOOD_HOSTS = "example.org|google.com|74.125.45.100"

## (3.1) Simple match for generic PHP XSS vulnerability scans
##
## NOTICE! If your site genuinely uses (checked) PHP parameters containing
## URIs, you should set CHK_GOOD_HOSTS to match your hostname(s)/IP(s)
## used in the URIs.
CHK_PHP_XSS = 1

## (3.2) Try to match proxy scanning attempts
## Certain attempts to find open HTTP proxies are caught by this check.
CHK_PROXY_SCAN = 1


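The hit-counting rules described in the General settings, Netfilter actions and (1.1) CHK_SSHD comments above, worked through as an added Python example (not the maltfilter script's own code): hits are retained for GLOBAL_MAX_AGE hours and all of them count towards FILTER_THRESHOLD, an entry whose latest hit is older than FILTER_MAX_AGE is not added, NOACTION_IPS (single addresses or CIDR ranges) are exempt, and the resulting iptables command is what DRY_RUN=1 would print instead of executing. The log regex, the iptables argument order and all sample addresses and log lines are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Values taken from the example configuration above (ages in hours).
FILTER_THRESHOLD = 3
FILTER_MAX_AGE = 168        # entries with no hit newer than this are not added / are removed
GLOBAL_MAX_AGE = 336        # hit data is kept this long and still counts towards the threshold
IPTABLES = "/sbin/iptables"
FILTER_TARGET = "DROP"
FILTER_CHAIN = "INPUT"
FILTER_TABLE = "filter"
NOACTION_IPS = ["192.121.86.15", "213.129.224.0/19"]   # IPv4 only, CIDR allowed

# CHK_SSHD (1.1): "Failed password for invalid user" lines. The regex is an
# assumption modelled on the OpenSSH message shape, not taken from maltfilter.
SSHD_RE = re.compile(r"Failed password for invalid user \S+ from (\d+\.\d+\.\d+\.\d+)")


def noaction_networks():
    # A bare address becomes a /32 network, so hosts and ranges share one check.
    return [ipaddress.ip_network(n, strict=False) for n in NOACTION_IPS]


def is_noaction(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in noaction_networks())


class HitTracker:
    def __init__(self):
        self.hits = {}   # ip -> list of hit timestamps

    def scan_line(self, line, when):
        """Record a hit if the line matches the CHK_SSHD pattern."""
        m = SSHD_RE.search(line)
        if not m:
            return False
        self.hits.setdefault(m.group(1), []).append(when)
        return True

    def weed(self, now):
        """Drop hit data older than GLOBAL_MAX_AGE (the retention window)."""
        cutoff = now - timedelta(hours=GLOBAL_MAX_AGE)
        for ip in list(self.hits):
            self.hits[ip] = [t for t in self.hits[ip] if t >= cutoff]
            if not self.hits[ip]:
                del self.hits[ip]

    def eligible(self, ip, now):
        """Eligible for netfilter when retained hits reach FILTER_THRESHOLD
        (hits older than FILTER_MAX_AGE still count, as the config warns),
        the latest hit is newer than FILTER_MAX_AGE, and the IP is exempt."""
        self.weed(now)
        times = self.hits.get(ip, [])
        if len(times) < FILTER_THRESHOLD or is_noaction(ip):
            return False
        return now - max(times) < timedelta(hours=FILTER_MAX_AGE)


def iptables_command(ip):
    """argv a non-dry run would execute; under DRY_RUN=1 it is printed instead.
    The argument order is an assumption, not maltfilter's actual invocation."""
    return [IPTABLES, "-t", FILTER_TABLE, "-I", FILTER_CHAIN, "-s", ip, "-j", FILTER_TARGET]


def demo(now=datetime(2009, 8, 30, 22, 39)):
    """Constructed auth.log events as (hours ago, line); returns ip -> eligible."""
    def line(ip, user="admin"):
        return f"sshd[1234]: Failed password for invalid user {user} from {ip} port 4444 ssh2"
    events = [
        (200, line("10.0.0.5")), (199, line("10.0.0.5")), (1, line("10.0.0.5")),   # old hits still count
        (200, line("10.0.0.6")), (199, line("10.0.0.6")), (198, line("10.0.0.6")), # last hit > FILTER_MAX_AGE
        (400, line("10.0.0.7")), (399, line("10.0.0.7")), (398, line("10.0.0.7")), # weeded by GLOBAL_MAX_AGE
        (1, line("213.129.230.1")), (1, line("213.129.230.1")), (1, line("213.129.230.1")),  # in NOACTION CIDR
        (2, line("10.0.0.8")), (1, line("10.0.0.8")),                              # below threshold
        (1, "sshd[1234]: Accepted publickey for ccr from 10.0.0.9 port 2222 ssh2"), # no match
    ]
    tracker = HitTracker()
    for hours_ago, text in events:
        tracker.scan_line(text, now - timedelta(hours=hours_ago))
    return {ip: tracker.eligible(ip, now)
            for ip in ["10.0.0.5", "10.0.0.6", "10.0.0.7", "213.129.230.1", "10.0.0.8"]}


if __name__ == "__main__":
    for ip, ok in demo().items():
        if ok:
            print("DRY_RUN:", " ".join(iptables_command(ip)))
        else:
            print("not eligible:", ip)
```

Only 10.0.0.5 is eligible: two of its three hits are older than FILTER_MAX_AGE but inside GLOBAL_MAX_AGE, so they still count, which is exactly the interaction the GLOBAL_MAX_AGE comment warns about.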
11
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 10
diff changeset
153 #############################################################################
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 10
diff changeset
154 ### Reports
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 10
diff changeset
155 #############################################################################
12
d6da1a6567f8 Update example configuration.
Matti Hamalainen <ccr@tnsp.org>
parents: 11
diff changeset
156 ## Define files for periodically updated status reports (refreshed once
d6da1a6567f8 Update example configuration.
Matti Hamalainen <ccr@tnsp.org>
parents: 11
diff changeset
157 ## every few minutes.) Leave empty ("") or commented if you do not want
d6da1a6567f8 Update example configuration.
Matti Hamalainen <ccr@tnsp.org>
parents: 11
diff changeset
158 ## status reports.
11
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 10
diff changeset
159
66
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
160 ## Plain ASCII text file report
12
d6da1a6567f8 Update example configuration.
Matti Hamalainen <ccr@tnsp.org>
parents: 11
diff changeset
161 #STATUS_FILE_PLAIN = "/var/www/maltstatus.txt"
11
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 10
diff changeset
162
12
d6da1a6567f8 Update example configuration.
Matti Hamalainen <ccr@tnsp.org>
parents: 11
diff changeset
163 ## HTML file and optional CSS stylesheet URL for the HTML
66
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
164 ## (if left empty/unset, CSS will not be linked from the HTML file.)
12
d6da1a6567f8 Update example configuration.
Matti Hamalainen <ccr@tnsp.org>
parents: 11
diff changeset
165 #STATUS_FILE_HTML = "/var/www/maltstatus.html"
d6da1a6567f8 Update example configuration.
Matti Hamalainen <ccr@tnsp.org>
parents: 11
diff changeset
166 #STATUS_FILE_CSS = "cool.css"
17
fe220b5a975a Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents: 14
diff changeset
167
fe220b5a975a Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents: 14
diff changeset
168 ## URL for a web-based WHOIS service. This URL will be used for creating
fe220b5a975a Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents: 14
diff changeset
169 ## href links of the IP addresses. Default is whois.domaintools.com. Set
fe220b5a975a Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents: 14
diff changeset
170 ## empty if you don't want links.
fe220b5a975a Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents: 14
diff changeset
171 #WHOIS_URL = "http://whois.domaintools.com/"
41
b11a56e256a9 Update example configuration.
Matti Hamalainen <ccr@tnsp.org>
parents: 40
diff changeset
172
b11a56e256a9 Update example configuration.
Matti Hamalainen <ccr@tnsp.org>
parents: 40
diff changeset
173
b11a56e256a9 Update example configuration.
Matti Hamalainen <ccr@tnsp.org>
parents: 40
diff changeset
174 ## If disabled (0), instead of full timestamps, first/last hit times
b11a56e256a9 Update example configuration.
Matti Hamalainen <ccr@tnsp.org>
parents: 40
diff changeset
175 ## will be printed as "W weeks, D days, H hours ago." etc.
b11a56e256a9 Update example configuration.
Matti Hamalainen <ccr@tnsp.org>
parents: 40
diff changeset
176 #FULL_TIME = 1
61
8b33436dd18b Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 54
diff changeset
177
8b33436dd18b Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 54
diff changeset
178
8b33436dd18b Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 54
diff changeset
179 #############################################################################
8b33436dd18b Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 54
diff changeset
180 ### Evidence gathering
8b33436dd18b Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 54
diff changeset
181 #############################################################################
8b33436dd18b Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 54
diff changeset
182 ## By enabling EVIDENCE=1 and setting EVIDENCE_DIR to existing directory
8b33436dd18b Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 54
diff changeset
183 ## writable by the effective UID which Maltfilter runs as, it will be
66
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
184 ## populated by *.info, *.data and *.hosts files. If succesfully retrieved,
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
185 ## .data files will have contents of the attempted XSS URI. *.hosts files
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
186 ## list which hosts have attempted to exploit this specific URI. *.info
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
187 ## contain generic information and HTTP headers.
61
8b33436dd18b Update example configuration and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 54
diff changeset
188
66
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
189 EVIDENCE = 0
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
190 EVIDENCE_DIR = "/var/run/malt-evidence"
65
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
191
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
192
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
193 #############################################################################
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
194 ### DroneBL submissions
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
195 #############################################################################
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
196 ## Maltfilter can automatically submit entries to DroneBL DNSBL service.
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
197 ## See <http://www.dronebl.org/> for more information.
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
198
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
199 ## 0 = submission disabled, otherwise enabled
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
200 DRONEBL = 0
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
201
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
202 ## Number of hits required before host IP goes to submission queue.
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
203 ## This setting is independent of the general THRESHOLD value and
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
204 ## only affects DroneBL submissions.
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
205 DRONEBL_THRESHOLD = 5
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
206
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
207 ## Maximum age of hits counted towards DroneBL submission threshold.
83
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
208 ## NOTICE! Value this is in _minutes_!
66
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
209 DRONEBL_MAX_AGE = 60
65
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
210
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
211 ## Your personal RPC key. This _MUST_ be set to a valid value, if you
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
212 ## have enabled submissions. To get a personal key, go to:
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
213 ## http://www.dronebl.org/rpckey_signup
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
214 DRONEBL_RPC_KEY = ""
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
215
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
216 ## RPC2 submission URI, usually you do not need to change this.
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 61
diff changeset
217 #DRONEBL_RPC_URI = "http://dronebl.org/RPC2"
83
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
218
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
219 ## Number of errors are tolerated in submission / HTTP connection
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
220 ## before submissions are suspended?
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
221 #DRONEBL_MAX_ERRORS = 5
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
222
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
223 ## Number of Maltfilter maintenance "rounds" to suspend submissions for.
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
224 ## Currently maintenances happen approximately every 60 seconds.
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
225 ## Thus value of 10 would mean suspending for about 10 minutes.
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
226 ## (the times are not exact, because maintenances include operations
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
227 ## which vary in duration.)
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
228 #DRONEBL_SUSPEND = 10