Mercurial > hg > maltfilter
comparison README @ 66:42889eed0ce8
Lots of cleanups, etc. Documentation updates.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Tue, 18 Aug 2009 03:21:30 +0300 |
| parents | d2e2b82dd2f2 |
| children | b090ddfccdab |
comparison
equal
deleted
inserted
replaced
| 65:d2e2b82dd2f2 | 66:42889eed0ce8 |
|---|---|
| 1 Malicious Attack Livid Termination Filter daemon (maltfilter) v0.15.0 | 1 Malicious Attack Livid Termination Filter daemon (maltfilter) v0.16.0 |
| 2 ===================================================================== | 2 ===================================================================== |
| 3 Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org> | 3 Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org> |
| 4 (C) Copyright 2009 Tecnic Software productions (TNSP) | 4 (C) Copyright 2009 Tecnic Software productions (TNSP) |
| 5 | 5 |
| 6 Distributed under the modified ("3-clause") BSD license. Please see | 6 Distributed under the modified ("3-clause") BSD license. Please see |
| 9 About | 9 About |
| 10 ===== | 10 ===== |
| 11 Maltfilter daemon script continuously scans various system logfiles | 11 Maltfilter daemon script continuously scans various system logfiles |
| 12 including auth.log, httpd logs, etc. for signs of malicious connections, | 12 including auth.log, httpd logs, etc. for signs of malicious connections, |
| 13 break-in and exploitation attempts. The originating IP addresses of | 13 break-in and exploitation attempts. The originating IP addresses of |
| 14 these connections are then blocked via Netfilter (iptables). | 14 these connections can be then acted upon in following ways, each |
| 15 being optional: | |
| 16 | |
| 17 * Insertion (and eventual deletion or "weeding") of Netfilter rules. | |
| 18 * Submitting entry to DroneBL DNSBL service. | |
| 15 | 19 |
| 16 Additionally Maltfilter can generate status reports (either continuously | 20 Additionally Maltfilter can generate status reports (either continuously |
| 17 in daemon mode, or as once-run report), in plaintext and HTML formats | 21 in daemon mode, or as once-run report), in plaintext and HTML formats |
| 18 and submit data to DroneBL DNSBL service. | |
| 19 | 22 |
| 20 Since v0.14, there is also option for gathering "evidence" about certain | 23 Since v0.14, there is also option for gathering "evidence" about certain |
| 21 PHP XSS exploit attempts into specified directory. These evidence files | 24 PHP XSS exploit attempts into specified directory. These evidence files |
| 22 include the attempted exploit code (if found) and hosts which have tried | 25 include the attempted exploit code (if found) and hosts which have tried |
| 23 to make your server run it. | 26 to make your server run it. |
| 63 Also a simple example HTML CSS stylesheet is provided for your convenience. | 66 Also a simple example HTML CSS stylesheet is provided for your convenience. |
| 64 | 67 |
| 65 | 68 |
| 66 Configuration and usage | 69 Configuration and usage |
| 67 ======================= | 70 ======================= |
| 68 See example.conf for documentation about settings. | 71 See example.conf for documentation about settings. Start maltfilter |
| 69 Start maltfilter either via the init script or through commandline: | 72 either via the init script or through commandline: |
| 70 | 73 |
| 71 $ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf | 74 $ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf |
| 72 | 75 |
| 73 If you want to use the init script, you need to edit your init runlevel | 76 If you want to use the init script, you need to edit your init runlevel |
| 74 settings to enable it, for example in Debian/Ubuntu you can use rcconf(8) | 77 settings to enable it, for example in Debian/Ubuntu you can use rcconf(8) |