comparison example.conf @ 66:42889eed0ce8
Lots of cleanups, etc. Documentation updates.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Tue, 18 Aug 2009 03:21:30 +0300 |
parents | d2e2b82dd2f2 |
children | b090ddfccdab |
65:d2e2b82dd2f2 | 66:42889eed0ce8 |
---|---|
1 ############################################################################# | 1 ############################################################################# |
2 ### Maltfilter configuration file. | 2 ### Maltfilter configuration file. |
3 ### PLEASE READ THROUGH THIS FILE VERY CAREFULLY! | 3 ### PLEASE READ THROUGH THIS FILE VERY CAREFULLY! |
4 ############################################################################# | |
4 | 5 |
5 ############################################################################# | 6 ############################################################################# |
6 ### General settings | 7 ### General settings |
7 ############################################################################# | 8 ############################################################################# |
8 # Verbosity level (0 = quiet, bigger values add noise. valid range 0 - 4) | 9 ## Verbosity level (0 = quiet, bigger values add noise. valid range 0 - 4) |
9 VERBOSITY = 4 | 10 VERBOSITY = 3 |
10 | 11 |
11 # Dry-run: 1 = disables daemonization/forking to background, disables | 12 ## Dry-run: 1 = disables daemonization/forking to background, disables |
12 # modification of netfilter/iptables, printing the iptables commands to | 13 ## modification of netfilter via iptables, printing the iptables commands |
13 # stdout instead. | 14 ## to stdout instead and DroneBL submissions will be disabled. |
14 # NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE! | 15 ## NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE! |
15 DRY_RUN = 1 | 16 DRY_RUN = 1 |
16 | 17 |
17 # Full path to iptables binary | 18 ## Maltfilter logfile path and name (set empty "" if you don't want logging) |
18 IPTABLES = "/sbin/iptables" | |
19 | |
20 # Maltfilter logfile path and name (set empty "" if you don't want logging) | |
21 LOGFILE = "/var/log/maltfilter" | 19 LOGFILE = "/var/log/maltfilter" |
22 | 20 |
23 # System passwd file location (default is /etc/passwd), this file | 21 ## IP addresses that should NOT be blocked under any circumstances. You should |
24 # is checked to figure out system account names. See also SYSACCT_ | 22 ## set this if you wish to have a surefire open channel from some host, even in |
25 # settings below. | 23 ## the case someone tries to spoof IPs for denial of service. |
24 ## | |
25 ## NOTICE! This setting supports only IPv4 addresses, no IPv6 or DNS names. | |
26 ## You can have any number of NOACTION_IPS settings. | |
27 #NOACTION_IPS = "192.121.86.15" | |
28 #NOACTION_IPS = "74.125.45.100" | |
29 | |
30 ## For how many hours to keep general information about IP. Affects from | |
31 ## how long period statistics dump shows data. Also hitcount thresholds | |
32 ## take the old data into account, meaning that if FILTER_MAX_AGE < GLOBAL_MAX_AGE | |
33 ## hit data older than FILTER_MAX_AGE will be counted towards THRESHOLD. | |
34 #GLOBAL_MAX_AGE = 336 | |
35 | |
36 ## System passwd file location (default is /etc/passwd), this file | |
37 ## is checked to figure out system account names. See also SYSACCT_* | |
38 ## settings below. | |
26 #PASSWD = "/etc/passwd" | 39 #PASSWD = "/etc/passwd" |
27 | 40 |
28 ## Set range of system account UIDs here, default is 1-100. | 41 ## Set range of system account UIDs here, default is 1-100. |
29 ## Root account is handled by CHK_ROOT_SSH_PWD check. | 42 ## Root account is handled by CHK_ROOT_SSH_PWD check. |
30 #SYSACCT_MIN_UID = 1 | 43 #SYSACCT_MIN_UID = 1 |
31 #SYSACCT_MAX_UID = 100 | 44 #SYSACCT_MAX_UID = 100 |
32 | 45 |
33 | 46 |
34 ############################################################################# | 47 ############################################################################# |
35 ### Actions, etc. settings | 48 ### Netfilter actions |
36 ############################################################################# | 49 ############################################################################# |
50 ## 0 = Netfilter handling disabled | |
51 FILTER = 0 | |
52 | |
53 ## Full path to iptables binary | |
54 IPTABLES = "/sbin/iptables" | |
55 | |
56 ## How many "hits" the IP needs until it is eligible to be filtered. | |
57 ## (the "hits" can be from any check, e.g. sshd crack, httpd, etc.) | |
58 FILTER_THRESHOLD = 3 | |
59 | |
37 ## Weeding threshold in hours. Entries older than this will be removed | 60 ## Weeding threshold in hours. Entries older than this will be removed |
38 ## off from current netfilter settings. Also, entries older than this | 61 ## off from current netfilter settings. Also, entries older than this |
39 ## will not be added to netfilter to begin with. | 62 ## will not be added to netfilter to begin with. |
40 #WEED_FILTER = 168 | 63 FILTER_MAX_AGE = 168 |
41 | 64 |
42 ## For how many hours to keep general information about IP. Affects from | 65 ## Target iptables target for added entries, default is DROP, but you |
43 ## how long period statistics dump shows data. Also hitcount thresholds | |
44 ## take the old data into account, meaning that if WEED_FILTER < WEED_GLOBAL | |
45 ## hit data older than WEED_FILTER will be counted towards THRESHOLD. | |
46 #WEED_GLOBAL = 336 | |
47 | |
48 ## How many "hits" the IP needs until it is eligible to be blocked. | |
49 ## (the "hits" can be from any "source", e.g. sshd crack, httpd, etc.) | |
50 #THRESHOLD = 3 | |
51 | |
52 ## Target iptables action for added entries, default is DROP, but you | |
53 ## can use whatever rule chain name you want to here. | 66 ## can use whatever rule chain name you want to here. |
54 #ACTION = "DROP" | 67 FILTER_TARGET = "DROP" |
55 | |
56 ## IP addresses that should NOT be blocked under any circumstances. You should | |
57 ## set this if you wish to have a surefire open channel from some host, even in | |
58 ## the case someone tries to spoof IPs for denial of service. | |
59 ## | |
60 ## NOTICE! This setting supports only IPv4 addresses, no IPv6 or DNS names. | |
61 ## You can have any number of NOBLOCK_IPS settings. | |
62 #NOBLOCK_IPS = "192.121.86.15" | |
63 #NOBLOCK_IPS = "74.125.45.100" | |
64 | 68 |
65 | 69 |
66 ############################################################################# | 70 ############################################################################# |
67 ### Logfiles | 71 ### Logfiles |
68 ############################################################################# | 72 ############################################################################# |
95 ## (1.2) Root account SSH login password bruteforcing attempts. | 99 ## (1.2) Root account SSH login password bruteforcing attempts. |
96 ## This check catches failed password logins for root account. | 100 ## This check catches failed password logins for root account. |
97 ## | 101 ## |
98 ## NOTICE! Do not enable this setting, if you allow SSH root logins via | 102 ## NOTICE! Do not enable this setting, if you allow SSH root logins via |
99 ## password authentication! Mistyping password may get you blocked unless | 103 ## password authentication! Mistyping password may get you blocked unless |
100 ## your host IP is defined in NOBLOCK_IPS. If you wish to enable this | 104 ## your host IP is defined in NOACTION_IPS. If you wish to enable this |
101 ## check, you should set "PermitRootLogin" to "without-password" or "no" | 105 ## check, you should set "PermitRootLogin" to "without-password" or "no" |
102 ## in your sshd_config. | 106 ## in your sshd_config. |
103 CHK_ROOT_SSH_PWD = 0 | 107 CHK_ROOT_SSH_PWD = 0 |
104 | 108 |
105 ## (1.3) System account SSH login password bruteforcing attempts. | 109 ## (1.3) System account SSH login password bruteforcing attempts. |
106 ## Catches failed password logins for system accounts. | 110 ## Catches failed password logins for system accounts. |
107 ## | 111 ## |
108 ## NOTICE! If you enable this setting, make sure have defined safe | 112 ## NOTICE! If you enable this setting, make sure have defined safe |
109 ## host IPs in NOBLOCK_IPS, and that your system DOES NOT have passwords | 113 ## host IPs in NOACTION_IPS, and that your system DOES NOT have passwords |
110 ## for system accounts .. which would be stupid anyway. | 114 ## for system accounts .. which would be stupid anyway. |
111 CHK_SYSACCT_SSH_PWD = 0 | 115 CHK_SYSACCT_SSH_PWD = 0 |
112 | |
113 | 116 |
114 | 117 |
115 # (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin) | 118 # (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin) |
116 # NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have | 119 # NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have |
117 # any or some of these installed. Preferably none, or use uncommon | 120 # any or some of these installed. Preferably none, or use uncommon |
143 ############################################################################# | 146 ############################################################################# |
144 ## Define files for periodically updated status reports (refreshed once | 147 ## Define files for periodically updated status reports (refreshed once |
145 ## every few minutes.) Leave empty ("") or commented if you do not want | 148 ## every few minutes.) Leave empty ("") or commented if you do not want |
146 ## status reports. | 149 ## status reports. |
147 | 150 |
148 ## Plain ASCII text file rerpot | 151 ## Plain ASCII text file report |
149 #STATUS_FILE_PLAIN = "/var/www/maltstatus.txt" | 152 #STATUS_FILE_PLAIN = "/var/www/maltstatus.txt" |
150 | 153 |
151 ## HTML file and optional CSS stylesheet URL for the HTML | 154 ## HTML file and optional CSS stylesheet URL for the HTML |
152 ## (if left empty, CSS is not used.) | 155 ## (if left empty/unset, CSS will not be linked from the HTML file.) |
153 #STATUS_FILE_HTML = "/var/www/maltstatus.html" | 156 #STATUS_FILE_HTML = "/var/www/maltstatus.html" |
154 #STATUS_FILE_CSS = "cool.css" | 157 #STATUS_FILE_CSS = "cool.css" |
155 | 158 |
156 ## URL for a web-based WHOIS service. This URL will be used for creating | 159 ## URL for a web-based WHOIS service. This URL will be used for creating |
157 ## href links of the IP addresses. Default is whois.domaintools.com. Set | 160 ## href links of the IP addresses. Default is whois.domaintools.com. Set |
167 ############################################################################# | 170 ############################################################################# |
168 ### Evidence gathering | 171 ### Evidence gathering |
169 ############################################################################# | 172 ############################################################################# |
170 ## By enabling EVIDENCE=1 and setting EVIDENCE_DIR to existing directory | 173 ## By enabling EVIDENCE=1 and setting EVIDENCE_DIR to existing directory |
171 ## writable by the effective UID which Maltfilter runs as, it will be | 174 ## writable by the effective UID which Maltfilter runs as, it will be |
172 ## populated by *.data and *.hosts files. If succesfully retrieved, .data | 175 ## populated by *.info, *.data and *.hosts files. If succesfully retrieved, |
173 ## files will have contents of the attempted XSS URI. *.hosts files | 176 ## .data files will have contents of the attempted XSS URI. *.hosts files |
174 ## list which hosts have attempted to exploit this specific URI. | 177 ## list which hosts have attempted to exploit this specific URI. *.info |
175 | 178 ## contain generic information and HTTP headers. |
176 #EVIDENCE = 0 | 179 |
177 #EVIDENCE_DIR = "/var/run/malt-evidence" | 180 EVIDENCE = 0 |
181 EVIDENCE_DIR = "/var/run/malt-evidence" | |
178 | 182 |
179 | 183 |
180 ############################################################################# | 184 ############################################################################# |
181 ### DroneBL submissions | 185 ### DroneBL submissions |
182 ############################################################################# | 186 ############################################################################# |
190 ## This setting is independent of the general THRESHOLD value and | 194 ## This setting is independent of the general THRESHOLD value and |
191 ## only affects DroneBL submissions. | 195 ## only affects DroneBL submissions. |
192 DRONEBL_THRESHOLD = 5 | 196 DRONEBL_THRESHOLD = 5 |
193 | 197 |
194 ## Maximum age of hits counted towards DroneBL submission threshold. | 198 ## Maximum age of hits counted towards DroneBL submission threshold. |
195 ## There is currently no weeding of submissions. | 199 ## NOTICE! Value this is in minutes! |
196 DRONEBL_MAX_AGE = 30 | 200 DRONEBL_MAX_AGE = 60 |
197 | 201 |
198 ## Your personal RPC key. This _MUST_ be set to a valid value, if you | 202 ## Your personal RPC key. This _MUST_ be set to a valid value, if you |
199 ## have enabled submissions. To get a personal key, go to: | 203 ## have enabled submissions. To get a personal key, go to: |
200 ## http://www.dronebl.org/rpckey_signup | 204 ## http://www.dronebl.org/rpckey_signup |
201 DRONEBL_RPC_KEY = "" | 205 DRONEBL_RPC_KEY = "" |
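Review bot: Two comments on the new side still refer to the setting name the commit removes: new line 33 ("counted towards THRESHOLD") and new line 194 ("independent of the general THRESHOLD value") should read `## hit data older than FILTER_MAX_AGE will be counted towards FILTER_THRESHOLD.` and `## This setting is independent of the general FILTER_THRESHOLD value and`, since the key is now `FILTER_THRESHOLD` (new line 58). The same rename pass turns `NOBLOCK_IPS`, `WEED_FILTER`, `WEED_GLOBAL` and `ACTION` into `NOACTION_IPS`, `FILTER_MAX_AGE`, `GLOBAL_MAX_AGE` and `FILTER_TARGET` with no note in the file; if the parser silently ignores unknown keys (not visible here), an existing deployment keeps its old `NOBLOCK_IPS` whitelist in name only, which is exactly the self-lockout case the `CHK_ROOT_SSH_PWD` / `CHK_SYSACCT_SSH_PWD` notices at new lines 104 and 113 warn about. A short "renamed settings" note near the top of the file, or a startup warning on the old names, would make that failure visible. Separately, `DRONEBL_RPC_KEY` is a credential, so the comment above it could add `## This key grants submission rights; keep this file readable only by the user Maltfilter runs as.`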