comparison example.conf @ 66:42889eed0ce8

Lots of cleanups, etc. Documentation updates.
author Matti Hamalainen <ccr@tnsp.org>
date Tue, 18 Aug 2009 03:21:30 +0300
parents d2e2b82dd2f2
children b090ddfccdab
65:d2e2b82dd2f2 66:42889eed0ce8
1 ############################################################################# 1 #############################################################################
2 ### Maltfilter configuration file. 2 ### Maltfilter configuration file.
3 ### PLEASE READ THROUGH THIS FILE VERY CAREFULLY! 3 ### PLEASE READ THROUGH THIS FILE VERY CAREFULLY!
4 #############################################################################
4 5
5 ############################################################################# 6 #############################################################################
6 ### General settings 7 ### General settings
7 ############################################################################# 8 #############################################################################
8 # Verbosity level (0 = quiet, bigger values add noise. valid range 0 - 4) 9 ## Verbosity level (0 = quiet, bigger values add noise. valid range 0 - 4)
9 VERBOSITY = 4 10 VERBOSITY = 3
10 11
11 # Dry-run: 1 = disables daemonization/forking to background, disables 12 ## Dry-run: 1 = disables daemonization/forking to background, disables
12 # modification of netfilter/iptables, printing the iptables commands to 13 ## modification of netfilter via iptables, printing the iptables commands
13 # stdout instead. 14 ## to stdout instead and DroneBL submissions will be disabled.
14 # NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE! 15 ## NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE!
15 DRY_RUN = 1 16 DRY_RUN = 1
16 17
17 # Full path to iptables binary 18 ## Maltfilter logfile path and name (set empty "" if you don't want logging)
18 IPTABLES = "/sbin/iptables"
19
20 # Maltfilter logfile path and name (set empty "" if you don't want logging)
21 LOGFILE = "/var/log/maltfilter" 19 LOGFILE = "/var/log/maltfilter"
22 20
23 # System passwd file location (default is /etc/passwd), this file 21 ## IP addresses that should NOT be blocked under any circumstances. You should
24 # is checked to figure out system account names. See also SYSACCT_ 22 ## set this if you wish to have a surefire open channel from some host, even in
25 # settings below. 23 ## the case someone tries to spoof IPs for denial of service.
24 ##
25 ## NOTICE! This setting supports only IPv4 addresses, no IPv6 or DNS names.
26 ## You can have any number of NOACTION_IPS settings.
27 #NOACTION_IPS = "192.121.86.15"
28 #NOACTION_IPS = "74.125.45.100"
29
30 ## For how many hours to keep general information about IP. Affects from
31 ## how long period statistics dump shows data. Also hitcount thresholds
32 ## take the old data into account, meaning that if FILTER_MAX_AGE < GLOBAL_MAX_AGE
33 ## hit data older than FILTER_MAX_AGE will be counted towards THRESHOLD.
34 #GLOBAL_MAX_AGE = 336
35
36 ## System passwd file location (default is /etc/passwd), this file
37 ## is checked to figure out system account names. See also SYSACCT_*
38 ## settings below.
26 #PASSWD = "/etc/passwd" 39 #PASSWD = "/etc/passwd"
27 40
28 ## Set range of system account UIDs here, default is 1-100. 41 ## Set range of system account UIDs here, default is 1-100.
29 ## Root account is handled by CHK_ROOT_SSH_PWD check. 42 ## Root account is handled by CHK_ROOT_SSH_PWD check.
30 #SYSACCT_MIN_UID = 1 43 #SYSACCT_MIN_UID = 1
31 #SYSACCT_MAX_UID = 100 44 #SYSACCT_MAX_UID = 100
32 45
33 46
34 ############################################################################# 47 #############################################################################
35 ### Actions, etc. settings 48 ### Netfilter actions
36 ############################################################################# 49 #############################################################################
50 ## 0 = Netfilter handling disabled
51 FILTER = 0
52
53 ## Full path to iptables binary
54 IPTABLES = "/sbin/iptables"
55
56 ## How many "hits" the IP needs until it is eligible to be filtered.
57 ## (the "hits" can be from any check, e.g. sshd crack, httpd, etc.)
58 FILTER_THRESHOLD = 3
59
37 ## Weeding threshold in hours. Entries older than this will be removed 60 ## Weeding threshold in hours. Entries older than this will be removed
38 ## off from current netfilter settings. Also, entries older than this 61 ## off from current netfilter settings. Also, entries older than this
39 ## will not be added to netfilter to begin with. 62 ## will not be added to netfilter to begin with.
40 #WEED_FILTER = 168 63 FILTER_MAX_AGE = 168
41 64
42 ## For how many hours to keep general information about IP. Affects from 65 ## Target iptables target for added entries, default is DROP, but you
43 ## how long period statistics dump shows data. Also hitcount thresholds
44 ## take the old data into account, meaning that if WEED_FILTER < WEED_GLOBAL
45 ## hit data older than WEED_FILTER will be counted towards THRESHOLD.
46 #WEED_GLOBAL = 336
47
48 ## How many "hits" the IP needs until it is eligible to be blocked.
49 ## (the "hits" can be from any "source", e.g. sshd crack, httpd, etc.)
50 #THRESHOLD = 3
51
52 ## Target iptables action for added entries, default is DROP, but you
53 ## can use whatever rule chain name you want to here. 66 ## can use whatever rule chain name you want to here.
54 #ACTION = "DROP" 67 FILTER_TARGET = "DROP"
55
56 ## IP addresses that should NOT be blocked under any circumstances. You should
57 ## set this if you wish to have a surefire open channel from some host, even in
58 ## the case someone tries to spoof IPs for denial of service.
59 ##
60 ## NOTICE! This setting supports only IPv4 addresses, no IPv6 or DNS names.
61 ## You can have any number of NOBLOCK_IPS settings.
62 #NOBLOCK_IPS = "192.121.86.15"
63 #NOBLOCK_IPS = "74.125.45.100"
64 68
65 69
66 ############################################################################# 70 #############################################################################
67 ### Logfiles 71 ### Logfiles
68 ############################################################################# 72 #############################################################################
95 ## (1.2) Root account SSH login password bruteforcing attempts. 99 ## (1.2) Root account SSH login password bruteforcing attempts.
96 ## This check catches failed password logins for root account. 100 ## This check catches failed password logins for root account.
97 ## 101 ##
98 ## NOTICE! Do not enable this setting, if you allow SSH root logins via 102 ## NOTICE! Do not enable this setting, if you allow SSH root logins via
99 ## password authentication! Mistyping password may get you blocked unless 103 ## password authentication! Mistyping password may get you blocked unless
100 ## your host IP is defined in NOBLOCK_IPS. If you wish to enable this 104 ## your host IP is defined in NOACTION_IPS. If you wish to enable this
101 ## check, you should set "PermitRootLogin" to "without-password" or "no" 105 ## check, you should set "PermitRootLogin" to "without-password" or "no"
102 ## in your sshd_config. 106 ## in your sshd_config.
103 CHK_ROOT_SSH_PWD = 0 107 CHK_ROOT_SSH_PWD = 0
104 108
105 ## (1.3) System account SSH login password bruteforcing attempts. 109 ## (1.3) System account SSH login password bruteforcing attempts.
106 ## Catches failed password logins for system accounts. 110 ## Catches failed password logins for system accounts.
107 ## 111 ##
108 ## NOTICE! If you enable this setting, make sure have defined safe 112 ## NOTICE! If you enable this setting, make sure have defined safe
109 ## host IPs in NOBLOCK_IPS, and that your system DOES NOT have passwords 113 ## host IPs in NOACTION_IPS, and that your system DOES NOT have passwords
110 ## for system accounts .. which would be stupid anyway. 114 ## for system accounts .. which would be stupid anyway.
111 CHK_SYSACCT_SSH_PWD = 0 115 CHK_SYSACCT_SSH_PWD = 0
112
113 116
114 117
115 # (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin) 118 # (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin)
116 # NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have 119 # NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have
117 # any or some of these installed. Preferably none, or use uncommon 120 # any or some of these installed. Preferably none, or use uncommon
143 ############################################################################# 146 #############################################################################
144 ## Define files for periodically updated status reports (refreshed once 147 ## Define files for periodically updated status reports (refreshed once
145 ## every few minutes.) Leave empty ("") or commented if you do not want 148 ## every few minutes.) Leave empty ("") or commented if you do not want
146 ## status reports. 149 ## status reports.
147 150
148 ## Plain ASCII text file rerpot 151 ## Plain ASCII text file report
149 #STATUS_FILE_PLAIN = "/var/www/maltstatus.txt" 152 #STATUS_FILE_PLAIN = "/var/www/maltstatus.txt"
150 153
151 ## HTML file and optional CSS stylesheet URL for the HTML 154 ## HTML file and optional CSS stylesheet URL for the HTML
152 ## (if left empty, CSS is not used.) 155 ## (if left empty/unset, CSS will not be linked from the HTML file.)
153 #STATUS_FILE_HTML = "/var/www/maltstatus.html" 156 #STATUS_FILE_HTML = "/var/www/maltstatus.html"
154 #STATUS_FILE_CSS = "cool.css" 157 #STATUS_FILE_CSS = "cool.css"
155 158
156 ## URL for a web-based WHOIS service. This URL will be used for creating 159 ## URL for a web-based WHOIS service. This URL will be used for creating
157 ## href links of the IP addresses. Default is whois.domaintools.com. Set 160 ## href links of the IP addresses. Default is whois.domaintools.com. Set
167 ############################################################################# 170 #############################################################################
168 ### Evidence gathering 171 ### Evidence gathering
169 ############################################################################# 172 #############################################################################
170 ## By enabling EVIDENCE=1 and setting EVIDENCE_DIR to existing directory 173 ## By enabling EVIDENCE=1 and setting EVIDENCE_DIR to existing directory
171 ## writable by the effective UID which Maltfilter runs as, it will be 174 ## writable by the effective UID which Maltfilter runs as, it will be
172 ## populated by *.data and *.hosts files. If succesfully retrieved, .data 175 ## populated by *.info, *.data and *.hosts files. If succesfully retrieved,
173 ## files will have contents of the attempted XSS URI. *.hosts files 176 ## .data files will have contents of the attempted XSS URI. *.hosts files
174 ## list which hosts have attempted to exploit this specific URI. 177 ## list which hosts have attempted to exploit this specific URI. *.info
175 178 ## contain generic information and HTTP headers.
176 #EVIDENCE = 0 179
177 #EVIDENCE_DIR = "/var/run/malt-evidence" 180 EVIDENCE = 0
181 EVIDENCE_DIR = "/var/run/malt-evidence"
178 182
179 183
180 ############################################################################# 184 #############################################################################
181 ### DroneBL submissions 185 ### DroneBL submissions
182 ############################################################################# 186 #############################################################################
190 ## This setting is independent of the general THRESHOLD value and 194 ## This setting is independent of the general THRESHOLD value and
191 ## only affects DroneBL submissions. 195 ## only affects DroneBL submissions.
192 DRONEBL_THRESHOLD = 5 196 DRONEBL_THRESHOLD = 5
193 197
194 ## Maximum age of hits counted towards DroneBL submission threshold. 198 ## Maximum age of hits counted towards DroneBL submission threshold.
195 ## There is currently no weeding of submissions. 199 ## NOTICE! Value this is in minutes!
196 DRONEBL_MAX_AGE = 30 200 DRONEBL_MAX_AGE = 60
197 201
198 ## Your personal RPC key. This _MUST_ be set to a valid value, if you 202 ## Your personal RPC key. This _MUST_ be set to a valid value, if you
199 ## have enabled submissions. To get a personal key, go to: 203 ## have enabled submissions. To get a personal key, go to:
200 ## http://www.dronebl.org/rpckey_signup 204 ## http://www.dronebl.org/rpckey_signup
201 DRONEBL_RPC_KEY = "" 205 DRONEBL_RPC_KEY = ""
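Review bot: The rename of THRESHOLD to FILTER_THRESHOLD (new line 58) leaves two comments pointing at the old name: the GLOBAL_MAX_AGE text at new line 33 ("will be counted towards THRESHOLD") and the DroneBL context at new line 194 ("independent of the general THRESHOLD value"); both should read `FILTER_THRESHOLD` so an operator searching the file finds the key that actually governs blocking. In the same spirit, the three age settings now use different units without the names saying so — FILTER_MAX_AGE and GLOBAL_MAX_AGE are hours, DRONEBL_MAX_AGE is minutes — and the new warning at line 199 reads awkwardly; suggest `## NOTICE! Unlike FILTER_MAX_AGE / GLOBAL_MAX_AGE (hours), this value is in minutes!`. It is also not clear from the new text whether FILTER = 0 (line 51) and DRY_RUN = 1 (line 16) are independent switches or whether one implies the other; a sentence under FILTER stating what values other than 0 mean, and whether DRY_RUN still applies once FILTER is enabled, would make the shipped safe default easier to reason about.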