Mercurial > hg > maltfilter
comparison README @ 61:8b33436dd18b
Update example configuration and documentation.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Mon, 17 Aug 2009 08:22:38 +0300 |
| parents | a70493b6c916 |
| children | d2e2b82dd2f2 |
comparison
equal
deleted
inserted
replaced
| 60:38885f5f34f6 | 61:8b33436dd18b |
|---|---|
| 1 Malicious Attack Livid Termination Filter daemon (maltfilter) v0.13.1 | 1 Malicious Attack Livid Termination Filter daemon (maltfilter) v0.14.0 |
| 2 ===================================================================== | 2 ===================================================================== |
| 3 Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org> | 3 Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org> |
| 4 (C) Copyright 2009 Tecnic Software productions (TNSP) | 4 (C) Copyright 2009 Tecnic Software productions (TNSP) |
| 5 | 5 |
| 6 Distributed under the modified ("3-clause") BSD license. Please see | 6 Distributed under the modified ("3-clause") BSD license. Please see |
| 7 included file COPYING for more information. | 7 included file COPYING for more information. |
| 8 | 8 |
| 9 About | 9 About |
| 10 ===== | 10 ===== |
| 11 Automagic management script for adding and removing Netfilter/iptables | |
| 12 filtering rules based on continuous logfile parsing for certain break-in | |
| 13 and exploitation scanning attempts. | |
| 14 | |
| 15 Maltfilter daemon script continuously scans various system logfiles | 11 Maltfilter daemon script continuously scans various system logfiles |
| 16 including auth.log, httpd logs, etc. for signs of malicious connections | 12 including auth.log, httpd logs, etc. for signs of malicious connections, |
| 17 break-in and exploitation attempts. The originating IP addresses of | 13 break-in and exploitation attempts. The originating IP addresses of |
| 18 these connections are then blocked via Netfilter (iptables). | 14 these connections are then blocked via Netfilter (iptables). |
| 15 | |
| 16 Additionally Maltfilter can generate status reports (either continuously | |
| 17 in daemon mode, or as once-run report), in plaintext and HTML formats. | |
| 18 | |
| 19 Since v0.14, there is also option for gathering "evidence" about certain | |
| 20 PHP XSS exploit attempts into specified directory. These evidence files | |
| 21 include the attempted exploit code (if found) and hosts which have tried | |
| 22 to make your server run it. | |
| 23 | |
| 19 | 24 |
| 20 Requirements: | 25 Requirements: |
| 21 | 26 |
| 22 - Perl 5.8 or later | 27 - Perl 5.8 or later |
| 23 - Date::Parse (libtimedate-perl) | 28 - Date::Parse (libtimedate-perl) |
| 24 - Net::IP (libnet-ip-perl) | 29 - Net::IP (libnet-ip-perl) |
| 30 - Net::DNS (libnet-dns-perl) | |
| 31 - LWP::UserAgent (libwww-perl) | |
| 25 | 32 |
| 26 | 33 |
| 27 Installation | 34 Installation |
| 28 ============ | 35 ============ |
| 29 Copy maltfilter script to /usr/sbin and set permissions | 36 Copy maltfilter script to /usr/sbin and set permissions |
| 71 ======= | 78 ======= |
| 72 Automatic report generation can be enabled from configuration. | 79 Automatic report generation can be enabled from configuration. |
| 73 You can also run "full" report generation via the "-f" option, in this | 80 You can also run "full" report generation via the "-f" option, in this |
| 74 special mode, no automatic weeding is performed, resulting in | 81 special mode, no automatic weeding is performed, resulting in |
| 75 more data being shown. | 82 more data being shown. |
| 83 |