comparison README @ 61:8b33436dd18b
Update example configuration and documentation.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Mon, 17 Aug 2009 08:22:38 +0300 |
parents | a70493b6c916 |
children | d2e2b82dd2f2 |
60:38885f5f34f6 | 61:8b33436dd18b |
---|---|
1 Malicious Attack Livid Termination Filter daemon (maltfilter) v0.13.1 | 1 Malicious Attack Livid Termination Filter daemon (maltfilter) v0.14.0 |
2 ===================================================================== | 2 ===================================================================== |
3 Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org> | 3 Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org> |
4 (C) Copyright 2009 Tecnic Software productions (TNSP) | 4 (C) Copyright 2009 Tecnic Software productions (TNSP) |
5 | 5 |
6 Distributed under the modified ("3-clause") BSD license. Please see | 6 Distributed under the modified ("3-clause") BSD license. Please see |
7 included file COPYING for more information. | 7 included file COPYING for more information. |
8 | 8 |
9 About | 9 About |
10 ===== | 10 ===== |
11 Automagic management script for adding and removing Netfilter/iptables | |
12 filtering rules based on continuous logfile parsing for certain break-in | |
13 and exploitation scanning attempts. | |
14 | |
15 Maltfilter daemon script continuously scans various system logfiles | 11 Maltfilter daemon script continuously scans various system logfiles |
16 including auth.log, httpd logs, etc. for signs of malicious connections | 12 including auth.log, httpd logs, etc. for signs of malicious connections, |
17 break-in and exploitation attempts. The originating IP addresses of | 13 break-in and exploitation attempts. The originating IP addresses of |
18 these connections are then blocked via Netfilter (iptables). | 14 these connections are then blocked via Netfilter (iptables). |
15 | |
16 Additionally Maltfilter can generate status reports (either continuously | |
17 in daemon mode, or as once-run report), in plaintext and HTML formats. | |
18 | |
19 Since v0.14, there is also option for gathering "evidence" about certain | |
20 PHP XSS exploit attempts into specified directory. These evidence files | |
21 include the attempted exploit code (if found) and hosts which have tried | |
22 to make your server run it. | |
23 | |
19 | 24 |
20 Requirements: | 25 Requirements: |
21 | 26 |
22 - Perl 5.8 or later | 27 - Perl 5.8 or later |
23 - Date::Parse (libtimedate-perl) | 28 - Date::Parse (libtimedate-perl) |
24 - Net::IP (libnet-ip-perl) | 29 - Net::IP (libnet-ip-perl) |
30 - Net::DNS (libnet-dns-perl) | |
31 - LWP::UserAgent (libwww-perl) | |
25 | 32 |
26 | 33 |
27 Installation | 34 Installation |
28 ============ | 35 ============ |
29 Copy maltfilter script to /usr/sbin and set permissions | 36 Copy maltfilter script to /usr/sbin and set permissions |
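Review bot: the two new hard requirements in the Requirements list (new lines 30-31, Net::DNS and LWP::UserAgent) are added without saying which feature needs them. The only new feature this hunk describes is the v0.14 evidence gathering, and LWP::UserAgent suggests the daemon will fetch the "attempted exploit code" over HTTP from URLs it found in the logs; if so, the README should say that explicitly and add the operational caveats a deployer needs: the fetched content is attacker-controlled, so the evidence directory must not be web-served or executable, and the fetch should have a timeout and a size limit. Two smaller points in the new About text: the feature is described as targeting "PHP XSS exploit attempts", but the same sentence describes hosts that "have tried to make your server run" the code, which is server-side inclusion/execution rather than cross-site scripting, so the attack class should be named as the matcher actually sees it; and the new sentences are missing articles ("there is also an option", "into a specified directory", "as a once-run report").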
71 ======= | 78 ======= |
72 Automatic report generation can be enabled from configuration. | 79 Automatic report generation can be enabled from configuration. |
73 You can also run "full" report generation via the "-f" option, in this | 80 You can also run "full" report generation via the "-f" option, in this |
74 special mode, no automatic weeding is performed, resulting in | 81 special mode, no automatic weeding is performed, resulting in |
75 more data being shown. | 82 more data being shown. |
83 |
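Review bot: the Reports paragraph (old lines 73-75 / new lines 80-82) is carried over unchanged with its comma splice, and the only visible change in this region is the added blank line 83. Since the file is being touched anyway, split the sentence ("... via the "-f" option. In this special mode, no automatic weeding is performed, ...") and state what "weeding" means, which the section does not define.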