Mercurial > hg > maltfilter
comparison README @ 0:fec14263801d
Initial import of maltfilter development version.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Thu, 13 Aug 2009 15:15:18 +0300 |
| parents | |
| children | 56612ebc16ac |
comparison
equal
deleted
inserted
replaced
| -1:000000000000 | 0:fec14263801d |
|---|---|
| 1 Malicious Attack Livid Termination Filter daemon (maltfilter) v0.7 | |
| 2 ================================================================== | |
| 3 Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org> | |
| 4 (C) Copyright 2009 Tecnic Software productions (TNSP) | |
| 5 | |
| 6 Distributed under the modified ("3-clause") BSD license. Please see | |
| 7 included file COPYING for more information. | |
| 8 | |
| 9 About | |
| 10 ===== | |
| 11 Automagic management script for adding and removing Netfilter/iptables | |
| 12 filtering rules based on continuous logfile parsing for certain break-in | |
| 13 and exploitation scanning attempts. | |
| 14 | |
| 15 Maltfilter daemon script continuously scans various system logfiles | |
| 16 including auth.log, httpd logs, etc. for signs of malicious connections | |
| 17 break-in and exploitation attempts. The originating IP addresses of | |
| 18 these connections are then blocked via Netfilter (iptables). | |
| 19 | |
| 20 Requirements: | |
| 21 | |
| 22 - Perl 5.8 or later | |
| 23 - Date::Parse (libtimedate-perl) | |
| 24 - Net::IP (libnet-ip-perl) | |
| 25 | |
| 26 | |
| 27 Installation | |
| 28 ============ | |
| 29 Copy maltfilter script to /usr/sbin and set permissions | |
| 30 | |
| 31 $ cp maltfilter /usr/sbin/maltfilter | |
| 32 $ chmod 755 /usr/sbin/maltfilter | |
| 33 $ chown root:root /usr/sbin/maltfilter | |
| 34 | |
| 35 Copy example configuration under /etc (you may not want to | |
| 36 to have the configuration readable to regular users, so below | |
| 37 example sets mode 600 to it.) | |
| 38 | |
| 39 $ cp example.conf /etc/maltfilter.conf | |
| 40 $ chmod 600 /etc/maltfilter.conf | |
| 41 $ chown root:root /etc/maltfilter.conf | |
| 42 | |
| 43 | |
| 44 Optional | |
| 45 ======== | |
| 46 Additionally you can set up the provided Debian style init script: | |
| 47 | |
| 48 $ cp example.init /etc/init.d/maltfilter | |
| 49 $ chmod 755 /etc/init.d/maltfilter | |
| 50 $ chown root:root /etc/init.d/maltfilter | |
| 51 | |
| 52 You need to edit the script, if you didn't install the configuration | |
| 53 and maltfilter to paths described in installation section. | |
| 54 | |
| 55 | |
| 56 Configuration and usage | |
| 57 ======================= | |
| 58 See example.conf or /etc/maltfilter.conf for general settings. | |
| 59 I HIGHLY recommend that you carefully think which | |
| 60 | |
| 61 The script itself contains additional information about what | |
| 62 certain scan options actually do. | |
| 63 | |
| 64 Start maltfilter either via the init script or through commandline: | |
| 65 | |
| 66 $ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf | |
| 67 | |
| 68 If you want to use the init script, you need to edit your init runlevel | |
| 69 settings to enable it, for example in Debian/Ubuntu you can use rcconf(8) | |
| 70 or chkconfig(8). |