diff example.conf @ 40:24babaa1e331

Many cleanups and fixes; Example configuration updated.
author Matti Hamalainen <ccr@tnsp.org>
date Sun, 16 Aug 2009 02:42:45 +0300
parents 61b6d742c49c
children b11a56e256a9
--- a/example.conf	Sun Aug 16 01:30:13 2009 +0300
+++ b/example.conf	Sun Aug 16 02:42:45 2009 +0300
@@ -68,16 +68,61 @@
 #############################################################################
 ## Enabled checks (1 = enabled, 0 = disabled). Please read the test
 ## descriptions from "check_log_line" function in the maltfilter script.
+
+# (1) SSHD scans
+## (1.1) Generic login scan attempts.
+## Bruteforce attempts of login/password combinations leads to lots of
+## "Failed password for invalid user" errors. This check catches them.
 CHK_SSHD            = 1
+
+## (1.2) Root account SSH login password bruteforcing attempts.
+## This check catches failed password logins for root account.
+##
+## NOTICE! Do not enable this setting, if you allow SSH root logins via
+## password authentication! Mistyping password may get you blocked unless
+## your host IP is defined in NOBLOCK_IPS. If you wish to enable this
+## check, you should set "PermitRootLogin" to "without-password" or "no"
+## in your sshd_config.
+CHK_ROOT_SSH_PWD    = 0
+
+## (1.3) System account SSH login password bruteforcing attempts.
+## Catches failed password logins for system accounts.
+##
+## NOTICE! If you enable this setting, make sure have defined safe
+## host IPs in NOBLOCK_IPS, and that your system DOES NOT have passwords
+## for system accounts .. which would be stupid anyway.
+CHK_SYSACCT_SSH_PWD = 0
+
+## Set range of system account UIDs here, default is 1-100.
+## Root account is handled by CHK_ROOT_SSH_PWD check.
+#SYSACCT_MIN_UID     = 1
+#SYSACCT_MAX_UID     = 100
+
+
+# (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin)
+# NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have
+# any or some of these installed. Preferably none, or use uncommon
+# paths and prefixes.
 CHK_KNOWN_CGI       = 1
-CHK_PHP_XSS         = 1
-CHK_PROXY_SCAN      = 1
+
+
+# (3) pache common logging format checks
+## With CHK_GOOD_HOSTS setting you can define hostnames and IPs
+## which do not cause section (3) checks to trigger. For example
+## if your website uses local URL pointers, you should define
+## the hostname(s) and IPs here.
 #CHK_GOOD_HOSTS      = "example.org|google.com|74.125.45.100"
 
-## Notice! ONLY enable this setting, if you have disabled password root
-## logins from sshd_config (e.g. you have "PermitRootLogin without-password")
-## or that alternatively you have defined "safe" hosts in NOBLOCK_IPS.
-CHK_ROOT_SSH_PWD    = 0
+## (3.1) Simple match for generic PHP XSS vulnerability scans
+##
+## NOTICE! If your site genuinely uses (checked) PHP parameters with
+## URIs, you should set CHK_GOOD_HOSTS to match your hostname(s)/IP(s)
+## used in the URIs.
+CHK_PHP_XSS         = 1
+
+## (3.2) Try to match proxy scanning attempts
+## Certain attempts to find open HTTP proxies are caught by this check.
+CHK_PROXY_SCAN      = 1
 
   
 #############################################################################
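Review bot: The new section header `# (3) pache common logging format checks` has a typo and should read `# (3) Apache common logging format checks`, and the NOTICE under (1.3) is missing a word: `## NOTICE! If you enable this setting, make sure you have defined safe`. The comment above `#SYSACCT_MIN_UID` / `#SYSACCT_MAX_UID` gives 1-100 as the default; on distributions that reserve UIDs above 100 for system accounts this range may leave some accounts outside the check, so a comment advising the operator to compare it against the local system-account UID range would help. The `CHK_GOOD_HOSTS` example uses `|`, which suggests the value is matched as a pattern rather than a literal list; if so, the comment should state the expected syntax, since unescaped dots in `example.org` would then match any character. The hunk's comment style also switches between `#` and `##` for the same kind of explanatory text, which is worth unifying.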