diff example.conf @ 40:24babaa1e331
Many cleanups and fixes; Example configuration updated.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Sun, 16 Aug 2009 02:42:45 +0300 |
| parents | 61b6d742c49c |
| children | b11a56e256a9 |
--- a/example.conf Sun Aug 16 01:30:13 2009 +0300 +++ b/example.conf Sun Aug 16 02:42:45 2009 +0300 
@@ -68,16 +68,61 @@ ############################################################################# ## Enabled checks (1 = enabled, 0 = disabled). Please read the test ## descriptions from "check_log_line" function in the maltfilter script. + +# (1) SSHD scans +## (1.1) Generic login scan attempts. +## Bruteforce attempts of login/password combinations leads to lots of +## "Failed password for invalid user" errors. This check catches them. CHK_SSHD = 1 + +## (1.2) Root account SSH login password bruteforcing attempts. +## This check catches failed password logins for root account. +## +## NOTICE! Do not enable this setting, if you allow SSH root logins via +## password authentication! Mistyping password may get you blocked unless +## your host IP is defined in NOBLOCK_IPS. If you wish to enable this +## check, you should set "PermitRootLogin" to "without-password" or "no" +## in your sshd_config. +CHK_ROOT_SSH_PWD = 0 + +## (1.3) System account SSH login password bruteforcing attempts. +## Catches failed password logins for system accounts. +## +## NOTICE! If you enable this setting, make sure have defined safe +## host IPs in NOBLOCK_IPS, and that your system DOES NOT have passwords +## for system accounts .. which would be stupid anyway. +CHK_SYSACCT_SSH_PWD = 0 + +## Set range of system account UIDs here, default is 1-100. +## Root account is handled by CHK_ROOT_SSH_PWD check. +#SYSACCT_MIN_UID = 1 +#SYSACCT_MAX_UID = 100 + + +# (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin) +# NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have +# any or some of these installed. Preferably none, or use uncommon +# paths and prefixes. CHK_KNOWN_CGI = 1 -CHK_PHP_XSS = 1 -CHK_PROXY_SCAN = 1 + + +# (3) pache common logging format checks +## With CHK_GOOD_HOSTS setting you can define hostnames and IPs +## which do not cause section (3) checks to trigger. 
For example +## if your website uses local URL pointers, you should define +## the hostname(s) and IPs here. #CHK_GOOD_HOSTS = "example.org|google.com|74.125.45.100" -## Notice! ONLY enable this setting, if you have disabled password root -## logins from sshd_config (e.g. you have "PermitRootLogin without-password") -## or that alternatively you have defined "safe" hosts in NOBLOCK_IPS. -CHK_ROOT_SSH_PWD = 0 +## (3.1) Simple match for generic PHP XSS vulnerability scans +## +## NOTICE! If your site genuinely uses (checked) PHP parameters with +## URIs, you should set CHK_GOOD_HOSTS to match your hostname(s)/IP(s) +## used in the URIs. +CHK_PHP_XSS = 1 + +## (3.2) Try to match proxy scanning attempts +## Certain attempts to find open HTTP proxies are caught by this check. +CHK_PROXY_SCAN = 1 #############################################################################
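Review bot: the new section (3) header reads "# (3) pache common logging format checks" and is missing the leading "A" of "Apache"; since the comment right below it says these checks (CHK_PHP_XSS, CHK_PROXY_SCAN) match the access log in Apache common logging format, the heading should say "Apache common logging format checks" so an administrator scanning the file knows which log these checks consume. Two smaller wording fixes in the same hunk: the (1.3) notice "make sure have defined safe host IPs in NOBLOCK_IPS" is missing "you" ("make sure you have defined safe host IPs in NOBLOCK_IPS"), and the (1.1) line "Bruteforce attempts ... leads to lots of" should read "lead to". On the substance, the comment above SYSACCT_MIN_UID / SYSACCT_MAX_UID states the default range is 1-100, and the (1.3) check blocks hosts that fail password logins for any account in that range; it would be worth saying explicitly that the admin should check the range against the UIDs actually used for system accounts on their host before enabling CHK_SYSACCT_SSH_PWD, since a range that is too wide can block legitimate users who mistype a password and are not listed in NOBLOCK_IPS, exactly the failure mode the (1.2) notice already warns about for root.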