diff example.conf @ 66:42889eed0ce8
Lots of cleanups, etc. Documentation updates.
author | Matti Hamalainen <ccr@tnsp.org> |
date | Tue, 18 Aug 2009 03:21:30 +0300 |
parents | d2e2b82dd2f2 |
children | b090ddfccdab |
--- a/example.conf Tue Aug 18 00:43:10 2009 +0300 +++ b/example.conf Tue Aug 18 03:21:30 2009 +0300 
@@ -1,28 +1,41 @@
 #############################################################################
 ### Maltfilter configuration file.
 ### PLEASE READ THROUGH THIS FILE VERY CAREFULLY!
+#############################################################################
 #############################################################################
 ### General settings
 #############################################################################
-# Verbosity level (0 = quiet, bigger values add noise. valid range 0 - 4)
-VERBOSITY = 4
+## Verbosity level (0 = quiet, bigger values add noise. valid range 0 - 4)
+VERBOSITY = 3
-# Dry-run: 1 = disables daemonization/forking to background, disables
-# modification of netfilter/iptables, printing the iptables commands to
-# stdout instead.
-# NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE!
+## Dry-run: 1 = disables daemonization/forking to background, disables
+## modification of netfilter via iptables, printing the iptables commands
+## to stdout instead and DroneBL submissions will be disabled.
+## NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE!
 DRY_RUN = 1
-# Full path to iptables binary
-IPTABLES = "/sbin/iptables"
-
-# Maltfilter logfile path and name (set empty "" if you don't want logging)
+## Maltfilter logfile path and name (set empty "" if you don't want logging)
 LOGFILE = "/var/log/maltfilter"
-# System passwd file location (default is /etc/passwd), this file
-# is checked to figure out system account names. See also SYSACCT_
-# settings below.
+## IP addresses that should NOT be blocked under any circumstances. You should
+## set this if you wish to have a surefire open channel from some host, even in
+## the case someone tries to spoof IPs for denial of service.
+##
+## NOTICE! This setting supports only IPv4 addresses, no IPv6 or DNS names.
+## You can have any number of NOACTION_IPS settings.
+#NOACTION_IPS = "192.121.86.15"
+#NOACTION_IPS = "74.125.45.100"
+
+## For how many hours to keep general information about IP. Affects from
+## how long period statistics dump shows data. Also hitcount thresholds
+## take the old data into account, meaning that if FILTER_MAX_AGE < GLOBAL_MAX_AGE
+## hit data older than FILTER_MAX_AGE will be counted towards THRESHOLD.
+#GLOBAL_MAX_AGE = 336
+
+## System passwd file location (default is /etc/passwd), this file
+## is checked to figure out system account names. See also SYSACCT_*
+## settings below.
 #PASSWD = "/etc/passwd"
 ## Set range of system account UIDs here, default is 1-100.
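Review bot: The GLOBAL_MAX_AGE comment on the new side still says hit data `will be counted towards THRESHOLD`, but the setting is renamed to FILTER_THRESHOLD in the next hunk, so the reference goes stale within this same commit; suggest `## hit data older than FILTER_MAX_AGE will be counted towards FILTER_THRESHOLD.`. The commented NOACTION_IPS examples are routable public addresses, and a user who copies them would exempt those hosts from filtering; the documentation ranges reserved by RFC 5737 (e.g. `#NOACTION_IPS = "192.0.2.10"`) are safer samples. It would also help to state whether GLOBAL_MAX_AGE falls back to 336 hours when left commented out, since the FILTER_MAX_AGE < GLOBAL_MAX_AGE comparison described here depends on that default.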
@@ -32,35 +45,26 @@
 #############################################################################
-### Actions, etc. settings
+### Netfilter actions
 #############################################################################
+## 0 = Netfilter handling disabled
+FILTER = 0
+
+## Full path to iptables binary
+IPTABLES = "/sbin/iptables"
+
+## How many "hits" the IP needs until it is eligible to be filtered.
+## (the "hits" can be from any check, e.g. sshd crack, httpd, etc.)
+FILTER_THRESHOLD = 3
+
 ## Weeding threshold in hours. Entries older than this will be removed
 ## off from current netfilter settings. Also, entries older than this
 ## will not be added to netfilter to begin with.
-#WEED_FILTER = 168
-
-## For how many hours to keep general information about IP. Affects from
-## how long period statistics dump shows data. Also hitcount thresholds
-## take the old data into account, meaning that if WEED_FILTER < WEED_GLOBAL
-## hit data older than WEED_FILTER will be counted towards THRESHOLD.
-#WEED_GLOBAL = 336
-
-## How many "hits" the IP needs until it is eligible to be blocked.
-## (the "hits" can be from any "source", e.g. sshd crack, httpd, etc.)
-#THRESHOLD = 3
+FILTER_MAX_AGE = 168
-## Target iptables action for added entries, default is DROP, but you
+## Target iptables target for added entries, default is DROP, but you
 ## can use whatever rule chain name you want to here.
-#ACTION = "DROP"
-
-## IP addresses that should NOT be blocked under any circumstances. You should
-## set this if you wish to have a surefire open channel from some host, even in
-## the case someone tries to spoof IPs for denial of service.
-##
-## NOTICE! This setting supports only IPv4 addresses, no IPv6 or DNS names.
-## You can have any number of NOBLOCK_IPS settings.
-#NOBLOCK_IPS = "192.121.86.15"
-#NOBLOCK_IPS = "74.125.45.100"
+FILTER_TARGET = "DROP"
 #############################################################################
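Review bot: The new FILTER key is documented only as `## 0 = Netfilter handling disabled`, which leaves the enabling value unstated; suggest `## Netfilter handling: 0 = disabled, 1 = enabled (see also DRY_RUN above)`, assuming 1 is the enabling value as for the other switches in this file. The rewritten FILTER_TARGET comment now reads `Target iptables target`; the doubled word looks accidental, and `## iptables target for added entries, default is DROP, but you` reads cleaner. Since the comment invites any chain name, it is worth adding that the chain must already exist, as the value is presumably handed to the iptables binary unchanged.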
@@ -97,7 +101,7 @@
 ##
 ## NOTICE! Do not enable this setting, if you allow SSH root logins via
 ## password authentication! Mistyping password may get you blocked unless
-## your host IP is defined in NOBLOCK_IPS. If you wish to enable this
+## your host IP is defined in NOACTION_IPS. If you wish to enable this
 ## check, you should set "PermitRootLogin" to "without-password" or "no"
 ## in your sshd_config.
 CHK_ROOT_SSH_PWD = 0
@@ -106,12 +110,11 @@
 ## Catches failed password logins for system accounts.
 ##
 ## NOTICE! If you enable this setting, make sure have defined safe
-## host IPs in NOBLOCK_IPS, and that your system DOES NOT have passwords
+## host IPs in NOACTION_IPS, and that your system DOES NOT have passwords
 ## for system accounts .. which would be stupid anyway.
 CHK_SYSACCT_SSH_PWD = 0
-
 # (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin)
 # NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have
 # any or some of these installed. Preferably none, or use uncommon
@@ -145,11 +148,11 @@
 ## every few minutes.) Leave empty ("") or commented if you do not want
 ## status reports.
-## Plain ASCII text file rerpot
+## Plain ASCII text file report
 #STATUS_FILE_PLAIN = "/var/www/maltstatus.txt"
 ## HTML file and optional CSS stylesheet URL for the HTML
-## (if left empty, CSS is not used.)
+## (if left empty/unset, CSS will not be linked from the HTML file.)
 #STATUS_FILE_HTML = "/var/www/maltstatus.html"
 #STATUS_FILE_CSS = "cool.css"
@@ -169,12 +172,13 @@
 #############################################################################
 ## By enabling EVIDENCE=1 and setting EVIDENCE_DIR to existing directory
 ## writable by the effective UID which Maltfilter runs as, it will be
-## populated by *.data and *.hosts files. If succesfully retrieved, .data
-## files will have contents of the attempted XSS URI. *.hosts files
-## list which hosts have attempted to exploit this specific URI.
+## populated by *.info, *.data and *.hosts files. If succesfully retrieved,
+## .data files will have contents of the attempted XSS URI. *.hosts files
+## list which hosts have attempted to exploit this specific URI. *.info
+## contain generic information and HTTP headers.
-#EVIDENCE = 0
-#EVIDENCE_DIR = "/var/run/malt-evidence"
+EVIDENCE = 0
+EVIDENCE_DIR = "/var/run/malt-evidence"
 #############################################################################
@@ -192,8 +196,8 @@
 DRONEBL_THRESHOLD = 5
 ## Maximum age of hits counted towards DroneBL submission threshold.
-## There is currently no weeding of submissions.
-DRONEBL_MAX_AGE = 30
+## NOTICE! Value this is in minutes!
+DRONEBL_MAX_AGE = 60
 ## Your personal RPC key. This _MUST_ be set to a valid value, if you
 ## have enabled submissions. To get a personal key, go to:
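Review bot: The misspelling `succesfully` survives into the rewritten line `If succesfully retrieved,` and should read `successfully`; likewise `*.info contain` reads better as `*.info files contain`. With EVIDENCE_DIR now uncommented as `/var/run/malt-evidence`, the comment could add that the directory must already exist and that the *.data and *.info contents are request data supplied by the remote party, so the directory should not be readable by other users or exposed by a web server. On many systems /var/run is cleared at boot, which may not suit evidence meant to be kept; if that is intended, saying so in the comment would avoid surprises.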
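Review bot: The new comment `## NOTICE! Value this is in minutes!` is ungrammatical, and the unit differs from the other *_MAX_AGE keys, which this commit documents in hours; suggest `## NOTICE! Unlike FILTER_MAX_AGE and GLOBAL_MAX_AGE, this value is in minutes!`. The removed sentence stating that submissions are not weeded has no replacement; if that behaviour is unchanged it should stay documented here, and if it changed, a short note saying so would help readers of this setting.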