diff example.conf @ 0:fec14263801d

Initial import of maltfilter development version.
author Matti Hamalainen <ccr@tnsp.org>
date Thu, 13 Aug 2009 15:15:18 +0300
parents
children b2c7c76b3529
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/example.conf	Thu Aug 13 15:15:18 2009 +0300
@@ -0,0 +1,51 @@
+## Maltfilter configuration file.
+## PLEASE GO THROUGH THIS FILE VERY CAREFULLY!
+
+# Verbosity level (0 = quiet, bigger values add noise. valid range 0 - 4)
+VERBOSITY = 4
+
+# Dry-run: 1 = disables daemonization/forking to background, disables
+# modification of netfilter/iptables, printing the iptables commands to
+# stdout instead.
+# NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE!
+DRY_RUN = 1
+
+# Define system log files to scan. Only auth.log and Apache errorlog /
+# common log format files are supported for now. You can have as many
+# of SCANFILE settings as you wish.
+SCANFILE = "/var/log/auth.log"
+SCANFILE = "/var/log/httpd/error.log"
+SCANFILE = "/var/log/httpd/access.log"
+
+
+# Weeding treshold in hours. Entries older than this will be "weeded"
+# off from current netfilter settings.
+WEEDPERIOD = 72
+
+# How many "hits" the IP needs until it is eligible to be blocked.
+# (the "hits" can be from any "source", e.g. sshd crack, httpd, etc.)
+TRESHOLD = 3
+
+# Target iptables action for added entries, default is DROP, but you
+# can use whatever rule chain name you want to here.
+ACTION = "DROP"
+
+# Enabled checks (1 = enabled, 0 = disabled). Please read the test
+# descriptions from "check_log_line" function in the maltfilter script.
+CHK_SSHD            = 1
+CHK_KNOWN_CGI       = 1
+CHK_PHP_XSS         = 1
+CHK_PROXY_SCAN      = 1
+CHK_GOOD_HOSTS      = "example.org|google.com|74.125.45.100"
+
+# Maltfilter logfile path and name (set empty "" if you don't want logging)
+LOGFILE = "/var/log/maltfilter"
+  
+# Full path to iptables binary
+IPTABLES = "/sbin/iptables"
+  
+# IP(s) NOT to be blocked under any circumstances, separated by pipes (|).
+# You should set this if you wish to have a surefire open channel from
+# somewhere, even in case someone tries to spoof IPs for denial of service.
+# NOTICE! This setting supports only IPv4 addresses, no IPv6 or DNS names.
+NOBLOCK_HOSTS = "127.0.0.1|74.125.45.100"
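Review bot: The shipped defaults for CHK_GOOD_HOSTS and NOBLOCK_HOSTS both embed a concrete third-party address (74.125.45.100) alongside 127.0.0.1, and an operator who copies this example into production will carry that exemption into their firewall whitelist without noticing; the file should make clear these are sample values. CHK_GOOD_HOSTS is also the only setting in the "Enabled checks" group that takes a string rather than a 0/1 flag, and it has no comment of its own, so its matching semantics (presumably the same pipe-separated list as NOBLOCK_HOSTS, but here mixing DNS names with an IPv4 address) are unclear to the reader. Suggest a comment above it such as `# Hosts exempted from the checks above, separated by pipes (|). Example values only - replace before deployment.` and a similar "replace before deployment" remark on NOBLOCK_HOSTS. Minor: the blank lines after LOGFILE and IPTABLES carry trailing whitespace, and "treshold" is misspelled in the comments (the TRESHOLD key name itself would need a matching change in the script, so leave it unless the script is updated too).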