view README @ 66:42889eed0ce8

Lots of cleanups, etc. Documentation updates.
author Matti Hamalainen <ccr@tnsp.org>
date Tue, 18 Aug 2009 03:21:30 +0300
parents d2e2b82dd2f2
children b090ddfccdab

Malicious Attack Livid Termination Filter daemon (maltfilter) v0.16.0
=====================================================================
Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org>
(C) Copyright 2009 Tecnic Software productions (TNSP)

Distributed under the modified ("3-clause") BSD license. Please see
included file COPYING for more information.

About
=====
The maltfilter daemon script continuously scans various system logfiles,
including auth.log and httpd logs, for signs of malicious connections,
break-in and exploitation attempts. The originating IP addresses of these
connections can then be acted upon in the following ways, each of which
is optional:

 * Insertion (and eventual deletion or "weeding") of Netfilter rules.
 * Submitting entry to DroneBL DNSBL service.

Additionally, Maltfilter can generate status reports (either continuously
in daemon mode, or as a one-shot report) in plaintext and HTML formats.

Since v0.14, there is also an option for gathering "evidence" about certain
PHP XSS exploit attempts into a specified directory. These evidence files
include the attempted exploit code (if found) and the hosts that have
tried to make your server run it.
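The scan-then-ban-then-weed cycle described above, as an added Python
example that is not part of maltfilter (which is itself a Perl script): it
parses a constructed excerpt of OpenSSH "Failed password" lines from
auth.log, flags a source address once it reaches a threshold of failures
inside a time window, emits the netfilter insertion for it, and later
"weeds" the rule once its lifetime has passed. The chain name MALTFILTER,
the threshold and window values, the one-hour ban lifetime and the exact
iptables invocations are assumptions chosen for illustration; the real
daemon's rule layout and thresholds come from its configuration
(example.conf). The iptables commands are returned as strings rather than
executed, so the block runs without root.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not real traffic; the addresses are
# taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_AUTH_LOG = """\
Aug 18 03:01:10 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 18 03:01:12 host sshd[1235]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Aug 18 03:01:15 host sshd[1236]: Failed password for root from 203.0.113.5 port 51250 ssh2
Aug 18 03:01:20 host sshd[1237]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Aug 18 03:02:00 host sshd[1238]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Aug 18 03:05:30 host sshd[1239]: Failed password for invalid user test from 203.0.113.5 port 51300 ssh2
"""

# Matches OpenSSH "Failed password" lines and captures only the syslog
# timestamp and the source address.  Syslog timestamps carry no year, so the
# caller supplies it (a daemon would use the current year).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Hypothetical dedicated chain; maltfilter's real chain name is configured.
CHAIN = "MALTFILTER"


def parse_failures(log_text, year):
    """Return a list of (datetime, ip) for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    return events


def find_offenders(events, threshold, window):
    """Return {ip: datetime} for addresses with `threshold` failures inside
    any span of length `window`; the value is when the threshold was crossed."""
    per_ip = defaultdict(list)
    for ts, ip in events:
        per_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        for i in range(threshold - 1, len(stamps)):
            if stamps[i] - stamps[i - threshold + 1] <= window:
                offenders[ip] = stamps[i]
                break
    return offenders


def ban_command(ip):
    """Netfilter rule that drops traffic from ip (dry run: string only)."""
    return f"iptables -I {CHAIN} -s {ip} -j DROP"


def unban_command(ip):
    """Matching deletion used when the ban is weeded."""
    return f"iptables -D {CHAIN} -s {ip} -j DROP"


def weed(bans, now, ttl):
    """Split bans into (expired ips, still-active bans) for a ban lifetime ttl."""
    expired = sorted(ip for ip, since in bans.items() if now - since >= ttl)
    active = {ip: since for ip, since in bans.items() if now - since < ttl}
    return expired, active


def demo():
    """Run one scan/ban/weed cycle over the sample log and return, in order,
    the iptables commands that would have been issued."""
    events = parse_failures(SAMPLE_AUTH_LOG, 2009)
    bans = find_offenders(events, threshold=3, window=timedelta(minutes=5))
    commands = [ban_command(ip) for ip in sorted(bans)]
    # Pretend the weeding pass runs two hours after the last logged failure.
    later = max(ts for ts, _ in events) + timedelta(hours=2)
    expired, bans = weed(bans, later, ttl=timedelta(hours=1))
    commands += [unban_command(ip) for ip in expired]
    return commands


if __name__ == "__main__":
    for cmd in demo():
        print(cmd)
```

In the sample, 203.0.113.5 crosses the threshold at its third failure
(03:01:15) and is banned, while 198.51.100.7 fails once and then logs in
with a key, so it is left alone; the weeding pass two hours later removes
the expired rule. Note that the window check uses the log's own
timestamps, not wall-clock time, so replaying an old log (as the "-f"
report mode does) yields the same decisions.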


Requirements
============

 - Perl 5.8 or later
 - Date::Parse (libtimedate-perl)
 - Net::IP (libnet-ip-perl)
 - Net::DNS (libnet-dns-perl)
 - LWP::UserAgent (libwww-perl)


Installation
============
Copy the maltfilter script to /usr/sbin and set its ownership and
permissions (these steps require root):

$ cp maltfilter /usr/sbin/maltfilter
$ chmod 755 /usr/sbin/maltfilter
$ chown root:root /usr/sbin/maltfilter

Copy the example configuration under /etc. You may not want the
configuration to be readable by regular users, since it may contain
credentials, so the example below sets mode 600 on it:

$ cp example.conf /etc/maltfilter.conf
$ chmod 600 /etc/maltfilter.conf
$ chown root:root /etc/maltfilter.conf


Optional
========
Additionally you can set up the provided Debian style init script:

$ cp example.init /etc/init.d/maltfilter
$ chmod 755 /etc/init.d/maltfilter
$ chown root:root /etc/init.d/maltfilter

You need to edit the script if you did not install the configuration
and maltfilter to the paths described in the installation section.

A simple example CSS stylesheet for the HTML reports is also provided
for your convenience.


Configuration and usage
=======================
See example.conf for documentation of the settings. Start maltfilter
either via the init script or from the command line, giving the paths
of the PID file and the configuration file:

$ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf

If you want to use the init script, you need to edit your init runlevel
settings to enable it; for example, on Debian/Ubuntu you can use
update-rc.d(8), rcconf(8) or chkconfig(8) (where available).


Reports
=======
Automatic report generation can be enabled in the configuration.
You can also run "full" report generation via the "-f" option; in this
special mode no automatic weeding is performed, so more data is shown.