Mercurial > hg > maltfilter
view example.conf @ 44:471731c79bb3
Add configuration setting for PASSWD file.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Sun, 16 Aug 2009 02:51:28 +0300 |
parents | b11a56e256a9 |
children | 19dace24ad46 |
line wrap: on
line source
############################################################################# ### Maltfilter configuration file. ### PLEASE READ THROUGH THIS FILE VERY CAREFULLY! ############################################################################# ### General settings ############################################################################# # Verbosity level (0 = quiet, bigger values add noise. valid range 0 - 4) VERBOSITY = 4 # Dry-run: 1 = disables daemonization/forking to background, disables # modification of netfilter/iptables, printing the iptables commands to # stdout instead. # NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE! DRY_RUN = 1 # Maltfilter logfile path and name (set empty "" if you don't want logging) LOGFILE = "/var/log/maltfilter" # Full path to iptables binary IPTABLES = "/sbin/iptables" # System passwd file location (default is /etc/passwd), this file # is checked to figure out system account names. See also SYSACCT_ # settings below. #PASSWD = "/etc/passwd" ## Set range of system account UIDs here, default is 1-100. ## Root account is handled by CHK_ROOT_SSH_PWD check. #SYSACCT_MIN_UID = 1 #SYSACCT_MAX_UID = 100 ############################################################################# ### Actions, etc. settings ############################################################################# ## Weeding treshold in hours. Entries older than this will be removed ## off from current netfilter settings (e.g. they become unblocked again.) #WEED_BLOCK = 168 ## For how many hours to keep general information about IP. Affects from ## how long period statistics dump shows data. Also hitcount tresholds ## take the old data into account, meaning that if WEED_BLOCK < WEED_GLOBAL ## hit data older than WEED_BLOCK will be counted towards THRESHOLD. #WEED_GLOBAL = 336 ## How many "hits" the IP needs until it is eligible to be blocked. ## (the "hits" can be from any "source", e.g. sshd crack, httpd, etc.) #TRESHOLD = 3 ## Target iptables action for added entries, default is DROP, but you ## can use whatever rule chain name you want to here. #ACTION = "DROP" ## IP addresses that should NOT be blocked under any circumstances. You should ## set this if you wish to have a surefire open channel from some host, even in ## the case someone tries to spoof IPs for denial of service. ## ## NOTICE! This setting supports only IPv4 addresses, no IPv6 or DNS names. ## You can have any number of NOBLOCK_IPS settings. #NOBLOCK_IPS = "192.121.86.15" #NOBLOCK_IPS = "74.125.45.100" ############################################################################# ### Logfiles ############################################################################# ## Define system log files to scan. Only auth.log and Apache errorlog / ## common log format files are supported for now. You can have as many ## of SCANFILE settings as you wish. SCANFILE = "/var/log/auth.log" SCANFILE = "/var/log/httpd/error.log" SCANFILE = "/var/log/httpd/access.log" ############################################################################# ### Checks / tests ############################################################################# ## Enabled checks (1 = enabled, 0 = disabled). Please read the test ## descriptions from "check_log_line" function in the maltfilter script. # (1) SSHD scans ## (1.1) Generic login scan attempts. ## Bruteforce attempts of login/password combinations leads to lots of ## "Failed password for invalid user" errors. This check catches them. CHK_SSHD = 1 ## (1.2) Root account SSH login password bruteforcing attempts. ## This check catches failed password logins for root account. ## ## NOTICE! Do not enable this setting, if you allow SSH root logins via ## password authentication! Mistyping password may get you blocked unless ## your host IP is defined in NOBLOCK_IPS. If you wish to enable this ## check, you should set "PermitRootLogin" to "without-password" or "no" ## in your sshd_config. CHK_ROOT_SSH_PWD = 0 ## (1.3) System account SSH login password bruteforcing attempts. ## Catches failed password logins for system accounts. ## ## NOTICE! If you enable this setting, make sure have defined safe ## host IPs in NOBLOCK_IPS, and that your system DOES NOT have passwords ## for system accounts .. which would be stupid anyway. CHK_SYSACCT_SSH_PWD = 0 # (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin) # NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have # any or some of these installed. Preferably none, or use uncommon # paths and prefixes. CHK_KNOWN_CGI = 1 # (3) pache common logging format checks ## With CHK_GOOD_HOSTS setting you can define hostnames and IPs ## which do not cause section (3) checks to trigger. For example ## if your website uses local URL pointers, you should define ## the hostname(s) and IPs here. #CHK_GOOD_HOSTS = "example.org|google.com|74.125.45.100" ## (3.1) Simple match for generic PHP XSS vulnerability scans ## ## NOTICE! If your site genuinely uses (checked) PHP parameters with ## URIs, you should set CHK_GOOD_HOSTS to match your hostname(s)/IP(s) ## used in the URIs. CHK_PHP_XSS = 1 ## (3.2) Try to match proxy scanning attempts ## Certain attempts to find open HTTP proxies are caught by this check. CHK_PROXY_SCAN = 1 ############################################################################# ### Reports ############################################################################# ## Define files for periodically updated status reports (refreshed once ## every few minutes.) Leave empty ("") or commented if you do not want ## status reports. ## Plain ASCII text file rerpot #STATUS_FILE_PLAIN = "/var/www/maltstatus.txt" ## HTML file and optional CSS stylesheet URL for the HTML ## (if left empty, CSS is not used.) #STATUS_FILE_HTML = "/var/www/maltstatus.html" #STATUS_FILE_CSS = "cool.css" ## URL for a web-based WHOIS service. This URL will be used for creating ## href links of the IP addresses. Default is whois.domaintools.com. Set ## empty if you don't want links. #WHOIS_URL = "http://whois.domaintools.com/" ## If disabled (0), instead of full timestamps, first/last hit times ## will be printed as "W weeks, D days, H hours ago." etc. #FULL_TIME = 1