Mercurial > hg > maltfilter

view example.conf @ 61:8b33436dd18b

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Update example configuration and documentation.
author Matti Hamalainen <ccr@tnsp.org>
date Mon, 17 Aug 2009 08:22:38 +0300
parents 19dace24ad46
children d2e2b82dd2f2
line wrap: on
line source

#############################################################################
### Maltfilter configuration file.
### PLEASE READ THROUGH THIS FILE VERY CAREFULLY!

#############################################################################
### General settings
#############################################################################
# Verbosity level (0 = quiet, bigger values add noise. valid range 0 - 4)
VERBOSITY = 4

# Dry-run: 1 = disables daemonization/forking to background, disables
# modification of netfilter/iptables, printing the iptables commands to
# stdout instead.
# NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE!
DRY_RUN = 1

# Full path to iptables binary
IPTABLES = "/sbin/iptables"

# Maltfilter logfile path and name (set empty "" if you don't want logging)
LOGFILE = "/var/log/maltfilter"

# System passwd file location (default is /etc/passwd), this file
# is checked to figure out system account names. See also SYSACCT_
# settings below.
#PASSWD = "/etc/passwd"

## Set range of system account UIDs here, default is 1-100.
## Root account is handled by CHK_ROOT_SSH_PWD check.
#SYSACCT_MIN_UID     = 1
#SYSACCT_MAX_UID     = 100


#############################################################################
### Actions, etc. settings
#############################################################################
## Weeding treshold in hours. Entries older than this will be removed
## off from current netfilter settings (e.g. they become unblocked again.)
#WEED_BLOCK = 168

## For how many hours to keep general information about IP. Affects from
## how long period statistics dump shows data. Also hitcount tresholds
## take the old data into account, meaning that if WEED_BLOCK < WEED_GLOBAL
## hit data older than WEED_BLOCK will be counted towards THRESHOLD.
#WEED_GLOBAL = 336

## How many "hits" the IP needs until it is eligible to be blocked.
## (the "hits" can be from any "source", e.g. sshd crack, httpd, etc.)
#TRESHOLD = 3

## Target iptables action for added entries, default is DROP, but you
## can use whatever rule chain name you want to here.
#ACTION = "DROP"

## IP addresses that should NOT be blocked under any circumstances. You should
## set this if you wish to have a surefire open channel from some host, even in
## the case someone tries to spoof IPs for denial of service.
##
## NOTICE! This setting supports only IPv4 addresses, no IPv6 or DNS names.
## You can have any number of NOBLOCK_IPS settings.
#NOBLOCK_IPS = "192.121.86.15"
#NOBLOCK_IPS = "74.125.45.100"


#############################################################################
### Logfiles
#############################################################################
## Define system log files to scan. Only auth.log and Apache errorlog /
## common log format files are supported for now. You can have as many
## of SCANFILE settings as you wish.
SCANFILE = "/var/log/auth.log"
SCANFILE = "/var/log/httpd/error.log"
SCANFILE = "/var/log/httpd/access.log"

## SCANFILE_ONCE is like SCANFILE setting, but these files are only
## parsed through once, and are NOT followed for changes in "tail -f"
## style as SCANFILEs are. This is useful if you want to include data
## from logrotated files. (Notice that gzip compressed files are not supported.)
SCANFILE_ONCE = "/var/log/auth.log.1"


#############################################################################
### Checks / tests
#############################################################################
## Enabled checks (1 = enabled, 0 = disabled). Please read the test
## descriptions from "check_log_line" function in the maltfilter script.

# (1) SSHD scans
## (1.1) Generic login scan attempts.
## Bruteforce attempts of login/password combinations leads to lots of
## "Failed password for invalid user" errors. This check catches them.
CHK_SSHD            = 1

## (1.2) Root account SSH login password bruteforcing attempts.
## This check catches failed password logins for root account.
##
## NOTICE! Do not enable this setting, if you allow SSH root logins via
## password authentication! Mistyping password may get you blocked unless
## your host IP is defined in NOBLOCK_IPS. If you wish to enable this
## check, you should set "PermitRootLogin" to "without-password" or "no"
## in your sshd_config.
CHK_ROOT_SSH_PWD    = 0

## (1.3) System account SSH login password bruteforcing attempts.
## Catches failed password logins for system accounts.
##
## NOTICE! If you enable this setting, make sure have defined safe
## host IPs in NOBLOCK_IPS, and that your system DOES NOT have passwords
## for system accounts .. which would be stupid anyway.
CHK_SYSACCT_SSH_PWD = 0



# (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin)
# NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have
# any or some of these installed. Preferably none, or use uncommon
# paths and prefixes.
CHK_KNOWN_CGI       = 1


# (3) pache common logging format checks
## With CHK_GOOD_HOSTS setting you can define hostnames and IPs
## which do not cause section (3) checks to trigger. For example
## if your website uses local URL pointers, you should define
## the hostname(s) and IPs here.
#CHK_GOOD_HOSTS      = "example.org|google.com|74.125.45.100"

## (3.1) Simple match for generic PHP XSS vulnerability scans
##
## NOTICE! If your site genuinely uses (checked) PHP parameters with
## URIs, you should set CHK_GOOD_HOSTS to match your hostname(s)/IP(s)
## used in the URIs.
CHK_PHP_XSS         = 1

## (3.2) Try to match proxy scanning attempts
## Certain attempts to find open HTTP proxies are caught by this check.
CHK_PROXY_SCAN      = 1

  
#############################################################################
### Reports
#############################################################################
## Define files for periodically updated status reports (refreshed once
## every few minutes.) Leave empty ("") or commented if you do not want
## status reports.

## Plain ASCII text file rerpot
#STATUS_FILE_PLAIN = "/var/www/maltstatus.txt"

## HTML file and optional CSS stylesheet URL for the HTML
## (if left empty, CSS is not used.)
#STATUS_FILE_HTML = "/var/www/maltstatus.html"
#STATUS_FILE_CSS = "cool.css"

## URL for a web-based WHOIS service. This URL will be used for creating
## href links of the IP addresses. Default is whois.domaintools.com. Set
## empty if you don't want links.
#WHOIS_URL = "http://whois.domaintools.com/"


## If disabled (0), instead of full timestamps, first/last hit times
## will be printed as "W weeks, D days, H hours ago." etc.
#FULL_TIME           = 1


#############################################################################
### Evidence gathering
#############################################################################
## By enabling EVIDENCE=1 and setting EVIDENCE_DIR to existing directory
## writable by the effective UID which Maltfilter runs as, it will be
## populated by *.data and *.hosts files. If succesfully retrieved, .data
## files will have contents of the attempted XSS URI. *.hosts files
## list which hosts have attempted to exploit this specific URI.

#EVIDENCE            = 0
#EVIDENCE_DIR        = "/var/run/malt-evidence"