view README @ 79:9095db0fad8f

v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory usage improvements.
author Matti Hamalainen <ccr@tnsp.org>
date Sat, 29 Aug 2009 05:24:31 +0300

Malicious Attack Livid Termination Filter daemon (maltfilter) v0.18.0
=====================================================================
Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org>
(C) Copyright 2009 Tecnic Software productions (TNSP)

Distributed under the modified ("3-clause") BSD license. Please see
included file COPYING for more information.

About
=====
The maltfilter daemon script continuously scans system logfiles such as
auth.log and the httpd logs for signs of malicious connections, break-in
and exploitation attempts. The originating IP addresses of these
connections can then be acted upon in the following ways, each of which
is optional:

 * Insertion (and eventual deletion or "weeding") of Netfilter rules.
 * Submitting entry to DroneBL DNSBL service.

Additionally, Maltfilter can generate status reports (either continuously
in daemon mode, or as a one-off report) in plaintext and HTML formats.

Since v0.14 there is also an option to gather "evidence" about certain
PHP XSS exploit attempts into a specified directory. These evidence files
include the attempted exploit code (if found) and the hosts that have
tried to make your server run it.
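
As an added example (not maltfilter's own code, and much simpler than what
the daemon does), the Python below shows the core loop described above:
classify log lines, count hits per source address, emit a Netfilter rule
once a threshold is crossed, and weed the rule again once all of that
address's hits have aged out of the window. The regexes, the threshold, the
max_age parameter (playing the role FILTER_MAX_AGE plays in the real
configuration), the ignore list and the sample log lines are all
assumptions constructed for this illustration; the iptables commands are
returned as strings rather than executed.

```python
"""Added example, not maltfilter's own code: classify auth.log and httpd log
lines, count hits per source IP, emit a Netfilter DROP rule (as an iptables
command string) past a threshold, and weed it once the hits have aged out."""
import ipaddress
import re
from datetime import datetime, timedelta

# sshd pattern: Debian auth.log format; web patterns: RFI, traversal and script
# injection probes.  Both are anchored to fixed fields so attacker-chosen text
# (a username, a request path) cannot be mistaken for the source address.
SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$")
HTTP_LINE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3}')
HTTP_BAD_REQ = re.compile(r"=https?://|<script|\.\./\.\./|/etc/passwd", re.I)

def classify(line, year=2009):
    """(timestamp, ip, reason) for a hostile line, else None; syslog has no year."""
    m = SSH_FAIL.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["ip"], "ssh-bruteforce"
    m = HTTP_LINE.match(line)
    if m and HTTP_BAD_REQ.search(m["req"]):
        # Common Log Format stamp, e.g. 29/Aug/2009:05:21:00 +0300 (zone dropped)
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        return ts, m["ip"], "web-exploit-probe"
    return None

class Filter:
    """Per-IP hit tracking plus the rule insert / weed decisions."""

    def __init__(self, threshold=3, max_age=timedelta(hours=1), ignore=("127.0.0.0/8",)):
        self.threshold = threshold
        self.max_age = max_age                  # plays the role of FILTER_MAX_AGE
        self.ignore = [ipaddress.ip_network(n) for n in ignore]
        self.hits = {}                          # ip -> timestamps of hostile events
        self.blocked = set()                    # ips that currently have a DROP rule
        self.actions = []                       # iptables commands issued, in order

    def feed(self, line):
        """Process one log line; returns the offending IP, or None."""
        event = classify(line)
        if event is None:
            return None
        ts, ip, reason = event
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None                         # malformed address: never build a rule from it
        if any(addr in net for net in self.ignore):
            return None                         # never lock out loopback / trusted nets
        self.hits.setdefault(ip, []).append(ts)
        if ip not in self.blocked and len(self.hits[ip]) >= self.threshold:
            self.blocked.add(ip)
            self.actions.append(f"iptables -I INPUT -s {ip} -j DROP  # {reason}")
        return ip

    def weed(self, now):
        """Forget hits older than max_age; unblock IPs left without recent hits."""
        removed = []
        for ip in list(self.hits):
            self.hits[ip] = [t for t in self.hits[ip] if now - t <= self.max_age]
            if not self.hits[ip]:
                del self.hits[ip]               # this pruning is what bounds memory
                if ip in self.blocked:
                    self.blocked.discard(ip)
                    self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")
                    removed.append(ip)
        return removed

    def report(self):
        """Plaintext status lines, one per tracked IP, newest hit first."""
        rows = sorted(self.hits.items(), key=lambda kv: max(kv[1]), reverse=True)
        return [f"{ip:<15} hits={len(ts):<3} last={max(ts):%Y-%m-%d %H:%M:%S} "
                f"{'BLOCKED' if ip in self.blocked else 'watch'}" for ip, ts in rows]

SAMPLE_LINES = [  # constructed for this example; addresses are documentation ranges
    "Aug 29 05:20:01 host sshd[4711]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2",
    "Aug 29 05:20:03 host sshd[4711]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2",
    "Aug 29 05:20:05 host sshd[4712]: Accepted publickey for ccr from 192.0.2.10 port 50000 ssh2",
    "Aug 29 05:20:06 host sshd[4713]: Failed password for root from 203.0.113.7 port 40124 ssh2",
    '198.51.100.23 - - [29/Aug/2009:05:21:00 +0300] "GET /index.php?page=http://198.51.100.23/x.txt? HTTP/1.1" 404 213',
    '198.51.100.23 - - [29/Aug/2009:05:21:01 +0300] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 403 198',
    '192.0.2.10 - - [29/Aug/2009:05:21:02 +0300] "GET /index.html HTTP/1.1" 200 512',
]

def run_sample():
    """Feed the sample lines, then weed at 06:00 (nothing aged out) and 07:00 (all)."""
    f = Filter(threshold=3, max_age=timedelta(hours=1))
    for line in SAMPLE_LINES:
        f.feed(line)
    result = {"blocked": set(f.blocked), "report": f.report()}
    result["weeded_early"] = f.weed(datetime(2009, 8, 29, 6, 0, 0))
    result["weeded_late"] = f.weed(datetime(2009, 8, 29, 7, 0, 0))
    result.update(actions=f.actions, remaining=dict(f.hits))
    return result
```

Two design points matter for any log-driven blocker of this kind. The
address that ends up in a firewall rule is taken from attacker-influenced
text, so the patterns are anchored to sshd's fixed fields and to the CLF
layout rather than grabbing the first "from <ip>" that appears; a line that
does not fit exactly is ignored, and the address is validated and checked
against an ignore list before a rule is built so the host cannot lock
itself out. The weeding step is also what keeps the per-IP hit history
bounded, which is the same trade-off the memory section below describes
for FILTER_MAX_AGE and GLOBAL_MAX_AGE.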


Requirements
============

 - Perl 5.8 or later
 - Date::Parse (libtimedate-perl)
 - Net::IP (libnet-ip-perl)
 - Net::DNS (libnet-dns-perl)
 - LWP::UserAgent (libwww-perl)


Memory requirement considerations
=================================
Because Maltfilter is written in Perl, it (or rather the Perl interpreter
it is running under) tends not to return allocated memory to the operating
system. This is NOT a memory leak per se, but a property of Perl's memory
allocator: memory that has been freed is kept and reused for other
structures when needed, so the VIRT figure shown by top(1) rises in steps
and seldom shrinks.

However, there may be situations (none that I have experienced myself as
of yet, but as usual anything is possible) where Maltfilter's memory
consumption rises to an unbearable level. On high-volume servers it may be
useful to restart the daemon periodically (a complete restart, not a reload
via SIGHUP) to free the memory.

It also helps to lower the FILTER_MAX_AGE and GLOBAL_MAX_AGE configuration
settings, so that less data is held in memory at any one time.


Installation
============
Copy the maltfilter script to /usr/sbin and set its permissions (this and
the following steps must be run as root):

$ cp maltfilter /usr/sbin/maltfilter
$ chmod 755 /usr/sbin/maltfilter
$ chown root:root /usr/sbin/maltfilter

Copy the example configuration under /etc. You probably do not want the
configuration to be readable by regular users, so the example below sets
mode 600 on it:

$ cp example.conf /etc/maltfilter.conf
$ chmod 600 /etc/maltfilter.conf
$ chown root:root /etc/maltfilter.conf


Optional
========
Additionally, you can set up the provided Debian-style init script:

$ cp example.init /etc/init.d/maltfilter
$ chmod 755 /etc/init.d/maltfilter
$ chown root:root /etc/init.d/maltfilter

You need to edit the script if you did not install the configuration and
maltfilter to the paths described in the Installation section.

A simple example CSS stylesheet for the HTML reports is also provided for
your convenience.


Configuration and usage
=======================
See example.conf for documentation of the settings. Start maltfilter
either via the init script or from the command line, giving the pidfile
and the configuration file as arguments:

$ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf

If you want to use the init script, you also need to enable it in your
runlevel settings; on Debian/Ubuntu you can do this with rcconf(8),
update-rc.d(8) or chkconfig(8).


Reports
=======
Automatic report generation can be enabled in the configuration. You can
also run a "full" report generation with the "-f" option; in this special
mode no automatic weeding is performed, so more data is shown.