view README @ 57:a70493b6c916

Clear %statlist and %ignorelist when re-initializing (due to HUP), so we don't count stats twice.
author Matti Hamalainen <ccr@tnsp.org>
date Sun, 16 Aug 2009 22:14:48 +0300
parents 30a5b56b753e
children 8b33436dd18b

Malicious Attack Livid Termination Filter daemon (maltfilter) v0.13.1
=====================================================================
Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org>
(C) Copyright 2009 Tecnic Software productions (TNSP)

Distributed under the modified ("3-clause") BSD license. Please see
included file COPYING for more information.

About
=====
Automagic management script that adds and removes Netfilter/iptables
filtering rules based on continuous logfile parsing for certain break-in
and exploitation scanning attempts.

The maltfilter daemon script continuously scans various system logfiles
(auth.log, httpd logs, etc.) for signs of malicious connections, such as
break-in and exploitation attempts. The originating IP addresses of
these connections are then blocked via Netfilter (iptables).
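The loop described above (parse log lines, count attempts per source IP, skip
addresses on an ignore list, and emit a blocking rule once a threshold is
reached) as an added illustration in Python; this is not maltfilter's own
code, which is Perl, and the log lines, addresses, threshold and ignored
network are constructed for the example. It also shows why per-IP statistics
must be cleared when the scanner is re-initialised, which is what the commit
this page shows fixes: re-reading the same log without a reset counts every
attempt twice. Rules are returned as strings (dry run) rather than executed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample auth.log lines (hypothetical hostname and addresses).
SAMPLE_LOG = """\
Aug 16 22:01:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 16 22:01:05 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Aug 16 22:01:09 host sshd[1240]: Failed password for root from 203.0.113.7 port 51240 ssh2
Aug 16 22:02:11 host sshd[1250]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Aug 16 22:03:40 host sshd[1260]: Failed password for invalid user test from 198.51.100.9 port 40010 ssh2
Aug 16 22:04:00 host sshd[1270]: Failed password for invalid user oracle from 10.0.0.5 port 40020 ssh2
"""

# Matches OpenSSH failed-password lines; group 1 is the user, group 2 the source IP.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

# Networks that are never blocked (e.g. a management LAN); constructed value.
IGNORE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Number of failed attempts from one address before it gets blocked (assumed).
THRESHOLD = 3


def parse_failures(text):
    """Yield (ip, username) for every failed-login line in the text."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(2), m.group(1)


def is_ignored(ip):
    """True if the address falls inside one of the ignored networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNORE_NETS)


class Scanner:
    def __init__(self):
        self.reset()

    def reset(self):
        # Re-initialising (as on SIGHUP) must clear the per-IP statistics;
        # otherwise re-reading the log from the start double-counts attempts.
        self.stats = Counter()
        self.blocked = set()

    def scan(self, text):
        """Accumulate failed attempts per IP; return IPs at or over threshold."""
        for ip, _user in parse_failures(text):
            if is_ignored(ip):
                continue
            self.stats[ip] += 1
        return {ip for ip, n in self.stats.items() if n >= THRESHOLD}

    def block_rules(self, text):
        """Return the iptables commands for newly blocked IPs (dry run)."""
        rules = []
        for ip in sorted(self.scan(text)):
            if ip not in self.blocked:
                self.blocked.add(ip)
                rules.append(f"iptables -I INPUT -s {ip} -j DROP")
        return rules


if __name__ == "__main__":
    scanner = Scanner()
    for rule in scanner.block_rules(SAMPLE_LOG):
        print(rule)
```

Running the block prints one DROP rule for 203.0.113.7 (three failures);
198.51.100.9 stays below the threshold and 10.0.0.5 is skipped by the ignore
list. Calling `scan` a second time on the same text without `reset` doubles
every counter, which is exactly the double-counting the commit message on this
page talks about.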

Requirements:

 - Perl 5.8 or later
 - Date::Parse (libtimedate-perl)
 - Net::IP (libnet-ip-perl)


Installation
============
Copy maltfilter script to /usr/sbin and set permissions

$ cp maltfilter /usr/sbin/maltfilter
$ chmod 755 /usr/sbin/maltfilter
$ chown root:root /usr/sbin/maltfilter

Copy the example configuration under /etc (you may not want the
configuration to be readable by regular users, so the example below
sets mode 600 on it.)

$ cp example.conf /etc/maltfilter.conf
$ chmod 600 /etc/maltfilter.conf
$ chown root:root /etc/maltfilter.conf


Optional
========
Additionally you can set up the provided Debian style init script:

$ cp example.init /etc/init.d/maltfilter
$ chmod 755 /etc/init.d/maltfilter
$ chown root:root /etc/init.d/maltfilter

You need to edit the script if you did not install the configuration
and maltfilter to the paths described in the installation section.

Also a simple example HTML CSS stylesheet is provided for your convenience.


Configuration and usage
=======================
See example.conf for documentation about settings.
Start maltfilter either via the init script or through commandline:

$ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf

If you want to use the init script, you need to edit your init runlevel
settings to enable it, for example in Debian/Ubuntu you can use rcconf(8)
or chkconfig(8).


Reports
=======
Automatic report generation can be enabled from configuration.
You can also run "full" report generation via the "-f" option. In this
special mode no automatic weeding is performed, so more data is shown.