view README @ 65:d2e2b82dd2f2
Work on DroneBL support.

author: Matti Hamalainen <ccr@tnsp.org>
date: Tue, 18 Aug 2009 00:43:10 +0300
parents: 8b33436dd18b
children: 42889eed0ce8
Malicious Attack Livid Termination Filter daemon (maltfilter) v0.15.0
=====================================================================
Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org>
(C) Copyright 2009 Tecnic Software productions (TNSP)

Distributed under the modified ("3-clause") BSD license.
Please see included file COPYING for more information.

About
=====
The maltfilter daemon script continuously scans various system logfiles,
including auth.log, httpd logs, etc., for signs of malicious connections,
break-in and exploitation attempts. The originating IP addresses of these
connections are then blocked via Netfilter (iptables).

Additionally, maltfilter can generate status reports (either continuously
in daemon mode, or as a once-run report) in plaintext and HTML formats,
and submit data to the DroneBL DNSBL service.

Since v0.14, there is also an option for gathering "evidence" about certain
PHP XSS exploit attempts into a specified directory. These evidence files
include the attempted exploit code (if found) and the hosts which have
tried to make your server run it.

Requirements:
- Perl 5.8 or later
- Date::Parse (libtimedate-perl)
- Net::IP (libnet-ip-perl)
- Net::DNS (libnet-dns-perl)
- LWP::UserAgent (libwww-perl)

Installation
============
Copy the maltfilter script to /usr/sbin and set permissions:

$ cp maltfilter /usr/sbin/maltfilter
$ chmod 755 /usr/sbin/maltfilter
$ chown root:root /usr/sbin/maltfilter

Copy the example configuration under /etc. You may not want the
configuration to be readable by regular users, so the example below sets
mode 600 on it:

$ cp example.conf /etc/maltfilter.conf
$ chmod 600 /etc/maltfilter.conf
$ chown root:root /etc/maltfilter.conf

Optional
========
Additionally, you can set up the provided Debian-style init script:

$ cp example.init /etc/init.d/maltfilter
$ chmod 755 /etc/init.d/maltfilter
$ chown root:root /etc/init.d/maltfilter

You need to edit the script if you did not install the configuration and
maltfilter to the paths described in the installation section.

A simple example HTML CSS stylesheet is also provided for your convenience.

Configuration and usage
=======================
See example.conf for documentation about the settings.

Start maltfilter either via the init script or from the command line:

$ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf

If you want to use the init script, you need to edit your init runlevel
settings to enable it; for example, in Debian/Ubuntu you can use rcconf(8)
or chkconfig(8).

Reports
=======
Automatic report generation can be enabled from the configuration. You can
also run "full" report generation via the "-f" option. In this special
mode, no automatic weeding is performed, resulting in more data being shown.
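The scan-then-block loop described under About, as an added Python sketch (maltfilter itself is a Perl script; this is not the project's code): it counts failed sshd logins per source address in a constructed auth.log excerpt, skips a whitelisted admin network so an auto-blocker cannot lock out its own operator, and renders the resulting iptables rules as strings instead of executing them. The sshd line format, the threshold of 3 and the whitelist network are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample auth.log excerpt (documentation IP ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
Aug 18 00:40:01 host sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Aug 18 00:40:03 host sshd[2212]: Failed password for root from 192.0.2.10 port 51236 ssh2
Aug 18 00:40:05 host sshd[2213]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2
Aug 18 00:41:10 host sshd[2220]: Accepted publickey for ccr from 198.51.100.7 port 40000 ssh2
Aug 18 00:42:00 host sshd[2230]: Failed password for root from 203.0.113.5 port 33000 ssh2
Aug 18 00:42:30 host sshd[2231]: Failed password for root from 198.51.100.9 port 33010 ssh2
Aug 18 00:42:31 host sshd[2232]: Failed password for root from 198.51.100.9 port 33011 ssh2
Aug 18 00:42:32 host sshd[2233]: Failed password for root from 198.51.100.9 port 33012 ssh2
"""

# Matches sshd failed-password lines and captures the originating IPv4 address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_login_ips(log_text):
    """Count failed sshd password attempts per source IP (Counter of ip -> count)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, threshold=3, whitelist=()):
    """Sources at or above the threshold, excluding any inside a whitelisted network."""
    # The whitelist check keeps a mistyped admin password from blocking the admin.
    nets = [ipaddress.ip_network(n) for n in whitelist]
    result = []
    for ip, n in counts.items():
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in nets):
            result.append(ip)
    return sorted(result)


def iptables_block_rules(ips, chain="INPUT"):
    """Render iptables DROP rules for the offenders (returned as strings, not executed)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]
```

Running `iptables_block_rules(offenders(failed_login_ips(SAMPLE_AUTH_LOG), whitelist=["198.51.100.0/24"]))` yields a single rule for 192.0.2.10; the three failures from the whitelisted 198.51.100.9 are counted but never blocked.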