view example.conf @ 91:d8d8cd36e201

Update configuration.
author Matti Hamalainen <ccr@tnsp.org>
date Sun, 30 Aug 2009 22:39:26 +0300
parents 532169789f52
children 1cbefe9c26c1

#############################################################################
### Maltfilter configuration file.
### PLEASE READ THROUGH THIS FILE VERY CAREFULLY!
###
### Format: one "KEY = value" per line, "#" starts a comment. Some keys
### (NOACTION_IPS, SCANFILE) may be given several times to list several
### values. Commented-out settings show their default or an example value.
#############################################################################

#############################################################################
### General settings
#############################################################################
## Verbosity level (0 = quiet, bigger values add noise. valid range 0 - 4)
VERBOSITY = 3

## Dry-run: 1 = disables daemonization/forking to background, disables
## modification of netfilter via iptables, printing the iptables commands
## to stdout instead and DroneBL submissions will be disabled.
## NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE!
## Suggested workflow: keep DRY_RUN = 1 on a new installation and review
## the printed iptables commands before letting Maltfilter touch the firewall.
DRY_RUN = 1

## Maltfilter logfile path and name (set empty "" if you don't want logging)
## The path must be writable by the user Maltfilter runs as (presumably the
## same effective UID mentioned under EVIDENCE_DIR below; confirm).
LOGFILE = "/var/log/maltfilter"

## IP addresses that should NOT be blocked under any circumstances. You should
## set this if you wish to have a surefire open channel from some host, even in
## the case someone tries to spoof IPs for denial of service.
##
## Add the address(es) you administer this host from BEFORE enabling FILTER:
## a mistyped password can otherwise get you blocked (see CHK_ROOT_SSH_PWD).
##
## NOTICE! This setting supports only IPv4 addresses and address ranges, no
## IPv6 or DNS names. You can have any number of NOACTION_IPS settings.
#NOACTION_IPS = "192.121.86.15"
#NOACTION_IPS = "74.125.45.100"

## Also ranges defined via CIDR notation can be used:
#NOACTION_IPS = "213.129.224.0/19"

## For how many hours to keep general information about an IP. Affects how
## long a period the statistics dump shows data for. Also hitcount thresholds
## take the old data into account, meaning that if FILTER_MAX_AGE < GLOBAL_MAX_AGE
## hit data older than FILTER_MAX_AGE will still be counted towards the
## threshold (FILTER_THRESHOLD).
#GLOBAL_MAX_AGE = 336

## System passwd file location (default is /etc/passwd), this file
## is checked to figure out system account names (only the names are
## needed). See also SYSACCT_* settings below.
#PASSWD = "/etc/passwd"

## Set range of system account UIDs here, default is 1-999.
## Root account is handled by CHK_ROOT_SSH_PWD check.
#SYSACCT_MIN_UID     = 1
#SYSACCT_MAX_UID     = 999


#############################################################################
### Netfilter actions
#############################################################################
## 0 = Netfilter handling disabled. Leave this at 0 until NOACTION_IPS is
## set and the dry-run output looks sane.
FILTER = 0

## Full path to iptables binary. Keep this an absolute path so the binary
## is not looked up via PATH.
IPTABLES = "/sbin/iptables"

## How many "hits" the IP needs until it is eligible to be filtered.
## (the "hits" can be from any check, e.g. sshd crack, httpd, etc.)
FILTER_THRESHOLD = 3

## Weeding threshold in hours. Entries older than this will be removed
## off from current netfilter settings. Also, entries older than this
## will not be added to netfilter to begin with.
FILTER_MAX_AGE = 168

## Target iptables target for added entries, default is DROP, but you
## can use whatever rule chain name you want to here.
## (Presumably passed to iptables as the jump target, so a custom chain
## must already exist in FILTER_TABLE — confirm in the script.)
FILTER_TARGET = "DROP"

## Netfilter rule chain to add/remove rules to/from.
#FILTER_CHAIN = "INPUT"

## Netfilter table to add/remove rules to/from.
#FILTER_TABLE = "filter"


#############################################################################
### Logfiles
#############################################################################
## Define system log files to scan. Only auth.log and Apache errorlog /
## common log format files are supported for now. You can have as many
## SCANFILE settings as you wish.
SCANFILE = "/var/log/auth.log"
SCANFILE = "/var/log/httpd/error.log"
SCANFILE = "/var/log/httpd/access.log"

## SCANFILE_ONCE is like SCANFILE setting, but these files are only
## parsed through once, and are NOT followed for changes in "tail -f"
## style as SCANFILEs are. This is useful if you want to include data
## from logrotated files. (Notice that gzip compressed files are not supported.)
SCANFILE_ONCE = "/var/log/auth.log.1"


#############################################################################
### Checks / tests
#############################################################################
## Enabled checks (1 = enabled, 0 = disabled). Please read the test
## descriptions from "check_log_line" function in the maltfilter script.

# (1) SSHD scans
## (1.1) Generic login scan attempts.
## Bruteforce attempts of login/password combinations lead to lots of
## "Failed password for invalid user" errors. This check catches them.
CHK_SSHD            = 1

## (1.2) Root account SSH login password bruteforcing attempts.
## This check catches failed password logins for root account.
##
## NOTICE! Do not enable this setting, if you allow SSH root logins via
## password authentication! Mistyping password may get you blocked unless
## your host IP is defined in NOACTION_IPS. If you wish to enable this
## check, you should set "PermitRootLogin" to "without-password" or "no"
## in your sshd_config.
CHK_ROOT_SSH_PWD    = 0

## (1.3) System account SSH login password bruteforcing attempts.
## Catches failed password logins for system accounts.
##
## NOTICE! If you enable this setting, make sure you have defined safe
## host IPs in NOACTION_IPS, and that your system DOES NOT have passwords
## for system accounts .. which would be stupid anyway.
CHK_SYSACCT_SSH_PWD = 0


# (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin)
# NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have
# any or some of these installed. Preferably none, or use uncommon
# paths and prefixes.
CHK_KNOWN_CGI       = 1


# (3) Apache common logging format checks
## With CHK_GOOD_HOSTS setting you can define hostnames and IPs
## which do not cause section (3) checks to trigger. For example
## if your website uses local URL pointers, you should define
## the hostname(s) and IPs here.
## NOTE(review): the example is a "|"-separated list, which looks like a
## regex alternation; if so, an unescaped "." matches any character and
## a short pattern may whitelist more hosts than intended — confirm in
## the script before relying on it.
#CHK_GOOD_HOSTS      = "example.org|google.com|74.125.45.100"

## (3.1) Simple match for generic PHP XSS vulnerability scans
##
## NOTICE! If your site genuinely uses (checked) PHP parameters with
## URIs, you should set CHK_GOOD_HOSTS to match your hostname(s)/IP(s)
## used in the URIs.
CHK_PHP_XSS         = 1

## (3.2) Try to match proxy scanning attempts
## Certain attempts to find open HTTP proxies are caught by this check.
CHK_PROXY_SCAN      = 1


#############################################################################
### Reports
#############################################################################
## Define files for periodically updated status reports (refreshed once
## every few minutes.) Leave empty ("") or commented if you do not want
## status reports.
##
## The example paths below are under /var/www. If that directory is served
## by your web server, the reports (IP addresses, hit counts, times) become
## public; choose the location deliberately.

## Plain ASCII text file report
#STATUS_FILE_PLAIN = "/var/www/maltstatus.txt"

## HTML file and optional CSS stylesheet URL for the HTML
## (if left empty/unset, CSS will not be linked from the HTML file.)
## NOTE(review): the addresses and URIs shown in the HTML report come from
## the scanned logs, i.e. from remote clients; confirm the script escapes
## them before embedding if you publish the report.
#STATUS_FILE_HTML = "/var/www/maltstatus.html"
#STATUS_FILE_CSS = "cool.css"

## URL for a web-based WHOIS service. This URL will be used for creating
## href links of the IP addresses. Default is whois.domaintools.com. Set
## empty if you don't want links. Every IP link in the report points to
## this service, so use one you trust.
#WHOIS_URL = "http://whois.domaintools.com/"


## If disabled (0), instead of full timestamps, first/last hit times
## will be printed as "W weeks, D days, H hours ago." etc.
#FULL_TIME           = 1


#############################################################################
### Evidence gathering
#############################################################################
## By enabling EVIDENCE=1 and setting EVIDENCE_DIR to existing directory
## writable by the effective UID which Maltfilter runs as, it will be
## populated by *.info, *.data and *.hosts files. If successfully retrieved,
## .data files will have contents of the attempted XSS URI. *.hosts files
## list which hosts have attempted to exploit this specific URI. *.info
## contain generic information and HTTP headers.
##
## The .data and .info files hold content supplied by the remote client.
## Treat them as untrusted data: keep the directory out of any served
## web root and do not open .data files in a browser.

EVIDENCE            = 0
EVIDENCE_DIR        = "/var/run/malt-evidence"


#############################################################################
### DroneBL submissions
#############################################################################
## Maltfilter can automatically submit entries to DroneBL DNSBL service.
## See <http://www.dronebl.org/> for more information.

## 0 = submission disabled, otherwise enabled
DRONEBL              = 0

## Number of hits required before host IP goes to submission queue.
## This setting is independent of the general FILTER_THRESHOLD value and
## only affects DroneBL submissions.
DRONEBL_THRESHOLD    = 5

## Maximum age of hits counted towards DroneBL submission threshold.
## NOTICE! This value is in _minutes_ (FILTER_MAX_AGE and GLOBAL_MAX_AGE
## are in hours)!
DRONEBL_MAX_AGE      = 60

## Your personal RPC key. This _MUST_ be set to a valid value, if you
## have enabled submissions. To get a personal key, go to:
## http://www.dronebl.org/rpckey_signup
## This key is a credential: once set, restrict read permissions on this
## configuration file to the user Maltfilter runs as, and do not paste
## the file verbatim into bug reports.
DRONEBL_RPC_KEY      = ""

## RPC2 submission URI, usually you do not need to change this.
## NOTE(review): the default is plain http://, so the RPC key presumably
## travels unencrypted unless the service redirects to HTTPS — check
## whether an https:// URI is accepted.
#DRONEBL_RPC_URI      = "http://dronebl.org/RPC2"

## Number of errors tolerated in submission / HTTP connection
## before submissions are suspended.
#DRONEBL_MAX_ERRORS   = 5

## Number of Maltfilter maintenance "rounds" to suspend submissions for.
## Currently maintenances happen approximately every 60 seconds.
## Thus value of 10 would mean suspending for about 10 minutes.
## (the times are not exact, because maintenances include operations
## which vary in duration.)
#DRONEBL_SUSPEND      = 10