README @ 49:13e6507ec1bb (maltfilter-0.12.2, tag v0.12.2)

author:   Matti Hamalainen <ccr@tnsp.org>
date:     Sun, 16 Aug 2009 02:55:37 +0300
parents:  f6af53354c17
children: 8cfb71b296da
Malicious Attack Livid Termination Filter daemon (maltfilter) v0.12.2
=====================================================================
Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org>
(C) Copyright 2009 Tecnic Software productions (TNSP)

Distributed under the modified ("3-clause") BSD license.
Please see included file COPYING for more information.


About
=====
Automagic management script for adding and removing Netfilter/iptables
filtering rules based on continuous logfile parsing for certain break-in
and exploitation scanning attempts.

The maltfilter daemon script continuously scans various system logfiles,
including auth.log, httpd logs, etc., for signs of malicious connections:
break-in and exploitation attempts. The originating IP addresses of these
connections are then blocked via Netfilter (iptables).

Requirements:
- Perl 5.8 or later
- Date::Parse (libtimedate-perl)
- Net::IP (libnet-ip-perl)


Installation
============
Copy the maltfilter script to /usr/sbin and set permissions:

  $ cp maltfilter /usr/sbin/maltfilter
  $ chmod 755 /usr/sbin/maltfilter
  $ chown root:root /usr/sbin/maltfilter

Copy the example configuration under /etc (you may not want to have the
configuration readable to regular users, so the example below sets mode
600 on it):

  $ cp example.conf /etc/maltfilter.conf
  $ chmod 600 /etc/maltfilter.conf
  $ chown root:root /etc/maltfilter.conf


Optional
========
Additionally you can set up the provided Debian-style init script:

  $ cp example.init /etc/init.d/maltfilter
  $ chmod 755 /etc/init.d/maltfilter
  $ chown root:root /etc/init.d/maltfilter

You need to edit the script if you did not install the configuration and
maltfilter to the paths described in the Installation section.

A simple example HTML CSS stylesheet is also provided for your convenience.


Configuration and usage
=======================
See example.conf for documentation about settings.

Start maltfilter either via the init script or through the command line:

  $ maltfilter /var/run/maltfilter.pid /etc/maltfilter.conf

If you want to use the init script, you need to edit your init runlevel
settings to enable it; for example, in Debian/Ubuntu you can use rcconf(8)
or chkconfig(8).


Reports
=======
Automatic report generation can be enabled from the configuration. You can
also run "full" report generation via the "-f" option; in this special mode
no automatic weeding is performed, resulting in more data being shown.
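The About section describes the core loop maltfilter implements in Perl: parse a logfile, pick out source addresses that show repeated break-in attempts, and turn them into Netfilter rules. The following POSIX shell script is an added illustration of that idea, written for this page; it is not maltfilter's own code and is not a substitute for it. It assumes sshd "Failed password ... from <ip> port ..." log lines, an illustrative threshold and chain name (MALTFILTER), and it only prints the iptables commands it would run instead of executing them. The sample auth.log excerpt is constructed. Timestamp-based weeding (what maltfilter uses Date::Parse for) and Net::IP address handling are not modelled.

```shell
#!/bin/sh
# Added illustration of log-driven blocking (not maltfilter's own code).
# Assumption: sshd-style syslog lines; addresses below are constructed.

# Count failed SSH logins per source address in a logfile.
# Prints "<count> <ip>" per line, highest count first.
count_failed_logins() {
    # $1 = path to logfile
    grep 'Failed password' "$1" \
      | sed -n 's/.* from \([0-9.][0-9.]*\) port.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Print only the addresses whose failure count reached the threshold.
select_offenders() {
    # $1 = logfile, $2 = threshold (number of failed logins)
    count_failed_logins "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Build, but do not execute, the iptables rules a blocker would insert.
# A real daemon would also record the time of the last hit so the rule
# can be weeded out again later.
build_block_rules() {
    # $1 = logfile, $2 = threshold, $3 = chain name (assumed: MALTFILTER)
    select_offenders "$1" "$2" | while read -r ip; do
        printf 'iptables -I %s -s %s -j DROP\n' "$3" "$ip"
    done
}

# Constructed sample auth.log excerpt (documentation addresses, not real).
write_sample_log() {
    # $1 = path to write
    cat > "$1" <<'EOF'
Aug 16 02:50:01 host sshd[1234]: Failed password for root from 192.0.2.10 port 40001 ssh2
Aug 16 02:50:03 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Aug 16 02:50:05 host sshd[1236]: Failed password for root from 192.0.2.10 port 40003 ssh2
Aug 16 02:51:00 host sshd[1240]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Aug 16 02:51:30 host sshd[1241]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
EOF
}

# Demonstration: one address crosses the threshold of 3, the other does not.
demo_log="${TMPDIR:-/tmp}/maltfilter-demo.$$"
write_sample_log "$demo_log"
echo "Failed logins per address:"
count_failed_logins "$demo_log"
echo "Rules that would be inserted (threshold 3):"
build_block_rules "$demo_log" 3 MALTFILTER
rm -f "$demo_log"
```

The threshold is the knob that separates a user mistyping a password once from a scanner; a single failure from 198.51.100.7 is left alone, while three from 192.0.2.10 produce a DROP rule. In a daemon the rule would be tagged with its insertion time so that the periodic weeding pass can remove it again, which is the part of maltfilter's design this sketch leaves out.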