Add support for FILTER_CHAIN and FILTER_TABLE settings.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Sun, 30 Aug 2009 23:06:58 +0300 |
parents | d8d8cd36e201 |
children | 1cbefe9c26c1 |
#############################################################################
### Maltfilter configuration file.
### PLEASE READ THROUGH THIS FILE VERY CAREFULLY!
###
### Settings prefixed with a single "#" are commented out; the value shown
### after the "#" is an example (or, where the comment says so, the default).
#############################################################################

#############################################################################
### General settings
#############################################################################

## Verbosity level (0 = quiet, bigger values add noise. valid range 0 - 4)
VERBOSITY = 3

## Dry-run: 1 = disables daemonization/forking to background, disables
## modification of netfilter via iptables, printing the iptables commands
## to stdout instead, and DroneBL submissions will be disabled.
## NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE!
## Keep it at 1 while you review the generated iptables commands for a
## new installation, so that a misconfigured check cannot lock you out.
DRY_RUN = 1

## Maltfilter logfile path and name (set empty "" if you don't want logging)
LOGFILE = "/var/log/maltfilter"

## IP addresses that should NOT be blocked under any circumstances. You should
## set this if you wish to have a surefire open channel from some host, even in
## the case someone tries to spoof IPs for denial of service. Put the address
## of the host you administer this machine from here before enabling FILTER.
##
## NOTICE! This setting supports only IPv4 addresses and address ranges, no
## IPv6 or DNS names. You can have any number of NOACTION_IPS settings.
#NOACTION_IPS = "192.121.86.15"
#NOACTION_IPS = "74.125.45.100"

## Also ranges defined via CIDR notation can be used:
#NOACTION_IPS = "213.129.224.0/19"

## For how many hours to keep general information about an IP. Affects how
## long a period the statistics dump shows data for. Hit-count thresholds
## also take the old data into account, meaning that if FILTER_MAX_AGE <
## GLOBAL_MAX_AGE, hit data older than FILTER_MAX_AGE will still be counted
## towards FILTER_THRESHOLD (see "Netfilter actions" below).
#GLOBAL_MAX_AGE = 336

## System passwd file location (default is /etc/passwd), this file
## is checked to figure out system account names. See also SYSACCT_*
## settings below.
#PASSWD = "/etc/passwd"

## Set range of system account UIDs here, default is 1-999.
## Root account is handled by the CHK_ROOT_SSH_PWD check instead.
#SYSACCT_MIN_UID = 1
#SYSACCT_MAX_UID = 999

#############################################################################
### Netfilter actions
#############################################################################

## 0 = Netfilter handling disabled (hits are still counted and reported,
## only the iptables rule manipulation is skipped)
FILTER = 0

## Full path to iptables binary
IPTABLES = "/sbin/iptables"

## How many "hits" the IP needs until it is eligible to be filtered.
## (the "hits" can be from any check, e.g. sshd crack, httpd, etc.)
## Hits retained under GLOBAL_MAX_AGE count here even if they are older
## than FILTER_MAX_AGE.
FILTER_THRESHOLD = 3

## Weeding threshold in hours. Entries older than this will be removed
## from the current netfilter settings. Also, entries older than this
## will not be added to netfilter to begin with.
FILTER_MAX_AGE = 168

## iptables target for added entries, default is DROP, but you can use
## whatever rule chain name you want to here. A user-defined chain must
## already exist in FILTER_TABLE, since iptables refuses a rule that
## jumps to a chain which does not exist.
FILTER_TARGET = "DROP"

## Netfilter rule chain to add/remove rules to/from.
## (The commented-out value is presumably the built-in default; confirm
## against the maltfilter script.)
#FILTER_CHAIN = "INPUT"

## Netfilter table to add/remove rules to/from.
## (The commented-out value is presumably the built-in default; confirm
## against the maltfilter script.)
#FILTER_TABLE = "filter"

#############################################################################
### Logfiles
#############################################################################

## Define system log files to scan. Only auth.log and Apache errorlog /
## common log format files are supported for now. You can have as many
## SCANFILE settings as you wish.
SCANFILE = "/var/log/auth.log"
SCANFILE = "/var/log/httpd/error.log"
SCANFILE = "/var/log/httpd/access.log"

## SCANFILE_ONCE is like the SCANFILE setting, but these files are only
## parsed through once, and are NOT followed for changes in "tail -f"
## style as SCANFILEs are. This is useful if you want to include data
## from logrotated files. (Notice that gzip compressed files are not supported.)
SCANFILE_ONCE = "/var/log/auth.log.1"

#############################################################################
### Checks / tests
#############################################################################

## Enabled checks (1 = enabled, 0 = disabled). Please read the test
## descriptions from the "check_log_line" function in the maltfilter script.

# (1) SSHD scans

## (1.1) Generic login scan attempts.
## Bruteforce attempts of login/password combinations lead to lots of
## "Failed password for invalid user" errors. This check catches them.
CHK_SSHD = 1

## (1.2) Root account SSH login password bruteforcing attempts.
## This check catches failed password logins for the root account.
##
## NOTICE! Do not enable this setting if you allow SSH root logins via
## password authentication! Mistyping a password may get you blocked unless
## your host IP is defined in NOACTION_IPS. If you wish to enable this
## check, you should set "PermitRootLogin" to "without-password" or "no"
## in your sshd_config.
CHK_ROOT_SSH_PWD = 0

## (1.3) System account SSH login password bruteforcing attempts.
## Catches failed password logins for system accounts (UIDs in the
## SYSACCT_MIN_UID - SYSACCT_MAX_UID range, names read from PASSWD).
##
## NOTICE! If you enable this setting, make sure you have defined safe
## host IPs in NOACTION_IPS, and that your system DOES NOT have passwords
## for system accounts .. which would be stupid anyway.
CHK_SYSACCT_SSH_PWD = 0

# (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin)
# NOTICE! This matches the ERRORLOG, thus it only works if you DO NOT have
# any or some of these installed. Preferably none, or use uncommon
# paths and prefixes. If you do run one of them under its default path,
# legitimate users of it would otherwise accumulate hits.
CHK_KNOWN_CGI = 1

# (3) Apache common logging format checks
## With the CHK_GOOD_HOSTS setting you can define hostnames and IPs
## which do not cause section (3) checks to trigger. For example
## if your website uses local URL pointers, you should define
## the hostname(s) and IPs here.
#CHK_GOOD_HOSTS = "example.org|google.com|74.125.45.100"

## (3.1) Simple match for generic PHP XSS vulnerability scans
##
## NOTICE! If your site genuinely uses (checked) PHP parameters with
## URIs, you should set CHK_GOOD_HOSTS to match your hostname(s)/IP(s)
## used in the URIs.
CHK_PHP_XSS = 1

## (3.2) Try to match proxy scanning attempts
## Certain attempts to find open HTTP proxies are caught by this check.
CHK_PROXY_SCAN = 1

#############################################################################
### Reports
#############################################################################

## Define files for periodically updated status reports (refreshed once
## every few minutes.) Leave empty ("") or commented if you do not want
## status reports. The examples below place the reports under the web
## root, which publishes the hit data; use a non-public path if you do
## not want that.

## Plain ASCII text file report
#STATUS_FILE_PLAIN = "/var/www/maltstatus.txt"

## HTML file and optional CSS stylesheet URL for the HTML
## (if left empty/unset, CSS will not be linked from the HTML file.)
#STATUS_FILE_HTML = "/var/www/maltstatus.html"
#STATUS_FILE_CSS = "cool.css"

## URL for a web-based WHOIS service. This URL will be used for creating
## href links of the IP addresses. Default is whois.domaintools.com. Set
## empty if you don't want links.
#WHOIS_URL = "http://whois.domaintools.com/"

## If disabled (0), instead of full timestamps, first/last hit times
## will be printed as "W weeks, D days, H hours ago." etc.
#FULL_TIME = 1

#############################################################################
### Evidence gathering
#############################################################################

## By enabling EVIDENCE=1 and setting EVIDENCE_DIR to an existing directory
## writable by the effective UID which Maltfilter runs as, it will be
## populated by *.info, *.data and *.hosts files. If successfully retrieved,
## .data files will have the contents of the attempted XSS URI. *.hosts files
## list which hosts have attempted to exploit this specific URI. *.info
## files contain generic information and HTTP headers.
##
## The .data files hold content fetched from exploit attempts, so keep the
## directory readable only by trusted users and never serve it from the web
## root. Note also that /var/run is cleared at boot on many systems, so the
## directory may need to be recreated by your startup scripts.
EVIDENCE = 0
EVIDENCE_DIR = "/var/run/malt-evidence"

#############################################################################
### DroneBL submissions
#############################################################################

## Maltfilter can automatically submit entries to the DroneBL DNSBL service.
## See <http://www.dronebl.org/> for more information.

## 0 = submission disabled, otherwise enabled
DRONEBL = 0

## Number of hits required before a host IP goes to the submission queue.
## This setting is independent of the general FILTER_THRESHOLD value and
## only affects DroneBL submissions.
DRONEBL_THRESHOLD = 5

## Maximum age of hits counted towards the DroneBL submission threshold.
## NOTICE! This value is in _minutes_ (unlike FILTER_MAX_AGE, which is in hours)!
DRONEBL_MAX_AGE = 60

## Your personal RPC key. This _MUST_ be set to a valid value if you
## have enabled submissions. To get a personal key, go to:
## http://www.dronebl.org/rpckey_signup
## Once filled in, this file contains a credential: restrict its read
## permissions to the account Maltfilter runs as.
DRONEBL_RPC_KEY = ""

## RPC2 submission URI, usually you do not need to change this.
## (Presumably the RPC key is sent along with each submission; if the
## service offers an https:// endpoint, prefer it here.)
#DRONEBL_RPC_URI = "http://dronebl.org/RPC2"

## Number of errors tolerated in the submission / HTTP connection
## before submissions are suspended.
#DRONEBL_MAX_ERRORS = 5

## Number of Maltfilter maintenance "rounds" to suspend submissions for.
## Currently maintenances happen approximately every 60 seconds.
## Thus a value of 10 would mean suspending for about 10 minutes.
## (the times are not exact, because maintenances include operations
## which vary in duration.)
#DRONEBL_SUSPEND = 10