# HG changeset patch
# User Matti Hamalainen
# Date 1250486558 -10800
# Node ID 8b33436dd18b391fa4e5eaaaa984560be1f2a5f3
# Parent 38885f5f34f66f362450d97fa6d3a33b2145f594
Update example configuration and documentation.
diff -r 38885f5f34f6 -r 8b33436dd18b README
--- a/README Mon Aug 17 08:22:24 2009 +0300
+++ b/README Mon Aug 17 08:22:38 2009 +0300
@@ -1,4 +1,4 @@
-Malicious Attack Livid Termination Filter daemon (maltfilter) v0.13.1
+Malicious Attack Livid Termination Filter daemon (maltfilter) v0.14.0
 =====================================================================
 Programmed by Matti 'ccr' Hämäläinen
 (C) Copyright 2009 Tecnic Software productions (TNSP)
@@ -8,20 +8,27 @@
 About
 =====
-Automagic management script for adding and removing Netfilter/iptables
-filtering rules based on continuous logfile parsing for certain break-in
-and exploitation scanning attempts.
-
 Maltfilter daemon script continuously scans various system logfiles
-including auth.log, httpd logs, etc. for signs of malicious connections
+including auth.log, httpd logs, etc. for signs of malicious connections,
 break-in and exploitation attempts. The originating IP addresses of
 these connections are then blocked via Netfilter (iptables).
+Additionally Maltfilter can generate status reports (either continuously
+in daemon mode, or as once-run report), in plaintext and HTML formats.
+
+Since v0.14, there is also option for gathering "evidence" about certain
+PHP XSS exploit attempts into specified directory. These evidence files
+include the attempted exploit code (if found) and hosts which have tried
+to make your server run it.
+
+
 Requirements:
  - Perl 5.8 or later
  - Date::Parse (libtimedate-perl)
  - Net::IP (libnet-ip-perl)
+ - Net::DNS (libnet-dns-perl)
+ - LWP::UserAgent (libwww-perl)
 Installation
@@ -73,3 +80,4 @@
 You can also run "full" report generation via the "-f" option, in this
 special mode, no automatic weeding is performed, resulting in more data
 being shown.
+
diff -r 38885f5f34f6 -r 8b33436dd18b example.conf
--- a/example.conf Mon Aug 17 08:22:24 2009 +0300
+++ b/example.conf Mon Aug 17 08:22:38 2009 +0300
@@ -14,11 +14,11 @@
 # NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE!
 DRY_RUN = 1
+# Full path to iptables binary
+IPTABLES = "/sbin/iptables"
+
 # Maltfilter logfile path and name (set empty "" if you don't want logging)
 LOGFILE = "/var/log/maltfilter"
-
-# Full path to iptables binary
-IPTABLES = "/sbin/iptables"
 # System passwd file location (default is /etc/passwd), this file
 # is checked to figure out system account names. See also SYSACCT_
@@ -161,3 +161,16 @@
 ## If disabled (0), instead of full timestamps, first/last hit times
 ## will be printed as "W weeks, D days, H hours ago." etc.
 #FULL_TIME = 1
+
+
+#############################################################################
+### Evidence gathering
+#############################################################################
+## By enabling EVIDENCE=1 and setting EVIDENCE_DIR to existing directory
+## writable by the effective UID which Maltfilter runs as, it will be
+## populated by *.data and *.hosts files. If succesfully retrieved, .data
+## files will have contents of the attempted XSS URI. *.hosts files
+## list which hosts have attempted to exploit this specific URI.
+
+#EVIDENCE = 0
+#EVIDENCE_DIR = "/var/run/malt-evidence"
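Review bot: The EVIDENCE_DIR comment in the second example.conf hunk says the directory must be writable by Maltfilter's effective UID but says nothing about what is written there: the `.data` files hold content retrieved from attacker-chosen URIs, so the comment should also state that the directory needs restrictive permissions (owner-only, outside any web root) and that its contents are untrusted data to be inspected, never executed or included by anything. If the retrieval is performed by the daemon itself — the README hunk adds LWP::UserAgent as a new requirement, which suggests so — the comment should also say that enabling EVIDENCE makes the daemon open outbound HTTP connections to hosts named in hostile requests, so an operator can decide whether to permit that egress. A smaller point: the default `/var/run/malt-evidence` sits in a directory that many systems empty at boot, so a persistent location such as one under `/var/lib` may be the better example value. Also `succesfully` should read `successfully`.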