Maltfilter is Open Source software distributed under the modified ("3-clause") BSD license.


malt, n.
(1) Grain, usually barley, that has been allowed to sprout, used chiefly in brewing and distilling.
(2) An alcoholic beverage, such as beer or ale, brewed from malt.

Maltfilter is a daemon script written in Perl, which continuously scans various system logfiles, including auth.log, Apache-style common log format and error logs, etc., for signs of malicious connections, break-in attempts (login bruteforcing, etc.) and exploitation attempts. The originating IP addresses of these connections can then be acted upon in several different and optional ways.

Typical uses for Maltfilter include blocking further connection attempts or even transparently redirecting (via a REDIRECT Netfilter target) those connections to somewhere else, such as specially crafted clone honeypots. Reporting features can be used for easy monitoring of current activities. Automatic evidence gathering may be useful when further analysis of attempted XSS exploits is desired.
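The scan-then-act loop described above, as an added illustration in Python; it is not Maltfilter's own code (which is Perl) and does not use its configuration format. The regular expressions, threshold, whitelist, port numbers and sample log lines are assumptions constructed for this example, and the rules are returned as strings rather than executed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (documentation address ranges), not real traffic.
AUTH_LOG = [
    "Mar  3 10:01:02 host sshd[811]: Failed password for root from 203.0.113.5 port 4242 ssh2",
    "Mar  3 10:01:04 host sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2",
    # The client-chosen user name below carries a fake "from <ip>" fragment.
    "Mar  3 10:01:06 host sshd[811]: Failed password for invalid user x from 192.0.2.10 from 203.0.113.5 port 4244 ssh2",
    "Mar  3 10:02:00 host sshd[900]: Accepted password for ccr from 198.51.100.7 port 5000 ssh2",
]
ACCESS_LOG = [
    '198.51.100.9 - - [03/Mar/2010:10:05:00 +0200] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 210',
    '198.51.100.7 - - [03/Mar/2010:10:05:01 +0200] "GET /index.html HTTP/1.1" 200 1043',
]
# Anchored at end of line: the greedy ".*" leaves only the final
# "from <ip> port <n> ssh2", the part written by sshd itself, to be captured.
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")
# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)[^"]*" \d{3} \S+$')
SUSPICIOUS_PATH = re.compile(r"\.\./|<script", re.IGNORECASE)  # traversal, XSS probe
DROP = "iptables -A INPUT -s {ip} -j DROP"
REDIRECT = "iptables -t nat -A PREROUTING -s {ip} -p tcp --dport 80 -j REDIRECT --to-ports {port}"

def scan(auth_lines, access_lines):
    """Count suspicious events per source IP address."""
    hits = Counter()
    for line in auth_lines:
        m = SSH_FAIL.search(line)
        if m:
            hits[m.group(1)] += 1
    for line in access_lines:
        m = CLF.match(line)
        if m and SUSPICIOUS_PATH.search(m.group(2)):
            hits[m.group(1)] += 1
    return hits

def decide(hits, threshold=3, whitelist=("198.51.100.7",), honeypot_port=None):
    """Return iptables commands for offenders at or above the threshold."""
    rules = []
    for ip, count in sorted(hits.items()):
        try:
            addr = str(ipaddress.ip_address(ip))  # drop anything that is not an IP
        except ValueError:
            continue
        if count >= threshold and addr not in whitelist:
            template = REDIRECT if honeypot_port else DROP
            rules.append(template.format(ip=addr, port=honeypot_port))
    return rules
```

The third auth.log line shows why the SSH pattern is anchored: an unanchored match on the first "from" would count the hit against 192.0.2.10, an address the client picked, instead of the real source.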


More information about Maltfilter's possibilities can be found in the example configuration file.

Planned features


The current release is v0.20.5. For the moment, Maltfilter is considered to be BETA quality. While I personally use it in three server environments, I cannot make any real guarantees of its applicability.

File GPG signature
maltfilter-0.20.5.tar.gz [sig]

To verify the GnuPG/PGP signatures:

Maltfilter Mercurial repository

The latest development version can always be found in the public read-only Mercurial (hg) repository.

Links and similar tools

A list of some security-related tools whose functionality is related or similar to that of Maltfilter.


Because Maltfilter is currently at an early stage of maturity and development, the only support is personal contact through e-mail or IRC. At a later point, a mailing list might be set up if the number of users and the amount of feedback reach such a level.

Methods of contacting the author, Matti 'ccr' Hämäläinen:

Have fun. -- ccr/TNSP