Hi folks, happy new year!
I saw a couple of month ago, a new awesome tool on GitHub: Maltrail.
This tool will help us to create a autoban script for known attackers or suspicous client.
Maltrail will listen all the incoming traffic to analyse it and detect malicious traffic.
Requirements
We will need Fail2ban installed of course. The blog post will not explain how to install it.
To properly run the Maltrail, Python 2.6.x or 2.7.x is required, together with pcapy.
Maltrail installation
sudo apt-get install python-pcapy
git clone https://github.com/stamparm/maltrail.git
cd maltrail
sudo python sensor.py
Setup WEB server (optionnal)
python server.py
Setup Fail2Ban
# /etc/fail2ban/filter.d/maltrail.conf
[Definition]
failregex = ^.*hostname\.com <HOST> \d+ x\.x\.x\.x .*(attacker|scanner|reputation).*
ignoreregex =
You have to replace "hostname.com" with your server hostname and x.x.x.x with your server IP.
This filter will search for known attacker, scanner, and bad reputation client in the Maltrail log.
If you only want to watch a specific port, you can edit the filter and replace \d+ expression with your port number.
# /etc/fail2ban/jail.conf
[maltrail]
enabled = true
filter = maltrail
logpath = /var/log/maltrail/*-*-*.log
port = all
banaction= iptables-allports
port = anyport
maxretry = 1
bantime = 864000
Here I setup an high ban time but you can change it.
As a bonus, here is my custom jail for the shrunk window attack.
# /etc/fail2ban/filter.d/shrunk-window.conf
[Definition]
failregex = Peer <HOST>\:.* unexpectedly shrunk window.*repaired+
ignoreregex =
# /etc/fail2ban/jail.conf
[shrunk-window]
enabled = true
filter = shrunk-window
logpath = /var/log/kern.log
port = all
banaction= iptables-allports
port = anyport
maxretry = 1
bantime = 864000
