Setting up Maltrail malicious traffic detection system on Linux

Introduction

Maltrail is a malicious traffic detection system that utilizes publicly available (black) lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists, where a trail can be anything from a domain name (e.g. zvpprsensinaix.com for Banjori malware), a URL (e.g. hXXp://109.162.38.120/harsh02.exe for a known malicious executable), an IP address (e.g. 185.130.5.231 for a known attacker) or an HTTP User-Agent header value (e.g. sqlmap for the automatic SQL injection and database takeover tool). Source: Maltrail GitHub page.

Maltrail also uses (optional) advanced heuristics that can help discover unknown threats.

Maltrail is based on the Traffic -> Sensor <-> Server <-> Client architecture. A sensor is a separate component that runs on a monitoring node or on a separate computer, such as a honeypot, where it “monitors” passing traffic for blacklisted items/trails (i.e. domain names, URLs and/or IPs) (Maltrail GitHub page). For more information about Maltrail, visit the Maltrail GitHub page.

This installation was completed on a Debian 10 (Buster) Linux system. So let’s install the Maltrail malicious traffic detection system on Debian 10 (Buster) Linux.

Step 1: Update and upgrade the server

Updating and upgrading your server ensures that we start with all the latest software on the server. Issue the following command.

sudo apt update && sudo apt upgrade -y

Step 2: Install Maltrail sensors and schedtool

A sensor is a separate component that runs on a monitoring node or on a stand-alone computer, where it “monitors” passing traffic for blacklisted items/trails. Install it as follows.

First install “schedtool”, which Maltrail uses for better CPU scheduling of the sensor process:

sudo apt-get install schedtool

The following will install git and python-pcapy, extract files from the Maltrail GitHub page, and install.

sudo apt-get install git python-pcapy -y
git clone https://github.com/stamparm/maltrail.git
cd maltrail
sudo python sensor.py &

After executing the last command, you will see output like the screenshots below as the sensor downloads and updates the Maltrail trail lists related to malicious traffic.

Screenshot: cloning the Maltrail git repository

Screenshot: downloading and updating the Maltrail trail lists

Step 3: Start the server on the same computer (optional)

The server’s main role is to store event details and provide back-end support for the reporting web application. In the default configuration, the server and sensor run on the same computer. To start the server on the same computer, run the following commands.

[[ -d maltrail ]] || git clone https://github.com/stamparm/maltrail.git
cd maltrail
python server.py &

You can access its web user interface by browsing to http://<server address>:8338 (replace <server address> with the server’s IP or hostname). The default credentials are username: admin, password: changeme!

Step 4: Fine-tune sensor and server configuration

For those who wish to fine-tune their server and sensor configuration, there is a single file to edit. Just go into the directory where maltrail was cloned and look for “maltrail.conf”.

sudo vim /home/tech/maltrail/maltrail.conf

Within the file, you will find various categories in square brackets. For server settings, look for the #[Server] category; for sensor settings, look for the #[Sensor] category. For example, let’s change the default IP address you want the server to listen on.

#[Server]

#Listen address of (reporting) HTTP server
 HTTP_ADDRESS 172.17.196.57
#HTTP_ADDRESS ::
#HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1

#Listen port of (reporting) HTTP server
 HTTP_PORT 8338
#Use SSL/TLS
 USE_SSL false
#SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
#SSL_PEM misc/server.pem

#User entries (username:sha256(password):UID:filter_netmask(s))
#Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
#UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
#filter_netmask(s) is/are used to filter results
 USERS
     admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0:                        # changeme!      
 #local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16       # changeme!

To change the default password, look for “USERS”. Below it you will notice the admin user and the long string representing the hashed password. To create a new password hash, use the following command. It produces a string similar to the one in the file. You can use any username. After the hash, don’t forget to add the remaining fields (:0: for UID 0 and an empty filter netmask, as in the admin entry).

echo -n 'StrongPassword' | sha256sum | cut -d " " -f 1

05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223

The string produced represents StrongPassword as the password

Open the same file and edit it to set new credentials

sudo vim /home/tech/maltrail/maltrail.conf
#[Server]

#Listen address of (reporting) HTTP server
 HTTP_ADDRESS 172.17.196.57
#HTTP_ADDRESS ::
#HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1

#Listen port of (reporting) HTTP server
 HTTP_PORT 8338

#Use SSL/TLS
 USE_SSL false
#SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
#SSL_PEM misc/server.pem

#User entries (username:sha256(password):UID:filter_netmask(s))
#Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
#UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
#filter_netmask(s) is/are used to filter results
 USERS
#admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0:                        # changeme!
#local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16       # changeme!
 Admin:05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223:0:  ## New credentials

After making these changes, restart the Maltrail server (stop the running instance, then start it again):

cd /home/tech/maltrail
pkill -f server.py
python server.py &

Step 5: Test if everything works

To test that everything is up and running:

ping -c 1 136.161.101.53
cat /var/log/maltrail/$(date +"%Y-%m-%d").log

Also, to test capturing DNS traffic, you can try the following:

nslookup morphed.ru
cat /var/log/maltrail/$(date +"%Y-%m-%d").log
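Instead of cat-ing the whole day’s log and scanning it by eye, the following added example (my own, not from the article or Maltrail) polls today’s log file for the trail you just triggered, with a timeout, so the same check can be scripted after the ping or nslookup above. It assumes only the log layout the guide shows, /var/log/maltrail/YYYY-MM-DD.log, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article or Maltrail): poll today's Maltrail
# sensor log for a given trail (domain or IP) instead of cat-ing it blindly.
# Assumes the log layout shown above: <dir>/YYYY-MM-DD.log.

# Path of today's log file in the given directory (default /var/log/maltrail).
maltrail_today_log() {
    printf '%s/%s.log\n' "${1:-/var/log/maltrail}" "$(date +"%Y-%m-%d")"
}

# Wait up to TIMEOUT seconds (default 10) for TRAIL to appear in today's log.
# Returns 0 as soon as a matching line exists (and prints the matching lines
# so the operator sees the recorded event), 1 on timeout.
maltrail_wait_for_trail() {
    trail="$1"; logdir="${2:-/var/log/maltrail}"; timeout="${3:-10}"
    logfile=$(maltrail_today_log "$logdir")
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -f "$logfile" ] && grep -F -- "$trail" "$logfile"; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Usage after the DNS test above:
#   nslookup morphed.ru
#   maltrail_wait_for_trail morphed.ru || echo 'trail not logged within 10s'
```

A non-zero exit is a useful signal in itself: if the sensor is running but the trail never shows up, the sensor is usually listening on the wrong interface or the request never left the host, which is worth knowing before trusting the dashboard.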

To view the event on the web interface, simply refresh the page and you will see something similar to the illustration in the original post.

Conclusion

Maltrail is a great tool that can really enhance your network monitoring and help keep your infrastructure secure. Even if 100% security cannot be guaranteed, mitigation is always wise. Review the tool and test whether it meets your needs. Thank you for visiting and reading to the end.
