How To Install Maltrail Malicious Traffic Detection System on Linux

In this article you will install Maltrail, a malicious traffic detection system, on Linux. Maltrail places traffic sensors between servers and clients to monitor the traffic and detect connections to malicious URLs or sources. So, let's move on to installing Maltrail on Debian 10 Linux.

Step 1: Update Your System

Run the command below to update and upgrade your system.

sudo apt update && sudo apt upgrade

Step 2: Install Maltrail Sensors & Schedtool

The sensor is the component that watches the traffic and matches it against known malicious trails. Before setting it up, install schedtool:

sudo apt-get install schedtool

This tool will help you in improving your CPU scheduling.

Then run the following command in your terminal to install the packages the sensor depends on (git to fetch Maltrail from its GitHub page, and python-pcapy for packet capture).

sudo apt-get install git python-pcapy -y

Then clone the Maltrail repository:

git clone https://github.com/stamparm/maltrail.git

Now switch into the maltrail directory:

cd maltrail

Then run the command below to start the sensor in the background (it runs with sudo because capturing packets requires root privileges).

sudo python sensor.py &

Step 3: Get Started with your Server

The server provides the back end and reports the events as they happen. Here I'm going to set up the server and the sensor on the same machine. You can do this by typing the following from the directory you cloned into (the first line only clones the repository if the maltrail directory is not already there):

[[ -d maltrail ]] || git clone https://github.com/stamparm/maltrail.git
cd maltrail
python server.py &

Step 4: Access Maltrail Dashboard

Open your browser and visit http://ip:8338 (replace ip with the address of your server) to access the Maltrail web dashboard.

By default the username is admin and the password is changeme!

Provide these to log in.


Step 5: Fine-tune Sensor & Server Configuration

If you want to fine-tune the Maltrail server and sensor settings, you can do so by editing the maltrail.conf file.

This file lives in the directory where you cloned the package. So, simply go to that folder and open the maltrail.conf file.

sudo nano /home/tech/maltrail/maltrail.conf

The file has [Server] and [Sensor] sections, so the settings for each component are easy to find and edit. In my case, I'm going to change the IP address on which the server listens (away from the default).

[Server]

# Listen address of (reporting) HTTP server
HTTP_ADDRESS 104.37.24.109
#HTTP_ADDRESS ::
#HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1

# Listen port of (reporting) HTTP server
HTTP_PORT 8338

# Use SSL/TLS
USE_SSL false

# SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
SSL_PEM misc/server.pem

# User entries (username:sha256(password):UID:filter_netmask(s))
# Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
#          UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
#          filter_netmask(s) is/are used to filter results
USERS
    admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0:                     # changeme!
#    local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16   # changeme!

To change the default credentials, look at the USERS section, which holds the admin entry. Each entry has the form username:sha256(password):UID:filter_netmask, so the password itself is never stored; you add the SHA-256 hash of the new password and append :0: to it (UID 0 is the administrator). Generate the hash with the command below.

echo -n 'StrongPassword' | sha256sum | cut -d " " -f 1
05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223

The string produced is the SHA-256 hash of StrongPassword, the new password.

Now open the file again and add an entry with the new credentials.

[Server]

# Listen address of (reporting) HTTP server
HTTP_ADDRESS 104.37.24.109
#HTTP_ADDRESS ::
#HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1

# Listen port of (reporting) HTTP server
HTTP_PORT 8338

# Use SSL/TLS
USE_SSL false

# SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
SSL_PEM misc/server.pem

# User entries (username:sha256(password):UID:filter_netmask(s))
# Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
#          UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
#          filter_netmask(s) is/are used to filter results
USERS
    admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0:                     # changeme!
#    local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16   # changeme!
    Admin:05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223:0:                     ## New credentials

Then save the file, exit the editor, and restart the Maltrail server.

cd /home/tech/maltrail
pkill -f server.py
python server.py &
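The two manual steps above (hashing the new password and editing the USERS block) are easy to get subtly wrong: a bare echo hashes a trailing newline, and the old admin entry with the changeme! hash is easily left active next to the new one. The script below is an added example written for this article, not code from the Maltrail project. It builds a USERS entry from a plaintext password and audits a maltrail.conf for accounts that still carry the default hash and for a dashboard served over plain HTTP on a non-loopback address. It assumes the file layout shown above: KEY value lines, # comments, and a USERS keyword followed by indented user:sha256:uid:netmask entries.

```shell
#!/bin/sh
# Added example for this article (not code from the Maltrail project):
#  (1) maltrail_user_entry  - build a USERS entry from a plaintext password
#  (2) audit_maltrail_conf  - flag entries still using the default "changeme!"
#      hash and a dashboard exposed without TLS beyond loopback.
# Assumes the maltrail.conf layout shown in the article ("KEY value" lines,
# "#" comments, USERS followed by indented user:sha256:uid:netmask entries).

# SHA-256 of the default password "changeme!" as shipped in maltrail.conf
DEFAULT_HASH=9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc

# Hex SHA-256 of stdin; falls back to shasum where coreutils is absent.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d ' ' -f 1
    else
        shasum -a 256 | cut -d ' ' -f 1
    fi
}

# maltrail_user_entry USER PASSWORD UID [NETMASK]
# printf '%s' hashes exactly the password; a bare echo would also hash the
# trailing newline and produce a hash the dashboard login never matches.
maltrail_user_entry() {
    _user=$1 _pass=$2 _uid=$3 _mask=${4:-}
    case "$_uid" in
        '' | *[!0-9]*) echo "UID must be a non-negative integer" >&2; return 2 ;;
    esac
    _hash=$(printf '%s' "$_pass" | sha256_hex)
    printf '%s:%s:%s:%s\n' "$_user" "$_hash" "$_uid" "$_mask"
}

# audit_maltrail_conf FILE
# Prints one "FINDING: ..." line per problem; returns 0 when clean, 1 otherwise.
audit_maltrail_conf() {
    _conf=$1 _findings=0 _in_users=0 _addr= _ssl=
    while IFS= read -r _raw || [ -n "$_raw" ]; do
        _line=$(printf '%s\n' "$_raw" | sed 's/^[[:space:]]*//')   # strip indentation
        case "$_line" in
            '' | \#*) continue ;;                                  # blank or comment
            "["*) _in_users=0; continue ;;                         # section header, e.g. [Sensor]
            USERS*) _in_users=1; continue ;;
            HTTP_ADDRESS*) _in_users=0
                _addr=$(printf '%s' "${_line#HTTP_ADDRESS}" | tr -d ' \t'); continue ;;
            USE_SSL*) _in_users=0
                _ssl=$(printf '%s' "${_line#USE_SSL}" | tr -d ' \t'); continue ;;
        esac
        [ "$_in_users" -eq 1 ] || continue                         # other KEY value lines are not audited
        _entry=$(printf '%s' "${_line%%#*}" | tr -d ' \t')         # drop trailing "# comment" and spaces
        case "$_entry" in
            *:*:*:*) ;;                                            # user:hash:uid:netmask
            *) _in_users=0; continue ;;                            # not an entry: the USERS block ended
        esac
        _u=${_entry%%:*}
        _rest=${_entry#*:}
        _h=${_rest%%:*}
        if [ "$_h" = "$DEFAULT_HASH" ]; then
            echo "FINDING: user '$_u' still uses the default 'changeme!' password hash"
            _findings=$((_findings + 1))
        fi
    done < "$_conf"
    case "$_ssl" in
        [Ff]alse | FALSE)
            case "$_addr" in
                '' | 127.* | ::1 | localhost) ;;                   # loopback only: nothing leaves the host
                *) echo "FINDING: dashboard on $_addr is served over plain HTTP (USE_SSL false); logins cross the network unencrypted"
                   _findings=$((_findings + 1)) ;;
            esac ;;
    esac
    [ "$_findings" -eq 0 ]
}

# Usage: sh audit-maltrail.sh /home/tech/maltrail/maltrail.conf
if [ $# -gt 0 ] && [ -f "$1" ]; then
    audit_maltrail_conf "$1"
fi
```

Run the audit after every edit of maltrail.conf and again after the restart; a non-zero exit means the default admin account is still live or the login page is reachable in clear text, both of which the edits above are meant to remove.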

Step 6: Testing Maltrail

Run the commands below to verify that Maltrail is working: the first sends a single ping to an address that Maltrail flags, the second prints today's sensor log, which should now contain the event.

ping -c 1 136.161.101.53
cat /var/log/maltrail/$(date +"%Y-%m-%d").log

For DNS traffic, run the following instead:

nslookup morphed.ru
cat /var/log/maltrail/$(date +"%Y-%m-%d").log
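The sensor writes events asynchronously, so a cat issued straight after the ping or lookup can show an empty log even though detection worked. The helpers below are an added example written for this article, not part of Maltrail: they locate today's date-named log, count the event lines for a given trail with a fixed-string grep (the dot in morphed.ru would otherwise be a regex wildcard), and poll until the trail appears or a timeout expires. They are exercised against a few constructed sample lines whose field layout is only approximated; only the presence of the trail string matters to the checks.

```shell
#!/bin/sh
# Added example for this article (not code from the Maltrail project): verify
# that a test event actually landed in today's sensor log, polling instead of
# reading the file once.

# maltrail_log_today [LOG_DIR] -> path of today's log (directory from the article by default)
maltrail_log_today() {
    printf '%s/%s.log\n' "${1:-/var/log/maltrail}" "$(date +%Y-%m-%d)"
}

# count_trail_events LOGFILE TRAIL -> number of event lines containing TRAIL
# grep -F treats TRAIL literally, so "morphed.ru" does not match "morphedXru".
# A missing or unreadable log counts as zero events rather than an error.
count_trail_events() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -F -- "$2" "$1" || true
}

# wait_for_trail LOGFILE TRAIL [TIMEOUT_SECONDS]
# Returns 0 as soon as TRAIL is logged, 1 if TIMEOUT elapses first.
# The log is checked at least once even with TIMEOUT 0.
wait_for_trail() {
    _log=$1 _trail=$2 _deadline=${3:-15} _elapsed=0
    while :; do
        [ "$(count_trail_events "$_log" "$_trail")" -gt 0 ] && return 0
        [ "$_elapsed" -ge "$_deadline" ] && return 1
        sleep 1
        _elapsed=$((_elapsed + 1))
    done
}

# run_detection_test TRAIL COMMAND...
# e.g. run_detection_test 136.161.101.53 ping -c 1 136.161.101.53
#      run_detection_test morphed.ru nslookup morphed.ru
# The probe itself may fail (no ICMP reply, NXDOMAIN); only the sensor's verdict matters.
run_detection_test() {
    _t=$1; shift
    "$@" >/dev/null 2>&1 || true
    if wait_for_trail "$(maltrail_log_today)" "$_t"; then
        echo "detected: $_t"
    else
        echo "NOT detected within timeout: $_t" >&2
        return 1
    fi
}

# Writes constructed event lines (field layout approximated, not a real
# Maltrail capture) to PATH so the helpers can be exercised offline.
write_constructed_sample_log() {
    cat > "$1" <<'EOF'
"2020-01-01 10:00:00.000000" sensor1 192.168.1.10 0 136.161.101.53 0 ICMP IP 136.161.101.53 malware (constructed)
"2020-01-01 10:00:01.000000" sensor1 192.168.1.10 41000 192.168.1.1 53 UDP DNS morphedXru lookalike (constructed)
"2020-01-01 10:00:02.000000" sensor1 192.168.1.11 52000 10.0.0.5 80 TCP IP 10.0.0.5 benign (constructed)
EOF
}

# Stand-alone demo against the constructed log (no running sensor needed)
_demo=$(mktemp)
write_constructed_sample_log "$_demo"
echo "events for 136.161.101.53: $(count_trail_events "$_demo" 136.161.101.53)"
echo "events for morphed.ru:     $(count_trail_events "$_demo" morphed.ru)"
rm -f "$_demo"
```

On a live install, replace the demo with run_detection_test calls for the two probes from this step; a non-zero exit tells you the sensor did not log the trail within the timeout, which points at the sensor process or its interface rather than at the server.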

Further, to look over the detected requests in the dashboard, just refresh the page and the results appear there.

So, this is how you install the Maltrail malicious traffic detection system on Linux.
