Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists, where the trail can be anything from a domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. hXXp://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for a known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Source (Maltrail GitHub Page)
Nevertheless, Maltrail uses (optional) advanced heuristic mechanisms that can help in the discovery of unknown threats.
Maltrail is based on the Traffic -> Sensor <-> Server <-> Client architecture. Sensor(s) is a standalone component running on the monitoring node or at the standalone machine (e.g. Honeypot) where it “monitors” the passing Traffic for blacklisted items/trails (i.e. domain names, URLs and/or IPs) Source (Maltrail GitHub Page). More about Maltrail can be found at Maltrail GitHub Page.
This installation is done on Debian 10 (Buster) Linux system. So let’s install Maltrail Malicious Traffic Detection System on Debian 10 (Buster) Linux.
Step 1: Update and upgrade your server
Updating and upgrading your server ensures that we start at a point where all the latest software is on our server. Issue the command below.
sudo apt update && sudo apt updateStep 2: Install Maltrail Sensor and schedtool
Sensor(s) is a standalone component running on the monitoring node or at the standalone machine where it “monitors” the passing Traffic for blacklisted items/trails. Install it by running the commands below.
Install ‘schedtool‘ for better CPU scheduling
schedtool assists in better CPU scheduling
sudo apt-get install schedtool
The following will install git and python-pcapy, pull the files from Maltrail GitHub page then install it.
sudo apt-get install git python-pcapy -y
git clone https://github.com/stamparm/maltrail.git
cd maltrail
sudo python sensor.py &After the last command, you should see something like below as it downloads and updates the Maltrail lists related to Malicious traffic.
Cloning git files
Downloading and updating the Maltrail lists related to Malicious traffic
Step 3: Start Server on the same machine (optional)
The Server‘s primary role is to store the event details and provide back-end support for the reporting web application. In the default configuration, the server and sensor will run on the same machine. To start the server on the same machine, run the commands below.
[[ -d maltrail ]] || git clone https://github.com/stamparm/maltrail.git
cd maltrail
python server.py &
You can access its web user interface by typing http://<ip or FQDN>:8338. The default credentials are Username: admin Password: changeme!
Step 4: Fine-tune Sensor and Server configurations
For those who would wish to fine-tune their server and sensor configurations, there is a file for you to do just that. Simply dive into the directory that you cloned maltrail into and look for “maltrail.conf“
sudo vim /home/tech/maltrail/maltrail.confInside the file, you will find various categories inside square brackets. For the server, look for #[Server] and for the sensor settings, look for #[Sensor] category. As an example, let us change the default IP you would wish the Server to listen from.
#[Server]
#Listen address of (reporting) HTTP server
HTTP_ADDRESS 172.17.196.57
#HTTP_ADDRESS ::
#HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
#Listen port of (reporting) HTTP server
HTTP_PORT 8338
#Use SSL/TLS
USE_SSL false
#SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
#SSL_PEM misc/server.pem
#User entries (username:sha256(password):UID:filter_netmask(s))
#Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
#UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
#filter_netmask(s) is/are used to filter results
USERS
admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0: # changeme!
#local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16 # changeme!
To change the default password, look for “USERS”. Under it, you will notice admin and a long string that represents the password. To create a new password, use the command below. It should produce a string similar to the one we saw in the file. Before it, you can place any username. At the end of the password, do not forget to add parameters(:0:).
$ echo -n 'StrongPassword' | sha256sum | cut -d " " -f 1
05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223
The string produced represents StrongPassword as the passwordOpen the same file and edit it to set the new credentials
$ sudo vim /home/tech/maltrail/maltrail.conf
#[Server]
#Listen address of (reporting) HTTP server
HTTP_ADDRESS 172.17.196.57
#HTTP_ADDRESS ::
#HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
#Listen port of (reporting) HTTP server
HTTP_PORT 8338
#Use SSL/TLS
USE_SSL false
#SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
#SSL_PEM misc/server.pem
#User entries (username:sha256(password):UID:filter_netmask(s))
#Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
#UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
#filter_netmask(s) is/are used to filter results
#filter_netmask(s) is/are used to filter results
USERS
#admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0: # changeme!
#local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16 # changeme!
Admin:05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223:0: ## New credentials
After you’ve made those changes, start and stop maltrail.
cd /home/tech/maltrail
pkill -f server.py
python server.py &Step 5: Test that everything is up and running
To test that everything is up and running execute the following:
ping -c 1 136.161.101.53
cat /var/log/maltrail/$(date +"%Y-%m-%d").logAlso, to test the capturing of DNS traffic you can try the following:
nslookup morphed.ru
cat /var/log/maltrail/$(date +"%Y-%m-%d").logTo see the requests made on the web interface, simply refresh that page and you should get something similar to the one illustrated below.
Conclusion
Maltrail is a wonderful tool that can really boost your network monitoring and keep your infrastructure safe at all times. Even though 100 percent security is not guaranteed, mitigation is always wise. Take a look at the tool and test it if it befits your needs. Otherwise, we would wish to thank you for visiting and staying through to the end.
You can take a look at other guides in the blog, some of which are shared below.
- Security Tips To Protect Your Website From Hackers
- Using Free WordPress Security Scanner – WPSeku
- Install Metasploit Framework on Kali Linux
- Install Metasploit Framework on CentOS 8 / CentOS 7
- Install Cacti Monitoring Server on Debian 10 (Buster) with Nginx
