In this article you will cover the installation of maltrail malicious traffic detection system on Linux. Maltrail uses the Traffic sensors in between the Servers and clients to detect the malicious URL’s or sources and monitor the traffic. So, let’s move towards the installation of Maltrail on Debian 10 Linux.
Step 1: Update Your System
Run the below command to update and upgrade your system.
sudo apt update && sudo apt upgrade
Step 2: Install Maltrail Sensors & Schedtool
As sensor will operate for tracking the traffic and monitor the malicious trails so install it by
sudo apt-get install schedtool
This tool will help you in improving your CPU scheduling.
And hit the following command in your terminal to get the following packages from Maltrail Github page.
sudo apt-get install git python-pcapy -y
Then clone the maltrail
git clone https://github.com/stamparm/maltrail.git
Now, switch to the maltrail directory
cd maltrail
Then run the below command to download the files.
sudo python sensor.py &
Step 3: Get Started with your Server
Server will provide the event happening informations & the back end support. Here I’m going to set up the Server and the sensor on the same machine. You can do this by typing
[[ -d maltrail ]] || git clone https://github.com/stamparm/maltrail.git
cd maltrail
python server.py &
Step 4: Access Maltrail Dashboard
Open your browser and visit http://ip:8338 to access the web dashboard of Maltrail.
By default the Username is admin
And the password is changeme!
So, provide these to login.
Step 4: Fine-tune Sensor & Server configuration
If you want to fine tune the Maltrail Server and the sensor settings then you can do so by configuring the maltrail.conf file.
This file can be located where you’ve cloned the package. So, simply go to that folder and search for the maltrail.conf file.
sudo nano /home/tech/maltrail/maltrail.conf
Here you can find the [Server] and [Sensor] categories inside the file so that you can edit them easily. In my case, I’m going to change the IP upon which Server is listening from (Default IP).
[Server]
Listen address of (reporting) HTTP server
HTTP_ADDRESS 104.37.24.109
HTTP_ADDRESS ::
HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
Listen port of (reporting) HTTP server
HTTP_PORT 8338
Use SSL/TLS
USE_SSL false
SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
SSL_PEM misc/server.pem
User entries (username:sha256(password):UID:filter_netmask(s))
Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
filter_netmask(s) is/are used to filter results
USERS
admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0: # changeme!
#local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16 # changeme!
Now if you wish to change the Default credentials, simply search for the “USERS” section and you will see the admin details. Here you can change the pass by running the below command.
Note: Add the (:0) parameters at the end of the password.
echo -n 'StrongPassword' | sha256sum | cut -d " " -f 1
05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223
The string produced represents StrongPassword as the password
Now, again open the above file & edit it to set up the new credentials you’ve applied.
[Server]
Listen address of (reporting) HTTP server
HTTP_ADDRESS 104.37.24.109
HTTP_ADDRESS ::
HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
Listen port of (reporting) HTTP server
HTTP_PORT 8338
Use SSL/TLS
USE_SSL false
SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
SSL_PEM misc/server.pem
User entries (username:sha256(password):UID:filter_netmask(s))
Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
filter_netmask(s) is/are used to filter results
filter_netmask(s) is/are used to filter results
USERS
admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0: # changeme!
local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16 # changeme!
Admin:05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223:0: ## New credentials
Then exit and restart the Maltrail.
cd /home/tech/maltrail
pkill -f server.py
python server.py &
Step 5: Testing the Maltrail
Run the below command to verify the testing of Maltrail.
ping -c 1 136.161.101.53
cat /var/log/maltrail/$(date +"%Y-%m-%d").log
For DNS traffic, simply run the below command
nslookup morphed.ru
cat /var/log/maltrail/$(date +"%Y-%m-%d").log
Further, if you want to look up over the requests just refresh the page and you’ll get results like this.
So, this is how you can install Maltrail Traffic Detection System on Linux.
