How To Install Maltrail Malicious Traffic Detection System on Linux

sabi — Tue, 28 Apr 2020 11:58:23 +0000

In this article you will cover the installation of maltrail malicious traffic detection system on Linux. Maltrail uses the Traffic sensors in between the Servers and clients to detect the malicious URL’s or sources and monitor the traffic. So, let’s move towards the installation of Maltrail on Debian 10 Linux.

Step 1: Update Your System

Run the below command to update and upgrade your system.

sudo apt update && sudo apt upgrade

Step 2: Install Maltrail Sensors & Schedtool

As sensor will operate for tracking the traffic and monitor the malicious trails so install it by

sudo apt-get install schedtool

This tool will help you in improving your CPU scheduling.

And hit the following command in your terminal to get the following packages from Maltrail Github page.

sudo apt-get install git python-pcapy -y

Then clone the maltrail

git clone https://github.com/stamparm/maltrail.git

Now, switch to the maltrail directory

cd maltrail

Then run the below command to download the files.

sudo python sensor.py &

Step 3: Get Started with your Server

Server will provide the event happening informations & the back end support. Here I’m going to set up the Server and the sensor on the same machine. You can do this by typing

[[ -d maltrail ]] || git clone https://github.com/stamparm/maltrail.git
 cd maltrail
 python server.py &

Step 4: Access Maltrail Dashboard

Open your browser and visit http://ip:8338 to access the web dashboard of Maltrail.

By default the Username is admin
And the password is changeme!

So, provide these to login.

Step 4: Fine-tune Sensor & Server configuration

If you want to fine tune the Maltrail Server and the sensor settings then you can do so by configuring the maltrail.conf file.

This file can be located where you’ve cloned the package. So, simply go to that folder and search for the maltrail.conf file.

sudo nano /home/tech/maltrail/maltrail.conf

Here you can find the [Server] and [Sensor] categories inside the file so that you can edit them easily. In my case, I’m going to change the IP upon which Server is listening from (Default IP).

[Server]
 Listen address of (reporting) HTTP server
 HTTP_ADDRESS 104.37.24.109
 HTTP_ADDRESS ::
 HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
 Listen port of (reporting) HTTP server
 HTTP_PORT 8338
 Use SSL/TLS
 USE_SSL false
 SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
 SSL_PEM misc/server.pem
 User entries (username:sha256(password):UID:filter_netmask(s))
 Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
 UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
 filter_netmask(s) is/are used to filter results
 USERS
      admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0:                        # changeme!      
  #local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16       # changeme!

Now if you wish to change the Default credentials, simply search for the “USERS” section and you will see the admin details. Here you can change the pass by running the below command.

Note: Add the (:0) parameters at the end of the password.

echo -n 'StrongPassword' | sha256sum | cut -d " " -f 1
 05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223
 The string produced represents StrongPassword as the password

Now, again open the above file & edit it to set up the new credentials you’ve applied.

[Server]
 Listen address of (reporting) HTTP server
 HTTP_ADDRESS  104.37.24.109 
 HTTP_ADDRESS ::
 HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
 Listen port of (reporting) HTTP server
 HTTP_PORT 8338
 Use SSL/TLS
 USE_SSL false
 SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
 SSL_PEM misc/server.pem
 User entries (username:sha256(password):UID:filter_netmask(s))
 Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
 UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
 filter_netmask(s) is/are used to filter results
 filter_netmask(s) is/are used to filter results
 USERS
 admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0:                        # changeme!
 local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16       # changeme!
 Admin:05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223:0:  ## New credentials

Then exit and restart the Maltrail.

cd /home/tech/maltrail
 pkill -f server.py
 python server.py &

Step 5: Testing the Maltrail

Run the below command to verify the testing of Maltrail.

ping -c 1 136.161.101.53

cat /var/log/maltrail/$(date +"%Y-%m-%d").log

For DNS traffic, simply run the below command

nslookup morphed.ru
cat /var/log/maltrail/$(date +"%Y-%m-%d").log

Further, if you want to look up over the requests just refresh the page and you’ll get results like this.

So, this is how you can install Maltrail Traffic Detection System on Linux.

The post How To Install Maltrail Malicious Traffic Detection System on Linux appeared first on Linux Windows and android Tutorials.