If you're serious about the security of your servers (and desktops, for that matter), you know how important it is to be on the constant watch for malicious behavior. This can be a 24/7/365 task, and if you have a lot of machines, your job becomes next to impossible. Fortunately, there are a number of handy tools available, which go a long way to easing that burden. One such tool is Maltrail.
Maltrail is a malicious traffic detection system that utilizes publicly available blacklists (and other trails from various AV reports and user-defined lists) to help discover unknown threats by monitoring traffic against those lists. Maltrail is run from the command line, but does include a handy (and optional) web interface.
I want to show you how to install Maltrail on Ubuntu Server 18.04 and then add the web interface for easy malicious traffic detection.
SEE: Securing Linux policy (Tech Pro Research)
The first thing to do is update the server. Remember, should the kernel be upgraded, it will require a reboot (so the changes can take effect). Because of this, run the update/upgrade at a time when a reboot is feasible.
To update/upgrade your Ubuntu server, open a terminal window and issue the commands:
sudo apt-get update sudo apt-get upgrade
Once that completes, reboot the server (if needed). You are now ready to install.
First, we must take care of a couple of dependencies. From the terminal window, issue the command:
sudo apt-get install git python-pcapy python-setuptools
Once that command completes, it's time to clone Maltrail. This is done with the command:
git clone https://github.com/stamparm/maltrail.git
Change into the newly created maltrail directory and start the sensor with the command:
This will download all of the necessary lists for Maltrail and run the service. However, you won't be able to reach the web-based interface. Why? Although the service is running, the server is not. Log into the hosting server a second time (probably using SSH), change into the cloned maltrail directory, and issue the command:
At this point, both the service and server are running.
The web interface
Open a web browser and point it to http://SERVER_IP:8338 (where SERVER_IP is the IP address of the server hosting Maltrail). You should be prompted to login to the Maltrail web interface (Figure A).
The default credentials are admin/changeme! You will clearly want to change this. To do so, issue the command:
sudo nano mailtrail/maltrai.conf
In that file, you'll see the lines:
USERS admin:RANDOM_STRING_OF_CHARACTERS changeme!
You cannot simply change the password for the admin user. You have to add a new user and create a sha256 password with the command (run as the user you want to add):
echo -n 'PASSWORD' | sha256sum | cut -d " " -f 1
where PASSWORD is a strong password for the user.
That command will output a long string of characters. Copy that string, and then paste it in the USERS section of the configuration file like so:
where USERNAME is the username to be added and RANDOM_STRING_OF_CHARACTERS is the string you copied from output of the echo command. Save and close that file. Restart the Maltrails service/server, and you can log in with the new user. Once you've successfully logged in with that user, you can delete the admin user from the configuration file (for security purposes).
It will take some time for Maltrail to register events. Once it does, it will show up on the web interface (Figure B), and you can act accordingly.
A (somewhat) easy malicious event detection system
Although Maltrail isn't the simplest tool to run and use, it does make for a handy means of detecting malicious events on your Linux servers. Give it a try and see if you can make it work well for your needs.
- How to disable IPv6 through GRUB in Linux (TechRepublic)
- How to install Zentyal Server on Ubuntu Server 16.10 (TechRepublic)
- How to install the Netdata Monitor on Ubuntu 18.04 (TechRepublic)
- Why TENS is the secure bootable Linux you need (TechRepublic)
- Security warning: Attackers are using these five hacking tools to target you (ZDNet)
- Nextcloud 14 rolls out with two major security features (ZDNet)
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.