Detect attacks on your network with Maltrail
Watch and Guess
If the investigated data stream does not match any blocking list, Maltrail has to dig deeper into its bag of tricks and use heuristics. Maltrail looks for hints of malicious behavior, such as unusual user agents in the web requests, port scans, long domain names, and web access with code injection.
The results of these checks are not always precise and can lead to false positives. Whether an entry on the web page originated from the heuristics is shown in the reference column. If heuristic labels accumulate, you can disable this method with the USE_HEURISTICS configuration statement.
Initiating Countermeasures
Maltrail can report, but it can't fight back. Blocking IP packets is the job of the firewall: iptables/nftables on Linux, Pf on FreeBSD, and the Microsoft Defender firewall on Windows. The Maltrail server does, however, provide its findings as a list of suspicious IP addresses via HTTP. The project page describes a script that feeds this information into the local iptables policy. In principle, the IP list can be used to extend any firewall that is accessible via API or scripting, for example OPNsense or even the Windows firewall.
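One way to build such a bridge, as an added example that is not the project's own script: the list is pulled from the server, filtered so a heuristic false positive cannot block your own address space, and loaded atomically into an ipset that a single iptables DROP rule references. The URL path, the one-address-per-line format, and the set name are assumptions; take the real path from the project page.

```shell
#!/bin/sh
# Hypothetical Maltrail-to-ipset bridge (added example, not the project's script).
# Assumes the Maltrail server returns one IPv4 address per line at MALTRAIL_URL;
# the URL path below is a placeholder, not the real endpoint.
MALTRAIL_URL="${MALTRAIL_URL:-http://127.0.0.1:8338/PLACEHOLDER_IP_LIST_PATH}"
SET_NAME="maltrail_block"

# Keep only well-formed public IPv4 addresses, deduplicated. Loopback, RFC 1918,
# link-local and 0.x.x.x are dropped so a false positive cannot lock you out.
filter_ips() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
    awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' |
    grep -Ev '^(127\.|10\.|192\.168\.|169\.254\.|0\.)' |
    grep -Ev '^172\.(1[6-9]|2[0-9]|3[01])\.' |
    sort -u
}

# Emit an "ipset restore" script that fills a temporary set and swaps it into
# place, so the firewall never matches against a half-loaded list.
build_ipset_restore() {
    printf 'create %s hash:ip\n' "$SET_NAME"
    printf 'create %s_tmp hash:ip\n' "$SET_NAME"
    printf 'flush %s_tmp\n' "$SET_NAME"
    while read -r ip; do
        printf 'add %s_tmp %s\n' "$SET_NAME" "$ip"
    done
    printf 'swap %s_tmp %s\n' "$SET_NAME" "$SET_NAME"
    printf 'destroy %s_tmp\n' "$SET_NAME"
}

# Constructed sample of a server response: two public hits, one duplicate,
# one private address, one out-of-range octet and one malformed line.
SAMPLE_LIST='203.0.113.45
198.51.100.7
203.0.113.45
192.168.1.20
300.1.1.1
not-an-ip'

count_filtered() { printf '%s\n' "$SAMPLE_LIST" | filter_ips | wc -l | tr -d ' '; }

if [ "${1:-}" = "--apply" ]; then
    # Live run (root): fetch, filter, load; "-exist" tolerates an already-created set.
    curl -fsS "$MALTRAIL_URL" | filter_ips | build_ipset_restore | ipset -exist restore
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
else
    # Dry run: print the restore script for the constructed sample.
    printf '%s\n' "$SAMPLE_LIST" | filter_ips | build_ipset_restore
fi
```

Run it from cron with `--apply` to refresh the set periodically; without the flag it only prints what would be loaded.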
Limitations
Maltrail is not a full-fledged IDS but merely a packet scanner that makes use of public blacklists. Maltrail cannot detect complex, application-level attacks, which means it won't come close to the detection rate of a real IDS.
Another shortcoming is the communication between the sensor and the server, which relies on unencrypted UDP. An attacker in a man-in-the-middle position could sniff, manipulate, or delete alerts to hide malicious activity. For undisturbed transport over the Internet, the admin needs to protect the alert traffic with IPsec or an SSH tunnel. Access to the Maltrail server's web interface uses TLS and a server certificate, which provides sufficient security.