The Maltrail malicious behavior detection system eases the burden of constant vigilance on your Linux server.

Image: Jack Wallen

If you're serious about the security of your servers (and desktops, for that matter), you know how important it is to be on the constant watch for malicious behavior. This can be a 24/7/365 task, and if you have a lot of machines, your job becomes next to impossible. Fortunately, there are a number of handy tools available, which go a long way to easing that burden. One such tool is Maltrail.

Maltrail is a malicious traffic detection system that utilizes publicly available blacklists (and other trails from various AV reports and user-defined lists) to help discover unknown threats by monitoring traffic against those lists. Maltrail is run from the command line, but does include a handy (and optional) web interface.

I want to show you how to install Maltrail on Ubuntu Server 18.04 and then add the web interface for easy malicious traffic detection.

SEE: Securing Linux policy (Tech Pro Research)

Update/upgrade

The first thing to do is update the server. Remember, should the kernel be upgraded, it will require a reboot (so the changes can take effect). Because of this, run the update/upgrade at a time when a reboot is feasible.

To update/upgrade your Ubuntu server, open a terminal window and issue the commands:

sudo apt-get update sudo apt-get upgrade

Once that completes, reboot the server (if needed). You are now ready to install.

Installation

First, we must take care of a couple of dependencies. From the terminal window, issue the command:

sudo apt-get install git python-pcapy python-setuptools

Once that command completes, it's time to clone Maltrail. This is done with the command:

git clone https://github.com/stamparm/maltrail.git

Change into the newly created maltrail directory and start the sensor with the command:

python sensor.py

This will download all of the necessary lists for Maltrail and run the service. However, you won't be able to reach the web-based interface. Why? Although the service is running, the server is not. Log into the hosting server a second time (probably using SSH), change into the cloned maltrail directory, and issue the command:

python server.py

At this point, both the service and server are running.

The web interface

Open a web browser and point it to http://SERVER_IP:8338 (where SERVER_IP is the IP address of the server hosting Maltrail). You should be prompted to login to the Maltrail web interface (Figure A).

Figure A

The default credentials are admin/changeme! You will clearly want to change this. To do so, issue the command:

sudo nano mailtrail/maltrai.conf

In that file, you'll see the lines:

USERS admin:RANDOM_STRING_OF_CHARACTERS changeme!

You cannot simply change the password for the admin user. You have to add a new user and create a sha256 password with the command (run as the user you want to add):

echo -n 'PASSWORD' | sha256sum | cut -d " " -f 1

where PASSWORD is a strong password for the user.

That command will output a long string of characters. Copy that string, and then paste it in the USERS section of the configuration file like so:

USERNAME:RANDOM_STRING_OF_CHARACTERS:0:0.0.0.0/0

where USERNAME is the username to be added and RANDOM_STRING_OF_CHARACTERS is the string you copied from output of the echo command. Save and close that file. Restart the Maltrails service/server, and you can log in with the new user. Once you've successfully logged in with that user, you can delete the admin user from the configuration file (for security purposes).

It will take some time for Maltrail to register events. Once it does, it will show up on the web interface (Figure B), and you can act accordingly.

Figure B

A (somewhat) easy malicious event detection system

Although Maltrail isn't the simplest tool to run and use, it does make for a handy means of detecting malicious events on your Linux servers. Give it a try and see if you can make it work well for your needs.

Cybersecurity Insider Newsletter Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays Sign up today

Also see