OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: Ricardo on April 03, 2020, 11:55:06 am

Title: Maltrail questions regarding disk usage
Post by: Ricardo on April 03, 2020, 11:55:06 am
Hello all,

I tried to find answers to my questions on the maltrail site (https://github.com/stamparm/maltrail), but without success.

0) This is rather an improvement request: please make the password change for the maltrail admin account less painful than it currently is via the main OPNsense admin GUI.

1) Maltrail creates its files under /.maltrail and also writes to /root/var/log instead of /var. My /var and /tmp are on TMPFS to reduce the wear on the small SSD from constant log-related writes. Is there a plan to put the maltrail package files in a proper location and use the standard /var and /tmp for frequently written log files? I cannot really measure how much disk write traffic maltrail generates on the rootfs by writing its files there; MONIT most probably sums both true rootfs write traffic and tmpfs write traffic, so that can be misleading for me.

2) It seems memory usage has skyrocketed in the past days (uptime is currently around 1 month), even after I restarted the maltrail server service. Is there any way to see whether the memory usage is "normal" or something is leaking memory? Should I schedule a maintenance reboot of the whole router someday?

3) Can some maltrail threats be marked manually to bypass, as those are false positives and harmless? Due to their number they are reported frequently and cause a lot of noise.

In general, I am looking for some more in-depth tutorials on how to fine-tune maltrail. The official GitHub page talks about things from a different perspective and doesn't help solve the real-world questions one will ask about this software.
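Point 1) above is a question of where the log writes really land. The script below is an added example (not part of this thread, not OPNsense or maltrail code): it follows every symlink in a log path, walks up to the mount point that actually receives the writes, and sums the sizes of the dated daily logs, so a TMPFS user can see at a glance whether a directory such as /var/log/maltrail ends up on the root filesystem. The path in the main block and the YYYY-MM-DD.log naming are taken from the thread; everything else is assumed.

```python
import os


def resolve_log_target(path):
    """Follow every symlink component and return the real path the writes end up in."""
    return os.path.realpath(path)


def mount_point_of(path):
    """Walk upward from the real path until a mount point is found ('/' at worst)."""
    p = os.path.realpath(path)
    while not os.path.ismount(p):
        parent = os.path.dirname(p)
        if parent == p:  # reached the filesystem root without finding another mount
            break
        p = parent
    return p


def dated_log_bytes(real_dir):
    """Sum the sizes of the YYYY-MM-DD.log daily logs in a directory (0 if it is missing)."""
    total = 0
    if not os.path.isdir(real_dir):
        return total
    for name in os.listdir(real_dir):
        if name.endswith(".log") and name[:4].isdigit():
            total += os.path.getsize(os.path.join(real_dir, name))
    return total


def audit_log_dir(path):
    """Report where a log directory really lives and whether that is the root filesystem."""
    real = resolve_log_target(path)
    mnt = mount_point_of(real)
    return {
        "configured": path,
        "real": real,
        "mount": mnt,
        "on_rootfs": mnt == "/",
        "log_bytes": dated_log_bytes(real),
    }


if __name__ == "__main__":
    import json
    # Path discussed in the thread: /var/log/maltrail pointing at /root/var/log/maltrail.
    print(json.dumps(audit_log_dir("/var/log/maltrail"), indent=2))
```

If "on_rootfs" comes back true while /var is a TMPFS, the symlink (not MONIT's per-filesystem counters) explains the write traffic; running the audit once a day and diffing "log_bytes" gives a rough per-day write volume without any extra tooling.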
Title: Re: Maltrail questions regarding disk usage
Post by: mimugmail on April 03, 2020, 03:16:00 pm
0) No, too much effort for such a quick process. If someone wants to do it, I'm OK with it
1) The problem is that maltrail is started by configd, which has no home directory, so trails are in /.
But logs should be in /var/log/maltrail .. are you sure you are watching the correct folder?
2) Can you check via "top -SPa" what's happening?
3) I planned this months ago but forgot about it. Maybe when I find time. Miroslav sent me an email today that alienvault should be added to the bypass list; I will add this soon.
Title: Re: Maltrail questions regarding disk usage
Post by: Ricardo on April 03, 2020, 03:41:05 pm
0) To be honest, I didn't manage to perform that simple-looking password change so far. If I copy-paste a calculated SHA256 hash of a simple string (without spaces or ENTER etc.), I am not allowed to log in to the maltrail GUI on ROUTERIP:8338 with that new password. The default password lets me in, though.

1)
root@FW01:/var/log # pwd
/var/log
root@FW01:/var/log # ls -l maltrail
lrwxr-xr-x  1 root  wheel  22 Mar  6 20:00 maltrail -> /root/var/log/maltrail
root@FW01:/var/log #

root@FW01:/var/log # cd maltrail/
root@FW01:/var/log/maltrail # ls -l
total 1428
-rw-r--r--  1 root  wheel    2562 Feb  2 23:23 2020-02-02.log
-rw-r--r--  1 root  wheel   24497 Feb  3 20:50 2020-02-03.log
........
-rw-r--r--  1 root  wheel   27512 Apr  1 22:31 2020-04-01.log
-rw-r--r--  1 root  wheel   10968 Apr  2 22:17 2020-04-02.log
-rw-r--r--  1 root  wheel    3911 Apr  3 11:50 2020-04-03.log
-rw-rw-rw-  1 root  wheel     728 Apr  3 15:33 error.log
lrwxr-xr-x  1 root  wheel      22 Feb  2 06:26 maltrail -> /root/var/log/maltrail


2)
last pid: 24340;  load averages:  0.96,  0.87,  0.83                                                                                                                           up 27+18:31:48  15:32:24
68 processes:  2 running, 65 sleeping, 1 waiting
CPU 0:  4.7% user,  0.0% nice,  1.3% system,  2.4% interrupt, 91.7% idle
CPU 1:  9.9% user,  0.0% nice,  2.4% system,  0.0% interrupt, 87.7% idle
CPU 2: 10.2% user,  0.0% nice,  1.7% system,  0.3% interrupt, 87.7% idle
CPU 3:  8.5% user,  0.0% nice,  1.6% system,  0.2% interrupt, 89.8% idle
Mem: 205M Active, 1979M Inact, 995M Laundry, 547M Wired, 279M Buf, 192M Free
Swap:

  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root          4 155 ki31     0K    64K CPU0    0 2318.7 355.99% [idle]
68642 root          3  26    0   799M   746M select  3  84.1H  13.17% python3 /usr/local/share/maltrail/sensor.py (python3.7)
34290 root          3  26    0   799M   751M select  1  84.1H  13.15% python3 /usr/local/share/maltrail/sensor.py (python3.7)
65996 root          3  26    0   799M   748M select  0  84.1H  13.15% python3 /usr/local/share/maltrail/sensor.py (python3.7)
   12 root         34 -56    -     0K   544K WAIT   -1 829:41   2.02% [intr]
 8285 root          3  20    0  1128M  1104M select  3  23.1H   1.99% python3 /usr/local/share/maltrail/sensor.py (python3.7)
   15 root          1 -16    -     0K    16K pftm    3  27:25   0.08% [pf purge]
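The password problem in 0) above is usually a mismatch between the bytes that were hashed and the bytes the login form sends; the most common cause is a trailing newline added by `echo` before `sha256sum`. The following is an added example (not from this thread, OPNsense or maltrail): it computes the hex SHA-256 digest of the password exactly as typed, and given a stored hash tells you whether it matches, whether it was computed with a trailing newline, or whether it is not a valid digest at all. That maltrail compares against a hex SHA-256 digest is taken from the thread; the function names and the diagnosis strings are this example's own.

```python
import hashlib
import hmac


def maltrail_password_hash(password):
    """Hex SHA-256 of the password bytes exactly as typed: no trailing newline."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_with_trailing_newline(password):
    """What `echo password | sha256sum` produces: echo appends '\\n' before hashing."""
    return hashlib.sha256((password + "\n").encode("utf-8")).hexdigest()


def normalize_hash(text):
    """Strip whitespace and the '  -' filename marker sha256sum prints; lower-case the hex."""
    stripped = text.strip()
    return stripped.split()[0].lower() if stripped else ""


def diagnose_stored_hash(password, stored_hash):
    """Explain why a stored hash does or does not match the password the user types."""
    stored = normalize_hash(stored_hash)
    if len(stored) != 64 or any(c not in "0123456789abcdef" for c in stored):
        return "not a 64-character hex SHA-256 digest"
    # Constant-time comparison: the hash is a credential, treat it like one.
    if hmac.compare_digest(maltrail_password_hash(password), stored):
        return "match"
    if hmac.compare_digest(hash_with_trailing_newline(password), stored):
        return "hash includes a trailing newline (echo without -n)"
    return "no match: hash was computed from different input"


if __name__ == "__main__":
    # Constructed sample: the hash a shell pipeline with a trailing newline would store.
    pasted = hash_with_trailing_newline("example-password")
    print(maltrail_password_hash("example-password"))
    print(diagnose_stored_hash("example-password", pasted))
```

Using `printf '%s' "$password" | sha256sum` instead of `echo` avoids the newline; the diagnosis function is handy when a hash was copied from a generator whose input handling you cannot see.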
Title: Re: Maltrail questions regarding disk usage
Post by: mimugmail on April 03, 2020, 05:09:22 pm
0) I have to check at the weekend; it was a long time ago that I implemented it
1) This must be something with ramdisk mode; maybe there is something wrong since it's copied to /root when shutting down
2) 13% is "normal" in maltrail ..
Title: Re: Maltrail questions regarding disk usage
Post by: Ricardo on April 03, 2020, 05:32:25 pm
1) Maybe, I cannot say for sure. I use TMPFS on my main router to minimize SSD write wear.
2) I meant memory usage, not CPU usage.
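The 13% figure quoted above is the WCPU column; the memory question is answered by the RES column of the same `top -SPa` output. The parser below is an added example (not part of this thread, OPNsense or maltrail) that reads that output, aggregates resident memory and CPU per command string, and flags commands whose combined RES exceeds a budget, so "is this normal" becomes a number that can be compared day to day. The sample text is copied from the output posted earlier in this thread (trimmed); the K/M/G suffixes are assumed to be binary units as FreeBSD's top prints them.

```python
import re

# Process lines taken from the `top -SPa` output posted in this thread (trimmed).
SAMPLE_TOP = """\
last pid: 24340;  load averages:  0.96,  0.87,  0.83    up 27+18:31:48  15:32:24
68 processes:  2 running, 65 sleeping, 1 waiting
Mem: 205M Active, 1979M Inact, 995M Laundry, 547M Wired, 279M Buf, 192M Free
Swap:

  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root          4 155 ki31     0K    64K CPU0    0 2318.7 355.99% [idle]
68642 root          3  26    0   799M   746M select  3  84.1H  13.17% python3 /usr/local/share/maltrail/sensor.py (python3.7)
34290 root          3  26    0   799M   751M select  1  84.1H  13.15% python3 /usr/local/share/maltrail/sensor.py (python3.7)
65996 root          3  26    0   799M   748M select  0  84.1H  13.15% python3 /usr/local/share/maltrail/sensor.py (python3.7)
   12 root         34 -56    -     0K   544K WAIT   -1 829:41   2.02% [intr]
 8285 root          3  20    0  1128M  1104M select  3  23.1H   1.99% python3 /usr/local/share/maltrail/sensor.py (python3.7)
   15 root          1 -16    -     0K    16K pftm    3  27:25   0.08% [pf purge]
"""

_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def parse_size(token):
    """Convert top's size column ('746M', '64K') to bytes; assumes binary units."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if not m:
        raise ValueError("unexpected size token: %r" % token)
    return int(m.group(1)) * _UNITS.get(m.group(2), 1)


def parse_processes(text):
    """Yield one dict per process line; the summary header and column header are skipped."""
    for line in text.splitlines():
        # Eleven fixed columns precede COMMAND, which may itself contain spaces.
        fields = line.split(None, 11)
        if len(fields) < 12 or not fields[0].isdigit():
            continue
        yield {
            "pid": int(fields[0]),
            "user": fields[1],
            "size": parse_size(fields[5]),
            "res": parse_size(fields[6]),
            "wcpu": float(fields[10].rstrip("%")),
            "command": fields[11],
        }


def summarize_by_command(text):
    """Aggregate resident memory (bytes), CPU share and process count per command string."""
    summary = {}
    for proc in parse_processes(text):
        entry = summary.setdefault(proc["command"], {"count": 0, "res_bytes": 0, "wcpu": 0.0})
        entry["count"] += 1
        entry["res_bytes"] += proc["res"]
        entry["wcpu"] += proc["wcpu"]
    return summary


def over_memory_budget(text, command_substring, budget_mib):
    """Return the matching commands whose combined RES exceeds budget_mib (sorted)."""
    budget = budget_mib * 1024 ** 2
    return sorted(
        cmd for cmd, e in summarize_by_command(text).items()
        if command_substring in cmd and e["res_bytes"] > budget
    )


if __name__ == "__main__":
    for cmd, e in summarize_by_command(SAMPLE_TOP).items():
        print("%4d proc  %7.0f MiB  %6.2f%%  %s" % (e["count"], e["res_bytes"] / 1024 ** 2, e["wcpu"], cmd))
    print("over 2 GiB:", over_memory_budget(SAMPLE_TOP, "sensor.py", 2048))
```

Feeding the script a `top -SPa -b` snapshot from cron once a day and keeping the per-command RES total gives the trend that answers the leak question; a total that climbs monotonically across restarts of the service points at the sensor, one that resets on restart points at normal growth of an in-memory trail set.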
Title: Re: Maltrail questions regarding disk usage
Post by: Ricardo on April 06, 2020, 04:29:02 pm
Is there anybody else who sees similar symptoms under a similar router config (TMPFS, e.g.)?
Title: Re: Maltrail questions regarding disk usage
Post by: Ricardo on April 08, 2020, 12:50:42 pm
Hello @mimugmail

did you manage to check the password change process?
Title: Re: Maltrail questions regarding disk usage
Post by: mimugmail on April 08, 2020, 02:24:32 pm
Hm, I can reproduce .. have to talk to Miro from Maltrail
Title: Re: Maltrail questions regarding disk usage
Post by: Ricardo on April 15, 2020, 01:49:37 pm
Strange thing: since 20.1.4 was installed last week, it now accepts the newly set password. The Maltrail plugin is 1.5 and the maltrail package is 0.17
Title: Re: Maltrail questions regarding disk usage
Post by: mimugmail on April 15, 2020, 02:37:35 pm
There was an update to the plugin, but it was not related to this .. strange