Maltrail on Opnsense

Started by crissi, December 26, 2021, 02:47:26 PM

Hello,

I installed Maltrail Server / Sensor on OPNsense 21.7.7. Under Maltrail - Sensor - Remote Port Help, if I leave the setting empty (as Sensor / Server on the same device), I get the error "Field remoteport is required" when saving.


The auto-generated alias BlocklistMaltrail is there, and I added it to a rule on my side. But the content of the alias is empty; nothing is loaded, even after reapplying the settings.

Also, in the GUI settings, is there not yet the possibility to change the GUI access port protocol to HTTPS?

Any idea how to fix this?

Is Maltrail in general Production ready?

Thx!
Cheers,
Crissi

Maltrail is at 0.41 now (https://github.com/stamparm/maltrail/releases) and OPNsense packages an older version (1.8 correlates to?), apparently - there is a small problem with detection of its own access/location of the blacklist, see https://github.com/stamparm/maltrail/issues/19044 - updating it would likely help.

Maybe you need to remove the trails manually and restart.
You can see the current installed version in System : Firmware : Packages

Will there be an update for the Maltrail plugin on OPNsense soon?

No need to update the plugin for this. The pkg itself is enough.

Will maltrail do anything other than providing statistics, like block access to malware sites?

There is an option to add those hosts to an external alias.

May 22, 2022, 08:47:00 PM #7 Last Edit: May 22, 2022, 08:48:46 PM by defaultuserfoo
Hmmm ...

You mean "Adds firewall alias "BlocklistMaltrail" referencing Maltrail's "/fail2ban" IP list. You can use this alias to block IPs that Maltrail detected as malicious."?

OK, I added a rule to block all IPv4 and IPv6 traffic coming from the alias to the WAN interface which Maltrail is listening on.

Where/how do I see which addresses are on the list and how would I remove addresses if I need to?

Can/should I make a rule that rejects all traffic to the alias from any interface that allows internet access without making such a rule for each interface?

Firewall : Diagnostics : Alias, there you can check the content.


Can someone please explain how to auto block the maltrail detections?
As an absolute beginner it is hard to find some info on this subject.

Few questions:
Is an alias just a name for a group to keep it manageable?
I do see an auto generated alias named "BlocklistMaltrail" but it does not contain any addresses.

It would be nice to only auto block medium and high security threats.
Running OPNsense version 22.1.8_1 and Maltrail version 1.8

Thanks!

Bump - I too have the same questions.

Quote from: sanscorp on June 20, 2022, 09:04:16 AM
Can someone please explain how to auto block the maltrail detections?
As an absolute beginner it is hard to find some info on this subject.

Few questions:
Is an alias just a name for a group to keep it manageable?
I do see an auto generated alias named "BlocklistMaltrail" but it does not contain any addresses.

It would be nice to only auto block medium and high security threats.
Running OPNsense version 22.1.8_1 and Maltrail version 1.8

Thanks!

If you enable the feature you'll have an Alias with type "External" which you can use in your filter rules :)

When enabling "Add Blocklist Alias", I do see an auto generated alias named "BlocklistMaltrail", however its type was instead "URL Table (IPs)", and when I visit "Firewall -> Diagnostics -> Aliases", it did not contain any addresses, despite Maltrail already accumulating well over 20 malware threats of high severity.

What's gone wrong?

Quote from: mimugmail on September 26, 2022, 09:37:03 AM
If you enable the feature you'll have an Alias with type "External" which you can use in your filter rules :)

I always have 0 lines of Maltrail/Fail2ban. Why doesn't it download any lists?
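The recurring question in this thread is an empty BlocklistMaltrail alias. Before touching firewall rules it helps to check what the alias actually fetches: the plugin description quoted above says the alias references Maltrail's "/fail2ban" IP list, and a "URL Table (IPs)" alias can only load lines that are addresses or CIDRs. The script below is an added example, not code from this thread, from OPNsense or from the Maltrail project. It assumes the Maltrail server answers on 127.0.0.1:8338 (Maltrail's upstream default, override it with the --check argument or MALTRAIL_URL) and that curl is available; the sample list at the top is constructed.

```shell
#!/bin/sh
# Added check for the "BlocklistMaltrail alias is empty" problem from the thread.
# Assumption (not from the thread): the Maltrail server answers on 127.0.0.1:8338,
# Maltrail's upstream default; override with MALTRAIL_URL or the --check argument.
MALTRAIL_URL="${MALTRAIL_URL:-http://127.0.0.1:8338/fail2ban}"

# Constructed sample of a healthy /fail2ban response: one address per line.
SAMPLE='198.51.100.23
203.0.113.7
2001:db8::1
'

# True if a line is something a "URL Table (IPs)" alias can load: an IPv4 address
# or IPv4 CIDR, or an IPv6 address (syntactic check only, octet ranges not verified).
is_ip_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?$'
}

# Read a list on stdin and print how many lines the alias could actually use;
# blank lines, comments and anything else (e.g. an HTML error page) are skipped.
count_ips() {
    n=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if is_ip_line "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Fetch the list the alias points at and report how many usable entries it holds.
# Returns 0 with at least one entry, 1 when the list is empty, 2 on a fetch error.
check_alias_source() {
    url="$1"
    if ! body=$(curl -fsS --max-time 10 "$url"); then
        echo "fetch failed: $url" >&2
        return 2
    fi
    n=$(printf '%s\n' "$body" | count_ips)
    echo "$n usable address lines at $url"
    [ "$n" -gt 0 ]
}

case "${1:-}" in
    --check)    check_alias_source "${2:-$MALTRAIL_URL}" ;;
    --selftest) printf '%s' "$SAMPLE" | count_ips ;;
esac
```

Run it on the firewall as `sh maltrail_alias_check.sh --check http://<maltrail-host>:8338/fail2ban`. If it reports a fetch error or 0 usable lines, the alias will stay empty whatever the firewall settings are, and the problem is on the Maltrail side (the server is not reachable on that address, or the list is not being produced from the sensor's detections). If it reports entries but Firewall : Diagnostics : Alias still shows nothing, the alias itself is fetching from a different URL or port than the one you tested, which is the next thing to compare.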