monitor network traffic with the tool Maltrail

The security of your network — and the traffic flowing back and forth — is crucial to keeping your data and the data of your customers and clients out of the hands of bad actors. To that end, there are several tools you can use. One such tool is the open-source Maltrail traffic detection system.

Maltrail offers a web-based interface and works with publicly-available blacklists, reports, and user-defined lists to help security admins discover unknown threats on your network. Maltrail is run from the command line but offers a user-friendly web-based interface.

I want to walk you through the installation of Maltrail on Ubuntu Server 22.04, so you can start monitoring for malicious traffic right away.


What you’ll need

To successfully install Maltrail, you’ll need an instance of Ubuntu Server 22.04 and a user with sudo privileges. That’s it. Let’s get to work.

How to install Maltrail

1. Install dependencies

The first thing you must do is install the necessary dependencies. Log in to your Ubuntu Server instance and install the dependencies with the command:

sudo apt-get install python3 python3-setuptools python3-pcapy git -y

2. Clone the Maltrail repository and change into it

Once the installation completes, you’ll then need to clone the required Maltrail repository with:

git clone https://github.com/stamparm/maltrail.git

After the repository has been cloned, change into the newly-created directory with:

cd maltrail

3. Start Maltrail

Start the Maltrail service with:

sudo python3 sensor.py

The above command downloads all of the necessary trail data for Maltrail and starts the sensor, but it doesn’t actually start the server for the web-based interface. For that, SSH into the hosting server again (leaving the above command still running), change into the maltrail directory, and start the server with:

sudo python3 server.py

How to access the Maltrail web-based interface

1. Sign in to Maltrail

Open a web browser and point it to http://SERVER:8338 (where SERVER is the IP address of the server hosting Maltrail). You will be greeted by the Maltrail sign-in page, where the default credentials are admin/changeme!.

2. Change the admin password

You’ll want to change the admin password. To do that, log into the hosting server yet again and issue the command:

echo -n 'PASSWORD' | sha256sum | cut -d " " -f 1

Where PASSWORD is a strong/unique password. Copy the output of that command and then open the configuration file with:

nano ~/maltrail/maltrail.conf

3. Make a new user

In that configuration file, you’ll see the lines:

USERS
admin:RANDOM_STRING_OF_CHARACTERS #changeme!

Add a new entry under the USERS section that looks like this:

USERNAME:RANDOM:1000:0:0.0.0.0/0

Where USERNAME is the name of the new user account and RANDOM is the SHA-256 hash you generated from that user’s password with the command above.

4. Save, close, restart Maltrail

Save and close the file, then restart the Maltrail sensor and server: stop each of them with the [Ctrl]+[c] keyboard combination and start both again (as root, just as before) with the commands:

sudo python3 sensor.py
sudo python3 server.py
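As an added example (not from the article or the Maltrail project), the shell helpers below wrap the hashing step above: they compute the same SHA-256 the article’s pipeline produces, build a USERS line in the shape shown above, and check an existing line against a password before you restart, so a mis-pasted hash does not lock you out of the web interface. The function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the Maltrail project): helpers
# around the password-hash step for maltrail.conf USERS entries.

# SHA-256 of a password, exactly as the article's
# `echo -n 'PASSWORD' | sha256sum | cut -d " " -f 1` pipeline computes it.
# printf '%s' is used instead of echo -n so no shell's echo can add a
# trailing newline, which would silently produce a different hash.
maltrail_password_hash() {
    printf '%s' "$1" | sha256sum | cut -d ' ' -f 1
}

# Build a USERS line in the shape the article shows
# (USERNAME:HASH:1000:0:0.0.0.0/0). Hypothetical helper: the fields
# after the hash are passed through verbatim from the caller.
maltrail_user_entry() {
    # $1 username, $2 password, $3 remaining fields, e.g. "1000:0:0.0.0.0/0"
    printf '%s:%s:%s\n' "$1" "$(maltrail_password_hash "$2")" "$3"
}

# Check a USERS line (as pasted into maltrail.conf) against a candidate
# password: succeeds when the second colon-separated field equals
# sha256(password). Run this before restarting the server.
maltrail_verify_entry() {
    _stored=$(printf '%s' "$1" | cut -d ':' -f 2)
    [ "$_stored" = "$(maltrail_password_hash "$2")" ]
}
```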

5. Log into Maltrail

You can now log into Maltrail with the new credentials you created. Once you’re on the Maltrail interface (Figure A), the service will take some time to locate and register any events.
Figure A: Maltrail set up and logged in. The Maltrail web-based interface is waiting to capture its first instance of malicious traffic.

Congratulations, you now have a malicious traffic detection system running on your network. Once you start seeing malicious traffic appear, you can act on it before anything bad happens.

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.
