To set up Cheescloth, do the following:


 - Untar into /usr/local/.  It should produce a path that looks like this
   /usr/local/chees   (NOT CHEESE!)  IT MUST RUN FROM THIS PATH!


 - Run ./ccmenu and select option * 11 * to set up Cheescloth.


If you have followed the directions in the setup in ccmenu, cheescloth
should be running now.  Check out option #1 in ccmenu for stats.  It takes a
minute for cron to run cheescloth for the first time, and then your stats
will pop up.


*** All entries are temporary. ***

Cheescloth does not change your firewall scripts or config files.  The
IPs will clear out of your firewall once you manually flush them out with
option #9 - Reset Cheescloth, reboot your server, or let cheescloth rotate
them out of your firewall every 4 hours as set with the current defaults.


--------------------------------------

CCMENU - Stats

Brief description of the stats in cheescloth.  There are three pages of
stats.

PAGE 1 - Current Week Stats

 - This will show you which IPs have been entered into the firewall in just
   the last minute.  The number to the left of each IP address is how many
   times it tried to send ghost email, made an SSH hacking attempt, or
   triggered an RBL reject or a no-domain-name reject.

 - Info on the last few IPs added is the next section of the monitor, which
   will show you lookup information on the last few IPs.  Only IPs that
   resolve will show here, so there are times when the IPs added in the last
   minute will NOT show up under the lookup info.

 - Total IP's in Current Archive - Total IPs that have been blocked.
 - Total SSH Attempts - Total IPs with SSH wrong user name or password attempts.
 - Total RBL  Rejects - Total IPs blocked by RBL.
 - Total QFDN Rejects - Total IPs with no-qualified-domain attempts.
 - Total User Unknown - Total IPs with user unknown attempts.
 - Total Re-Offenders - Total IPs that have reoffended.


 - You will see a countdown line that shows how many minutes remain until
   the next rotation of IP banks occurs.

 - You will also see 5 lines that say Bank 1 thru Bank 4.  Each time a
   rotation occurs, the total IP addresses for that countdown are stored in
   the next bank until they are cycled out.  The 5th line says - TORBK - .
   This shows how many IPs are being blocked from the TOR NETWORK.

 - You will see which email addresses have been spammed since the last
   rotation of IP addresses, as well as the current list and count totals.



PAGE 2 - Grand Total Stats


Page 2 is very much like Page 1, but the stats that it displays are on a
weekly basis as well as a grand total basis.

 - Repeat offender list - will start to fill up after a day or so with
   repeat offender IP addresses as well as the number of attempts.  Use it
   to spot a targeted attack against your mail server.

 - Popular email addresses this week - running total of email addresses that
   are being spammed this week.  If the numbers are high and an address is
   getting a lot of spam, it is probably not an account that you want to
   assign to users, and you may want to move users off of it.

 - Weekly IP totals - These are the IP totals for the last few weeks that
   have been caught by cheescloth and reported.

 - Total IP's in current archive, repeated here.

 - Lifetime total of RBL,NQFDN,USRUKN - Lifetime total of IPs blocked.  The
   stats here, like everywhere, will reset if you do a factory default
   restore of Cheescloth.  The weekly run of the fresh_chees script only
   adds to these totals.  The current totals DO NOT include the total IPs
   currently in the weekly total.



PAGE 3 - Country Total Stats

Page 3 is where you will find which countries are the most active, as well
as the total for each country trying to access your server.

 

** Cheescloth could produce some errors that have not been suppressed yet when the script runs.  These errors are usually just from deleting tmp files that don't exist.  Other errors are simple debug code not removed yet.  Just ignore them, and suppress them in crontab if you choose to. **

Last edited Feb 13, 2014 at 12:38 PM by vafirecracker, version 2