FreeBSDShield is a DShield.org reporting client for FreeBSD and the ipfw firewall. It allows you to report attempted security breaches to the DShield cooperative firewall logging effort, which in turn helps the Internet Storm Center (and netizens at large) track trends in network security and catch emerging vulnerabilities.
The current revision of FreeBSDShield is 0.1, released on February 17th, 2007. This is the initial release and testers are wanted. You can view the changelog for detailed release information.
Download
FreeBSDShield is free software! It is available for download in a variety of formats:
- ZIP - freebsdshield-0.1.zip
- TGZ - freebsdshield-0.1.tar.gz
- 7z - freebsdshield-0.1.7z
- Browse Source with syntax highlighting
Features
- Written in PHP5 for fast execution
- Parses ipfw-style /var/log/security logs
- Formats incident reports and submits them to DShield.org
Please note: FreeBSDShield is not a firewall and does not interact with ipfw. This script parses your existing firewall logs and reports security incidents to a worldwide collaborative intrusion logging effort.
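To show what the two parsing and formatting steps above involve, here is an added example in PHP that is not FreeBSDShield's own code: it parses ipfw lines in the form they appear in /var/log/security, keeps only denied packets, and collapses identical events into DShield-style rows. The DShield field order and the "???" placeholder for missing ports are assumed from the DShield submission format and should be checked against dshield.org; the hostnames, addresses, year and timezone offset are constructed sample values.

```php
<?php
// Added example, not FreeBSDShield's own code: parse ipfw log lines as found
// in /var/log/security and collapse identical denied packets into DShield-style
// rows (tab-separated: date, user ID, count, source, source port, target,
// target port, protocol, flags). Field order is assumed; verify at dshield.org.

// Parse one ipfw syslog line; returns null for lines ipfw did not write.
function parse_ipfw_line($line) {
    $re = '/^(\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ kernel: ipfw: \d+ '
        . '(\w+) (\w+)(?::\S+)? (\d+\.\d+\.\d+\.\d+)(?::(\d+))? '
        . '(\d+\.\d+\.\d+\.\d+)(?::(\d+))? (?:in|out) via \S+/';
    if (!preg_match($re, $line, $m)) return null;
    $m = array_pad($m, 10, '');  // ICMP lines have no ports: groups 7 and 9 are empty
    return array('mon' => $m[1], 'day' => (int)$m[2], 'time' => $m[3],
        'action' => $m[4], 'proto' => strtoupper($m[5]),  // "ICMP:8.0" -> "ICMP"
        'src' => $m[6], 'sport' => $m[7] === '' ? '???' : $m[7],
        'dst' => $m[8], 'dport' => $m[9] === '' ? '???' : $m[9]);
}
// Only "Deny" entries are incidents. Identical tuples in the same second are
// merged into one row with a count, which bounds memory per log file (cf. the
// memory_limit issue under Known Issues). Syslog omits the year, so pass it in.
function build_dshield_rows(array $lines, $year, $tz, $userid) {
    $mon = array('Jan'=>1,'Feb'=>2,'Mar'=>3,'Apr'=>4,'May'=>5,'Jun'=>6,
                 'Jul'=>7,'Aug'=>8,'Sep'=>9,'Oct'=>10,'Nov'=>11,'Dec'=>12);
    $agg = array();
    foreach ($lines as $line) {
        $e = parse_ipfw_line($line);
        if ($e === null || $e['action'] !== 'Deny') continue;
        $date = sprintf('%04d-%02d-%02d %s %s', $year, $mon[$e['mon']],
                        $e['day'], $e['time'], $tz);
        $key = "$date\t{$e['src']}\t{$e['sport']}\t{$e['dst']}\t{$e['dport']}\t{$e['proto']}";
        $agg[$key] = isset($agg[$key]) ? $agg[$key] + 1 : 1;
    }
    $rows = array();
    foreach ($agg as $key => $count) {
        list($date, $src, $sport, $dst, $dport, $proto) = explode("\t", $key);
        $rows[] = implode("\t", array($date, $userid, $count, $src, $sport,
                                      $dst, $dport, $proto, ''));
    }
    return $rows;
}
// Constructed sample in ipfw's log format: two identical SMB probes, one
// ICMP echo request, and an accepted outbound DNS query (not reported).
$sample = array(
    'Feb 17 15:02:41 host kernel: ipfw: 65000 Deny TCP 203.0.113.5:4412 198.51.100.7:445 in via em0',
    'Feb 17 15:02:41 host kernel: ipfw: 65000 Deny TCP 203.0.113.5:4412 198.51.100.7:445 in via em0',
    'Feb 17 15:02:42 host kernel: ipfw: 65000 Deny ICMP:8.0 203.0.113.9 198.51.100.7 in via em0',
    'Feb 17 15:02:43 host kernel: ipfw: 100 Accept UDP 198.51.100.7:53 192.0.2.1:53 out via em0',
);
echo implode("\n", build_dshield_rows($sample, 2007, '-05:00', 12345)), "\n";
```

Running it prints two rows: the SMB probe with a count of 2, and the ICMP probe with "???" in both port fields; the accepted DNS packet is dropped before it reaches the report.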
Requirements
- FreeBSD and the ipfw firewall, or some other environment that generates identical logs
- PHP 5.x (the latest stable release of PHP is always suggested)
- DShield.org user ID number - if you don't have one, just register at DShield
Usage
To use FreeBSDShield, first extract the archive and then edit the freebsdshield.php file. Set the configuration options at the top of the script as desired. To execute the script, run php freebsdshield.php in the working directory. You should see output similar to this:
[root@agaliarept freebsdshield]# php freebsdshield.php
Last run: 1171746161 (Feb 17 15:02:41)
Processing /var/log/security.2.gz...
Processing /var/log/security.1.gz...
Processing /var/log/security.0.gz...
Processing /var/log/security...
12051 incidents noted.
Report sent to reports@dshield.org.
It is suggested that you create a cron job to run FreeBSDShield automatically. The periodicity of your cron job depends upon the volume of intrusion attempts made against the machine(s) under your control. For most home users, a once-daily execution should be fine; enterprise or high-profile users may wish to run FreeBSDShield more frequently to reduce processing time and report size. DShield.org asks that you do not submit a report more than once per hour; please don't inundate them with reports.
Known Issues
- 2007-02-20: A large number of incidents can cause the script to exceed the default memory_limit setting in PHP (8M). This is most likely to occur the first time you run FreeBSDShield, when there are many log files to scan. Workaround: temporarily or permanently raise the memory ceiling for PHP in /etc/php.ini. Planned fix: serialize incidents to a temporary file and purge memory after parsing each log file. Thanks Martijn for the report!
Changelog
For a complete revision history, please see the FreeBSDShieldChangelog document.
License
FreeBSDShield is distributed under the BSD License. In other words, do whatever the heck you want with it. If you have fun, or if llamas are involved, send us pictures. If you redistribute it, include our original copyright notice. That's pretty much it. Ain't simplicity grand?
Contact
To report bugs, request features, or say thank-you, please send email to freebsdshield {at} drunkwerks {dot} com. A response is not guaranteed but (nearly) all messages will be read.
Background
Prior to writing FreeBSDShield, I'd been using Frank W. Josellis' utility called ipfw2dshield. The huge upside to Frank's client is that it's done entirely in shell script and builtins, so it will run on a bare bones FreeBSD install with no third party requirements. The disadvantage is that it's very slow to run. After nearly a year of submitting to DShield with this client, I decided that there's no good reason to spend 15 or 20 minutes to parse a few log files and send an email; thus was born FreeBSDShield, which tends to do the same amount of work in 15 or 20 seconds. Many thanks to Frank for the inspiration.
FreeBSDShield's author is crazy and just plain stupid. He is frequently drunk as well. Donations in lieu of flowers may be sent to his bank account, and are not tax deductible.