Contribute firewall logs to DShield to build a better picture of dangers on the Internet.
The Internet can be a scary place, and given its sheer size it’s a probability that at any moment numerous attacks are being carried out against networks and hosts across the globe. But what does this mean for you and your network? Wouldn’t it be nice to know what the most commonly attacked services are? One project that seeks to gather this information is DShield (http://www.dshield.org), a project sponsored by the SANS Institute (http://www.sans.org) that seeks to be a distributed IDS for the Internet.
DShield accomplishes its mission by allowing users across the globe to submit their firewall logs to be processed and correlated. This enables the project to determine what ports are attacked the most and where those attacks originate, and to inform the Internet community at large of these facts. In addition, it can let you know if your systems have been used to attack other systems that are participating in the project (though, hopefully, you already know if your system is being misused).
DShield includes a web interface (http://www.dshield.org/report.php) that you can use to manually upload log files, though it supports only a few formats: Linux ipchains and iptables, ZoneAlarm, SonicWall, and Raptor. If you want to submit your logs automatically, there are many more options to choose from (see http://www.dshield.org/howto.php). There are too many different types of logs that can be submitted to DShield to do justice to them all here, so we’ll focus on how to submit logs from a Linux iptables firewall.
First, you’ll need to decide if you want to register with DShield. Although registration isn’t required to submit logs, it is encouraged. One extra thing that registration allows is participation in DShield’s FightBack initiative, through which DShield submits reports to ISPs where attacks originate. By registering and electing to participate in FightBack, you allow DShield to use your logs for this purpose.
To submit logs for an iptables firewall, download the appropriate client (http://www.dshield.org/clients/framework/iptables.tar.gz
). Then, create a user to run the client under (e.g., _dshield). When doing that, make sure to create a valid home directory for the user; this is a good place to put the log submission script and its accompanying configuration files.
After you’ve created the account, unpack the tarball and copy the submission script into the user’s bin directory (e.g., ~_dshield/bin):
# cd /tmp
# tar xvfz iptables.tar.gz && cd iptables
# cp iptables.pl ~_dshield/bin
Then, copy the dshield.cnf and .lst files into /etc:
# cp dshield.cnf *.lst /etc
Edit the configuration file, dshield.cnf, changing the from and userid lines to the email address you registered with and the ID that you received afterwards. If you didn’t register, you can leave these alone. You can also change the cc and bcc lines to send yourself copies of the submissions. If your firewall logs are stored in a file other than /var/log/messages, you’ll need to change the log line as well.
If you are using /var/log/messages, you’ll have log entries for things other than your firewall. These other entries are ignored via the line_filter variable in the configuration file, which lets you specify a regular expression to match the lines pertaining to the firewall. For most situations, the default should be fine. If you want to filter out some of the matching lines, set a regular expression for line_exclude.
To protect the information that’s leaving your network, you can also exclude entries by their source or destination IP address and port number. To exclude source and destination IP addresses, add individual IP addresses or CIDR ranges on separate lines to dshield-source-exclude.lst and dshield-target-exclude.lst, respectively. The dshield-source-exclude.lst file already excludes RFC 1918 private IP addresses. To exclude source and destination ports, add single ports or ranges (e.g., 21-25) to dshield-source-port-exclude.lst and dshield-target-port-exclude.lst, respectively.
Additionally, to prevent your network’s vulnerabilities from being revealed to a third party, you’ll probably want to set the obfus variable to Y. This will cause the submission script to substitute 10 for the first octet of the target IP addresses in your logs in order to obfuscate them. However, this will prevent the logs from being used in FightBack.
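To make the effect of these settings concrete, here is an added example (not the DShield iptables.pl client itself) that applies the same kinds of rules, a line_filter regex, source/target IP and port exclusion lists, and first-octet obfuscation, to a few constructed /var/log/messages lines. The sample log lines, list contents, and function names are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample /var/log/messages content (not real traffic): three
# simplified iptables entries plus one unrelated sshd line.
SAMPLE_LOG = """\
Jan 12 23:41:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=40211 DPT=445
Jan 12 23:41:05 fw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=22
Jan 12 23:41:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.9 PROTO=UDP SPT=53 DPT=53
Jan 12 23:41:09 fw sshd[812]: Accepted publickey for admin from 198.51.100.2
"""

# Assumed settings standing in for dshield.cnf and the .lst files.
LINE_FILTER = re.compile(r"kernel: .*SRC=")          # line_filter
SOURCE_EXCLUDE = [ipaddress.ip_network(n) for n in   # dshield-source-exclude.lst (RFC 1918)
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TARGET_EXCLUDE = [ipaddress.ip_network("198.51.100.9/32")]  # dshield-target-exclude.lst
SOURCE_PORT_EXCLUDE = [(53, 53)]                     # dshield-source-port-exclude.lst
TARGET_PORT_EXCLUDE = [(21, 25)]                     # dshield-target-port-exclude.lst
OBFUS = True                                         # obfus=Y

FIELD = re.compile(r"SRC=(\S+) DST=(\S+).*PROTO=(\S+).*SPT=(\d+) DPT=(\d+)")

def in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)

def excluded(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def obfuscate(ip):
    # Replace the first octet with 10, as obfus=Y does for target addresses.
    return "10." + ip.split(".", 1)[1]

def prepare_submission(log_text):
    """Return (src, dst, proto, spt, dpt) tuples that would be submitted."""
    out = []
    for line in log_text.splitlines():
        m = FIELD.search(line) if LINE_FILTER.search(line) else None
        if not m:
            continue  # not a firewall line, or not parseable
        src, dst, proto = m.group(1), m.group(2), m.group(3)
        spt, dpt = int(m.group(4)), int(m.group(5))
        if excluded(src, SOURCE_EXCLUDE) or excluded(dst, TARGET_EXCLUDE):
            continue
        if in_ranges(spt, SOURCE_PORT_EXCLUDE) or in_ranges(dpt, TARGET_PORT_EXCLUDE):
            continue
        out.append((src, obfuscate(dst) if OBFUS else dst, proto, spt, dpt))
    return out
```

Only the first line survives: the second has a private source, the third hits both the target address and source port exclusions, and the fourth never matches line_filter.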
After you’ve finished editing the configuration file, add an entry to the DShield user’s crontab to run it periodically (once a day works well). For instance, this entry will cause it to run each day at 11:59 P.M.:
59 23 * * * cd /home/dshield/bin; ./iptables.pl > /home/dshield/bin/iptables_debug.txt
There are a few other options that can be configured, but this hack has covered the major ones. The dshield.cnf file is fully commented, so it’s pretty easy to figure out what to do. If you want to check up on the statistics that have been generated, go to http://www.dshield.org/reports.php.