DShield
I know csf allows you to use the DShield block list. Have you considered adding the ability to send firewall logs to DShield? I'm looking into doing this outside of csf, but it would be really nice if it were just a matter of enabling it in the configuration.
- Junior Member
- Posts: 48
- Joined: 29 Oct 2007, 07:01
I second this. It would be really good if there were an easy way, even manual, to send the blocked IP list from CSF to DShield.
I am encountering daily many attacks against php and mysql which are detected by mod_security. There are also many login attempts both pop3 and ftp.
Such a list of malicious IPs is valuable and should be shared among other people.
Jonathan, is it possible to add such a feature to CSF?
I mean something like a button "send to DShield"?
Or maybe you think it would clog the DShield server or would be unwise from another point of view?
best regards,
Piotr
As with anything where you allow people to participate, I am sure the answer is yes: someone could submit spoofed logs.
I'm not sure that would really poison the end results enough to make them useless without a huge coordinated effort.
The DShield block list is only the top 20 attacking networks. I believe this is based more on the number of targets than the number of packets. Currently the lowest number of attacks from an IP on that list is 870.
The other reports that DShield provides, as well as the ability to search the database for information on a specific IP, all include the number of targets that saw attacks from that IP. I don't know how other people use the information, but I tend to not worry about IPs that show only one or two targets.
DShield log submission
In common with the others on this thread, I'm looking for a way to submit firewall logs to DShield. It's one of those areas where you are probably not going to make a huge difference at an individual server level, because the majority of entries in your log are from your spotty Korean schoolboy who can't get a girlfriend, but perhaps if all the CSF installs collectively submit logs there is a "mass effect" where genuine IP-based attacks are detected, and we contribute to DShield's effectiveness.
I had a look at "How to write a DShield client":
https://secure.dshield.org/specs.html
and I thought it may be fun to have a go at this, but there is no point if someone else has already done it?
I accept that there will be a small performance overhead to your CSF set-up, but probably not that much if log submission occurs (say) once per 24h.
Cheers
Grindlay
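To make the "write a DShield client" idea concrete, here is an added example (not CSF's code and not DShield's own client) that turns the iptables block lines CSF writes to the kernel log into the tab-separated DShield submission layout described on the linked spec page: date/time with timezone offset, DShield user id, packet count, source IP, source port, target IP, target port, protocol, TCP flags. The log lines are constructed samples in the CSF "Firewall: *TCP_IN Blocked*" prefix layout; the year and timezone offset are passed in because syslog timestamps carry neither; the user id 12345 is a placeholder. Only TCP and UDP records are converted. The `summarize_sources` helper also reports packets versus distinct targets per source, the distinction the earlier reply made when reading DShield's own reports. Delivery of the finished report (DShield accepts it by e-mail) is not shown.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in the iptables kernel-log layout CSF uses (not real traffic).
SAMPLE_LOG = """\
Jan  5 03:14:07 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  5 03:14:09 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=54322 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  5 03:15:00 web1 kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=3 PROTO=UDP SPT=1025 DPT=1434 LEN=58
Jan  5 03:16:30 web1 kernel: some unrelated message without a firewall prefix
"""

# syslog prefix + the CSF block prefix, then the iptables key=value tail.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"Firewall: \*(?P<chain>[A-Z_]+) Blocked\* (?P<kv>.*)$"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
# iptables flag tokens mapped to the single-letter DShield flags field.
TCP_FLAG_LETTERS = [("SYN", "S"), ("ACK", "A"), ("FIN", "F"), ("RST", "R"), ("PSH", "P"), ("URG", "U")]


@dataclass
class Record:
    ts: str      # "YYYY-MM-DD HH:MM:SS +HH:MM", the DShield date field
    src: str
    sport: str
    dst: str
    dport: str
    proto: str
    flags: str
    count: int = 1


def parse_line(line, year, tz_offset):
    """Return a Record for a CSF block line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = {}
    tokens = m.group("kv").split()
    for tok in tokens:
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # first LEN wins (the IP header one)
    proto = fields.get("PROTO")
    if proto not in ("TCP", "UDP"):
        return None  # ICMP and others are not converted by this example
    flags = "".join(letter for tok, letter in TCP_FLAG_LETTERS if tok in tokens) if proto == "TCP" else ""
    ts = "%04d-%02d-%02d %s %s" % (year, MONTHS[m.group("mon")], int(m.group("day")), m.group("time"), tz_offset)
    return Record(ts, fields["SRC"], fields["SPT"], fields["DST"], fields["DPT"], proto, flags)


def parse_log(text, year, tz_offset):
    """Parse every line, merging identical packets seen in the same second into one count."""
    merged = {}
    for line in text.splitlines():
        rec = parse_line(line, year, tz_offset)
        if rec is None:
            continue
        key = (rec.ts, rec.src, rec.sport, rec.dst, rec.dport, rec.proto, rec.flags)
        if key in merged:
            merged[key].count += 1
        else:
            merged[key] = rec
    return list(merged.values())


def to_dshield_line(rec, user_id):
    """One tab-separated line in the DShield submission layout (assumed from the spec page)."""
    return "\t".join([rec.ts, str(user_id), str(rec.count), rec.src, rec.sport,
                      rec.dst, rec.dport, rec.proto, rec.flags])


def build_report(text, user_id, year, tz_offset):
    return [to_dshield_line(r, user_id) for r in parse_log(text, year, tz_offset)]


def summarize_sources(records):
    """Per source IP: (packets, distinct targets). Few targets usually means local noise."""
    packets, targets = defaultdict(int), defaultdict(set)
    for r in records:
        packets[r.src] += r.count
        targets[r.src].add(r.dst)
    return {src: (packets[src], len(targets[src])) for src in packets}


if __name__ == "__main__":
    for line in build_report(SAMPLE_LOG, user_id=12345, year=2008, tz_offset="+00:00"):
        print(line)
    print(summarize_sources(parse_log(SAMPLE_LOG, 2008, "+00:00")))
```

A real client would read the day's log, keep the hostname out of the report (only the target IP is submitted), and pass the report to the submission channel once per 24h, which is the cadence suggested above; nothing in the conversion step needs root.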