Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Cyrus Bharda on May 26, 2003, 02:58:55 AM

Title: DShield Client?
Post by: Cyrus Bharda on May 26, 2003, 02:58:55 AM
Just wondering if anyone has worked on a client for dshield on the SME:

http://www.dshield.org/

DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service.

Thanks,

Cyrus Bharda
Title: Re: DShield Client?
Post by: Cyrus Bharda on May 26, 2003, 04:15:50 AM
Forgot to mention why having a client for this is a good thing. I was at a friend's place and he uses IPCOP, and I was explaining how SME was better when he asked if he could use this feature from dshield that he currently uses with his IPCOP box:

FightBack
   
DShield.org is now helping users to fight back against attackers. We will analyse submitted log reports and pick a number of strong cases to forward them to the ISP from which the attack originated. A copy of the abuse report will be forwarded to the user.

You have to sign up for 'Fightback'. We will not forward any of your log submissions unless you agree to by using the fightback option.

The user that submitted the log report will be copied on all correspondence. The ISP will receive all relevant log excerpts and we will include the e-mail address registered with DShield.org, in order to allow the ISP to contact the victim directly.

We steadily increased the number of e-mail we sent to ISPs. Almost all of them respond with a quick 'auto reply' indicating that they received the message and 'are working on it'. In a few cases, we get a little more details, sometimes within a day. Most ISPs will not confirm an action against a user.

It is pretty cool, just thought it would be great to not even have to lift a finger to be able to pursue would-be attackers back to their ISP. See http://www.dshield.org/fightback_results.php for some ISP responses.

I am looking at creating a client, but only for SME 5.5 as I do not use 5.6 yet, but am finding it hard as I am not the best coder :-) They are all written in Perl, from http://www.dshield.org/framework.php: "All clients here are built using a common framework. The only difference is the actual log parser subroutine. The clients are written in Perl. A minimum Perl installation should work for each of them. No extra modules are required."

They do provide a framework development kit, but it's all Chinese to me. Just wondering if there are any budding developers out there who would be interested in changing these scripts to work for SME 5.5 and 5.6; if so please contact me and we can work on it together :-)

Cyrus Bharda
Title: Re: DShield Client?
Post by: Cyrus Bharda on May 26, 2003, 11:22:40 AM
OK, I got the ipchains client working. The only problem is that it looks for lines starting with "input DENY" in the messages log; well, I looked through mine, but there are none. Is there another log that shows these?

Thanks,

Cyrus Bharda
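The DShield clients differ only in their log parser subroutine, so the part of the ipchains client that matters here is the parser that picks "input DENY" lines out of /var/log/messages. The following is an added example, not code from the original post or from the DShield framework, written in Python rather than the framework's Perl so it runs stand-alone. The sample log lines are constructed from memory of the ipchains kernel log format ("kernel: Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ..."), the year is an assumption because syslog timestamps carry none, and the tab-separated DShield submission layout (date/time, user ID, count, source, source port, target, target port, protocol, flags) is assumed rather than taken from the page. The `has_packet_log` check addresses the symptom in the post above: ipchains only writes "Packet log:" lines for rules carrying the `-l` flag, so a messages file with no such lines at all points at logging being off rather than at the wrong log file.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of /var/log/messages lines (not from the original post).
SAMPLE_MESSAGES = """\
May 26 03:10:11 sme kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.5:4321 198.51.100.2:80 L=48 S=0x00 I=51231 F=0x4000 T=113 SYN (#2)
May 26 03:10:14 sme kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.5:4322 198.51.100.2:23 L=48 S=0x00 I=51240 F=0x4000 T=113 SYN (#2)
May 26 03:11:02 sme kernel: Packet log: input DENY eth1 PROTO=17 192.0.2.77:1900 198.51.100.2:137 L=78 S=0x00 I=4 F=0x0000 T=64 (#5)
May 26 03:11:30 sme kernel: Packet log: input ACCEPT eth1 PROTO=6 198.51.100.9:33000 198.51.100.2:22 L=60 S=0x10 I=0 F=0x4000 T=64 SYN (#1)
May 26 03:12:00 sme sshd[812]: Accepted password for admin from 192.168.1.10 port 4000
"""

# Syslog prefix followed by the ipchains "Packet log:" record.
IPCHAINS_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"Packet log: (?P<chain>\S+) (?P<target>DENY|REJECT|ACCEPT) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)


def has_packet_log(text):
    """True if the kernel wrote any ipchains log line at all (needs -l on the rule)."""
    return any("kernel: Packet log:" in line for line in text.splitlines())


def parse_ipchains(text, year=2003):
    """Return one record per 'input DENY'/'input REJECT' line; year is assumed."""
    records = []
    for line in text.splitlines():
        m = IPCHAINS_RE.match(line)
        if not m or m.group("chain") != "input" or m.group("target") == "ACCEPT":
            continue
        when = datetime.strptime(
            f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}",
            "%Y %b %d %H:%M:%S",
        )
        records.append({
            "time": when,
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": int(m.group("proto")),
            "flags": "SYN" if "SYN" in m.group("rest") else "",
        })
    return records


def top_sources(records):
    """Sources ranked by number of dropped packets, e.g. to pick FightBack cases."""
    return Counter(r["src"] for r in records).most_common()


def to_dshield_lines(records, user_id, tz="+00:00"):
    """Assumed DShield submission layout: tab-separated fields, one line per record."""
    out = []
    for r in records:
        out.append("\t".join([
            r["time"].strftime("%Y-%m-%d %H:%M:%S") + " " + tz,
            str(user_id), "1",
            r["src"], str(r["sport"]), r["dst"], str(r["dport"]),
            str(r["proto"]), r["flags"],
        ]))
    return out


if __name__ == "__main__":
    if not has_packet_log(SAMPLE_MESSAGES):
        print("no 'Packet log:' lines: add -l to the DENY rules so ipchains logs them")
    recs = parse_ipchains(SAMPLE_MESSAGES)
    print(f"{len(recs)} dropped packets; top sources: {top_sources(recs)}")
    for line in to_dshield_lines(recs, user_id=0):
        print(line)
```

Run against a real messages file it would return an empty list if none of the DENY rules carry `-l`, which is the first thing to check when the parser finds nothing; only then is it worth looking for another log file.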
Title: Re: DShield Client?
Post by: Nathan Fowler on May 28, 2003, 05:08:35 AM
I think you have to enable logging, and perhaps they are in /var/log/secure?

(A complete shot in the dark)
Title: Re: DShield Client?
Post by: Cyrus Bharda on May 28, 2003, 05:52:16 AM
Nathan,

hmmm, I tried a grep "input DENY" from /, which I might add took FRICKEN AGES, and could not find it anywhere, so I might take this discussion to the developers list. Thanks though :-)

Cyrus Bharda