What is DShield and why would I send them my logs?
According to the SANS Internet Storm Center (ISC), “DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service.” While DShield is often referred to generically as a “collaborative firewall log correlation system,” for all practical purposes, it is a bit of threat intelligence well before threat intelligence was cool or an overused buzzword. 😉 The truth is many folks across the internet provide data to the ISC and it really is a community-based effort. DShield aggregates/parses the data and determines different attack vectors and trends. This information then gets filtered back down to the community and it is often found in many of the threat/IP blacklist feeds used by security products. How cool is that? So the bottom line is that if you are a consumer of this data, why not help out the cause and contribute to it? You also get the added bonus of seeing firewall reports on your own last 30 days of data via your account portal. I’ve included one example of the many reports you might expect at the bottom as well. Did I mention it’s free?!?!
DShield account creation
Get started by creating an account on DShield. Once again, it’s free.
After your account is created, go to ‘my account’ and you will see the information we need. Namely, the API key and the user ID. I would recommend just leaving this page up and copying/pasting these when we need them later.
pfSense web config
To get started, we’ll need to add a notification email address on pfSense. You can do this by going to System->Advanced->Notifications. If you already have an account configured here, great! Just remember you will need to use that same email address later when configuring the script. If you don’t have anything configured here, you will need to add one. I chose to use a Gmail address and if you want to do the same, make the modifications as shown in the picture below. Don’t forget to send a test after saving your changes!
Note: I used a different Gmail address than my standard use one for the simple fact you can’t use an account that has 2-factor authentication enabled.
SSH on pfSense is not enabled by default. You can easily turn it on via the System->Advanced menu.
Command line config
Now, SSH to your pfSense box using PuTTY or another SSH client. Don’t forget your username is root, not admin.
Once you are logged in, go to option 8, which drops you to a standard command line. Create a bin directory under root and then change to that directory.
mkdir bin
cd bin
Next, download the config file from DShield, renaming it with a .php extension. Then, make the file executable.
curl -o dshieldpfsense.php https://isc.sans.edu/clients/dshieldpfsense.txt
chmod +x dshieldpfsense.php
Edit the script to modify your authkey, fromaddr, and uid. As stated earlier, it is far easier to copy/paste the authkey and uid values from the DShield page.
Note: double-check the interface if you are using anything other than WAN.
Once those 3 lines are changed, go ahead and exit vi. Perform a quick test run using the command below.
If everything is configured correctly, you should receive something similar to the line below, stating how many lines were uploaded to DShield. If you receive nothing back (no errors either), wait a bit and try again.
send XXXX lines to DShield OK
If that worked, you just need to automate it. Do this by typing in ‘crontab -e’ from the command line and copying in the cronjob below. I would recommend making these values (25,55) somewhat random and leave them 30 minutes apart from one another.
25,55 * * * * /root/bin/dshieldpfsense.php
Exit as you would with vi, and that should give you the message ‘crontab: installing new crontab’.
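The command line steps above (download the client, set the three values, test once, install the cron job) can be wrapped in a small script so the result is repeatable and checkable. The following is an added example, not part of the original post or the ISC client itself. It assumes the three settings appear in the downloaded script as PHP assignments of the form $authkey = "..."; (an assumption about the file layout; the script prints the edited lines so you can verify them before the first run), that the values are supplied through the environment variables DSHIELD_AUTHKEY, DSHIELD_FROM and DSHIELD_UID (hypothetical names chosen here), and that curl, sed and crontab are available as they are on pfSense.

```shell
#!/bin/sh
# Added example: automates the manual DShield client setup described above.
# Assumptions (not from the post): the ISC script stores the settings as
#   $authkey = "..."; $fromaddr = "..."; $uid = ...;
# and the values are passed in via DSHIELD_AUTHKEY, DSHIELD_FROM, DSHIELD_UID.
# Run as:  DSHIELD_AUTHKEY=... DSHIELD_FROM=... DSHIELD_UID=... sh setup.sh install

DSHIELD_URL="https://isc.sans.edu/clients/dshieldpfsense.txt"
CLIENT="/root/bin/dshieldpfsense.php"

# Derive two cron minutes 30 apart from a seed (e.g. the PID), so every
# contributor does not upload at exactly :25 and :55 as in the post.
cron_minutes() {
    first=$(( $1 % 30 ))
    printf '%d,%d\n' "$first" "$(( first + 30 ))"
}

# Full crontab line for the client, twice an hour.
cron_line() {
    printf '%s * * * * %s\n' "$(cron_minutes "$1")" "$CLIENT"
}

# Rewrite the right-hand side of a PHP assignment  $name = ...;  in $2 to "$3".
# Values containing | or & would need escaping; API keys and e-mail addresses
# do not. Written via a temp file so it works with both BSD and GNU sed.
set_php_var() {
    name=$1; file=$2; value=$3
    sed "s|^\([$]${name}[[:space:]]*=[[:space:]]*\).*;[[:space:]]*$|\1\"${value}\";|" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Parse the client's confirmation line ("send N lines to DShield OK").
# Prints N and returns 0 on success; returns 1 when no confirmation was seen,
# which is the "wait a bit and try again" case from the post.
upload_count() {
    printf '%s\n' "$1" \
        | sed -n 's/^send \([0-9][0-9]*\) lines to DShield OK$/\1/p' \
        | grep .
}

main() {
    : "${DSHIELD_AUTHKEY:?set DSHIELD_AUTHKEY}" \
      "${DSHIELD_FROM:?set DSHIELD_FROM}" "${DSHIELD_UID:?set DSHIELD_UID}"
    mkdir -p "$(dirname "$CLIENT")"
    curl -fsS -o "$CLIENT" "$DSHIELD_URL"
    # 700 rather than +x: the file now holds your API key, keep it root-only.
    chmod 700 "$CLIENT"
    set_php_var authkey  "$CLIENT" "$DSHIELD_AUTHKEY"
    set_php_var fromaddr "$CLIENT" "$DSHIELD_FROM"
    set_php_var uid      "$CLIENT" "$DSHIELD_UID"
    # Show the edited lines so the layout assumption can be checked by eye.
    grep -nE '^\$(authkey|fromaddr|uid)' "$CLIENT"
    out=$("$CLIENT")
    if n=$(upload_count "$out"); then
        echo "first upload OK: $n lines sent"
    else
        echo "no confirmation from DShield yet; retry in a few minutes" >&2
    fi
    # Install the cron job idempotently: drop any old entry, add the new one.
    ( crontab -l 2>/dev/null | grep -v dshieldpfsense.php; cron_line "$$" ) | crontab -
}

case "${1:-}" in install) main ;; esac
```

The install step only runs when the script is invoked with the install argument; the helper functions can be sourced and exercised on their own, which is how the confirmation-line parser and the cron schedule can be checked before touching the live crontab.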
And now you wait… After your cronjob runs a few times and enough data is collected, you can take a look at your data as aggregated by DShield.
If you or any feeds you use consume data from DShield, contributing to the cause is really the right thing to do! Keep in mind that other firewalls can send their data as well; it is not just limited to pfSense. For a complete rundown on additional clients and the other ins and outs of the DShield project, visit the link below.