bitslip6 / bitfire
Enterprise firewall, stop all bot/spam and manual attacks. OWASP top 10, with bot whitelist in <2ms
Requires
- php: ^7.0.33
- dev-master
- 2.2.2
- 1.8.1
- 1.7.3
- 1.7.2
- 1.7.1
- 1.6.8
- 1.6.3
- 1.6.2
- 1.6.1
- 1.6.0
- 1.5.9
- 1.5.8
- 1.5.7
- 1.5.6
- 1.5.5
- 1.5.4
- 1.5.3
- 1.5.2
- 1.5.1
- 1.5.0
- 1.4.9
- 1.4.8
- 1.4.7
- 1.4.6
- 1.4.5
- 1.4.4
- 1.4.3
- 1.4.2
- 1.2.8
- 1.2.7
- 1.2.6
- 1.2.2
- 1.2.1
- 1.2.0
- 1.1.9
- 1.1.8
- 1.1.3
- 1.1.2
- 1.1.1
- 1.0.5
- 1.0.4
- 1.0.3
- 1.0.1
- dev-exceptions
- dev-ex-merge
- dev-feature/reporting
- dev-add-code-of-conduct-1
- dev-refactor/cache1
- dev-add-license-1
This package is auto-updated.
Last update: 2024-04-30 00:45:36 UTC
README
BitFire RASP Firewall for PHP
enterprise class security for everyone
BitFire Install Guide »
Report Bug
·
Request Feature
Table of Contents
File-System Protection RASP Database Protection RASP Automated Bot Protection RASP Getting Started Additional InformationRuntime Application Self Protection firewall for PHP
BitFire is a Runtime Application Self Protection (RASP) based firewall for PHP servers. BitFire's RASP for PHP works differently than a traditional Web Application Firewall (WAF), by providing a security sandbox for all database and filesystem access, BitFire can prevent malware infections and account takeover for vulnerable plugins, themes and custom PHP code, regardless of of the stack.
Video Demonstration:
FileSystem RASP
Consider the following PHP vulnerability: This vulnerability allows uploading or overwriting any PHP file.
<?php file_put_contents($_GET['filename'], $_GET['content']);
BitFire's RASP filesystem sandbox runs for all non-administrator users and will intercept this file write, and check both $_GET['filename'] and $_GET['content'] for any attempt to access a php file. When detected the malware infection fails and a blocking page is immediately displayed.
BitFire natively understands WordPress administrators, and you can add support for any CMS by implementing this simple function:
namespace BitFire\Plugin function is_admin() : bool { if (my_custom_acl_check($_COOKIE)) { return true; } return false; // OR simply: return my_custom_acl_check(); }
Database RASP
Hacker's exploit security vulnerabilities to create backdoor administrator accounts. These accounts are then used later to install malware or other spam content. BitFire secures this vulnerability by inspecting all database updates and checking for privilege escalation.
Consider the following wordpress vulnerability: This vulnerability can allow an attacker to set privilege level to any value including "administrator" without any verification.
$user = get_current_user(); $user->setRole($_GET['user_role']);
When the BitFire Database sandbox inspects the underlying database update, it will compare the user privilege being set against the the user privilege making the change. If the user does not have the permission to grant administrator access, the database write is denied and a block page is served to the user.
BitFire comes pre-configured for popular CMS's including WordPress, Joomla and Drupal.
You can implement your own database checks as well:
QueryBlockList::new("table_name", "insert/update/delete", ["matching", "query", "criteria"], 'privilege_check_function');
This would trigger on any update of the table_name table with matching criteria to authenticate the SQL query using the PHP function privilege_check_function().
Example query blocked:
UPDATE table_name SET wp_capabilities = 'a:1:{s:13:"administrator";b:1;}' WHERE umeta_id = 20;
Bot Protect RASP
99% of web attacks come from automated scripts. BitFire RASP protects your site from automated attacks in 2 ways. First, it allows good bots like google and bing by authenticating their network origin. Google bot only connects from google owned IP addresses, and bing from Microsoft. BitFire has a list of over 150 known and approved bots, SEO tools and their origin networks.
Second, for web browsers like Chrome, Safari, etc, BitFire sends a transparent JavaScript challenge. This JavaScript challenge takes only milliseconds to complete and verifies that the client is a real browser and not a hacking tool. This way your website only sees the verified browser traffic. This is similar to Cloudflare's Super Bot Fight Mode.
Here's How BitFire is different:
Speed. <2 ms block times - BitFire is up to 100x faster than the most popular PHP Firewalls
Bot authentication. Authenticates good bots like google, facebook, bing, ahrefs, by source network
Browser verification. Transparent JavaScript browser verification ensures user's are real
Client Integrity. Automatically generate browser policy preventing browser takeover
Server Integrity. Authenticated file access prevents server code modification
Grammar based firewall. Parses SQL, HTTP, HTML for the most accurate blocking
Built With
BitFire is built from pure PHP and has no external dependencies. BitFire can take advantage of several PHP shared memory caches including APCu, SHM, shmop and OpCache
Prerequisites
You will need: a web-server (apache, nginx), PHP >= 7.1, a login, and a text editor.
Installation
-
Install via GitHub
git clone https://github.com/bitslip6/bitfire.git add: auto_prepend_file = "/path/to/bitfire/startup.php" to root .user.ini file -
or Install via Composer
composer require bitslip6/bitfire add: auto_prepend_file = "/path/to/bitfire/startup.php" to root .user.ini file -
Bitfire is now installed! Open the configuration wizard to enable the firewall by visiting /bitfire/startup.php in your web browser. If you installed BitFire outside your web_root, you can access the dashboard by visiting the url /bitfire-admin which is defined in /bitfire/config.ini.
-
Congratulations! Time for a beer
Detailed configuration and installation is available on our Support Center
Setup / Configuration Quick-start
The default configuration is very conservative and will only block bots identifying themselves as malicious scripts. The configuration is stored in config.ini in the BitFire home directory (for composer: vendor/bitslip6/bitfire/config.ini)
Now visit your website at path "your_domain.com/bitfire_dashboard" enter the password when prompted, then click on "Settings" and configure the settings you want to use.
On first page view BitFire will auto configure itself for your server and rarely needs to be adjusted.
Feature flags support 3 values:
- false: disable the feature
- report: don't block the traffic but add an entry to the report_file (config.ini setting)
- block: block the request, server response_code (config.ini) from views/block.php we recommend beginning with report and then moving to block only after verifying that you would not be blocking good traffic. https://github.com/bitslip6/bitfire/wiki/block_reporting for details.
1. Require full browser. If your website uses JavaScript and cookies (99% of all websites) you can require all web browers to prove they support both by enabling require_full_browser. Since >95% of all exploit scripts and worms do not support JavaScript or cookies this is the single best protection you can install to prevent breakins. This cookie is non user-identifying and so is fully GDPR compliant and does not require a GDPR notification.
require_full_browser = report | block
2. Enable bot whitelist. Futher limit bots by allowing only verified whitelisted robots. A preconfigured list of common bots included with BitFire. Refer to our wiki for how to add additional bots.
whitelist_enable = report | block
3. Enable core web filters. The web filter blocks malicious requets like XSS, LFI, RCE and SQLi as well as many others. The entire web filter can be enabled or disabled with the web_filter_enabled parameter. We recommend the following configuration:
web_filter_enabled = report | block xss_block = report | block web_block = report | block file_block = report | block sql_block = report | block
4. Enable IP blocking. By default BitFire will not black list IP addresses. We recommend you enable this feature which allows for the fastest possbile drop of HTTP floods.
allow_ip_block = true
For detailed documentation, please refer to the Documentation
Roadmap
See the open issues for a list of proposed features (and known issues).
Contributing
Additions to the bot whitelist and additional attack signatures or bypasses are greatly appreciated. If your contributions are included you will recieve discounts on comercial licencing for BitFire Pro.
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature) - Commit your Changes (
git commit -m 'Add some AmazingFeature') - Push to the Branch (
git push origin feature/AmazingFeature) - Open a Pull Request
License
Distributed under the Apache 2.0 License. See LICENSE for more information.
Contact
Cory - @bitslip6 - info@bitslip6.com
Project Link: https://github.com/bitslip6/bitfire