bitslip6 edited this page Aug 12, 2021 · 8 revisions

BitFire

Enterprise-grade firewall for PHP-based websites.

Check out the Discord chat here: https://discord.gg/6xGFyw5td3

Visit the website at https://bitfire.co

bitfire dashboard

Install Procedure:

  • git clone, composer require or install script
  • edit php.ini and point auto_prepend_file to bitfire/startup.php
  • restart PHP
  • edit config.ini and set the desired options
  • review the config guide on this wiki

Example install via Composer or GitHub into /opt/bitfire:

$ composer require bitslip6/bitfire
or
$ git clone https://github.com/bitslip6/bitfire /opt/bitfire
$ /opt/bitfire/updatekeys.sh
BitFire 1.0.4 config: /home/cory/tools/bitfire-release/config.ini...
secure secrets, and encryption keys updated

/etc/php/7.2/cli/php.ini 
sudo sed -i 's/^.*auto_prepend_file.*$/auto_prepend_file = startup.php/' /etc/php/7.2/cli/php.ini
add BitFire support to /etc/php/7.2/cli/php.ini (y/n)? n

/etc/php/7.2/fpm/php.ini 
sudo sed -i 's/^.*auto_prepend_file.*$/auto_prepend_file = startup.php/' /etc/php/7.2/fpm/php.ini
add BitFire support to /etc/php/7.2/fpm/php.ini (y/n)? y
[sudo] password for cory:

Recommended configuration:

BitFire ships with sensible defaults and is disabled until enabled in the config.ini file. All BitFire configuration is in the config.ini file in the bitfire directory. Settings may be "block", "report" or false. "block" will stop the traffic and log it; "report" will allow the traffic and log it to another file.

By default all blocks are stored at /tmp/bitfire.block.json, all alerts (reports) are stored in /tmp/bitfire.

To begin inspecting traffic set bitfire_enabled = true in the bitfire/config.ini
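
A post-install check for the two switches described above, auto_prepend_file in php.ini and bitfire_enabled in config.ini. This is an added example, not part of BitFire; the function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify that PHP loads BitFire and that BitFire is enabled.

# Print the effective value of key $2 in INI file $1: the last uncommented
# "key = value" line, minus surrounding blanks, quotes and a trailing ';' comment.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                  # whole-line comment
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            sub(/[ \t]*;.*$/, "", v)            # trailing comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one of: active, disabled, not-loaded.
#   $1 = php.ini of the SAPI that serves web traffic, $2 = BitFire config.ini
bitfire_install_status() {
    case "$(ini_value "$1" auto_prepend_file)" in
        startup.php|*/startup.php) ;;           # PHP runs BitFire before each script
        *) echo "not-loaded"; return 0 ;;
    esac
    # Assumption: only the literal value shown on this page (true) counts as enabled.
    if [ "$(ini_value "$2" bitfire_enabled)" = "true" ]; then
        echo "active"
    else
        echo "disabled"
    fi
}

# Write constructed sample files into directory $1.
make_sample() {
    printf '[PHP]\n;auto_prepend_file = old.php\nauto_prepend_file = startup.php\n' > "$1/fpm.ini"
    printf '[PHP]\nauto_prepend_file =\n' > "$1/cli.ini"
    printf '; constructed sample\nbitfire_enabled = true\n' > "$1/config.ini"
    printf 'bitfire_enabled = false\n' > "$1/config-off.ini"
}

d=$(mktemp -d) && make_sample "$d"
echo "fpm, enabled config : $(bitfire_install_status "$d/fpm.ini" "$d/config.ini")"
echo "fpm, disabled config: $(bitfire_install_status "$d/fpm.ini" "$d/config-off.ini")"
echo "cli, prepend not set: $(bitfire_install_status "$d/cli.ini" "$d/config.ini")"
rm -rf "$d"
```

On a real host, pass the php.ini of the SAPI that handles web requests (the fpm file in the session above) and the config.ini in the bitfire directory.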

TL;DR configuration

blocking settings

| Setting | Effect | Recommended setting |
|---|---|---|
| bitfire_enabled | completely turn on/off firewall | true |
| allow_ip_block | allow the firewall to blacklist ip addresses | true |
| enforce_ssl_1year | HSTS header, enforce SSL. breaks site if SSL certificate expires | true |
| feature_policy | set true to disallow all JavaScript APIs except listed | true |
| allowed_features[] | list of JavaScript APIs to allow and which scripts can use them | * |
| max_cache_age | maximum age for homepage caching, 0 disables caching | 4200 |
| decode_html | convert &lt; to < before firewall inspection (recommended) | true |
| spam_filter_enabled | block all requests with phrases like "100% free", "free gift" | true |
| xss_block | block requests likely to be cross site scripting | true |
| sql_block | block requests likely to be sql injection | true |
| file_block | block attempts to upload various types of PHP scripts | true |
| block_profanity | replace profanity with !@#$! | true |
| filtered_logging[] | list of parameters to not log (credit card, passwords, etc) | * |
| botwhitelist[] | list of allowed bot crawlers | * |
| allowed_methods[] | list of allowed HTTP verbs | default |
| whitelist_enable | only allow robots that are listed in the whitelist | true |
| blacklist_enable | disallow any robots that appear in the blacklist | true |
| require_full_browser | require all web browsers to support JavaScript and cookies before access | true |
| honeypot_url | any request to this url will result in IP block | add to robots.txt as DENY |
| check_domain | only allow requests to these hosts, block all requests by IP | true |
| valid_domains[] | make sure to add all domain and host names to the list! | * |
| rr_1m | maximum 1 minute request rate before block, 0 to disable | 0 |
| rr_5m | maximum 5 minute request rate before block, 0 to disable | 0 |

system settings

| Setting | Effect | Recommended setting |
|---|---|---|
| cache_type | in memory cache type, recommend shm or apcu | shmop |
| user_tracking_param | unique name of internal parameter to identify internal requests | unique |
| user_tracking_cookie | unique name of cookie for tracking browser legitimacy | unique |
| encryption_key | a unique key used to encrypt cookies | unique |
| secret | a unique secret for internal requests | unique |
| web_uid | the user id of the web user | www-data or similar |
| response_code | the HTTP response code for blocked pages | 403 or 500 |
| short_block_time | seconds to ban IP for small offenses | 600 |
| medium_block_time | seconds to ban IP for larger offenses | 3600 |
| long_block_time | seconds to ban IP for request floods | 86400 |