enterprise class security for everyone
BitFire Install Guide »
Report Bug
·
Request Feature
Table of Contents
There are many choices for PHP firewalls to protect your webservers, most can be easily bypassed.
Here's How BitFire is different:
Speed. <1 ms block times - BitFire is up to 100x faster than the most popular PHP Firewalls
Bot authentication. Authenticates good bots like google, facebook, bing, ahrefs, by source network
Browser verification. Transparant JavaScript browser verification ensures user's are real
Client Integrity. Automatically generate browser policy preventing browser takeover
Server Integrity. Prevent atackers from modifying server files with Operating System locks
Grammer based firewall. Parses SQL, HTTP, HTML for the most accurate blocking
BitFire is built from pure PHP and has no external dependencies. BitFire can take advantage of several PHP shared memory caches including APCu, SHM, shmop and OpCache
Security from F to A in 5 minutes https://www.youtube.com/watch?v=DHhEW2otdng Install Guide: https://bitfire.co/bitfire-install
You will need: a webserver (apache, nginx), PHP >= 7.1, a login, text editor, sudo access to edit php.ini.
-
Install via GitHub
git clone https://github.com/bitslip6/bitfire.git ./bitfire/updatekeys.sh
-
or Install via Composer
composer require bitslip6/bitfire ./vendor/bin/updatekeys.sh -
be sure to allow updatekeys to install in your fpm and apache php.ini files when prompted.
-
Bitfire is now installed! The default config will not block anything until enabled. set bitfire_enabled in
config.iniand see the quickstart in this readme.bitfire_enabled = true;
-
Congratulations! Time for a beer
-
You may also install by-hand. set config.ini.php and cache to web writeable, update encryption_key and secret in config.ini then, in php.ini update auto_prepend_file
auto_prepend_file ='/full/path/to/bitfire/startup.php';Detailed configuration is available on our Wiki
The default configuration is very conservative and will only block
bots identifying themselves as malicious scripts. The configuration is stored in config.ini in the BitFire
home directory (your github checkout location, or for composer vendor/bitslip6/bitfire/config.ini)
- false: disable the feature
- report: don't block the traffic but add an entry to the report_file (config.ini setting)
- block: block the request, server response_code (config.ini) from views/block.php we recommend beginning with report and then moving to block only after verifying that you would not be blocking good traffic. https://github.com/bitslip6/bitfire/wiki/block_reporting for details.
1. First setup your in-memory cache type. BitFire stores server state in memory for fast response
time and supports all PHP in memory caches. We preefeer in order: shmop, apcu . If you
are unsure which cache your server supports, see php_info() output. Look for "shmop", and "apcu"
and set cache_type in config.ini to your chosen cache or 'nop' for no cache.
2. Next configure a browser honey pot. Set _honeypot_url_ in config.ini to anything you like,
or leave the default. Malicious bots looking for secure areas of your site will read this, request
the url and get banned for 24 hours. Good bots will respect the Disallow and not be effected. Add
your url to your robots.txt file:
honeypot_url = '/not_important/contact'User-agent: *
Disallow: /not_important/contact3. Require full browser. If your website uses JavaScript and cookies (99% of all websites) you can require all web browers to prove they support both by enabling require_full_browser. Since >95% of all exploit scripts and worms do not support JavaScript or cookies this is the single best protection you can install to prevent breakins. This cookie is non user-identifying and so is fully GDPR compliant and does not require a GDPR notification.
require_full_browser = report | block4. Enable bot whitelist. Futher limit bots by allowing only verified whitelisted robots. A preconfigured list of common bots included with BitFire. Refer to our wiki for how to add additional bots.
whitelist_enable = report | block5. Enable core web filter. The web filter blocks malicious requets like XSS, LFI, RCE and SQLi as well as many others. The entire web filter can be enabled or disabled with the web_filter_enabled parameter. We recommend the following configuration:
web_filter_enabled = report | block
xss_block = report | block
web_block = report | block
file_block = report | block
sql_block = report | block6. Enable IP blocking. By default BitFire will not black list IP addresses. We recommend you enable this feature which allows for the fastest possbile drop of HTTP floods.
allow_ip_block = trueFor detailed documentation, please refer to the Documentation
See the open issues for a list of proposed features (and known issues).
Additions to the bot whitelist and additional attack signatures or bypasses are greatly appreciated. If your contributions are included you will recieve discounts on comercial licencing for BitFire Pro.
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature) - Commit your Changes (
git commit -m 'Add some AmazingFeature') - Push to the Branch (
git push origin feature/AmazingFeature) - Open a Pull Request
Distributed under the Apache 2.0 License. See LICENSE for more information.
Cory - @bitslip6 - [email protected]
Project Link: https://github.com/bitslip6/bitfire