The Sound of Your Firewall
upside writes "It had to be done. Once The Spinning Cube of Potential Doom gave us a 3D visualization of a firewall, someone was bound to ask themselves 'What does your firewall sound like?'."
I really like these concepts for alternate ways to visualize large amounts of data. Reminds me of Douglas Adams's Dirk Gently books. There was a character who wrote a program called Anthem that would interpret a company's stock data and vital statistics and play a tune based on that data.
Rather than using a .wav file, maybe this could be written to play a variety of MIDI tones to account for all kinds of activity on your network!
Urge to post... fading... fading... RISING!... fading... fading... gone.
Modulating the pitch on the dropped/blocked port numbers? I bet it could sound like a windchime with the proper modulus.
I've been doing exactly this same thing for a while. I found that it got extremely obnoxious, so I dumbed mine down to just play a wave file whenever I get pinged by someone pinging me from a command line ping. I don't know why the length is different than the crap pings that come in every 8 or 9 seconds, but with this swatch definition below, it seems to trigger only when I am pinged by hand.
So, put this in your swatch file that watches your firewall log:
watchfor /firewall-ping.*LEN=84/
exec "/usr/local/site/bin/ping-wave.sh ping.wav"
That script just locks the darned thing so it doesn't pop and crack if I get pinged twice:
ping-wave.sh:
# play only while the lock file says OPEN; clear it during playback, then reopen it
if grep OPEN /etc/pingwatch.lock 1>/dev/null
then (echo -n > /etc/pingwatch.lock) && (/usr/bin/play "/usr/local/site/etc/sounds/$1") && (echo OPEN > /etc/pingwatch.lock)
fi
And here's a link to my ping wave for you to use:
ping.wav
I also used the naturalvoices website to make a nerdy computer lady announcing new entries in my arp table. You can grab that wave file too if you want. Here's the script I have for that:
put this in your /etc/crontab or whatever:
0-59 * * * * root /usr/local/site/bin/arp-watch
and then make the above command contain this:
#!/bin/bash
# announce each hardware address from the arp table that is not yet recorded in /etc/arptable
for each in `arp -n |grep -v "Address"|grep -v "eth0"|awk '{print $3}'`
do
if grep "$each" /etc/arptable 1>/dev/null
then :
else /usr/bin/play /usr/local/site/etc/sounds/new.arp.entry.wav && echo "$each" >> /etc/arptable
fi
done
If anyone can improve upon my bash, please, I have no ego. :D
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
I'd rather have a silent firewall... I'm not the kind of person who likes having a big warning every time some script kiddy scans my port 31337 or pings me... hell ZoneAlarm will warn you if there's a DHCP server on your network... and people who don't know better think that OMG IT'S A HAX!!!!!!11111111...
Maybe it could be nice on an IDS system though..
I send firewall logs to DShield.org, and you should too. The firewall is set to only log 100 denied packets at a time, so lazy bastard that I am I set a cronjob to reset the counters every hour. That was a few months ago.
Last week I happened to be looking at the logfiles, and I noticed something: an hour was no longer enough. The counter hits 100 within 10 or 15 minutes. I can watch the hits come in, and it's all Windows crap: Port 445. Port 137. Port 139. Port 1026. That's it. Nothing interesting -- you know, no stealthy scans by l33t cr5X0rZ, no probing for open relays, nothing.
Two thoughts before I go:
First, this makes for excellent demonstration material. A coworker mentioned that he was considering moving from Windows to Linux because he was tired of all the viruses and worms. I showed him what tail -f on my firewall logs looked like, pointed out that it was all Windows junk, and he was convinced. Gave him a Knoppix CD and made another notch on my belt. :-)
Second, I'm lucky: my ISP has not started firewalling ports yet. A friend's ISP just started, and now his web and mail server, which I'm doing DNS for, are no longer available from outside -- they've started blocking those along with 445, 137, 139, and so on. Sadly, it looks like the ISP has no provision for lifting this if you can prove you're l33t enough, so it looks like he's screwed.
Honestly, though, I'm not surprised. Yeah, it sucks that the Internet is no longer open -- but it sucks that the Internet is no longer friendly, too, and the one is a consequence of the other. As much as I bitch about Windows and Microsoft, I don't think they're entirely to blame...you get that many people joining something, and you're going to have enough asshats to ruin it pretty quickly.
Carousel is a lie!
What you need to hear is not the DROPed packets, but the ACCEPTed ones.
If you make a different sound for every port/address/whatever packet you receive it becomes easy to recognize when the traffic is abnormal.
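The per-port pitch idea raised in the comments above (a distinct tone per port, folded with a modulus so it stays musical, with accepted and dropped traffic kept apart), as an added example that is not from any poster. The `fw-accept`/`fw-drop` log prefixes, the sample log lines and all function names are assumptions.

```python
import re

# Constructed netfilter-style log lines; the fw-accept / fw-drop prefixes are assumed.
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: fw-accept IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40000 DPT=22
Jan 10 12:00:02 gw kernel: fw-drop IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=4111 DPT=445
Jan 10 12:00:03 gw kernel: fw-accept IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan 10 12:00:04 gw kernel: fw-drop IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=78 PROTO=UDP SPT=137 DPT=137
"""

LINE_RE = re.compile(r"\b(fw-accept|fw-drop)\b.*?\bPROTO=(\w+)(?:.*?\bDPT=(\d+))?")
PENTATONIC = (0, 2, 4, 7, 9)  # major pentatonic: overlapping notes stay consonant
BASE_NOTE = {"fw-accept": 72, "fw-drop": 48}  # accepted traffic sounds high, drops low


def port_to_midi(port, base):
    """Fold a port number onto two pentatonic octaves above the MIDI note `base`."""
    octave, degree = divmod(port % 10, 5)
    return base + 12 * octave + PENTATONIC[degree]


def midi_to_hz(note):
    """Equal temperament: MIDI note 69 (A4) is 440 Hz."""
    return 440.0 * 2 ** ((note - 69) / 12)


def sonify(log_text):
    """Return (verdict, proto, port, midi_note) for every firewall log line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall line
        verdict, proto, dpt = m.groups()
        port = int(dpt) if dpt else 0  # ICMP carries no destination port
        events.append((verdict, proto, port, port_to_midi(port, BASE_NOTE[verdict])))
    return events


if __name__ == "__main__":
    for verdict, proto, port, note in sonify(SAMPLE_LOG):
        print(f"{verdict:9} {proto:4} port {port:5} -> MIDI {note} ({midi_to_hz(note):.1f} Hz)")
```

Because dropped packets stay at or below MIDI 69 and accepted ones start at 72, an unfamiliar high note means an accepted connection to a port you do not normally hear.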