PHPIPS activated in this WordPress Installation
Hi,
today I started coding again on PHPIDS.
I implemented it in this WordPress installation. Each attack is logged into a MySQL table and the system is in so-called "kick ass mode".
So if you inject some stuff you will sooner or later mess up your session.
If you reset your session you are back on 0 and can inject other attacks or just leave me a comment. :)
Feel free to play around a little bit with the search or the admin login and inject some attacks.
A low-level attack, e.g.:
'>XXX
If you need some higher impact values, try to search for
'>XXX javascript:alert(1) SELECT DISTINC ;
The coding itself was cleaning up the codebase, so there is no new feature in the code, just a few modified commands for MySQL logging and sending mails.
I really need some attack requests and some more testing before implementing new functionality. So feel free to suggest wishes, what you would like to see or to have.
Because most of the coding effort is currently framework work, a new version will take some time; until now everything works quite fine.
Oh, and please don't hurt this system, or at least try to :)
Mid February phpips coding will continue…
Hi there,
in the last 3 months I had so much work to do that I wasn't able to write a single line of code for this project.
I plan to continue coding mid February again, so stay tuned.
If anyone wants to contribute, in whatever way, just let me know.
Creating custom modules for phpips
Hi,
as promised, today I will explain how you can create custom modules for the IPS system.
First you should get the latest version from the SVN repository on SourceForge.
svn co https://php-ips.svn.sourceforge.net/svnroot/php-ips/trunk/ php-ips
To add a new module, you just need to create a new directory under phpids/lib/Modules.
We will name it Example.
mkdir phpids/lib/Modules/Example
This is your new module directory. Now we need a place where we can add commands for our module.
The directory the system searches for commands is named, well, "Command" :)
mkdir phpids/lib/Modules/Example/Command
The first command we will implement is a modified version of the log command.
The default command just opens a file and writes logging messages to it.
This is fine, but we want the logs to go into a database, so we can analyse them more easily with a nice backend. To keep this example simple, I will use an SQLite database. If you want another database, like MySQL, PostgreSQL or even Microsoft SQL Server, you can do this on your own.
Furthermore, I will use the PDO PHP extension for the database work, so forgive me, it's only my second time working with it; hopefully I don't mess up my code too much. (We will see if Zend Framework spoiled me too much :))
To create the command, all we have to do is add a new file named Log.php. Let's do it.
touch phpids/lib/Modules/Example/Command/Log.php
Before we begin, insert the following code in the file itself:
<?php
class Module_Example_Command_Log extends Ips_Command_Abstract {
    // Singleton instance; the framework fetches every command via getInstance().
    private static $_instance = null;

    public static function getInstance() {
        if (self::$_instance == null) {
            self::$_instance = new self();
        }
        return self::$_instance;
    }

    // Called when the command really runs.
    protected function realExecute() {
    }

    // Called in simulation mode; writes what would happen to $fileHandle.
    protected function realSimulate($fileHandle) {
    }
}
From the framework's point of view, that's all. Just implement the methods and you are done. (Well, you need to configure the system to use the new module directory; furthermore, it makes no sense to implement only one command in a module, so you have to implement all commands you need in this module.
I will show the configuration part at the end.)
OK, forget the last note; we implement the code here now, because I want to show some things you will probably need while implementing your own commands.
As I said, we want to log to an SQLite database, so first of all we need to create it. (We will use sqlite3, so make sure you have the sqlite3 package of your distribution. Furthermore, you need the php5-sqlite PHP module.)
First the table definition:
CREATE TABLE [loggertable] (
[id] INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
[time] TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
[affected_tags] VARCHAR(256) NULL,
[impact] INTEGER NOT NULL,
[session_impact] INTEGER NOT NULL,
[attacker_ip] VARCHAR(128)
);
Just open a new file called create_loggerdb.sql and insert the SQL code in it. Then use the following commands:
sqlite3 logger.db < create_loggerdb.sql
chown www-data logger.db
chmod u+rw logger.db
(www-data is the user running the httpd server on Debian-based systems, so use whichever user runs the httpd server on your host.)
Now our database is finished. Just put the file in a place where your httpd server can reach it. I will put it in the directory /var/www/path/to/webroot/phpips/examples/logger.db
If you downloaded a package newer than alpha_01, you already have such a file in the examples directory. You can use it if you like.
Now let's go back to our logger command.
I will now add some methods to the class; you can just copy and paste the following code or do it on your own.
I created a method called dbInsert; here is the code:
    private function dbInsert() {
        // Path of the SQLite file created above and the table name from
        // create_loggerdb.sql (both properties are declared in the full listing).
        $this->_dbPath = $this->_registry->getBasePath() .
            "phpips/examples/db/logger.db";
        $this->_dbTableName = "loggertable";
        $db = new PDO('sqlite:' . $this->_dbPath);

        // Collect the values to log from the IDS report and the registry.
        $idsReport = $this->_registry->getidsReport();
        $session_impact = $this->_registry->getHighestSessionImpact();
        $impact = $idsReport->getImpact();
        $attacker_ip = $_SERVER['REMOTE_ADDR'];
        $affected_tags = $idsReport->getTags();
        $affected_tags_text = "";
        foreach ($affected_tags as $tag) {
            $affected_tags_text .= "[" . $tag . "]";
        }

        // Prepared statement: the values are bound, never concatenated into the SQL.
        $values = array($impact, $affected_tags_text,
            $session_impact, $attacker_ip);
        $insert = $db->prepare("INSERT INTO " .
            $this->_dbTableName . " ( impact,
                affected_tags,
                session_impact,
                attacker_ip
            )
            values (?,?,?,?);"
        )->execute($values);
    }
I modified the realExecute method like this:
    protected function realExecute() {
        $this->dbInsert();
    }
The realSimulate method I just copied from an existing one.
    protected function realSimulate($fileHandle) {
        $logText = "\n-------\n";
        $logText .= "SIMULATING LOGGING COMMAND\n";
        $logText .= "Logging to Database\n";
        $logText .= "-------\n";
        $this->_registry->add("SimulationOutputBuffer", $this->_registry->
            get("SimulationOutputBuffer") . $logText);
        fwrite($fileHandle, $logText);
    }
Here is the full code again:
<?php
class Module_Example_Command_Log extends Ips_Command_Abstract {
    /*
     * This is the sample command described in my blog.
     * http://ra23.net/wop/category/phpips/
     */
    private static $_instance = null;
    private $_dbPath = null;
    private $_dbTableName = null;

    public static function getInstance() {
        if (self::$_instance == null) {
            self::$_instance = new self();
        }
        return self::$_instance;
    }

    // Real run: write the current IDS report to the database.
    protected function realExecute() {
        $this->dbInsert();
    }

    // Simulation: only describe what the command would do.
    protected function realSimulate($fileHandle) {
        $logText = "\n-------\n";
        $logText .= "SIMULATING LOGGING COMMAND\n";
        $logText .= "Logging to Database\n";
        $logText .= "-------\n";
        $this->_registry->add("SimulationOutputBuffer", $this->_registry->
            get("SimulationOutputBuffer") . $logText);
        fwrite($fileHandle, $logText);
    }

    private function dbInsert() {
        // Path of the SQLite file and the table name from create_loggerdb.sql.
        $this->_dbPath = $this->_registry->getBasePath() .
            "phpips/examples/db/logger.db";
        $this->_dbTableName = "loggertable";
        $db = new PDO('sqlite:' . $this->_dbPath);

        // Collect the values to log from the IDS report and the registry.
        $idsReport = $this->_registry->getidsReport();
        $session_impact = $this->_registry->getHighestSessionImpact();
        $impact = $idsReport->getImpact();
        $attacker_ip = $_SERVER['REMOTE_ADDR'];
        $affected_tags = $idsReport->getTags();
        $affected_tags_text = "";
        foreach ($affected_tags as $tag) {
            $affected_tags_text .= "[" . $tag . "]";
        }

        // Prepared statement: the values are bound, never concatenated into the SQL.
        $values = array($impact, $affected_tags_text,
            $session_impact, $attacker_ip);
        $insert = $db->prepare("INSERT INTO " .
            $this->_dbTableName . " ( impact,
                affected_tags,
                session_impact,
                attacker_ip
            )
            values (?,?,?,?);"
        )->execute($values);
    }
}
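The logging command above depends on the phpips framework (Ips_Command_Abstract, the registry and the PHPIDS report object), so it cannot be run on its own. The following stand-alone PHP script is an added example, not code from the phpips project: it reproduces the database side of dbInsert against an in-memory SQLite database and then reads the events back the way a small analysis backend might. The FakeIdsReport and FakeRegistry classes, the SqliteLogger class and its method names are assumptions made for this harness; only the column names, the "[tag]" formatting and the prepared-statement insert follow the post. It assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
// Added example (not part of the phpips project): a stand-alone harness for the
// database-logging idea from the post, run against an in-memory SQLite database.
// Ips_Command_Abstract, the registry and the IDS report are replaced by minimal
// stand-ins; the method names follow the post, the stand-in classes are assumptions.
declare(strict_types=1);

// Stand-in for the PHPIDS report object used in the post (assumption).
final class FakeIdsReport
{
    public function __construct(private int $impact, private array $tags) {}
    public function getImpact(): int { return $this->impact; }
    public function getTags(): array { return $this->tags; }
}

// Stand-in for the phpips registry (assumption); only the calls the logger needs.
final class FakeRegistry
{
    public function __construct(private FakeIdsReport $report, private int $sessionImpact) {}
    public function getidsReport(): FakeIdsReport { return $this->report; }
    public function getHighestSessionImpact(): int { return $this->sessionImpact; }
}

// Same columns as create_loggerdb.sql from the post.
const LOGGER_SCHEMA = <<<'SQL'
CREATE TABLE loggertable (
    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
    time TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
    affected_tags VARCHAR(256) NULL,
    impact INTEGER NOT NULL,
    session_impact INTEGER NOT NULL,
    attacker_ip VARCHAR(128)
);
SQL;

final class SqliteLogger
{
    private PDO $db;

    public function __construct(string $dsn)
    {
        $this->db = new PDO($dsn);
        // Throw on SQL errors instead of silently returning false, so a failed
        // log write does not go unnoticed.
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    public function createSchema(): void
    {
        $this->db->exec(LOGGER_SCHEMA);
    }

    // Mirrors dbInsert() from the post: tag names are joined as "[tag]" and every
    // value is bound through a prepared statement, never interpolated into the SQL.
    public function logReport(FakeRegistry $registry, string $attackerIp): int
    {
        $report = $registry->getidsReport();
        $tagText = '';
        foreach ($report->getTags() as $tag) {
            $tagText .= '[' . $tag . ']';
        }
        $stmt = $this->db->prepare(
            'INSERT INTO loggertable (impact, affected_tags, session_impact, attacker_ip)
             VALUES (?, ?, ?, ?)'
        );
        $stmt->execute([
            $report->getImpact(),
            $tagText,
            $registry->getHighestSessionImpact(),
            $attackerIp,
        ]);
        return (int) $this->db->lastInsertId();
    }

    // A query an analysis backend might run: all events at or above an impact threshold.
    public function eventsAbove(int $minImpact): array
    {
        $stmt = $this->db->prepare(
            'SELECT id, time, impact, session_impact, affected_tags, attacker_ip
             FROM loggertable WHERE impact >= ? ORDER BY id'
        );
        $stmt->execute([$minImpact]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed sample data: two reports as the IDS might produce them for one session.
$logger = new SqliteLogger('sqlite::memory:');
$logger->createSchema();
$logger->logReport(new FakeRegistry(new FakeIdsReport(4, ['xss']), 4), '198.51.100.10');
$logger->logReport(new FakeRegistry(new FakeIdsReport(27, ['xss', 'sqli', 'id']), 31), '198.51.100.10');

foreach ($logger->eventsAbove(10) as $row) {
    printf("#%d %s impact=%d session=%d tags=%s ip=%s\n", $row['id'], $row['time'],
        $row['impact'], $row['session_impact'], $row['affected_tags'], $row['attacker_ip']);
}
```

Run it with php logger_harness.php (file name assumed); only the second, higher-impact event is printed. Two differences from the post's command are deliberate: the attacker IP is passed in as a parameter instead of being read from $_SERVER['REMOTE_ADDR'], so the harness works from the command line, and PDO is switched to exception mode so a failed insert surfaces instead of returning false unnoticed, which matters for a table that is supposed to be the record of an attack. When the real command runs behind a reverse proxy, keep in mind that REMOTE_ADDR holds the proxy's address, so the logged attacker_ip column then needs to come from the proxy's forwarded header, validated against the proxy's own address.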
The other needed commands, like Mail, Warn, Kick and Ban, I just copied out of the Test folder and renamed to fit the module.
This example is included in the alpha_2 release, so you can get the code here:
http://sourceforge.net/projects/php-ips/files/
To get this module running now, just go to etc/System.ini and edit it. Below I show you what you need to change:
UseCustomCommands="On"
CustomCommandModuleName="Example"
Now your new module is activated and the system uses our newly created log command.
I hope you enjoyed this post; if anything isn't clear or you just found an error in this post, use the comment system.
I'll upload the alpha_2 release ASAP, so you can implement your own command modules now.
regards
Securing PHP-based web applications with phpips
Currently I'm working on an Intrusion Prevention System; the project name is phpips.
The system itself is based on the Intrusion Detection System PHPIDS.
The main goal is to program a framework-like IPS system which interacts with the IDS.
Currently the interaction with the IDS is working fine and I'm implementing the framework around the system.
If you want to check out the current version, it's online at: http://ra23.net/phpips/online_version_ra23_alpha01/example.php. Take a look and play around with it a bit.
But don't hurt my machine ;)
At a later stage a programmer will be able to implement modules for the IPS and configure the system with a few configuration files or even from a database.
There is no documentation yet for the code or for how you can implement modules (which works already, but I'm not fully satisfied yet).
To give you a short preview of how you can install and set up the example in your environment, I'll show some details now.
As I already said, the system is based on PHPIDS. If you already have a running PHPIDS you can use it; if not, a current version will be included in the first code release.
So you need to configure the IDS first. Currently I'm not using special functions in my setup. I just edited the main configuration (phpids-0.6.4/lib/IDS/Config/Config.ini.php).
Just use the absolute path to the location where your phpids is located.
base_path = /var/www/path/to/webroot/php-ips/phpids-0.6.4/lib/IDS/
You can find the documentation for PHPIDS here. Search for "How to install the PHPIDS".
The project is currently hosted on sourceforge.net
To download the first alpha release, follow this link.
Well, if you downloaded my code, you have to configure it too.
There are three things which have to be done, assuming you want to get example.php up and running.
1. Configure phpips/etc/System.ini:
You need to set up the BasePath:
BasePath="/var/www/path/to/webroot/php-ips/"
2. Edit example.php
You need to define a path here too, now for the third time. All good things come in threes, you know ;)
define("PATH_TO_ROOT", "/var/www/path/to/webroot/php-ips/" );
I promise, it was the last time setting a path.
3. Edit System.ini to fit your needs.
You find the documentation inline. For the first running test, you don't need to modify anything inside.
On my example page, the Debugger is enabled. So if you want to see what the system actually does in the background, get the following Firefox add-ons:
I'll write another post in a couple of days, explaining how to create your own modules, configure the system and so on.
This needs further testing and doesn't satisfy me yet.
If you found a bug or have trouble setting the system up, just use the comment system.
Be advised, the system is under heavy development. Things can change rapidly, so try it and have fun with it, but never ever use the alpha version in a production environment.
Never. Ever. Please!
I wrote a further post on how to build your own modules. You can find it here.