
A very good tutorial on the PHPIDS intrusion detection system, really well written

Date: 2022-12-16 23:34:03  Views: 77
Intrusion Detection For PHP Applications With PHPIDS

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 06/04/2008

This tutorial explains how to set up PHPIDS on a web server with Apache2 and PHP5. PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user's session.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I have tested this on a Debian Etch LAMP system with Apache2 and PHP5 and the IP address 192.168.0.100. The Apache user and group on Debian Etch is www-data, so if you are on a different distribution, the Apache user and group might be different. The location of php.ini (/etc/php5/apache2/php.ini

I'm using a virtual host with the document root /var/www/web1/web

 

2 Installing PHPIDS

For security reasons, I want to install PHPIDS outside of the document root, so I create the directory /var/www/web1/phpids:

mkdir /var/www/web1/phpids

Then I install PHPIDS as follows (at the time of this writing the latest version was 0.4.7) - of all the contents of the phpids-0.4.7.tar.gz file, we only need the lib/

cd /tmp
wget http://php-ids.org/files/phpids-0.4.7.tar.gz
tar xvfz phpids-0.4.7.tar.gz
cd phpids-0.4.7
mv lib/ /var/www/web1/phpids/

Now I change to the directory /var/www/web1/phpids/lib/IDS...

cd /var/www/web1/phpids/lib/IDS

... and make the tmp/

chown -R www-data:www-data tmp/

Next we configure the PHPIDS configuration file (Config.ini):

cd Config/
vi Config.ini

I'm using the default configuration here, all I did was to adjust the paths:

; PHPIDS Config.ini
; General configuration settings
; !!!DO NOT PLACE THIS FILE INSIDE THE WEB-ROOT IF DATABASE CONNECTION DATA WAS ADDED!!!

[General]
    filter_type       = xml
    filter_path       = /var/www/web1/phpids/lib/IDS/default_filter.xml
    tmp_path          = /var/www/web1/phpids/lib/IDS/tmp
    scan_keys         = false
    exceptions[]      = __utmz
    exceptions[]      = __utmc

; If you use the PHPIDS logger you can define specific configuration here

[Logging]

    ; file logging
    path              = /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt

    ; email logging
    ; note that enabling safemode you can prevent spam attempts,
    ; see documentation
    recipients[]      = [email protected]
    subject           = "PHPIDS detected an intrusion attempt!"
    header            = "From: <PHPIDS> [email protected]"
    safemode          = true
    allowed_rate      = 15

    ; database logging
    wrapper           = "mysql:host=localhost;port=3306;dbname=phpids"
    user              = phpids_user
    password          = 123456
    table             = intrusions

; If you would like to use other methods than file caching you can configure them here

[Caching]

    ; caching: session|file|database|memcached|none
    caching           = file
    expiration_time   = 600

    ; file cache
    path              = /var/www/web1/phpids/lib/IDS/tmp/default_filter.cache

    ; database cache
    wrapper           = "mysql:host=localhost;port=3306;dbname=phpids"
    user              = phpids_user
    password          = 123456
    table             = cache

    ; memcached
    ;host             = localhost
    ;port             = 11211
    ;key_prefix       = PHPIDS
    ;tmp_path         = /var/www/web1/phpids/lib/IDS/tmp/memcache.timestamp
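The three things that most often go wrong with this configuration are a tmp/ directory the web server cannot write to, a rule file that cannot be read, and a log or cache file (or the Config.ini itself, once database credentials are added) that ends up under the document root where a browser can fetch it. The following command-line check is an added example, not part of the tutorial or of PHPIDS; it reads the Config.ini above with parse_ini_file() and reports these conditions. The paths and the www-data user are the tutorial's and are assumptions for your own host.

```php
<?php
// Added example, not part of the original tutorial: a command-line sanity check
// for the PHPIDS Config.ini, run before the file is wired into the web server.
// The paths and the www-data user are the tutorial's; adjust them for your host.

function fileOwnerName($path)
{
    // posix_getpwuid() needs the posix extension; fall back to the numeric uid.
    $uid = fileowner($path);
    if (function_exists('posix_getpwuid')) {
        $pw = posix_getpwuid($uid);
        if ($pw !== false) {
            return $pw['name'];
        }
    }
    return (string) $uid;
}

function phpidsConfigProblems($configFile, $documentRoot, $webUser = 'www-data')
{
    $problems = array();
    // parse_ini_file() understands [sections] and the exceptions[] array syntax
    // that PHPIDS uses; the second argument keeps the sections apart.
    $cfg = @parse_ini_file($configFile, true);
    if ($cfg === false) {
        return array("cannot parse $configFile");
    }
    $general = isset($cfg['General']) ? $cfg['General'] : array();
    $logging = isset($cfg['Logging']) ? $cfg['Logging'] : array();
    $caching = isset($cfg['Caching']) ? $cfg['Caching'] : array();

    // 1. Without a readable rule set IDS_Monitor has nothing to match against.
    if (empty($general['filter_path']) || !is_readable($general['filter_path'])) {
        $problems[] = 'General.filter_path is missing or not readable';
    }

    // 2. tmp_path receives the filter cache and the log file, so it must be
    //    owned and writable by the web server user (the chown step above).
    //    is_writable() would only report on the user running this script,
    //    hence the explicit owner and mode check.
    if (empty($general['tmp_path']) || !is_dir($general['tmp_path'])) {
        $problems[] = 'General.tmp_path is not a directory';
    } elseif (fileOwnerName($general['tmp_path']) !== $webUser
              || (fileperms($general['tmp_path']) & 0200) === 0) {
        $problems[] = "General.tmp_path is not owned and writable by $webUser";
    }

    // 3. Config.ini (it may carry database credentials), the log file and the
    //    cache file must not live under the document root, where a browser
    //    could request them directly.
    $docRootReal = realpath($documentRoot);
    if ($docRootReal !== false) {
        $docRoot = rtrim($docRootReal, '/') . '/';
        $locations = array(
            'Config.ini'   => $configFile,
            'Logging.path' => isset($logging['path']) ? $logging['path'] : null,
            'Caching.path' => isset($caching['path']) ? $caching['path'] : null,
        );
        foreach ($locations as $label => $path) {
            if ($path === null) {
                continue;
            }
            $dir = realpath(dirname($path));   // the file itself may not exist yet
            if ($dir !== false && strpos($dir . '/', $docRoot) === 0) {
                $problems[] = "$label ($path) lies inside the document root";
            }
        }
    }

    // 4. The shipped database password is a placeholder; flag it as soon as a
    //    database backend is actually selected for caching.
    if (isset($caching['caching']) && $caching['caching'] === 'database'
        && isset($caching['password']) && $caching['password'] === '123456') {
        $problems[] = 'Caching.password still has the sample value';
    }
    return $problems;
}

if (PHP_SAPI === 'cli') {
    $problems = phpidsConfigProblems(
        '/var/www/web1/phpids/lib/IDS/Config/Config.ini',
        '/var/www/web1/web'
    );
    echo $problems ? implode(PHP_EOL, $problems) : 'Config.ini looks sane';
    echo PHP_EOL;
}
```

Run it as root from the shell (php check_phpids.php, under whatever name you save it) after the chown step; an empty problem list means the layout matches what the tutorial sets up.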

 

3 Using PHPIDS

We will now create the file /var/www/web1/web/phpids.php

vi /var/www/web1/web/phpids.php

<?php
set_include_path(
    get_include_path() . PATH_SEPARATOR . '/var/www/web1/phpids/lib'
);
require_once 'IDS/Init.php';

$request = array(
    'REQUEST' => $_REQUEST,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $_COOKIE
);

$init   = IDS_Init::init('/var/www/web1/phpids/lib/IDS/Config/Config.ini');
$ids    = new IDS_Monitor($request, $init);
$result = $ids->run();

if (!$result->isEmpty()) {
    // Take a look at the result object
    echo $result;

    require_once 'IDS/Log/File.php';
    require_once 'IDS/Log/Composite.php';

    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(IDS_Log_File::getInstance($init));
    $compositeLog->execute($result);
}
?>

Now when you call that file in a browser (e.g. http://192.168.0.100/phpids.php), you will see a blank page. But if you try to append some malicious parameters to the URL (e.g. http://192.168.0.100/phpids.php?test=%22%3EXXX%3Cscript%3Ealert(1)%3C/script%3E), PHPIDS will detect this and print its findings in the browser:
Now we have to find a way to make our PHP scripts use PHPIDS. Of course, you don't want to modify all your PHP scripts (you could have hundreds of them...). Fortunately, there's a better way: we can tell PHP to prepend a PHP script whenever a PHP script is called. For example, if we call the script info.php in a browser, PHP would first execute phpids.php and then info.php, and we don't even have to modify info.php.

We can do this by using PHP's auto_prepend_file parameter. We can either set this in our php.ini (this is a global setting which is valid for all PHP web sites on the server), or in an .htaccess


php.ini

Open your php.ini (e.g. /etc/php5/apache2/php.ini), and set auto_prepend_file to /var/www/web1/web/phpids.php:

vi /etc/php5/apache2/php.ini

[...]
auto_prepend_file = /var/www/web1/web/phpids.php
[...]

Restart Apache afterwards:

/etc/init.d/apache2 restart

 

.htaccess

Instead of modifying php.ini (which is a global change, i.e., the change is valid for all web sites that use PHP on the server), you can instead use an .htaccess file (so the setting would be valid only for the web site for which you create the .htaccess

vi /var/www/web1/web/.htaccess

php_value auto_prepend_file /var/www/web1/web/phpids.php

Please make sure that the vhost for the web site in /var/www/web1/web contains something like this (otherwise the php_value line in the .htaccess

<Directory /var/www/web1/web/>
    AllowOverride All
</Directory>


Now we create a simple PHP file, /var/www/web1/web/info.php:

vi /var/www/web1/web/info.php

<?php
phpinfo();
?>

Call that file in a browser (http://192.168.0.100/info.php), and you should see the normal phpinfo()

Now append some malicious parameters to the URL (e.g. http://192.168.0.100/info.php?test=%22%3EXXX%3Cscript%3Ealert(1)%3C/script%3E), and you should find a PHPIDS report before the phpinfo() output (because /var/www/web1/web/phpids.php was executed before /var/www/web1/web/info.php):
PHPIDS logs to /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt, so you should see something in the log now:

cat /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt

"192.168.0.200",2008-06-04T17:36:08+02:00,54,"xss csrf id rfe lfi","REQUEST.test=%5C%22%3EXXX%3Cscript%3Ealert%281%29%3C%2Fscript%3E GET.test=%5C%22%3EXXX%3Cscript%3Ealert%281%29%3C%2Fscript%3E","%2Finfo.php%3Ftest%3D%2522%253EXXX%253Cscript%253Ealert%281%29%253C%2Fscript%253E"

Now by observing that log you learn what hackers are trying to do to your PHP applications, and you can try to harden your applications.
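Reading that log with cat works for one entry, but the format is plain CSV (one record per line: the client IP, timestamp, summed impact, matched filter tags, the affected variables and the request URI), so it is easy to aggregate. The script below is an added example, not part of the tutorial or of PHPIDS: it parses that format with str_getcsv() and summarises hits and total impact per source address, which tags fire most, and which requests crossed an impact threshold. The first sample record is the log entry shown above; the second is a constructed low-impact record added so the aggregation has something to compare, and the threshold of 30 is an assumption.

```php
<?php
// Added example, not part of the original tutorial: summarise phpids_log.txt.
// IDS_Log_File writes one record per line in this order:
//   "ip",timestamp,impact,"tags","affected variables","request URI"

// Constructed sample: the first line is the tutorial's own log entry, the
// second is a made-up low-impact record (not from a real system).
$sampleLines = array(
    '"192.168.0.200",2008-06-04T17:36:08+02:00,54,"xss csrf id rfe lfi","REQUEST.test=%5C%22%3EXXX%3Cscript%3Ealert%281%29%3C%2Fscript%3E GET.test=%5C%22%3EXXX%3Cscript%3Ealert%281%29%3C%2Fscript%3E","%2Finfo.php%3Ftest%3D%2522%253EXXX%253Cscript%253Ealert%281%29%253C%2Fscript%253E"',
    '"192.168.0.201",2008-06-04T17:41:30+02:00,8,"xss","GET.q=%3Cb%3Ehi%3C%2Fb%3E","%2Fsearch.php%3Fq%3D%253Cb%253Ehi%253C%252Fb%253E"',
);

function parsePhpidsLog(array $lines)
{
    $records = array();
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        $f = str_getcsv($line);
        if (count($f) < 6) {
            continue;                      // skip a truncated or damaged line
        }
        $records[] = array(
            'ip'     => $f[0],
            'time'   => $f[1],
            'impact' => (int) $f[2],
            'tags'   => explode(' ', $f[3]),
            'vars'   => $f[4],
            'uri'    => urldecode($f[5]),  // the logger URL-encodes the URI once
        );
    }
    return $records;
}

function summarisePhpidsLog(array $records, $threshold = 30)
{
    $perIp = array();
    $perTag = array();
    $high = array();
    foreach ($records as $r) {
        $ip = $r['ip'];
        if (!isset($perIp[$ip])) {
            $perIp[$ip] = array('hits' => 0, 'impact' => 0);
        }
        $perIp[$ip]['hits']++;
        $perIp[$ip]['impact'] += $r['impact'];
        foreach ($r['tags'] as $tag) {
            $perTag[$tag] = isset($perTag[$tag]) ? $perTag[$tag] + 1 : 1;
        }
        if ($r['impact'] >= $threshold) {
            $high[] = $r;
        }
    }
    arsort($perTag);                       // most frequent tag first
    return array('per_ip' => $perIp, 'per_tag' => $perTag, 'high' => $high);
}

if (PHP_SAPI === 'cli') {
    $summary = summarisePhpidsLog(parsePhpidsLog($sampleLines), 30);
    foreach ($summary['per_ip'] as $ip => $s) {
        printf("%-15s %3d hit(s), total impact %d\n", $ip, $s['hits'], $s['impact']);
    }
    foreach ($summary['per_tag'] as $tag => $n) {
        printf("  tag %-5s seen %d time(s)\n", $tag, $n);
    }
    foreach ($summary['high'] as $r) {
        printf("ABOVE THRESHOLD %s %s impact=%d %s\n",
               $r['time'], $r['ip'], $r['impact'], $r['uri']);
    }
}
```

To run it against the real log, replace $sampleLines with file('/var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES). str_getcsv() needs PHP 5.3 or later.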

To add another level of security, we can stop our PHP scripts from executing if PHPIDS find that they are under attack: we simply add something like die('<h1>Go away!</h1>'); to the if (!$result->isEmpty()) {} section of the /var/www/web1/web/phpids.php

vi /var/www/web1/web/phpids.php

If there's no attack, the scripts are executed, but if PHPIDS finds an attack, it prevents the scripts from being executed and displays a message to the hackers:
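The introduction notes that every detection carries a numerical impact rating, and this step adds a die() to the prepend script; the two combine naturally into a reaction chosen by impact. The script below is an added example, not the tutorial's own phpids.php and not code from the PHPIDS project: it keeps the include path, Config.ini and file logger from the tutorial, reads the summed rating through IDS_Report::getImpact(), logs everything PHPIDS flags, and ends the request with the "Go away!" message only above a block threshold. That threshold (30) and the helper name phpidsReaction() are assumptions, to be tuned against your own log.

```php
<?php
// Added example, not the tutorial's own phpids.php and not PHPIDS project code:
// the prepend script with the reaction chosen from the impact rating.
// The block threshold below is an assumption; tune it against your own log.

set_include_path(get_include_path() . PATH_SEPARATOR . '/var/www/web1/phpids/lib');
require_once 'IDS/Init.php';
require_once 'IDS/Log/File.php';
require_once 'IDS/Log/Composite.php';

define('PHPIDS_BLOCK_THRESHOLD', 30);   // assumption: from this impact on, stop the script

// Pure decision helper (assumed name): 'pass', 'log' or 'block' for a given impact.
function phpidsReaction($impact, $blockAt = PHPIDS_BLOCK_THRESHOLD)
{
    if ($impact <= 0) {
        return 'pass';
    }
    return $impact >= $blockAt ? 'block' : 'log';
}

$request = array(
    'REQUEST' => $_REQUEST,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $_COOKIE,
);

$init   = IDS_Init::init('/var/www/web1/phpids/lib/IDS/Config/Config.ini');
$ids    = new IDS_Monitor($request, $init);
$result = $ids->run();

if (!$result->isEmpty()) {
    // IDS_Report::getImpact() sums the impact of every matched filter rule.
    $impact = $result->getImpact();

    // Every hit goes to the file logger, exactly as in the tutorial's script.
    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(IDS_Log_File::getInstance($init));
    $compositeLog->execute($result);

    if (phpidsReaction($impact) === 'block') {
        // die() inside an auto_prepend_file ends the request here, so the
        // script the client asked for (e.g. info.php) never runs.
        header('HTTP/1.1 403 Forbidden');
        die('<h1>Go away!</h1>');
    }
    // Below the threshold the request continues; the report stays in the log
    // for review and nothing is echoed to the client.
}
```

Unlike the earlier demonstration script, this version does not echo the report to the browser: the report is for the log, and showing a client which filters matched only tells it what to change. If you also want to end the user's session, as the introduction mentions, session_destroy() before die() does that for requests that already have an active session.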

From: https://blog.51cto.com/u_5112239/5948923
