Installing an Intrusion Detection System in your CakePHP application

Installing an Intrusion Detection System in your CakePHP application

Posted on May 18, 2010 by Paulino Calderon

Update: Folks at #cakephp suggested to merge the configuration files into one. Instructions have been updated.

I though some of you may find useful my plugin implementation of PHPIDS for CakePHP since there is no documentation available for CakePHP 1.3

What is PHPIDS?

PHPIDS (PHP-Intrusion Detection System) is a state-of-the-art security layer for your PHP based web application written by Mario Heiderich.

The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. PHPIDS is by far the best open source Intrusion Detection System for PHP right now. Don't forget to read its documentation to take full advantage of its power.(*)

(*) Description from http://php-ids.org

What does the plugin actually do?

This plugin will monitor and protect your CakePHP against web attacks. If an attacker tries to send malicious payload to your site, the IDS will detect, log and either warn the attacker, alert the administrator or ban the attacker's ip according to the attack's accumulated treat. Also remember that you can easily extend the plugin to perform additional actions when an attack is received.

Version 0.1 of the plugin supports the following attack reactions:
Log: Logs the attack in the database or logfile.
Send alert email: Sends to the administrator an email alert containing the attack information.
Ban attacker's IP: Bans an ip from accessing your application.

Installation instructions

Step 1: Download and unpack

Download and extract the plugin into your main application plugin folder [default folder:app/plugins/]

Step 2: Set up the database table

Set up the following table if you would like to store the intrusion alerts in the database.

CREATE TABLE IF NOT EXISTS `phpids_intrusions` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `name` varchar(128) NOT NULL,
  `value` text NOT NULL,
  `page` varchar(255) NOT NULL,
  `userid` int(11) unsigned NOT NULL,
  `session` varchar(32) NOT NULL,
  `ip` varchar(15) NOT NULL,
  `reaction` tinyint(3) unsigned NOT NULL COMMENT '0 = log; 1 = mail; 2 = warn; 3 = kill;',
  `impact` int(11) unsigned NOT NULL,
  `created` datetime NOT NULL,
  `tags` varchar(50) NOT NULL,
  PRIMARY KEY (`id`)
)

Note: The plugin also supports file logging if a database connection is not available.

Step 3: Configure PHPIDS

Open the configuration file (default path: app/plugins/phpids/config/Config.php.ini) and look for the following section:

[General]
    filter_type     = xml

    base_path       = /app/plugins/phpids/vendors/phpids/
    use_base_path   = true

Set the absolute path to the folder containing the PHPIDS library (The folder named 'phpids' inside the plugin's vendors folder. Ex. /var/www/website/app/plugins/phpids/vendors/phpids/)

[General]
    filter_type     = xml

    base_path       = /var/www/myapp/app/plugins/phpids/vendors/phpids/
    use_base_path   = true
Note: This is the minimum required configuration to run PHPIDS. However, there are more configuration options you should learn more about if you want to take full advantage of its features.

Next, we will configure the plugin. Look for the section named 'Cakephpids' and change the values accordingly

[CakephpIDS]

    production_mode = false

    notification_email = your@email.com

    ban_duration = 30



    ;Reaction threshold

    reaction_threshold_log=3

    reaction_threshold_warn=15

    reaction_threshold_mail=50

    reaction_threshold_kill=150

Configuration options:

base_path:Absolute path to the PHPIDS library folder (Same path as in Step 3)
notification_email:Notification Email
production_mode: Set production mode to enable IP banning
ban_duration: Ban duration in days
reaction_threshold_log:Required attack impact to log the request
reaction_threshold_mail:Required attack impact to mail the administrator
reaction_threshold_kill:Required attack impact to ban the attacker.

Step 4: Configure your application

To reduce the overhead of loading the plugin for every controller, we will only monitor actions that handle user input. Ex. Let's say you have the following action in your Comments controller: 

function add() {
        if (!empty($this->data)) {
            if ($this->Post->save($this->data)) {
                $this->Session->setFlash('Your post has been saved.');
                $this->redirect(array('action' => 'index'));
            }
        }
    }

To start monitoring this method you to add the line '$this->requestAction("/phpids/phpids_intrusions/detect");' at the beginning of the function call. 

function add() {
    $this->requestAction("/phpids/phpids_intrusions/detect");
        if (!empty($this->data)) {
            if ($this->Post->save($this->data)) {
                $this->Session->setFlash('Your post has been saved.');
                $this->redirect(array('action' => 'index'));
            }
        }
    }

Step 5: Testing

Finally we need to test the IDS is working properly, so open your web browser and try to break your CakePHP application now ;). Here are some basic attack vectors in case you don't know any ('Just copy and paste into your input fields'):

<script>alert(1)</script> 
' OR 'X'='X
../../../../../../etc/passwd

If everything went fine you should see a new intrusion alert in your logs now.

Dealing with false positives

PHPIDS supports the use of exceptions to deal with the false positives some valid requests may cause. These exceptions need to be added manually to your PHPIDS configuration file.

Open your PHPIDS configuration file and find the exceptions section.

    exceptions[]    = GET.__utmz
    exceptions[]    = GET.__utmc

And please submit your false positives to help PHPIDS keep getting better.

Keeping your rules and converter up to date

Finally, it's very important that you keep your filter rules and converter up to date. The community behind PHPIDS is very active and new attack vectors keep getting added every week.

Download the latest default_filter.xml and Converter.php from their subversion repository.

Contribute

Feel free to contribute any ideas and code via GitHub.

Resources

PHPIDS Official Website:PHPIDS Official Website
CakePHPIDS on GitHub: CakePHPIDS on GitHub
CakePHPIDS Plugin Download (Latest Tarball): Download CAKEPHPIDS

tags:cakephp phpids Web security


Recent From Blog

Attacking Linksys WRT160N router using the "URL Obfuscation in Frames" bug
Using the "URL Obfuscation in Frames" bug to enable remote administration on a Linksys WRT160N router
Posted in linksys routers wrt160n url obfuscation default password basic auth

Do not trust your browser's status bar
Many people rely on the status bar for checking the destination of links, but it has been proven before that it is easy to falsify.
Posted in phishing status bar scam spoofing

egrepping mod_security logs
Useful commands to extract information from your mod_security logs
Posted in security logs mod_security

Last News

Aug 19, 2010
Websec at Campus Party 2010
WebSec was proud to participate in Campus Party Mexico 2010, held from August 10th–16th in Mexico City.

May 10, 2010
The attacks against apache.org
Last month apache.org suffered from a targeted attack against their infrastructure. The Apache Foundation has released the incident report to promote security transparency among more companies.

Last advisories