Installing an Intrusion Detection System in your CakePHP application

Installing an Intrusion Detection System in your CakePHP application

Posted on May 18, 2010 by Paulino Calderon

Update: Folks at #cakephp suggested to merge the configuration files into one. Instructions have been updated.

I though some of you may find useful my plugin implementation of PHPIDS for CakePHP since there is no documentation available for CakePHP 1.3

What is PHPIDS?

PHPIDS (PHP-Intrusion Detection System) is a state-of-the-art security layer for your PHP based web application written by Mario Heiderich.

The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. PHPIDS is by far the best open source Intrusion Detection System for PHP right now. Don't forget to read its documentation to take full advantage of its power.(*)

(*) Description from http://php-ids.org

What does the plugin actually do?

This plugin will monitor and protect your CakePHP against web attacks. If an attacker tries to send malicious payload to your site, the IDS will detect, log and either warn the attacker, alert the administrator or ban the attacker's ip according to the attack's accumulated treat. Also remember that you can easily extend the plugin to perform additional actions when an attack is received.

Version 0.1 of the plugin supports the following attack reactions:
Log: Logs the attack in the database or logfile.
Send alert email: Sends to the administrator an email alert containing the attack information.
Ban attacker's IP: Bans an ip from accessing your application.

Installation instructions

Step 1: Download and unpack

Download and extract the plugin into your main application plugin folder [default folder:app/plugins/]

Step 2: Set up the database table

Set up the following table if you would like to store the intrusion alerts in the database.

CREATE TABLE IF NOT EXISTS `phpids_intrusions` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `name` varchar(128) NOT NULL,
  `value` text NOT NULL,
  `page` varchar(255) NOT NULL,
  `userid` int(11) unsigned NOT NULL,
  `session` varchar(32) NOT NULL,
  `ip` varchar(15) NOT NULL,
  `reaction` tinyint(3) unsigned NOT NULL COMMENT '0 = log; 1 = mail; 2 = warn; 3 = kill;',
  `impact` int(11) unsigned NOT NULL,
  `created` datetime NOT NULL,
  `tags` varchar(50) NOT NULL,
  PRIMARY KEY (`id`)
)

Note: The plugin also supports file logging if a database connection is not available.

Step 3: Configure PHPIDS

Open the configuration file (default path: app/plugins/phpids/config/Config.php.ini) and look for the following section:

[General]
    filter_type     = xml

    base_path       = /app/plugins/phpids/vendors/phpids/
    use_base_path   = true

Set the absolute path to the folder containing the PHPIDS library (The folder named 'phpids' inside the plugin's vendors folder. Ex. /var/www/website/app/plugins/phpids/vendors/phpids/)

[General]
    filter_type     = xml

    base_path       = /var/www/myapp/app/plugins/phpids/vendors/phpids/
    use_base_path   = true
Note: This is the minimum required configuration to run PHPIDS. However, there are more configuration options you should learn more about if you want to take full advantage of its features.

Next, we will configure the plugin. Look for the section named 'Cakephpids' and change the values accordingly

[CakephpIDS]

    production_mode = false

    notification_email = [email protected]

    ban_duration = 30



    ;Reaction threshold

    reaction_threshold_log=3

    reaction_threshold_warn=15

    reaction_threshold_mail=50

    reaction_threshold_kill=150


Configuration options:

base_path:Absolute path to the PHPIDS library folder (Same path as in Step 3)
notification_email:Notification Email
production_mode: Set production mode to enable IP banning
ban_duration: Ban duration in days
reaction_threshold_log:Required attack impact to log the request
reaction_threshold_mail:Required attack impact to mail the administrator
reaction_threshold_kill:Required attack impact to ban the attacker.

Step 4: Configure your application

To reduce the overhead of loading the plugin for every controller, we will only monitor actions that handle user input. Ex. Let's say you have the following action in your Comments controller:

function add() {
        if (!empty($this->data)) {
            if ($this->Post->save($this->data)) {
                $this->Session->setFlash('Your post has been saved.');
                $this->redirect(array('action' => 'index'));
            }
        }
    }

To start monitoring this method you to add the line '$this->requestAction("/phpids/phpids_intrusions/detect");' at the beginning of the function call.

function add() {
    $this->requestAction("/phpids/phpids_intrusions/detect");
        if (!empty($this->data)) {
            if ($this->Post->save($this->data)) {
                $this->Session->setFlash('Your post has been saved.');
                $this->redirect(array('action' => 'index'));
            }
        }
    }

Step 5: Testing

Finally we need to test the IDS is working properly, so open your web browser and try to break your CakePHP application now ;). Here are some basic attack vectors in case you don't know any ('Just copy and paste into your input fields'):

<script>alert(1)</script> 
' OR 'X'='X
../../../../../../etc/passwd

If everything went fine you should see a new intrusion alert in your logs now.

Dealing with false positives

PHPIDS supports the use of exceptions to deal with the false positives some valid requests may cause. These exceptions need to be added manually to your PHPIDS configuration file.

Open your PHPIDS configuration file and find the exceptions section.

    exceptions[]    = GET.__utmz
    exceptions[]    = GET.__utmc

And please submit your false positives to help PHPIDS keep getting better.

Keeping your rules and converter up to date

Finally, it's very important that you keep your filter rules and converter up to date. The community behind PHPIDS is very active and new attack vectors keep getting added every week.

Download the latest default_filter.xml and Converter.php from their subversion repository.

Contribute

Feel free to contribute any ideas and code via GitHub.

Resources

PHPIDS Official Website:PHPIDS Official Website
CakePHPIDS on GitHub: CakePHPIDS on GitHub
CakePHPIDS Plugin Download (Latest Tarball): Download CAKEPHPIDS


Latest Blog Entries

Belkin Wemo Switch NMap Scripts
Belkin Wemo Switch Smart Plug is a network controlled power outlet. The current firmware version does not requiere authentication to switch the power ON or OFF or to gather information such as nearby wireless networks. Two NMap scripts have been published

Downloading an Application's Entire Source Code Through an Exposed GIT Directory
Website administrators sometimes inadvertently leave an exposed .git directory, from which it is possible to download the entire source code of the web application using just wget and a common server misconfiguration.

credmap: The Credential Mapper
An overview of credmap, an open source penetration testing tool that automates the process of testing for credential reuse. It does so by testing supplied user credentials on known websites and verifies if the password has been reused on any of these.

Latest News

Blackhat EU 2015
Websec participated with two tools at the Blackhat, EU Arsenal held in Amsterdam, NL from the 10-13 of November, 2015. During this event, we introduced our brand new tool "credmap: The Credential Mapper" and also presented an amped-up version of Panoptic.

BSides Vancouver 2015
Websec is proud to announce that we will be attending the 3rd annual edition of BSides Vancouver, a local non-profit information security conference held in the heart of Vancouver, BC on March 16 and 17.