Installing an Intrusion Detection System in your CakePHP application

This article is also available in the following languages:

How to install an Intrusion Detection System to protect your CakePHP application from hackers

I though some of you may find useful my plugin implementation of PHPIDS for CakePHP since there is no documentation available for CakePHP 1.3 & 1.2

What is PHPIDS?

PHPIDS (PHP-Intrusion Detection System) is a state-of-the-art security layer for your PHP based web application written by Mario Heiderich.

The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. PHPIDS is by far the best open source Intrusion Detection System for PHP right now. Don't forget to read its documentation to take full advantage of its power.

What does the plugin actually do?

This plugin will monitor and protect your CakePHP against web attacks. If an attacker tries to send malicious payload to your site, the IDS will detect, log and either warn the attacker, alert the administrator or ban the attacker's ip according to the attack's acumulated treat. Also remember that you can easily extend the plugin to perform additional actions when an attack is received.

Version 0.1 of the plugin supports the following attack reactions:
Log: Logs the attack in the database or logfile.
Send alert email: Sends to the administrator an email alert containing the attack information.
Ban attacker's IP: Bans an ip from accessing your application.

Installation instructions for Cakephp 1.2 & 1.3

Step 1: Download and unpack

Download and extract the plugin into your main application plugin folder [default folder:app/plugins/]

Step 2: Set up the database table

Set up the following table if you would like to store the intrusion alerts in the database.




CREATE TABLE IF NOT EXISTS `phpids_intrusions` (

  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,

  `name` varchar(128) NOT NULL,

  `value` text NOT NULL,

  `page` varchar(255) NOT NULL,

  `userid` int(11) unsigned NOT NULL,

  `session` varchar(32) NOT NULL,

  `ip` varchar(15) NOT NULL,

  `reaction` tinyint(3) unsigned NOT NULL COMMENT '0=log; 1=mail; 2=warn; 3=kill;',

  `impact` int(11) unsigned NOT NULL,

  `created` datetime NOT NULL,

  `tags` varchar(50) NOT NULL,

  PRIMARY KEY (`id`)

)

Note: The plugin also supports file logging if a database connection is not available.

Step 3: Configure PHPIDS

Open the configuration file provided by PHPIDS (default path: app/plugins/phpids/vendors/phpids/Config/Config.ini.php) and look for the following section:




[General]

    filter_type    =xml



    base_path      =/app/plugins/phpids/vendors/phpids/

    use_base_path  =true

Set the absolute path to the folder containing the PHPIDS library (The folder named 'phpids' inside the plugin's vendors folder. Ex. /var/www/website/app/plugins/phpids/vendors/phpids/)




[General]

    filter_type    =xml



    base_path      =/var/www/myapp/app/plugins/phpids/vendors/phpids/

    use_base_path  =true

Note: This is the minimum required configuration to run PHPIDS. However, there are more configuration options you should learn more about if you want to take full advantage of its features.

Next, we will configure the plugin. Look for the section named 'Cakephpids' and change the values accordingly




[CakephpIDS]

    production_mode = false

    notification_email = your@email.com

    ban_duration = 30



    ;Reaction threshold

    reaction_threshold_log=3

    reaction_threshold_warn=15

    reaction_threshold_mail=50

    reaction_threshold_kill=150

Configuration options:

base_path:Absolute path to the PHPIDS library folder (Same path as in Step 3)
notification_email:Notification Email
production_mode: Set production mode to enable IP banning
ban_duration: Ban duration in days
reaction_threshold_log:Required attack impact to log the request
reaction_threshold_mail:Required attack impact to mail the administrator
reaction_threshold_kill:Required attack impact to ban the attacker.

Step 4: Configure your application

To reduce the overhead of loading the plugin for every controller, we will only monitor actions that handle user input. Ex. Let's say you have the following action in your Comments controller:




function add() {

        if (!empty($this-]data)) {

            if ($this-]Post-]save($this-]data)) {

                $this-]Session-]setFlash('Your post has been saved.');

                $this-]redirect(array('action' =] 'index'));

            }

        }

    }

To start monitoring this method you to add the line '$this-]requestAction("/phpids/phpids_intrusions/detect");' at the beginning of the function call.




function add() {

    $this-]requestAction("/phpids/phpids_intrusions/detect");

        if (!empty($this-]data)) {

            if ($this-]Post-]save($this-]data)) {

                $this-]Session-]setFlash('Your post has been saved.');

                $this-]redirect(array('action' =] 'index'));

            }

        }

    }

Step 5: Testing

Finally we need to test the IDS is working properly, so open your web browser and try to break your CakePHP application now ;). Here are some basic attack vectors in case you don't know any ('Just copy and paste into your input fields'):




&lt;script&gt;alert(1)&lt;/script&gt; 

' OR 'X'=X

../../../../../../etc/passwd

If everything went fine you should see a new intrusion alert in your logs now.

Dealing with false positives

PHPIDS supports the use of exceptions to deal with the false positives some valid requests may cause. These exceptions need to be added manually to your PHPIDS configuration file.

Open your PHPIDS configuration file and find the exceptions section.




    exceptions[]   =GET.__utmz

    exceptions[]   =GET.__utmc

And please submit your false positives to help PHPIDS keep getting better.

Keeping your rules and converter up to date

Finally, it's very important that you keep your filter rules and converter up to date. The community behind PHPIDS is very active and new attack vectors keep getting added every week.

Download the latest default_filter.xml and Converter.php from their subversion repository.

Contribute

Feel free to contribute any ideas and code via GitHub.

Resources

PHPIDS Official Website
CakePHPIDS on GitHub
Download CakePHPIDS (Latest tarball)
Websec Blog
Installing an Intrusion Detection System in your CakePHP application

Comments

dype

Posted 09/24/10 01:12:52 AM
IN order to get the ip of the client, I've changed the getIP function in : app/plugins/phpids/controllers/phpids_intrusions_controller.php

/*
* getIP()
* Extracts IP from $_SERVER variable
*/
function getIP() {
/*
$ip = ($_SERVER['SERVER_ADDR'] != '127.0.0.1') ?
$_SERVER['SERVER_ADDR'] :
(isset($_SERVER['HTTP_X_FORWARDED_FOR']) ?
$_SERVER['HTTP_X_FORWARDED_FOR'] :
'127.0.0.1');
*/
$ip=isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'] ;

return $ip;
}

Report this
- _cldrn
  
  Posted 09/24/10 09:08:44 AM
  Relying in HTTP_FORWARDED_FOR is a bad practice since it can be spoofed easily. I guess the best thing to do here will be to store both IPs if available.
  
  I will include this in the next update of the plugin and component.
  
  IN order to get the ip of the client, I've changed the getIP function in : app/plugins/phpids/controllers/phpids_intrusions_controller.php
  
  /*
  * getIP()
  * Extracts IP from $_SERVER variable
  */
  function getIP() {
  /*
  $ip = ($_SERVER['SERVER_ADDR'] != '127.0.0.1') ?
  $_SERVER['SERVER_ADDR'] :
  (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ?
  $_SERVER['HTTP_X_FORWARDED_FOR'] :
  '127.0.0.1');
  */
  $ip=isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'] ;
  
  return $ip;
  }
  
  Report this
_cldrn

Posted 09/10/10 02:34:00 PM
You can also find my component implementation for cakephp 1.2 and 1.3 at http://github.com/cldrn/cakephpids-component

Report this

The Bakery Everything CakePHP