Feature Request - cooking up next version
dcz (Apprentice)
Joined: 14 Mar 2006
Posts: 15

Posted: Tue Mar 14, 2006 5:20 pm    Post subject: Feature Request - cooking up next version

So first, since this is my first message here, hello everybody

Then, I really appreciate your work markus.

And finally, it goes like this:

I implemented and tested your mod with great satisfaction, but I was thinking one or two (two actually) additions could make it even more useful.
The first one would be an email notice to the admin for selectable error types (401, 403 ...).
This feature is implemented in the webmedic error doc I use on one of my sites.
You can test it if you like, but be careful, I am quick at banning IPs
-http://www.marsatak.org/videos

Each visit to this leads to a mail sent to me with this info:
SITE WEB -- www.marsatak.org:80
REASON : Some infos about errors
The tried URL
The referrer URL (if any available)
IP and UA of the user.

So it can seem annoying to receive a mail upon every 404, but there aren't that many in the end and it's a very powerful way to discover hacking attempts, since almost all hack attempts will start with a 404 or a 403 (the mod also locks directory listing so it's kind of hard not to provoke any error while testing security).
So basically, I ban when I encounter a lot of 404s in a very short period of time with suspicious URLs, and even quicker if it's obvious the guy is using several IPs to perform those tests.
I mean, I did not go through that many attacks but still, 28 banned IPs in 6 months. Almost all of them were performing 404s at a high rate (one per second or so), two were using at least 5 IPs (same URL tested in the same 10 sec, repeated a lot of times).
And guess what, when I gave this banned list to a friend while installing him my version of the error mod I use, he received right the second a mail for banned IP visit attempts on a very suspicious URL for 10 of those IPs. They came back twice, never more; they know they are being tracked here and don't wish to risk being reported since IP is gold for hackers.

And with your SQL log feature, you could even think of only sending mail if the same IP (and/or same URL) is performing 404 (and/or 403) x times in a defined period of time for example, and then sending a complete report on all errors at once, saving many mail sends.

And here comes the second feature I was thinking of, a banned page:
I implemented it in the webmedic mod.

Here is an example (same here, I'll get a mail per try, so be careful)
-http://www.marsatak.org/marsforum/error.php?mode=banned

I find it a lot more secure to ban through .htaccess than using phpbb for this, not that I don't trust phpbb, but because it is just obvious it is quite harder to hack a server than to only hack phpbb. And this is good for all of the domain's pages, not only phpbb's.


I don't think though it is that worth it to output a search result too, and at first, since the webmedic mod did redirect the page to itself to perform the search, it was outputting the wrong header (eg 302 for all errors), so your code is a better base for a complete mod, even though I managed to bypass this redirect and ended up with the correct header.

Then, several security rules could be added such as these:
I post my code but it is easy to understand what it is doing

Code:
DirectoryIndex  index.html index.php /error.php?mode=403


To lock all dir listing and redirect to a warning (many tries could here too lead to a mail and a report).
Code:
#banned
# one RewriteCond per banned address (xx placeholders), all but the last chained with [OR]
RewriteCond %{REMOTE_ADDR} ^xx\.xx\.xx\.xx$ [OR]
...
RewriteCond %{REMOTE_ADDR} ^xx\.xx\.xx\.xx$ [OR]
# FIN
RewriteCond %{REMOTE_ADDR} ^xx\.xx\.xx\.xx$
# everything except the error page and robots.txt goes to the banned page
RewriteRule !(error\.php|robots\.txt) /error.php?mode=banned [L,E=HTTP_USER_AGENT:BANNED_IP]


For the banning feature, I think that all the E flags should not be needed with yours.

Code:
# CODERED
RewriteCond %{REQUEST_URI} /default\.(ida|idq)$ [NC,OR]
RewriteCond %{REQUEST_URI} /.*\.printer$ [NC]
RewriteRule !(error\.php|robots\.txt) /error.php?mode=codered [L,E=HTTP_USER_AGENT:CODERED_EXPLOIT,T=application/x-httpd-cgi]


Who knows who'd like to test this

Code:
# Various
RewriteCond %{REQUEST_URI} ^/(bin/|cgi/|cgi\-local/|cgi\-bin/|sumthin) [NC,OR]
RewriteCond %{THE_REQUEST} ^GET\ http [NC,OR]
RewriteCond %{REQUEST_URI} /sensepost\.exe [NC,OR]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST) [NC,OR]


Plus some bot banning settings if we want:

then:

Code:
RewriteRule !(error\.php|robots\.txt) /error.php?mode=badua [L,E=HTTP_USER_AGENT:BAD_USER_AGENT]


To disallow perl scripts to access the site:
Code:
RewriteCond %{HTTP_USER_AGENT} ^.*PHP.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*libwww-perl [NC,OR]


Then

Code:
# Block if useragent and referer are unknown.
RewriteCond %{HTTP_REFERER} ^-$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^-$


Then

Code:
RewriteRule !(error\.php|robots\.txt) /error.php?mode=noagent [L,T=application/x-httpd-cgi]


And why not
Code:
# this ruleset is for formmail script abusers...
# we don't use Perl for Postnuke so this is not really needed.
RewriteCond %{REQUEST_URI} (mail.?form|form|form.?mail|mail|mailto)\.(cgi|exe|pl)$ [NC]
RewriteRule !(error\.php|robots\.txt) /error.php?mode=noformmail [L,E=HTTP_USER_AGENT:FORMMAIL_EXPLOIT,T=application/x-httpd-cgi]


Adding all of this would turn the actual mod into a great security enhancement too I think.

Not necessarily all kinds of errors would be to keep, but it would be cool to be able to use the system to provide intelligent messages to all of those kinds of harassment: bots, banned IPs, script abuse attempts and HTTP errors.

Then I know I just ended with the longest feature request ever but in the end I don't think that would be that much of a big deal, at least compared to the cool and useful features it would add.

Besides, your mod is great.

++
markus [Administrator]
Joined: 28 Jul 2003
Posts: 1124

Posted: Tue Mar 14, 2006 6:47 pm

Hi

I should say I'm quite busy; I believe I do not have much time to work on MX modules right now. Maybe I can be of some help on how to modify the code to suit your needs?

For the second feature... not sure if you've seen this?
http://forums.phpmix.org/viewtopic.php?t=304

The second example (hotlink prevention) shows you how to use a non-standard error code for your own purposes, and customize its message.

...or if you want to redirect to a fully customized page, you could modify errordocs.php to include something like:
PHP:
if( $errdoc_code == 1234 )
{
    // send the visitor to a fully customized page for this code
    @header('Location: my_custom_page.html');
    exit;
}


For the e-mail feature, maybe you could modify errordocs.php, adding the emailer code after this?
PHP:
if( $errdoc_log && $errdoc->is_write_log_allowed() )
{

Examples on how to use the phpBB emailer class can be found f.e. in privmsg.php


Another thing you could do is add a delay for some requests:
PHP:
$delayed_ips = array(
    '127.0.0.1',
    '127.0.0.127',
);
// slow down requests coming from the listed addresses
if( in_array($_SERVER['REMOTE_ADDR'], $delayed_ips) )
{
    sleep(10);
}
// ...or requests that produced a given error code
if( $errdoc_code == 1234 )
{
    sleep(10);
}


...or any of the above tricks after checking anything in the database.

_________________
http://www.phpmix.org
dcz (Apprentice)
Joined: 14 Mar 2006
Posts: 15

Posted: Wed Mar 15, 2006 1:57 am

Thanks for answering

I had already seen the topic you talked about, and yes, I'll try to do something with your code.

What you told me will help, it's easier to start from one point than to have to follow all processes (which I know I'll have to do anyway if I end up implementing all of those, but hey).

I'll post my results here whenever they're done (it's not first priority for me now, but it's not far from the top of the list as I want some error handling at least with mails).
Time to practice OO a bit

++
dcz (Apprentice)
Joined: 14 Mar 2006
Posts: 15

Posted: Mon Mar 27, 2006 1:52 pm

All right, here is what I came up with:

I added an analyse_log() function in common.php that looks in the logs for whether this particular error would not have already been performed by the same IP in the recent past.
Several levels of checking are allowed; you can ask as well for matching requested URI, HTTP referer, user id and error number. Those additional checks are implemented with "OR" in the query so that the result is a possible match upon IP or requested URI or HTTP referer or user id or error number.
This way you are most likely to find out how many log entries are linked to the same event.

Then, if the number of matches reaches a defined limit, logs are analysed and a mail, including the result of the log analysis, is sent to the admin while an extra warning message is displayed on the error page.

I implemented three custom error levels:
These are only working in stand alone mode though, since I have to implement an exception in the errordocs.php file in order to only allow this page to be viewed upon errors of such type (could not find a proper rule to exclude something like index.php?page=# ...). But actually it's no big deal.

Banned IP: To handle banned IPs through .htaccess (a lot more secure than the regular php/mysql ban). This way, every time a banned IP tries to access your site (and not only phpbb pages) it gets redirected to the error page. Again, once a certain number of tries is reached (can be different from the general one, actually I set general to 5 allowed matches and custom to one), a custom warning is added on the error page and a mail is sent to the admin.

Banned UA: Same as previous, but for bots. Actually I use mixed UA and IP banning rules for this, but they end up sorted in the same custom error category. Same as before as far as custom warning and mail.

Hacking attempt: This for now is activated when security rewriterules such as the one locking distant php scripts or formmail attempts are activated. Could be extended to replace die('hacking attempt') throughout phpbb. Same as before as far as custom warning and mail.


The report email looks like this:

Quote:
!HACKING ATTEMPT! : Event Logged
---------------------------------------------------------

Some suspicious behaviours as been observed on "" ( http://localhost/ )

This could be a false alert, but could not too.

There are 7 logged error related to this event so far.
Remeber, an email is being sent only if 5 errors where either comming from the same user, ip, Http Referer or any combination.
This means that this event is likely to be linked to one person.

Two users with the same ip is to be looked at.
Several ip obviously linked to the same event, itself looking sucpicious as far as requested uri, should lead to a ban.

A HACKING ATTEMPT has been detected on your site.
Please read the following logs very carrefully and try to find out if this ip was not doing other suspicious things.
In such case, consider reporting the event to the ip provider and / or the user of this UA.
If the problem persists, just ban the ip.

USER AGENT : Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
REMOTE HOST : localhost


What follow are logs of the event, you may recieve more than one mail if the scan appear to be massive.
Further analysis of those and the server log if any will help you out taking the right decision.

/***********************************************************************************************************************************************************/
/******************************************************************EVENT_LOG********************************************************************************/
/***********************************************************************************************************************************************************/
||_______ERROR_TIME______||__ERR___||___UID___||_______IP________||_REQUESTED_URI_______________||_HTTP_REFERER_________________________________________________||
|| 2006-03-27 @ 11:20:11 || 404 || _GUEST_ || 127.0.0.1 || /error.php?var=test || http://localhost/index.php ||
|| 2006-03-27 @ 11:20:24 || 404 || _GUEST_ || 127.0.0.1 || /error.php?var=test || EMPTY HTTP REFERER ||
|| 2006-03-27 @ 11:20:30 || 404 || _GUEST_ || 127.0.0.1 || /error.php?var=test || EMPTY HTTP REFERER ||
|| 2006-03-27 @ 11:20:32 || 404 || _GUEST_ || 127.0.0.1 || /error.php?var=test || EMPTY HTTP REFERER ||
|| 2006-03-27 @ 11:20:34 || 404 || _GUEST_ || 127.0.0.1 || /error.php?var=test || EMPTY HTTP REFERER ||
|| 2006-03-27 @ 11:20:37 || 404 || _GUEST_ || 127.0.0.1 || /error.php?var=test || EMPTY HTTP REFERER ||
|| 2006-03-27 @ 11:21:44 || !HACK! || UID : 2 || 127.0.0.1 || /index.hackit.php?bla=bli || EMPTY HTTP REFERER ||

/***********************************************************************************************************************************************************/


The part of the mail like this is custom, meaning only sent upon custom errors; regular error reports do not output it.

Then I added two small sleep() calls in the code in order to be able to face a massive scan without screwing the logs. (On my local test server I could actually trick the logs by just loading and reloading an error very fast (double entry error, guess it's because the next id was calculated before the last log was actually sent); a sleep(1) in errordocs.php solves this; if an email is sent I added a sleep(2) so that if this is a massive scan, it will have to wait a bit more. And I do not care if this page needs 4 or 5 sec to load actually

Then, as you can see, I have come to the point where the next step would be to implement auto ban or sleep for some IPs, but I think this would require another db table in order to store analysed events, and some more entries in the config to set the security level.

So, about this and also to give you my test server URL (I don't really want to receive that many mails) I will PM you right after I end this post.

Your mod is really cool, and I think I just started building a real nice and powerful security add on with this one.
With it, if only a few errors are performed, users are just warned; if there are too many, you receive a mail with all the info needed to take the right decision.

++
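As an added example (not dcz's analyse_log() nor any mx_errordocs code), this Python sketch models the correlation rule the post above describes: recent log rows are matched against the current event on the IP plus, depending on a security level, the error number and the requested URI (OR-matched), and an alert fires once the count reaches the general threshold (5) or the custom-error threshold (1). The level-to-column mapping, the time window, the `make_event` helper and the sample rows are assumptions; the rows are constructed after the report quoted in the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ErrorEvent:
    time: datetime
    err: str                 # "404", "403", or a custom tag such as "!HACK!"
    uid: str                 # "_GUEST_" or a user id
    ip: str
    uri: str
    referer: Optional[str]   # None when the client sent no Referer header


# Assumed mapping of security level -> columns compared. The post only says the
# IP is always checked, error numbers are added, and the URI at the maximum level.
LEVEL_FIELDS = {1: ("ip",), 2: ("ip", "err"), 3: ("ip", "err", "uri")}


def related_entries(log: List[ErrorEvent], event: ErrorEvent, level: int,
                    window: timedelta = timedelta(minutes=10),
                    extra: Tuple[str, ...] = ()) -> List[ErrorEvent]:
    """Rows from the recent past sharing at least one compared column with
    `event` (the OR query from the post). `extra` may add "referer" or "uid"."""
    fields = LEVEL_FIELDS[level] + extra
    since = event.time - window
    hits = []
    for row in log:
        if row.time < since or row.time > event.time:
            continue
        for f in fields:
            a, b = getattr(row, f), getattr(event, f)
            # Two empty referers must not count as a match.
            if a is not None and a == b:
                hits.append(row)
                break
    return hits


def should_alert(log, event, level, threshold=5, custom_threshold=1, **kw):
    """Alert when related rows reach the general limit (5 in the post) or the
    custom limit (1) for custom error tags, which are marked with a leading '!'."""
    hits = related_entries(log, event, level, **kw)
    limit = custom_threshold if event.err.startswith("!") else threshold
    return len(hits) >= limit, hits


def distinct_ips(hits: List[ErrorEvent]) -> List[str]:
    """Several IPs tied to one event (same URI) is the case the report flags for a ban."""
    return sorted({h.ip for h in hits})


# Constructed sample log, modelled on the report quoted in the post.
T0 = datetime(2006, 3, 27, 11, 20, 11)


def make_event(secs, err, uid, ip, uri, referer=None):
    return ErrorEvent(T0 + timedelta(seconds=secs), err, uid, ip, uri, referer)


SAMPLE_LOG = [
    make_event(0, "404", "_GUEST_", "127.0.0.1", "/error.php?var=test", "http://localhost/index.php"),
    make_event(13, "404", "_GUEST_", "127.0.0.1", "/error.php?var=test"),
    make_event(19, "404", "_GUEST_", "127.0.0.1", "/error.php?var=test"),
    make_event(21, "404", "_GUEST_", "127.0.0.1", "/error.php?var=test"),
    make_event(23, "404", "_GUEST_", "127.0.0.1", "/error.php?var=test"),
    make_event(26, "404", "_GUEST_", "127.0.0.1", "/error.php?var=test"),
    make_event(93, "!HACK!", "2", "127.0.0.1", "/index.hackit.php?bla=bli"),
]

if __name__ == "__main__":
    alert, hits = should_alert(SAMPLE_LOG, SAMPLE_LOG[-1], level=1)
    print(f"custom event: alert={alert}, {len(hits)} related rows")
    # A second address probing the same URI: invisible at level 1, caught at level 3.
    probe = make_event(109, "404", "_GUEST_", "10.0.0.5", "/error.php?var=test")
    for lvl in (1, 3):
        alert, hits = should_alert(SAMPLE_LOG, probe, level=lvl)
        print(f"level {lvl}: alert={alert}, ips={distinct_ips(hits)}")
```

The level 3 run is the case the thread keeps coming back to: an address never seen before still correlates through the URI, which an IP-only check (level 1) misses entirely.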
markus [Administrator]
Joined: 28 Jul 2003
Posts: 1124

Posted: Mon Mar 27, 2006 3:25 pm

Those ideas look cool. If you're for sharing while learning (as I do) ...go ahead and take over the module. I'm very happy you have found inspiration in it. Also, if you wish to create a MOD for phpBB.

Do you have a development site, or would you simply use MX/phpBB resources to release the module/MOD? Whatever you do, just give me a URL and I'll post it to link to your version.
dcz (Apprentice)
Joined: 14 Mar 2006
Posts: 15

Posted: Mon Mar 27, 2006 3:48 pm

markus wrote:
Those ideas look cool. If you're for sharing while learning (as I do) ...go ahead and take over the module. I'm very happy you have found inspiration in it. Also, if you wish to create a MOD for phpBB.

Do you have a development site, or would you simply use MX/phpBB resources to release the module/MOD? Whatever you do, just give me a URL and I'll post it to link to your version.


Cool

So yes, obviously I want to share.

And I am very pleased you said so, cause such a security module would really be useful for phpbb sites, and the best part is without changing a single phpbb line, eg without risking implementing security holes while securing phpbb (sic and lol but could be).

As far as releasing, phpbb.com, mx-system.com, phpbb-seo.com (this will be my personal releasing site as well as a general seo community web site once finished) and why not here are my first thoughts.

Also, as far as sharing, you may not have noticed my first mod (beside the seo one I am currently developing at phpbb-seo.com) mx_ggsitemaps
Since it could be useful to you here, here is a link:
http://www.phpbb.com/phpBB/viewtopic.php?t=371752
and another one
http://www.mx-system.com/index.php?page=2&t=8440&phpbb_script=viewtopic

Since the code is meant to work on both phpbb and mx.

It's RC1 and so far so good, no bugs, just install misunderstandings and small mistakes.

And it really helps indexing of phpbb (and mx).

I'll post here as soon as I come up with something testable.

++
markus [Administrator]
Joined: 28 Jul 2003
Posts: 1124

Posted: Mon Mar 27, 2006 4:09 pm

Sweet. I'll check out your ggsitemaps MOD when it gets approved. Though, for some reason it seems Google, Inktomi and MSN seem to live here. They are constantly crawling these forums.

Let me know when you open a topic at mx/phpbb about errordocs. And I'll update the project page to point to them.
markus [Administrator]
Joined: 28 Jul 2003
Posts: 1124

Posted: Wed Mar 29, 2006 7:13 am

...while you're at it, have you considered that anyone wanting to deploy an attack could a) use anonymous proxies and/or b) use a worm to infect other sites that could then infect more sites and deploy attacks together?

I mean, banning IPs is not a useful option in those cases, because the next attempt will come from a different IP... there is little you can do about it. If you were running your own server, you could use an intrusion prevention system (IPS) such as snort inline or even mod_security, so you could let the script kiddies play, no matter what they try. The IPS would just block the potentially harmful requests.

Probably, the best bet to minimize the chances of getting hacked is to try to be as up to date as possible with security fixes, new versions et al. And be in that as fast as possible, to get protected asap from 0-day exploits. That means, if you have a lot of MODs installed, then you are prone to be open to known exploits for more time than expected when big changes are released. Many people do not upgrade phpBB because of the MODs they have and hackers know that. If you're up to date, they will spend their time somewhere else, hopefully.

Another good method of protection is password protecting the phpBB admin folder at the server level, so if the board was compromised they would have to guess a very different password, and of course, backups of data and files.

So... getting back to your idea to send reports via e-mail, maybe they may turn into something annoying that people will end up disabling?

Although you have probably thought about that already, I wanted to post it anyway, if that encourages one or two out there to think about software upgrades et al.
dcz (Apprentice)
Joined: 14 Mar 2006
Posts: 15

Posted: Wed Mar 29, 2006 1:54 pm

Hehe, don't worry, I have been thinking about all this.

The thing is, according to what I have observed so far on my servers thanks to the mail feature of my error pages, hack attempts are very likely to provoke 404 or at least 403 (thanks to dir locking), since they need to test security a bit before finding the leak.

IP banning is actually quite a good way to go so far, even if it's only temporary if the IP is public (when I ban an IP, I look at the whois db, and only ban it for like a couple of months if it's a public IP, more if the IP appears to come from some weird domains).
So far, all banned IPs never came back more than once, but guess what, once I gave my banned list to a friend, right the same exact day (no link at all between our sites) he got scanned quite massively by half of them ... for the last time. And it was several weeks after I had banned them on my server.

Actually, hackers do really care about one thing: IP.
Once they find out you are most likely to log them, ban them and report them to the IP provider, they just don't like your site anymore, it becomes risky.
The dumb ones using their IP will know they are risking a lot, others will know they'll risk losing their attack IP if a report is made to the provider, so ... And they will be warned clearly.

Obviously, there is no perfect solution, but IP banning is one of the most efficient ways, as far as being hacker repulsive, and you'll admit .htaccess banning is way more efficient than phpbb IP banning.

Then, as far as pure anti-hack procedure, I am working on several sides of the code:
First, several rewriterules are filtering the query string for:
  • WRITING ATTEMPTS
  • SQL INJECTION
  • ENCODED CHARACTERS
  • UNION TRICK
  • CLIKE TRICK
  • CBACK WORM
  • DISTANT PHP & PERL SCRIPTS
  • FORMMAIL
  • Many other checks including some IIS exploit detection, so that the one trying those will be warned even though we don't risk it on apache; still nobody should do such things.


Then, for sure, we can imagine those rules being tricked some time, but hey, no comparison with no rules at all

Then the analysis part:
I thought quite a while to find what could be the right and efficient checks to perform upon one event (eg the error page is loaded).

Also I implemented a bot trapping feature, allowing you to easily discover which bots or humans are not following the robots.txt rules. Additional custom switches can be implemented almost as easily as for regular ones.

The way I am actually following now is:
Before all, get all data: config, event info.
Then set up the event, eg, pre-analyse params to select what to do.
At this stage I already (after the config query, eg very little code processing) know if some special kind of custom errors were activated or not and react.
Server self defense can here be sleep(), redir, exit, and/or send an alert mail (or activate a switch to do so in case the scan ends up screwing the db connection and breaks log analysis, since we already have quite some info about the event right at this stage).
The idea being, what could help prevent server overload in case of massive scanning.
I did not implement an auto ban feature so far, I am not sure this would be very useful but I will see this after the main part is done.
I am currently thinking about adding some info in the config table to allow better analysis at this stage (like tagging some IPs so that we can right at this stage already find out if it's a first try and eventually with some kind of rating of the last few events, according to the previous event checks).

Then, next step is to analyse logs. So far I am performing at least a check on the IP (the proxy case is being taken care of in both reports and log analysis)
and eventually one on error numbers (including customs) and why not, if sec level is set to max, an additional check upon URI (hackers with many IPs are most likely to use automated scans and thus to perform checks on the same URI).

I am taking care of trying to be as fast as possible before the first checks, to have greater chances to be able to send an alert in time, and to check the process upon each step (analysed, logged, alert sent) so that sleep() or whatever other action needed is possible, even though the server would be under a serious attack and would start to lose db connection for example.

All of this is set upon three security levels, plus additional options (bot trapping, email alerts ...). Those sec levels are used to take decisions for sending alerts on each stage, build the analyse log query (more or less compares, time limit and LIMIT).

First thing done upon the analyse log query is to compare time and data between this event and the last two. Another place to tag the event and to react.

If all went well so far, write logs (if not done, why not another reaction), and analyse them. And we start to have a lot of useful info to take decisions here. Anyway, another place to take measures if needed.

Then the alert mail is dealt with, eventually built and sent.

Then the regular page, load page's header etc ...

I have to decide where to update config; I use it to keep track of some elemental stats here, and to tag the last event also. But it will certainly be the earliest I can in the process (eg, maybe before logs and/or analysis) and certainly in two steps.


So I do really think all of this will help a lot securing a site, and the good thing is unlike phpbb security, it's not adding php code in phpbb, making it slower in the end. Basically it's doing similar things, but it's apache doing them instead, which I find faster and more secure, even though the apache analysis is not as deep as what php could do.

All of this being said, yes, being up to date is a must, and I do lock my admin folder as well as restrict it to accept only my IP. Actually I am thinking of compiling a more advanced protection method based on some I have seen here and there. The principle is to rename the folder and to leave an admin one with a trap in it, simple and efficient.
I also "deny from all" all include and db folders.

So in the end, even though no one can tell it will be 100%, this system will be very powerful.
And don't worry about too many mails being sent. With what I use so far, eg one mail upon every error, I get one mail every other day or so, and a lot more in case of scan but it's not that many times.

This mod will end up sending a lot fewer mails, with a lot more info in them.
And you can choose to only be bothered in case of a serious event.
I find it a good compromise, but I could try and see how I could try to send only a couple of mails per event (like sending the first, and wait and see until it's another IP with a time condition as well, so that you'll receive fewer mails with more info, but I also want the code to be fast to have greater chances to send a report in case of a massive scan which could end up overloading the server quite fast).

Jeeezz, what a long post

Have you tried the test link I PMed you for the draft version I made last time? Don't bother sending mail if you wish to see the custom message, you could for example test a URL ending with "markus" so I'll know it's you and won't ban

Anyway, have a nice day, I should be able to demonstrate a beta of this in a few days. Actually it's a very good OO exercise.

++
markus [Administrator]
Joined: 28 Jul 2003
Posts: 1124

Posted: Wed Mar 29, 2006 4:35 pm

Ugh, that sounds like a lot of work. Maybe you could consider deferring some stuff using register_shutdown_function?

To control overall site usage you could do something by checking how many "concurrent" sessions are active by checking a count on the sessions table, and maybe add some delay... just ideas...


Quote:
Have you tried the test link I PMed you ...

Yeah, been there. I was not banned, though. I even tried an XSS thingy through the referrer and useragent headers. Worked?
dcz (Apprentice)
Joined: 14 Mar 2006
Posts: 15

Posted: Wed Mar 29, 2006 11:58 pm

Hehe, yep, I am crazy sometimes, I know.

The thing is my internet access is really impossible right now, the company is supposedly taking care of finding where my two cables become one (yep I am posting with just one cable); thanks to some leaks in the network I get the loop like 10 sec every min. 1000 m to check, I hope this won't last over next week.

So I am quite limited to work online and use this time to code this module.

So yes I had thought about something like a shutdown function.

For the sessions, good idea, but I fear having an extra SQL query, even though the session table is stored in RAM. I am currently implementing kind of a rating event system to allow very early checks (the two last event IPs are stored in config with tag and time). When the tag (score) gets too high extreme measures are taken (shorter end of script or exit) and since this allows several levels, a session check could be one of them.

I don't think I'll go for auto ban right now, I would need to fine tune the rating system first (it's quite simple actually but based on many params so I don't want false bans).

And don't worry, no auto ban on the test server nor manual actually since it would be a dream to reach a phpbb ACP with my connection, not even talking about FTP transfers lol.

For the XSS trick, well, I am far from being a pro in XSS tricks, actually I have to read up a bit. But if you played with refs and UA then this mod won't do anything unless you end up on an error page. So far I did not implement UA and refs checks in it (I want the core now and will see up to what level I'll be able to go as far as being efficient) but some .htaccess checks for those could be a fast way to implement protection.

Do you know where I could find good doc about those so that I can figure out some key terms to exclude right from .htaccess?

For example you can try a nice little "wget" in your query string, things like that are already taken care of in the first draft.

I ended up thinking sleep() is no good solution, my plan is to go as fast as possible until the first check and SQL update of the mod's new config table so that the next session "knows" faster what to do early.
Then I tend to reduce the number of mails sent under serious attack detection, a first one is sent upon the first serious event, then if the security score is too big the mod will start to shorten the script until it will only exit (needs IP matching one or two of the last two ones and big event scoring).

But I am still figuring how to best achieve some parts, so I guess we'll both know more in a few more days.

++
markus [Administrator]
Joined: 28 Jul 2003
Posts: 1124

Posted: Thu Mar 30, 2006 12:24 am

mod_security has a lot of options, but there is food you could use, I think:
http://www.modsecurity.org/projects/rules/
http://www.gotroot.com/tiki-index.php?page=mod_security+rules

snort covers much more, it works at the firewall level, but there are rules specific to HTTP, most of them ported to mod_security too:
http://www.snort.org/rules/

Here's a site with lots of examples about XSS:
http://ha.ckers.org/xss.html

Seems to be down though.
dcz (Apprentice)
Joined: 14 Mar 2006
Posts: 15

Posted: Thu Mar 30, 2006 10:41 am

Thanks
dcz (Apprentice)
Joined: 14 Mar 2006
Posts: 15

Posted: Thu Mar 30, 2006 12:45 pm

hiha, my internet access is in a rather good mood today Wink
So I made it until my test server's ACP, and actually, you are one try from sending me a mail Wink

And you were logged on your href attempt.

Try just one more regular 404 to see Wink

I am wondering one thing about db settings.
I first set up a regular config (config_name, value) table but, since I want to use it for quick stats also, I'd like to find a better setup allowing one single SQL for update.

Is there a better solution, according to you, than to create a table similar to the log one and just use the first row (nothing more needed), knowing I'll probably end up with like 20 params (config + quick stats) in it?
Building a table with three columns (id, name, value) maybe?

I'll see what I'll come up with.

++
dcz
Apprentice
Joined: 14 Mar 2006
Posts: 15

PostPosted: Mon Apr 03, 2006 1:38 pm    Post subject:

hello,
Obviously this is taking a bit more time than I first expected, and it will be a lot more advanced too Wink

The thing is, I am just starting debug today, already fixed the three or four regular parsing errors and I am currently finishing the new ACP part.

The beta core code was ready two days ago, but I decided to write the ACP part before testing it, so that I can go faster testing settings.

As soon as I get a running beta, I'll post the code here, and then, after we discuss a bit, I'll start dev threads over at phpbb.com and mx-system.com.

I did not implement any auto-ban or clear-session code for now, but I will as soon as the scoring system is set up and tested efficient.

I kind of defined scoring rules that give a security score to each event; the higher it is, the worse the event is. The idea here is to first go faster while taking care of many params, and then to end up with kind of a hard-to-predict code for hackers (scoring depends on many, many params, so it's rather hard in the end to be able to perform repeated errors (even not serious) without having this score increase).
This way I hope hackers won't find an easy way to always be safe from mail alerts while they are not sent upon every event.
I tend not to send too many emails for related events, but I must not miss any serious alert either, so some unnecessary mails (well, they still are necessary since they are always connected to one event being suspicious) can still be sent, but the massive scan case is taken care of: the script will end up exiting before any alert is sent, and you still should have received first a special mail telling you it's a massive scan and that no more alerts will be sent for this event, also suggesting to ask for a mail report asap (I implemented a feature to just ask for a detailed report by mail using a special URL).

And the behaviour of the mod is set upon various config settings such as security level, time depth in analysis, number of related (by IP, proxy, score, error etc.) errors before a warning (thus a mail with logs) is output.
Custom errors such as the ones activated through the .htaccess rules lead to an even stricter answer from the mod.
I implemented a bot-trap custom error, so that you can easily trap bots not following robots.txt rules.

As previously said, short script ends are implemented; the script is able to exit right after the config was asked for in case of massive scan.

The testing phase, besides debugging, will also be useful to set scoring constants (above which score should we do this or that).

I made it right now to have a working config ACP page; things are going forward.


++
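A worked example of the scoring and alert escalation dcz describes in this post (score per event, per-IP score summed over a time window, one warning mail, then a single "massive scan" notice after which the script only exits), which also shows the single-row config-plus-quick-stats table asked about in the earlier post (one SELECT and one UPDATE per request). This is an added example, not the mx_errordocs mod's own code; it is written in Python with SQLite rather than the mod's PHP/MySQL, and the event scores, the thresholds (60-second window, warn at 10, scan at 40), the table layout and the IP addresses are all constructed for illustration.

```python
"""Sliding-window security scoring for error-document hits (added example,
not the mx_errordocs mod's code).  Thresholds and scores are constructed."""
import sqlite3

# Constructed event scores (assumption): the higher, the worse the event.
EVENT_SCORES = {
    "404": 1,             # plain missing page
    "403": 3,             # forbidden page or blocked directory listing
    "bot_trap": 5,        # custom error URL that robots.txt tells crawlers to skip
    "query_pattern": 10,  # suspicious token in the query string, e.g. "wget"
}

# One log table, one table of IPs already reported as a massive scan, and a
# single-row table that holds both config and quick stats (constructed layout).
SCHEMA = """
CREATE TABLE error_log (
    id INTEGER PRIMARY KEY, ip TEXT NOT NULL, ts REAL NOT NULL, score INTEGER NOT NULL
);
CREATE TABLE scan_notice (ip TEXT PRIMARY KEY);
CREATE TABLE error_state (
    id INTEGER PRIMARY KEY CHECK (id = 1),  -- exactly one row
    window_seconds INTEGER NOT NULL,        -- config: time depth of the analysis
    warn_score INTEGER NOT NULL,            -- config: window score that triggers a warning mail
    scan_score INTEGER NOT NULL,            -- config: window score treated as a massive scan
    events_total INTEGER NOT NULL,          -- quick stat
    alerts_sent INTEGER NOT NULL,           -- quick stat
    last_event_ts REAL                      -- quick stat
);
INSERT INTO error_state VALUES (1, 60, 10, 40, 0, 0, NULL);
"""


class ErrorScorer:
    def __init__(self, conn=None):
        self.conn = conn or sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)
        self.mailbox = []  # stands in for the admin's inbox

    def handle(self, ip, event_type, ts):
        """Process one error hit; returns 'log', 'warn', 'scan_notice' or 'exit'."""
        score = EVENT_SCORES[event_type]
        # One SELECT fetches every config value the request needs.
        window, warn, scan = self.conn.execute(
            "SELECT window_seconds, warn_score, scan_score FROM error_state WHERE id = 1"
        ).fetchone()
        prev = self.conn.execute(
            "SELECT COALESCE(SUM(score), 0) FROM error_log WHERE ip = ? AND ts > ?",
            (ip, ts - window),
        ).fetchone()[0]
        total = prev + score
        self.conn.execute(
            "INSERT INTO error_log (ip, ts, score) VALUES (?, ?, ?)", (ip, ts, score)
        )

        mail = None
        if total >= scan:
            already = self.conn.execute(
                "SELECT 1 FROM scan_notice WHERE ip = ?", (ip,)
            ).fetchone()
            if already:
                action = "exit"  # scan already reported: the real script would stop here
            else:
                self.conn.execute("INSERT INTO scan_notice (ip) VALUES (?)", (ip,))
                action = "scan_notice"
                mail = f"massive scan from {ip}: no more alerts for this event, ask for a report"
        elif score >= warn or prev < warn <= total:
            # A single serious event, or the window score crossing the warn line.
            action = "warn"
            mail = f"suspicious errors from {ip}: window score {total}"
        else:
            action = "log"

        if mail:
            self.mailbox.append(mail)
        # One UPDATE refreshes every quick stat in the single-row table.
        self.conn.execute(
            "UPDATE error_state SET events_total = events_total + 1, "
            "alerts_sent = alerts_sent + ?, last_event_ts = ? WHERE id = 1",
            (1 if mail else 0, ts),
        )
        self.conn.commit()
        return action

    def stats(self):
        """Return (events_total, alerts_sent) from the quick-stats row."""
        return self.conn.execute(
            "SELECT events_total, alerts_sent FROM error_state WHERE id = 1"
        ).fetchone()


if __name__ == "__main__":
    scorer = ErrorScorer()
    # Constructed traffic: one 404 per second from a single address.
    for t in range(1, 42):
        print(t, scorer.handle("203.0.113.7", "404", t))
    print(scorer.handle("198.51.100.9", "query_pattern", 50))
    print(scorer.stats(), scorer.mailbox)
```

With these constructed thresholds, forty 404s in one minute from the same address produce exactly two mails (one warning when the window score reaches 10, one massive-scan notice at 40) and every further hit in that window takes the early-exit path, while a single high-score event from a fresh address still gets its own warning immediately.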