Site security

The place to talk about things that are related to CMS Made simple, but don't fit anywhere else.
chrisl
Forum Members
Posts: 57
Joined: Fri Dec 30, 2005 10:08 am
Location: London

Site security

Post by chrisl »

Site security is always an issue as we have seen with the number of upgrades to CMSMS recently. 

Has anyone any comments on

PHPIDS (PHP-Intrusion Detection System) http://php-ids.org/

just to keep a check on intrusions to a site?
LeisureLarry

Re: Site security

Post by LeisureLarry »

I think you've developed the phpids module cms ms, but I don't really get how it is or should be working.

I'm using your default config and only added my email. What do the three level configs mean and how can I test the module?

In the phpids forum someone posted something like:

http://YOUR SITE/?test=">XXX

But this doesn't seem to result in anything. My logfile is empty and write permissions are ok. Besides, I should mention that I'm using pretty urls.

Greats from Germany
LeisureLarry
chrisl

Re: Site security

Post by chrisl »

Thanks for your interest in the CMSMS PHPIDS module.

The detection will start as soon as the module is installed, providing
1) PHP version > 5.1.6 and includes the SimpleXML extension (normally enabled by default)
2) you are not logged in to admin OR in the same session

The three levels allow you to toggle and set impact levels

1) If you want an email sent to you giving details of intrusion
2) If you want a warning message displayed
3) If you want to ban the intruder

All impacts will be logged in the phpids_log txt file (impact will not be logged on database if you are on local machine)

To check impact uncomment
debug_display($impact, 'impact');
on about line 437 in phpids.module.php
or for results
debug_display($result, 'results');
on about line 476 in phpids.module.php

As you mention if you enter a url like
http://YOUR SITE/?test=">XXX

this should result in an initial impact of 4; each refresh will increase this by the same amount.

For further information visit http://php-ids.org/

Taking into account the number of reported attacks on CMSMS sites and indeed on this forum, it is worth reading Mario's white paper on 'Attack Detection':
http://docs.google.com/View?docID=dd7x5smw_11cfdd34db
LeisureLarry

Re: Site security

Post by LeisureLarry »

I've tried the module for several days, but there seems to be a problem with google analytics or something else.

Do you know what could cause the following email and a warning message above the normal content of my website (not always, only if an email was sent)?

The following attack has been detected by PHPIDS

IP: xx.yy.zz.vv 
Date: 2008-02-27T14:05:34+01:00 
Impact: 11 
Affected tags: xss csrf id rfe lfi 
Affected parameters: COOKIE.__utmz=207471233.1204113981.1.1.utmcsr%3Dforum.cmsmadesimple.org%7Cutmccn%3D%28referral%29%7Cutmcmd%3Dreferral%7Cutmcct%3D%2Findex.php%2Ftopic%2C19305.0.html, 

Request URI: %2F

I've got several of these (forum.cmsmadesimple.org) and another domain. Both websites have links to my website in the content.

Besides, the phpids website isn't really good; I couldn't find really useful information.

Greats from Germany
LeisureLarry
dmgd
Forum Members
Posts: 115
Joined: Tue Jun 06, 2006 1:10 pm
Location: TX

Re: Site security

Post by dmgd »

LeisureLarry, the docs (linked above) say something about this:

"Furthermore exceptions can be defined in the configuration file. This is an extremely important feature to avoid false alerts on certain web applications. If for example the requests against a programming forum are being monitored with the PHPIDS it probably doesn't make sense to check the post body data. It will in most cases be filled with source code examples and other data that will trigger alert after alert because the filter rules of the PHPIDS match the monitored string. Same goes for parameters used by Google Analytics - those are by the way defined as exclusions on default - also to show how the definition of exclusions in the Config.ini works. After including the files and adding the necessary code it is important to decide how the protected web application should react. There are various ways and most of them should be depending on the impact the overall attack had."
Mark
LeisureLarry

Re: Site security

Post by LeisureLarry »

Really odd, reading your quote, google analytics should be no problem, but for me it seemed to be the problem used with phpids. For the moment I had to disable phpids, as I need the analytics. If I've more time, I will have some testing.

Greats and thanks from Germany
LeisureLarry
Pablillo
Forum Members
Posts: 36
Joined: Sat May 23, 2009 10:09 am
Location: Spain

Re: Site security

Post by Pablillo »

Hi guys!

First of all, sorry for my written English; I'm Spanish and I don't write English as well as I want.

I think I have a solution for the phpids and google analytics issue.

I've seen all the mail that phpids sent me when I installed google analytics in my site (www.pablillo.es) and I tried to log into my admin area.

The problem, as you know, is in the cookies of google analytics.

I've searched in the config file of phpids and I've seen this exclusion:

exceptions[]    = __utmz

But the cookie problem sent by phpids said this:

Affected parameters: COOKIE.__utmz=
....

Then I used all my brain to search for a solution and I found this: Add two (2) exceptions:

exceptions[]    = .__utmz

exceptions[]    = COOKIE.__utmz

Since I've added the exceptions, I've had no warnings.

I hope that this solution will work for you.

Thank you for your patience

Regards
Pablo
www.pablillo.es
Do good and stay away from evil
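
An added example (not code from any poster or from the PHPIDS module) for triaging alerts like the one quoted in this thread: it parses the alert body, URL-decodes the flagged values, and checks which parameter names a list of exceptions leaves uncovered. It assumes the e-mail layout shown above and that an exception covers a parameter only on an exact name match, which is consistent with what Pablillo reports but is not confirmed from the PHPIDS source; all function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample: the alert body quoted earlier in this thread (IP masked as posted).
SAMPLE_ALERT = """The following attack has been detected by PHPIDS

IP: xx.yy.zz.vv
Date: 2008-02-27T14:05:34+01:00
Impact: 11
Affected tags: xss csrf id rfe lfi
Affected parameters: COOKIE.__utmz=207471233.1204113981.1.1.utmcsr%3Dforum.cmsmadesimple.org%7Cutmccn%3D%28referral%29%7Cutmcmd%3Dreferral%7Cutmcct%3D%2Findex.php%2Ftopic%2C19305.0.html,

Request URI: %2F
"""

# Classic Google Analytics cookies as they appear in the alert (scope-qualified).
GA_COOKIE = re.compile(r"^COOKIE\.__utm[a-z]$")

def parse_alert(text):
    """Return the 'Key: value' header fields of one alert e-mail as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def affected_parameters(fields):
    """Map each scope-qualified parameter name to its URL-decoded value.
    Assumes values are URL-encoded, so a literal comma only separates items."""
    params = {}
    for item in fields.get("Affected parameters", "").split(","):
        name, sep, value = item.strip().partition("=")
        if sep:
            params[name] = unquote(value)
    return params

def uncovered(params, exceptions):
    """Flagged names no exception covers (assumption: exact, case-sensitive match)."""
    allowed = set(exceptions)
    return sorted(name for name in params if name not in allowed)

def only_analytics_cookies(params):
    """True when every flagged parameter is a Google Analytics cookie."""
    return bool(params) and all(GA_COOKIE.match(name) for name in params)

if __name__ == "__main__":
    p = affected_parameters(parse_alert(SAMPLE_ALERT))
    print(p, uncovered(p, ["__utmz"]), only_analytics_cookies(p))
```

The decoded value shows why the cookie scores on several filter tags: it carries the referring forum URL with `=`, `|`, `(`, `)` and `/` characters.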