Intrusion Detection System

trialnick · 02-08-2011 11:14 AM

you do not need any plugins, just read here

http://perishablepress.com/press/2009/03...http://perishablepress.com/press/2009/03/16/the-perishable-press-4g-
and other themes about htaccess protection on blog.

Especially :

Code:

# QUERY STRING EXPLOITS
<IfModule mod_rewrite.c>
 RewriteCond %{QUERY_STRING} \.\.\/    [NC,OR]
 RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
 RewriteCond %{QUERY_STRING} tag\=     [NC,OR]
 RewriteCond %{QUERY_STRING} ftp\:     [NC,OR]
 RewriteCond %{QUERY_STRING} http\:    [NC,OR]
 RewriteCond %{QUERY_STRING} https\:   [NC,OR]
 RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
 RewriteRule ^(.*)$ - [F,L]
</IfModule>

Choose the lines that will suit your server&forum (eg. you shouldn't use SELECT or INSERT because it will conflict wth mybb queries; you can add in the same line: rlike and like)

***ZiNgA BuRgA*** · 02-08-2011 02:52 PM

I do not recommend using the above.

trialnick · 02-08-2011 08:37 PM

(02-08-2011 02:52 PM)ZiNgA BuRgA Wrote: I do not recommend using the above.

why not?

Let's say that one installs a plugin that has a security issue.
Majority of users won't ever notice and find eg. XSS in plugin code, so htaccess will protect the forum no matter of the sec hole. Surely, these queries may be bypassed, but better any protection than nothing.

There are many sites with sqli. Some of them, when one tries to put the query just loop and never end wih loading even they are vulnerable. Or, even there's a visible sql error, the query can't be executed because htaccess forbidds it.

***ZiNgA BuRgA*** · 02-08-2011 09:38 PM

And it will block plenty of legit requests too.

MasterZuFu · 02-09-2011 09:00 AM

Is there any way to set it so that it's less restrictive then?

***ZiNgA BuRgA*** · 02-09-2011 10:07 AM

Well... removing keywords you wish to allow, but then, it's making it less secure.
Personally, I just don't really like these intrusion detection systems, but if you're going to use one, try something more complex than a very simple request URL filter.

trialnick · 02-10-2011 05:16 AM

Quote:And it will block plenty of legit requests too.

well, not so many at all. One should remove select, insert ....

(02-09-2011 10:07 AM)ZiNgA BuRgA Wrote: try something more complex than a very simple request URL filter.

These are only to prevent sql, xss.
There are (on the blog I mentioned above) various things for protection.

Being a coder you can recognize holes in plugins, but you are just 1% of mybb users who are able to do that. Talking about an ordinary mybb owners, these protections are good.

***ZiNgA BuRgA*** · 02-10-2011 08:57 AM

(02-10-2011 05:16 AM)trialnick Wrote: well, not so many at all. One should remove select, insert ....

So if someone searches for, say, "select" or "insert", their request gets mysteriously blocked?
And blocking those isn't really good against SQL injection anyway. PHP's mysql extension prevents multiple queries. Perhaps the only thing it really blocks is a UNION SELECT injection, but blocking INSERT is practically useless. I can't think of any likely (MySQL) query where INSERT would be good for injection.

trialnick · 02-12-2011 09:22 AM

I do appreciate your work here ( this is one of my fav mybb forums), I like your review of plugins , but you have to understand that you belong to few people around who can fluently read codes and notice holes in plugins. That's not the case for many of us, so we should find the other way. At that point, you don't have competency to realize how the "ordinary users" think Wink

because you aren't part of them. Eg. bulletproof protection plugin was made for wordpress , because they are pretty aware that their users are those who use blogging to write about coffee, school, books , ants and that they aren't coders, designers etc. Hope you get my words now.

(02-10-2011 08:57 AM)ZiNgA BuRgA Wrote:
(02-10-2011 05:16 AM)trialnick Wrote: well, not so many at all. One should remove select, insert ....
So if someone searches for, say, "select" or "insert", their request gets mysteriously blocked?

Exactly what I said---select and insert should be removed from the htaccess lines.

The script isn't perfect: that's why one has to search for other queries ...
There's the great method to get blind mysql inj in very short way (using floor rand) and such queries should be prevented as well...I'll repeat: I have no idea who and how plugins are made and if I had enough time I'll read the whole code, but this is the shortcut I use (I have no ambition to be a coder ).

Other thing: I saw the site that had a sqli error , but no one could inject anything because the htaccess redirect any suspicious queries (except order and select). When one tried to use union, site was looping, also blind way didn't worked. Thanks to htaccess Biggrin

***ZiNgA BuRgA*** · 02-12-2011 03:32 PM

(02-12-2011 09:22 AM)trialnick Wrote: I do appreciate your work here ( this is one of my fav mybb forums), I like your review of plugins , but you have to understand that you belong to few people around who can fluently read codes and notice holes in plugins. That's not the case for many of us, so we should find the other way. At that point, you don't have competency to realize how the "ordinary users" think because you aren't part of them. Eg. bulletproof protection plugin was made for wordpress , because they are pretty aware that their users are those who use blogging to write about coffee, school, books , ants and that they aren't coders, designers etc. Hope you get my words now.

I understand what you're trying to say, but that doesn't mean one should take drastic measures which adversely affect user experience. If you want to take it to an extreme, turning off the server will most likely prevent any attack, but the obvious consequence is no user can use it too.

(02-12-2011 09:22 AM)trialnick Wrote: The script isn't perfect: that's why one has to search for other queries ...

No IDS system is "perfect". The idea is simply to maximise detection of attack attempts and minimise effects on users.
A "better" IDS script is one which works better in both of the above. I don't think a .htaccess blacklist is sufficient to really achieve the aim well - a PHP based IDS mentioned earlier in this thread will most likely have better heuristic capabilities.

(02-12-2011 09:22 AM)trialnick Wrote: There's the great method to get blind mysql inj in very short way (using floor rand) and such queries should be prevented as well...I'll repeat: I have no idea who and how plugins are made and if I had enough time I'll read the whole code, but this is the shortcut I use (I have no ambition to be a coder ).

SQL injections are usually variables which haven't been "cleaned" by the processing script, for example:

SQL Code

SELECT field FROM table WHERE id={id}

If "{id}" is a variable and not cleaned by the script, someone could set {id} to have arbitrary SQL.
Variables are usually placed in the WHERE statement or later, which is why blocking INSERT or SELECT probably isn't terribly useful.

Threaded Mode \| Linear Mode Standard Tools
Forum Jump: View a Printable Version Send this Thread to a Friend Subscribe to this thread