Simple Intrusion Detecion Rules for Apache (Apache mod_rewrite & PHP based Intrusion Detection System IDS)
This is a document I created a while ago. I’m redesigning the Watkissonline site that this was previously stored on, but I wanted to keep this information. It’s kept more as an academic exercise. It could be used as a basic IDS notification system or as a module for a more complex solution, but I don’t intend to continue development of this.
Simple Intrusion Detection Rules for Apache
Apache mod_rewrite & PHP based Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) is a way of detecting and logging, reporting or alerting to events caused by people attempting to, or successfully attacking your system. The technique described here is a simple way of logging attempts at accessing vulnerable scripts or programs on a website.
The techniques described here are simple and are fairly limited but they do have some benefits:
* View of what is happening on the system
* Removes errors from error log file to make genuine errors easier to find
* Messages could be integrated into a full IDS system (depends upon config)
* Alerts user that their activity has been detected as a deterrant from future attacks
* Simple to implement
How it Works
This technique uses the apache mod_rewrite module to identify certain URL requests. For example looking for users trying to find phpmyadmin, or formmail scripts when they don’t extist. If the URL is matched then the user is redirected to a PHP file that gives the user a warning to the user and logs the details to a dedicated log file.
The following process is followed:
1. Does the URL match one of the IDS mod_rewrite rules
* No – process as normal
2. Yes
3. Redirect the user to /idsalert.php with details of the alert
4. Returns a warning to the user to cease
5. Logs details
6. Sysadmin (or automated script) checks the logs and sees details of attempts
Optionally (not detailed) a script could look for multiple hack attempts and block incoming connections from that address; or or a full IDS could view the entries and handle appropriately; and/or a log analysis script such as LogInfo Web Analysis Program (future versions will support ids log) could look at the file and report number of attempts.
Creating mod_rewrite Rules
The Apache mod_rewrite module will need to be enabled. This is achieved by including the following entry in the Directory element, or in the virtual host configuration.
RewriteEngine on
Then a number of RewriteRules will redirect known intrusion attempts to the idsalert.php script.
### The following are all intrusion alerts, these are forwarded
# to a IDSAlert page which can then lot the details
RewriteRule ^/(misc.php).* /idsalert.php?request=$1 [R,L]
RewriteRule ^(.*cltreq.asp).* /idsalert.php?request=$1 [R,L]
RewriteRule (owssvr.dll) /idsalert.php?request=$1 [R,L]
etc...
These entries could be included directly in the httpd.conf / Vhosts.conf file, or it can be put into a separate file using the apache Include statement.
The following example is the recommended configuration which puts the rewrite rules in a separate file:
In httpd.conf (within
RewriteEngine on
Include /etc/httpd/conf/idsrewrite.conf
In /etc/httpd/conf/idsrewrite.conf
## IDSAlert Rewrite Rules
# Version 1.0 25/7/2005
# The following are all intrusion alerts, these are forwarded
# to a IDSAlert page which can then lot the details
RewriteRule ^/(misc.php).* /idsalert.php?request=$1 [R,L]
RewriteRule ^(.*cltreq.asp).* /idsalert.php?request=$1 [R,L]
RewriteRule (owssvr.dll) /idsalert.php?request=$1 [R,L]
RewriteRule (cmd.exe) /idsalert.php?request=$1 [R,L]
## Remove following lines if that feature is required
# awstats
RewriteRule awstats /idsalert.php?request=awstats [R,L]
# phpmyadmin
RewriteRule phpmyadmin /idsalert.php?request=phpmyadmin [R,L]
# openwebmail
RewriteRule openwebmail /idsalrt.php?request=openwebmail [R,L]
# Form based email (or use different name)
RewriteRule formmail /idsalert?request=formmail [R,L]
** End of idsrewrite.conf file
Also see Updates to idsrewrite.conf file.
More information is available from the Apache mod_rewrite Guide.
PHP Scripts idsalert.php
The above rules redirect to a php script called idsalert.php which is in the servers root document directory. The PHP script should return a message to the user and log into a log file. The following example logs the entry in a format similar to that used by the apache error_log format.
idsalert.php file
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>IDS Alarm - Illegal Operation</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<h1>IDS Alarm - Illegal Operation</h1>
<p>
An Illegal Operation has occured. There is a possibility that this was an intrusion attempt that has
been caught by the Intrusion Detection System.<br>
Details of this has been logged.
</p>
<p>
If you have reached this page from a search engine or similar then you can proceed to the <a href="/index.html">Website Homepage</a>.
Or if you believe this to be a mistake please email the webmaster with details of the page you were trying to access.
</p>
<h2>The following information has been logged</h2>
<?php
$logfile = "/var/log/httpd/idsalert_log";
$useraddress = $_SERVER[REMOTE_ADDR];
$request = $_GET[request];
$date = date("D M d H:i:s Y");
# Security reasons - remove any none letter / number / [/?&] replace with #
$request = ereg_replace("[^a-zA-Z0-9/?&]", "#", $request);
echo "User's IP address: $useraddress
</body>
</html>
** End of idsalert.php file
If you are feeding this into an IDS system then you may want to change the logging format to meet your own requirements. Alerts will be added to the /var/log/httpd/idsalert_log file.
Summary of Install Procedures
1. Enable the mod_rewrite module
2. Create /etc/httpd/conf/idsrewrite.conf using the latest version
3. Create the idsalert.php file in your websites root directory
IDS Rewrite File
## IDSAlert Rewrite Rules
# Version 1.0 25/7/205
# Download new version from http://www.watkissonline.co.uk
# The following are all intrusion alerts, these are forwarded
# to a IDSAlert page which can then lot the details
RewriteRule ^/(misc.php).* /idsalert.php?request=$1 [R,L]
RewriteRule ^(.*cltreq.asp).* /idsalert.php?request=$1 [R,L]
RewriteRule (owssvr.dll) /idsalert.php?request=$1 [R,L]
RewriteRule (cmd.exe) /idsalert.php?request=$1 [R,L]
## Remove following lines if that feature is required
# awstats
RewriteRule awstats /idsalert.php?request=awstats [R,L]
# phpmyadmin
RewriteRule phpmyadmin /idsalert.php?request=phpmyadmin [R,L]
# openwebmail
RewriteRule openwebmail /idsalrt.php?request=openwebmail [R,L]
# Form based email (or use different name)
RewriteRule formmail /idsalert?request=formmail [R,L]
** End idswrite file