Commit cb122101 authored by Till Brehm's avatar Till Brehm

FS#3640 - Add Intrusion Detection System

parent fb6c56e0
......@@ -1010,6 +1010,12 @@ class installer_dist extends installer_base {
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/ids.whitelist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/ids.htmlfield';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/apache_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make the global language file directory group writable
exec("chmod -R 770 $install_dir/interface/lib/lang");
......
......@@ -903,6 +903,12 @@ class installer extends installer_base
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/ids.whitelist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/ids.htmlfield';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/apache_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make the global language file directory group writable
exec("chmod -R 770 $install_dir/interface/lib/lang");
......
......@@ -1081,6 +1081,12 @@ class installer_dist extends installer_base {
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/ids.whitelist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/ids.htmlfield';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/apache_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make the global language file directory group writable
exec("chmod -R 770 $install_dir/interface/lib/lang");
......
......@@ -1937,6 +1937,12 @@ class installer_base {
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/ids.whitelist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/ids.htmlfield';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/apache_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make the global language file directory group writable
exec("chmod -R 770 $install_dir/interface/lib/lang");
......
......@@ -48,6 +48,7 @@ class app {
private $_wb;
private $_loaded_classes = array();
private $_conf;
private $_security_config;
public $loaded_plugins = array();
......@@ -109,7 +110,8 @@ class app {
}
$this->uses('functions'); // we need this before all others!
$this->uses('auth,plugin');
$this->uses('auth,plugin,ini_parser,getconf');
}
public function __get($prop) {
......@@ -327,4 +329,13 @@ class app {
//* possible future = new app($conf);
$app = new app();
// load and enable PHP Intrusion Detection System (PHPIDS)
$ids_security_config = $app->getconf->get_security_config('ids');
if(is_dir(ISPC_CLASS_PATH.'/IDS') && $ids_security_config['ids_enabled'] == 'yes') {
$app->uses('ids');
$app->ids->start();
}
unset($ids_security_config);
?>
# in case PHPIDS is placed in the web-root
deny from all
# silence is golden
php_flag display_errors off
\ No newline at end of file
<?php
/**
* PHPIDS
*
* Requirements: PHP5, SimpleXML
*
* Copyright (c) 2008 PHPIDS group (https://phpids.org)
*
* PHPIDS is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, version 3 of the License, or
* (at your option) any later version.
*
* PHPIDS is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with PHPIDS. If not, see <http://www.gnu.org/licenses/>.
*
* PHP version 5.1.6+
*
* @category Security
* @package PHPIDS
* @author Mario Heiderich <mario.heiderich@gmail.com>
* @author Christian Matthies <ch0012@gmail.com>
* @author Lars Strojny <lars@strojny.net>
* @license http://www.gnu.org/licenses/lgpl.html LGPL
* @link http://php-ids.org/
*/
namespace IDS\Caching;
/**
* APC caching wrapper
*
* This class inhabits functionality to get and set cache via memcached.
*
* @category Security
* @package PHPIDS
* @author Yves Berkholz <godzilla80@gmx.net>
* @copyright 2007-2009 The PHPIDS Groupoup
* @license http://www.gnu.org/licenses/lgpl.html LGPL
* @link http://php-ids.org/
* @since Version 0.6.5
*/
class ApcCache implements CacheInterface
{
/**
* Caching type
*
* @var string
*/
private $type = null;
/**
* Cache configuration
*
* @var array
*/
private $config = null;
/**
* Flag if the filter storage has been found in memcached
*
* @var boolean
*/
private $isCached = false;
/**
* Holds an instance of this class
*
* @var object
*/
private static $cachingInstance = null;
/**
* Constructor
*
* @param string $type caching type
* @param array $init the IDS_Init object
*
* @return void
*/
public function __construct($type, $init)
{
$this->type = $type;
$this->config = $init->config['Caching'];
}
/**
* Returns an instance of this class
*
* @param string $type caching type
* @param object $init the IDS_Init object
*
* @return object $this
*/
public static function getInstance($type, $init)
{
if (!self::$cachingInstance) {
self::$cachingInstance = new ApcCache($type, $init);
}
return self::$cachingInstance;
}
/**
* Writes cache data
*
* @param array $data the caching data
*
* @return object $this
*/
public function setCache(array $data)
{
if (!$this->isCached) {
apc_store(
$this->config['key_prefix'] . '.storage',
$data,
$this->config['expiration_time']
);
}
return $this;
}
/**
* Returns the cached data
*
* Note that this method returns false if either type or file cache is
* not set
*
* @return mixed cache data or false
*/
public function getCache()
{
$data = apc_fetch($this->config['key_prefix'] . '.storage');
$this->isCached = !empty($data);
return $data;
}
}
<?php
/**
* PHPIDS
*
* Requirements: PHP5, SimpleXML
*
* Copyright (c) 2008 PHPIDS group (https://phpids.org)
*
* PHPIDS is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, version 3 of the License, or
* (at your option) any later version.
*
* PHPIDS is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with PHPIDS. If not, see <http://www.gnu.org/licenses/>.
*
* PHP version 5.1.6+
*
* @category Security
* @package PHPIDS
* @author Mario Heiderich <mario.heiderich@gmail.com>
* @author Christian Matthies <ch0012@gmail.com>
* @author Lars Strojny <lars@strojny.net>
* @license http://www.gnu.org/licenses/lgpl.html LGPL
* @link http://php-ids.org/
*/
namespace IDS\Caching;
/**
* Caching factory
*
* This class is used as a factory to load the correct concrete caching
* implementation.
*
* @category Security
* @package PHPIDS
* @author Christian Matthies <ch0012@gmail.com>
* @author Mario Heiderich <mario.heiderich@gmail.com>
* @author Lars Strojny <lars@strojny.net>
* @copyright 2007-2009 The PHPIDS Group
* @license http://www.gnu.org/licenses/lgpl.html LGPL
* @link http://php-ids.org/
* @since Version 0.4
*/
class CacheFactory
{
/**
* Factory method
*
* @param object $init the IDS_Init object
* @param string $type the caching type
*
* @return object the caching facility
*/
public static function factory($init, $type)
{
$object = false;
$wrapper = preg_replace(
'/\W+/m',
null,
ucfirst($init->config['Caching']['caching'])
);
$class = '\\IDS\\Caching\\' . $wrapper . 'Cache';
$path = dirname(__FILE__) . DIRECTORY_SEPARATOR . $wrapper . 'Cache.php';
if (file_exists($path)) {
include_once $path;
if (class_exists($class)) {
$object = call_user_func(
array('' . $class, 'getInstance'),
$type,
$init
);
}
}
return $object;
}
}
<?php
/**
* PHPIDS
*
* Requirements: PHP5, SimpleXML
*
* Copyright (c) 2008 PHPIDS group (https://phpids.org)
*
* PHPIDS is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, version 3 of the License, or
* (at your option) any later version.
*
* PHPIDS is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with PHPIDS. If not, see <http://www.gnu.org/licenses/>.
*
* PHP version 5.1.6+
*
* @category Security
* @package PHPIDS
* @author Mario Heiderich <mario.heiderich@gmail.com>
* @author Christian Matthies <ch0012@gmail.com>
* @author Lars Strojny <lars@strojny.net>
* @license http://www.gnu.org/licenses/lgpl.html LGPL
* @link http://php-ids.org/
*/
namespace IDS\Caching;
/**
* Caching wrapper interface
*
* @category Security
* @package PHPIDS
* @author Christian Matthies <ch0012@gmail.com>
* @author Mario Heiderich <mario.heiderich@gmail.com>
* @author Lars Strojny <lars@strojny.net>
* @copyright 2007-2009 The PHPIDS Group
* @license http://www.gnu.org/licenses/lgpl.html LGPL
* @since Version 0.4
* @link http://php-ids.org/
*/
interface CacheInterface
{
/**
* Interface method
*
* @param array $data the cache data
*
* @return void
*/
public function setCache(array $data);
/**
* Interface method
*
* @return void
*/
public function getCache();
}
<?php
/**
* PHPIDS
*
* Requirements: PHP5, SimpleXML
*
* Copyright (c) 2008 PHPIDS group (https://phpids.org)
*
* PHPIDS is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, version 3 of the License, or
* (at your option) any later version.
*
* PHPIDS is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with PHPIDS. If not, see <http://www.gnu.org/licenses/>.
*
* PHP version 5.1.6+
*
* @category Security
* @package PHPIDS
* @author Mario Heiderich <mario.heiderich@gmail.com>
* @author Christian Matthies <ch0012@gmail.com>
* @author Lars Strojny <lars@strojny.net>
* @license http://www.gnu.org/licenses/lgpl.html LGPL
* @link http://php-ids.org/
*/
namespace IDS\Caching;
/**
*
*/
/**
* Database caching wrapper
*
* This class inhabits functionality to get and set cache via a database.
*
* Needed SQL:
*
#create the database
CREATE DATABASE IF NOT EXISTS `phpids` DEFAULT CHARACTER
SET utf8 COLLATE utf8_general_ci;
DROP TABLE IF EXISTS `cache`;
#now select the created datbase and create the table
CREATE TABLE `cache` (
`type` VARCHAR( 32 ) NOT null ,
`data` TEXT NOT null ,
`created` DATETIME NOT null ,
`modified` DATETIME NOT null
) ENGINE = MYISAM ;
*
* @category Security
* @package PHPIDS
* @author Christian Matthies <ch0012@gmail.com>
* @author Mario Heiderich <mario.heiderich@gmail.com>
* @author Lars Strojny <lars@strojny.net>
* @copyright 2007-2009 The PHPIDS Groupup
* @license http://www.gnu.org/licenses/lgpl.html LGPL
* @link http://php-ids.org/
* @since Version 0.4
*/
class DatabaseCache implements CacheInterface
{
/**
* Caching type
*
* @var string
*/
private $type = null;
/**
* Cache configuration
*
* @var array
*/
private $config = null;
/**
* DBH
*
* @var object
*/
private $handle = null;
/**
* Holds an instance of this class
*
* @var object
*/
private static $cachingInstance = null;
/**
* Constructor
*
* Connects to database.
*
* @param string $type caching type
* @param object $init the IDS_Init object
*
* @return void
*/
public function __construct($type, $init)
{
$this->type = $type;
$this->config = $init->config['Caching'];
$this->handle = $this->connect();
}
/**
* Returns an instance of this class
*
* @static
* @param string $type caching type
* @param object $init the IDS_Init object
*
* @return object $this
*/
public static function getInstance($type, $init)
{
if (!self::$cachingInstance) {
self::$cachingInstance = new DatabaseCache($type, $init);
}
return self::$cachingInstance;
}
/**
* Writes cache data into the database
*
* @param array $data the caching data
*
* @throws PDOException if a db error occurred
* @return object $this
*/
public function setCache(array $data)
{
$handle = $this->handle;
$rows = $handle->query('SELECT created FROM `' . $this->config['table'].'`');
if (!$rows || $rows->rowCount() === 0) {
$this->write($handle, $data);
} else {
foreach ($rows as $row) {
if ((time()-strtotime($row['created'])) >
$this->config['expiration_time']) {
$this->write($handle, $data);
}
}
}
return $this;
}
/**
* Returns the cached data
*
* Note that this method returns false if either type or file cache is
* not set
*
* @throws PDOException if a db error occurred
* @return mixed cache data or false
*/
public function getCache()
{
try {
$handle = $this->handle;
$result = $handle->prepare(
'SELECT * FROM `' .
$this->config['table'] .
'` where type=?'
);
$result->execute(array($this->type));
foreach ($result as $row) {
return unserialize($row['data']);
}
} catch (\PDOException $e) {
throw new \PDOException('PDOException: ' . $e->getMessage());
}
return false;
}
/**
* Connect to database and return a handle
*
* @return object PDO
* @throws Exception if connection parameters are faulty
* @throws PDOException if a db error occurred
*/
private function connect()
{
// validate connection parameters
if (!$this->config['wrapper']
|| !$this->config['user']
|| !$this->config['password']
|| !$this->config['table']) {
throw new \Exception('Insufficient connection parameters');
}
// try to connect
try {
$handle = new \PDO(
$this->config['wrapper'],
$this->config['user'],
$this->config['password']
);
$handle->setAttribute(\PDO::MYSQL_ATTR_USE_BUFFERED_QUERY, true);
} catch (\PDOException $e) {
throw new \PDOException('PDOException: ' . $e->getMessage());
}
return $handle;
}
/**
* Write the cache data to the table
*
* @param object $handle the database handle
* @param array $data the caching data