Simple Intrusion Detection Rules for Apache
Apache mod_rewrite & PHP based Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) is a way of detecting, logging and reporting or alerting on events caused by people attempting to attack your system, whether or not the attack succeeds.
The technique described here is a simple way of logging attempts to access vulnerable scripts or programs on a website, in particular scripts that do not exist on the server at all.
The techniques described here are simple and fairly limited, but they do have some benefits:
- Gives a view of what is happening on the system
- Keeps these requests out of the error log (they would otherwise appear there as 404 errors), making genuine errors easier to find
- The alert messages could be fed into a full IDS (depends upon its configuration)
- Tells the user that their activity has been detected, as a deterrent against further attempts
- Simple to implement
How it Works
This technique uses the Apache mod_rewrite module to identify certain URL requests, for example users
trying to find phpMyAdmin or formmail scripts that do not exist on the server. If the URL is matched then the
user is redirected to a PHP file that shows the user a warning and logs the details to a dedicated log file.
The following process is followed:
- Does the URL match one of the IDS mod_rewrite rules?
- Yes
- Redirect the user to /idsalert.php with details of the alert
- Returns a warning to the user to cease
- Logs the details
- Sysadmin (or automated script) checks the logs and sees details of the attempts
Optionally (not detailed here) a script could look for multiple attempts from one address and block incoming connections
from that address; a full IDS could read the entries and handle them appropriately; and/or a log analysis
script such as the LogInfo Web Analysis Program (future versions will support the ids log) could read the file and report the number of attempts.
Creating mod_rewrite Rules
The Apache mod_rewrite module will need to be loaded (the LoadModule rewrite_module line in httpd.conf) and the rewrite engine
switched on by including the following entry in the Directory element, or in the virtual host configuration.
RewriteEngine on
Then a number of RewriteRules redirect known intrusion attempts to the idsalert.php script. Each rule's pattern is a regular
expression that Apache searches, unanchored and case-sensitively unless the [NC] flag is given, against the URL path of the request
(the query string is not part of the match). The [R] flag sends the client an external redirect to idsalert.php and [L] stops rule
processing, so the first matching rule wins. Note that in per-directory context (a Directory section or .htaccess) the pattern is
compared against the path relative to that directory, so a rule anchored with ^/ such as the misc.php rule below only matches when
the rules are placed in server or VirtualHost context.
### The following are all intrusion alerts, these are forwarded
# to a IDSAlert page which can then log the details
RewriteRule ^/(misc.php).* /idsalert.php?request=$1 [R,L]
RewriteRule ^(.*cltreq.asp).* /idsalert.php?request=$1 [R,L]
RewriteRule (owssvr.dll) /idsalert.php?request=$1 [R,L]
etc...
These entries could be included directly in the httpd.conf / Vhosts.conf file, or they can be put into a
separate file using the Apache Include statement.
The following example is the recommended configuration, which puts the rewrite rules in a separate file:
In httpd.conf (within <Directory>) or Vhosts.conf (within <VirtualHost>)
RewriteEngine on
Include /etc/httpd/conf/idsrewrite.conf
In /etc/httpd/conf/idsrewrite.conf
## IDSAlert Rewrite Rules
# Version 1.0 25/7/205
# Download new version from http://www.watkissonline.co.uk
# The following are all intrusion alerts, these are forwarded
# to a IDSAlert page which can then log the details
RewriteRule ^/(misc.php).* /idsalert.php?request=$1 [R,L]
RewriteRule ^(.*cltreq.asp).* /idsalert.php?request=$1 [R,L]
RewriteRule (owssvr.dll) /idsalert.php?request=$1 [R,L]
RewriteRule (cmd.exe) /idsalert.php?request=$1 [R,L]
## Remove the rule for any of the following that is genuinely installed on this server,
## otherwise legitimate requests to it will be flagged
# awstats
RewriteRule awstats /idsalert.php?request=awstats [R,L]
# phpmyadmin
RewriteRule phpmyadmin /idsalert.php?request=phpmyadmin [R,L]
# openwebmail
RewriteRule openwebmail /idsalert.php?request=openwebmail [R,L]
# Form based email (or use different name)
RewriteRule formmail /idsalert.php?request=formmail [R,L]
** End of idsrewrite.conf file
Also see Updates to idsrewrite.conf file.
More information is available from the Apache mod_rewrite Guide.
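As an added example (not code from the original page), the following Python script imitates how mod_rewrite applies the rules above to a set of constructed request URLs, so the behaviour of the rule set can be checked offline before it goes into httpd.conf. It reproduces the matching described above (an unanchored, case-sensitive regular-expression search against the decoded URL path with the query string removed, first matching rule wins, $1 expanded from the capture group) and shows two limits of the page's patterns: the mixed-case probe /PHPMyAdmin/ is missed because no [NC] flag is used, and an innocent page whose name merely contains phpmyadmin is flagged because the pattern is not anchored. STRICT_PHPMYADMIN is an assumed tightened rule added for comparison, not a rule from the page, and all sample URLs are constructed.

```python
import re
from urllib.parse import unquote

# The page's idsrewrite.conf rules as (pattern, substitution) pairs.
IDS_RULES = [
    (r"^/(misc.php).*", "/idsalert.php?request=$1"),
    (r"^(.*cltreq.asp).*", "/idsalert.php?request=$1"),
    (r"(owssvr.dll)", "/idsalert.php?request=$1"),
    (r"(cmd.exe)", "/idsalert.php?request=$1"),
    (r"awstats", "/idsalert.php?request=awstats"),
    (r"phpmyadmin", "/idsalert.php?request=phpmyadmin"),
    (r"openwebmail", "/idsalert.php?request=openwebmail"),
    (r"formmail", "/idsalert.php?request=formmail"),
]

# Tightened variant (an assumption for illustration, not a rule from the page):
# anchored at the document root and case-insensitive, the effect of the [NC] flag.
STRICT_PHPMYADMIN = [(r"(?i)^/phpmyadmin(/|$)", "/idsalert.php?request=phpmyadmin")]


def rewrite(url, rules=IDS_RULES):
    """Return the redirect target for `url`, or None if no rule fires.

    Mirrors how mod_rewrite applies [R,L] rules in server/vhost context:
    the pattern is searched (unanchored, case-sensitive) against the decoded
    URL path only, rules are tried in order, the first match wins, and $N in
    the substitution is replaced by the corresponding capture group.
    """
    path = unquote(url.split("?", 1)[0])   # the query string is never matched
    for pattern, subst in rules:
        m = re.search(pattern, path)
        if m:
            return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), subst)
    return None


if __name__ == "__main__":
    # Constructed sample requests, including two that show the rules' limits:
    # a mixed-case probe the case-sensitive rule misses, and a harmless page
    # whose name contains "phpmyadmin" and is therefore flagged.
    for url in [
        "/misc.php",
        "/scripts/cltreq.asp",
        "/_vti_bin/owssvr.dll",
        "/scripts/..%5c../winnt/system32/cmd.exe",
        "/phpmyadmin/index.php?lang=en",
        "/PHPMyAdmin/",
        "/docs/phpmyadmin-notes.html",
        "/idsalert.php?request=phpmyadmin",   # no redirect loop: path has no match
        "/index.html",
        "misc.php",                            # per-directory style partial path
    ]:
        print("%-45s -> %s" % (url, rewrite(url)))
    print("strict rule, /docs/phpmyadmin-notes.html ->",
          rewrite("/docs/phpmyadmin-notes.html", STRICT_PHPMYADMIN))
    print("strict rule, /PHPMyAdmin/ ->", rewrite("/PHPMyAdmin/", STRICT_PHPMYADMIN))
```

Running the script also shows that the ^/ anchored misc.php rule does not fire for the partial path misc.php that a Directory or .htaccess context would present, and that a redirect to /idsalert.php?request=... is not matched again, so the [R] redirect cannot loop.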
PHP Script idsalert.php
The above rules redirect to a PHP script called idsalert.php in the server's document root
directory. The PHP script returns a warning message to the user and writes an entry to a dedicated log file. The following
example logs entries in a format similar to that used by the Apache error_log.
Because the client is sent an external redirect, the log entry is only written when the client follows it, and anyone
can request idsalert.php directly with an arbitrary request parameter. The script therefore treats that parameter as
untrusted: it replaces everything except letters, digits and / ? & before echoing or logging it, which prevents both
HTML or script being injected into the page and fake lines (or newlines) being injected into the log.
idsalert.php file
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>IDS Alarm - Illegal Operation</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<h1>IDS Alarm - Illegal Operation</h1>
<p>
An illegal operation has occurred. There is a possibility that this was an intrusion attempt that has
been caught by the Intrusion Detection System.<br>
Details of this have been logged.
</p>
<p>
If you have reached this page from a search engine or similar then you can proceed to the <a href="/index.html">Website Homepage</a>.
Or if you believe this to be a mistake please email the webmaster with details of the page you were trying to access.
</p>
<h2>The following information has been logged</h2>
<?php
$logfile = "/var/log/httpd/idsalert_log";
$useraddress = $_SERVER['REMOTE_ADDR'];
# The request parameter is supplied by the client and is untrusted
$request = isset($_GET['request']) ? $_GET['request'] : '';
$date = date("D M d H:i:s Y");
# Security: replace anything that is not a letter, digit or one of / ? & with #.
# This stops HTML or script being echoed back to the browser and stops newlines
# or fake "[client ...]" fields being injected into the log file.
$request = preg_replace('/[^a-zA-Z0-9\/?&]/', '#', $request);
# Keep one entry per line at a sane length
$request = substr($request, 0, 200);
echo "User's IP address: $useraddress<br />";
echo "Request Type: $request<br />";
# Now append to the log (the file must be writable by the user Apache runs as)
if ($fout = fopen($logfile, "a"))
{
fputs($fout, "[$date] [idsalert] [client $useraddress] Not Allowed: $request\n");
fclose($fout);
}
?>
</body>
</html>
** End of idsalert.php file
If you are feeding these alerts into an IDS then you may want to change the logging format to meet your own requirements.
Alerts are appended to the /var/log/httpd/idsalert_log file. The file must exist and be writable by the user Apache runs as
(fopen in append mode only creates it if the directory is writable, which /var/log/httpd normally is not); if it cannot be
opened the warning page is still shown but nothing is logged.
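As an added example (not code from the original page), here is a Python log analysis script covering the two follow-up actions mentioned earlier: reporting the number of attempts per flagged request, and finding addresses that raise repeated alerts so that an automated script could block them. It parses the idsalert_log format written by idsalert.php above. The log lines are constructed for the example (the last entry shows how a direct hit on idsalert.php with a script tag ends up after the PHP sanitiser), the threshold and window are arbitrary choices, and the iptables commands are produced as text rather than executed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One entry per line, in the format idsalert.php writes:
#   [Mon Jul 25 10:00:01 2005] [idsalert] [client 203.0.113.5] Not Allowed: phpmyadmin
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\] \[idsalert\] \[client (?P<ip>[^\]]+)\] Not Allowed: (?P<request>.*)$"
)
DATE_FMT = "%a %b %d %H:%M:%S %Y"   # the PHP date("D M d H:i:s Y") layout

# Constructed sample log (not real traffic). The last entry is a direct request
# for idsalert.php?request=<script>alert(1)</script> as the sanitiser logs it.
SAMPLE_LOG = """\
[Mon Jul 25 10:00:01 2005] [idsalert] [client 203.0.113.5] Not Allowed: phpmyadmin
[Mon Jul 25 10:00:03 2005] [idsalert] [client 203.0.113.5] Not Allowed: awstats
[Mon Jul 25 10:00:04 2005] [idsalert] [client 203.0.113.5] Not Allowed: cmd.exe
[Mon Jul 25 10:02:15 2005] [idsalert] [client 198.51.100.7] Not Allowed: formmail
[Mon Jul 25 11:30:00 2005] [idsalert] [client 198.51.100.7] Not Allowed: phpmyadmin
[Mon Jul 25 12:45:00 2005] [idsalert] [client 198.51.100.7] Not Allowed: openwebmail
[Mon Jul 25 12:46:00 2005] [idsalert] [client 203.0.113.5] Not Allowed: #script#alert#1##/script#
this line is not an idsalert entry and is skipped
"""


def parse_line(line):
    """Parse one idsalert_log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group("date"), DATE_FMT),
        "ip": m.group("ip"),
        "request": m.group("request"),
    }


def parse_log(lines):
    """All well-formed entries, in file order; malformed lines are dropped."""
    return [rec for rec in map(parse_line, lines) if rec]


def attempts_by_request(lines):
    """Count alerts per flagged request: the 'number of attempts' report."""
    return Counter(rec["request"] for rec in parse_log(lines))


def repeat_offenders(lines, threshold=3, window_minutes=10):
    """Return {ip: total_alerts} for clients that raised `threshold` or more
    alerts inside any sliding window of `window_minutes`; a single stray hit
    (or hits spread thinly over hours) does not qualify."""
    window = timedelta(minutes=window_minutes)
    times_by_ip = defaultdict(list)
    for rec in parse_log(lines):
        times_by_ip[rec["ip"]].append(rec["time"])
    offenders = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders


def block_commands(offenders):
    """iptables commands a blocking script would run, one per offender (not executed here)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(offenders)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for request, n in attempts_by_request(lines).most_common():
        print("%4d  %s" % (n, request))
    offenders = repeat_offenders(lines)
    print("repeat offenders:", offenders)
    for cmd in block_commands(offenders):
        print(cmd)
```

With the sample data only 203.0.113.5, which probed three different scripts within a few seconds, crosses the threshold; 198.51.100.7 raised the same number of alerts but spread over hours and is reported without being blocked. In production the block list would be fed to iptables or an equivalent by a privileged cron job, not by the web server user.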
Summary of Install Procedures
- Enable the mod_rewrite module (LoadModule rewrite_module and RewriteEngine on)
- Create /etc/httpd/conf/idsrewrite.conf using the latest version and Include it from httpd.conf or the virtual host
- Create the idsalert.php file in your website's document root directory
- Create /var/log/httpd/idsalert_log and make it writable by the user Apache runs as
Updates
The rewrite rules will be added to as more attack patterns are identified. The latest version is included below:
Latest idsrewrite.conf file
## IDSAlert Rewrite Rules
# Version 1.0 25/7/205
# Download new version from http://www.watkissonline.co.uk
# The following are all intrusion alerts, these are forwarded
# to a IDSAlert page which can then log the details
RewriteRule ^/(misc.php).* /idsalert.php?request=$1 [R,L]
RewriteRule ^(.*cltreq.asp).* /idsalert.php?request=$1 [R,L]
RewriteRule (owssvr.dll) /idsalert.php?request=$1 [R,L]
RewriteRule (cmd.exe) /idsalert.php?request=$1 [R,L]
## Remove the rule for any of the following that is genuinely installed on this server,
## otherwise legitimate requests to it will be flagged
# awstats
RewriteRule awstats /idsalert.php?request=awstats [R,L]
# phpmyadmin
RewriteRule phpmyadmin /idsalert.php?request=phpmyadmin [R,L]
# openwebmail
RewriteRule openwebmail /idsalert.php?request=openwebmail [R,L]
# Form based email (or use different name)
RewriteRule formmail /idsalert.php?request=formmail [R,L]
** End of latest idsrewrite.conf file