Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Other - Discussion

Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Fri Apr 01, 2011 10:06 pm

I am currently combining ideas for several smaller projects and using them to create one all-encompassing module, which will eventually be released as Site Guardian (tm).

The project itself is well under way but because the module itself is growing rapidly, I'm keen not to bloat it if I don't need to.

There are a couple of aspects of the module I would like the community's feedback on:

1. The module has the ability to block certain IPs, domains and referrers from accessing the website it is installed on. Although this data is stored in the module's tables, I have built hooks into the module to allow this data to also be passed into Nuke Sentinel's (tm) tables, i.e. for banning IPs, domains and referrers.
The question I am needing help with is this:
If the data has been passed on to NS, do I still need to store the data in my own module?
The reason I ask is simply because of efficiency. If I pass the data to NS, I need to indicate in my own module, when viewing the data, that it has been passed to NS so users don't waste time trying to pass that same data again.

2. The second phase of the module relates to detecting unauthorised changes in core files. I have already built a mechanism that allows files to be archived in a compressed format on the server as a type of back-up (each file from a specific top-level directory is backed up individually).
The question is:
Would you actually use something like that?
My thoughts are that, to be effective, you would have to back up the entire site and this means even though the backed-up files are compressed, it would still consume a fair amount of disc space and I'm not convinced the majority of people would have that amount of disc space free, especially since it is probably less resource intensive to use your hosting provider's control panel to download the entire site.
 
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Sat Apr 02, 2011 1:15 am

SG = Site Guardian (tm)
NS = Nuke Sentinel (tm)
EOL = End of Life


Re: SG and NS - Maybe the question we should be asking is:

Should NS be retired in lieu of other advances in security including SG? Rather than integrating SG into NS, meld the best of both, call it SG and set an EOL for NS. NS has needed an overhaul for quite a while. This could be the perfect time. There's certainly no ego to be bruised here.

@Guardian, I'd like to get your feedback before anyone else chimes in since the load will be more on you than anyone else. Of course I will assist you with any issues concerning NS that I can.
 
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Sat Apr 02, 2011 9:01 am

Re. backup and compression, I think we'd be better off relying on individual admins to use their hosting control panel to back up their files (as you imply). There are differing needs depending on the nature of the sites and a one-size-fits-all approach would not work that well.

Re. retiring NS, I agree with Raven that it's getting to be time. Especially if we can tighten up filtering there is really little need for NS. The one part I would miss is IP tracking ... it would be good if we could build this into a replacement.
 
Guardian2003
Posted: Sat Apr 02, 2011 10:38 am

@ Raven - I honestly don't have an answer to that one.
Personally, I have no use for NS. I have had it disabled on my site for over 4 months and the only reason I recently switched it back on was to do some xHTML/Accessibility validation on an administration GUI in a production environment (when in admin mode and with NS disabled, the 'Disabled' warning produces compliance issues).

For people that install a plethora of third-party modules, particularly older modules, I think that NS is still a valuable tool and whilst it should never be seen as a cure-all panacea for badly coded modules, it does offer a degree of protection that the user's website might not otherwise have.
The only real issue with NS (from my own personal perspective) is in the infrequent IP2C updates. That isn't really the fault of NS but simply one of time; the lack of it to maintain and deploy them.

NS has always been a reactive system. It waits for bad stuff to happen, then tries to control it. I'm hoping with SG, things can be more of a proactive system. Kinda like encasing the Mongol Hordes in concrete rather than waiting for them to storm the village.

The main hurdle really in deciding which way to go is that I had envisaged SG as a commercial product; either a small fee for a year's data and script updates/fixes etc. or maybe a free script with a $1 monthly subscription for data updates. This would never be to line my own pocket; the reality is that I rarely manage to fund the dedicated server I use now and SG will, if/once it hits users in double figures, require its own server simply due to the massive amounts of data it will be handling and sharing.
It's really easy to build and use a system that relies on individual websites to perform look-ups to remote RBLs and other data sources (CA HTTBL for example uses that approach to look up IPs at Project Honeypot) but the essence (at least one aspect of SG) is to 'share' this data between all its users, like the way Akismet currently works.
If site A gets a visit from a bad guy (or the website owner flags a bad guy) that SG doesn't know about yet, the visitor gets blocked from accessing the site. This data is then passed back to a central location, which then gets pushed out to all the other sites using SG.
But it isn't all about bad referrers/bad IPs. With hooks into RNYA to block specific email addresses or email domains from registering, imagine a spammer registering on one site and then (more or less) being automagically blocked on every other site using SG.

I am currently handling the entire dataset from Project Honeypot and the rather massive dataset from Google, all stored locally. However, to be effective, the datasets need to be regularly updated in the central location. Optionally the user can take advantage of one-off look-ups to any other RBL that allows a remote look-up such as Spamhaus but if such a look-up takes place and the result is a ban, that data gets pushed to SG as well.
If something gets banned and then subsequently gets whitelisted, again, the data is disseminated back through the chain (subject to verification).

Anyway, I'm rambling; this is just one aspect of SG's functionality.

@ fkelly - yes, that is why I'm looking for feedback. I actually have all the code written to archive files and also the functionality to 'restore' a specific file, with the option to automagically restore a file if a monitored file's contents change, e.g. a website gets compromised and someone injects an iframe or other malicious code into a file; it could potentially be reverted back before any further harm is done or indeed before the system sent out the warning email to the webmaster.
I did that more as a coding exercise of "can it be done" rather than something based on a need or practicality. I would prefer to actually advance some things on my roadmap but I thought that since I had the majority of it completed, I might as well see what feedback there might be. If sufficient people would actually truly use it, I would retain it.
 
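The archive-and-restore mechanism described in the post above, sketched as an added illustration rather than Site Guardian's own code: one gzip copy per file plus a SHA-256 manifest protected by an HMAC, a check that reports changed, missing or new files, and an optional restore from the archive. The function names, directory layout and manifest format are assumptions made for this example.

```php
<?php
// Added illustration, not Site Guardian's code. Keep $archiveDir and $hmacKey
// outside the web root, unwritable by the web server user, so an intruder who
// can edit core files cannot also rewrite the archive or the manifest.

function sg_rel_files(string $dir): array {
    $files = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if ($f->isFile()) {
            $files[] = substr($f->getPathname(), strlen(rtrim($dir, '/')) + 1);
        }
    }
    return $files;
}

function sg_archive_dir(string $srcDir, string $archiveDir, string $hmacKey): void {
    @mkdir($archiveDir, 0700, true);
    $manifest = [];
    foreach (sg_rel_files($srcDir) as $rel) {
        $data = file_get_contents("$srcDir/$rel");
        $manifest[$rel] = hash('sha256', $data);
        file_put_contents("$archiveDir/" . sha1($rel) . '.gz', gzencode($data, 9));
    }
    $json = json_encode($manifest);
    file_put_contents("$archiveDir/manifest.json", $json);
    // the HMAC stops an intruder from editing the manifest to match an edited file
    file_put_contents("$archiveDir/manifest.sig", hash_hmac('sha256', $json, $hmacKey));
}

function sg_check_dir(string $srcDir, string $archiveDir, string $hmacKey, bool $restore = false): array {
    $json = (string)file_get_contents("$archiveDir/manifest.json");
    $sig  = (string)file_get_contents("$archiveDir/manifest.sig");
    if (!hash_equals(hash_hmac('sha256', $json, $hmacKey), $sig)) {
        throw new RuntimeException('manifest signature mismatch: treat the archive as untrusted');
    }
    $manifest = json_decode($json, true);
    $changed = [];
    foreach ($manifest as $rel => $expected) {
        $path = "$srcDir/$rel";
        $actual = is_file($path) ? hash_file('sha256', $path) : 'missing';
        if (hash_equals($expected, $actual)) { continue; }   // 'missing' can never equal a hex digest
        $changed[$rel] = $actual;
        if ($restore) { file_put_contents($path, gzdecode(file_get_contents("$archiveDir/" . sha1($rel) . '.gz'))); }
    }
    foreach (sg_rel_files($srcDir) as $rel) {   // files that were dropped in after the archive was taken
        if (!isset($manifest[$rel])) { $changed[$rel] = 'new'; }
    }
    return $changed;   // empty array means every monitored file still matches the archive
}
```

Run `sg_archive_dir()` once from a known-clean copy, then `sg_check_dir()` from cron; the returned array is what the warning email to the webmaster should list, and a 'new' entry is worth as much attention as a changed one.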
Raven
Posted: Sat Apr 02, 2011 12:54 pm

I definitely agree concerning the tracking.
 
Guardian2003
Posted: Sat Apr 02, 2011 1:12 pm

Not sure what type of IP tracking you mean. The ability to track which pages/URLs a specific IP visits?
 
fkelly
Posted: Sat Apr 02, 2011 1:45 pm

By IP tracking I mean the "display tracked IP" choice from the NS menu and the results. It is really helpful to me in tracing problems as well as seeing what hackers are up to. I can also see how users use the system, which areas they go into and which ones they don't.

Here's an example where I can see all the details of what they are doing in one of my custom modules.

Quote:
[link only visible to registered users]

I can see where they are stepping through my Gcalendar entries day by day or looking at individual Gallery albums and pictures one by one. And I can see the patterns of activities that hackers try to break into RNYA.

This gives me an understanding of what's going on that summary statistics can't approach.
 
Guardian2003
Posted: Sat Apr 02, 2011 5:43 pm

Interesting.
Shouldn't be too much of a problem since SG tracks 'referrers', which are basically just links anyway. At present it just ignores internal ones because its primary focus is on where people are coming from externally, but it shouldn't be too much of a stretch to make some minor modifications to track internal ones as well. The minor bugbear will be adding in the bits to associate it with the user and putting it all in a new table (I think internal data should be kept separate). I already incorporate similar functionality in SG's 'logging' ability, whereby it logs the admin's activity within the module, so I could maybe separate that bit out to use it in a more global sense.
 
Raven
Posted: Sat Apr 02, 2011 6:34 pm

@all: I meant that I could/would create a separate application if NS was eliminated. I wasn't clear at all.
 
Guardian2003
Posted: Sun Apr 03, 2011 5:34 am

@ Raven, I would agree that if NS couldn't be slimmed down, a replacement would be a good option. I think all hosting providers now use mod_security and that in itself eliminates the need for NS to look at a raft of things; some string blocks and things like the Santy worm etc.

There are also a few potential gotchas that are probably not fully catered for currently in NS:
IPv4 is EOL by virtue of the fact that they ran out of unused combinations in February this year. Most newer mobile phones use the (newer version of the) IPv6 protocol and there is rapidly mounting pressure for all internet-related things (IPs, CIDRs, DNS etc.) to move to the newer IPv6 protocol, but no doubt all systems will still have to cater for IPv4 for a long time to come.
 
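The IPv4/IPv6 point raised above, as an added illustration that is not code from Nuke Sentinel or Site Guardian: a ban-list check that accepts single addresses and CIDR ranges in either family, compares them in packed binary form so the two families never collide, and folds IPv4-mapped IPv6 addresses back onto their IPv4 rule. The function names are assumptions and the sample addresses are constructed from the documentation ranges.

```php
<?php
// Added illustration, not Nuke Sentinel's or Site Guardian's code. Packed-binary
// comparison via inet_pton() handles 4-byte and 16-byte addresses with one routine.

function sg_pton(string $ip) {   // packed binary address, or false (no warnings) for junk input
    return filter_var($ip, FILTER_VALIDATE_IP) ? inet_pton($ip) : false;
}

function sg_ip_in_cidr(string $ip, string $cidr): bool {
    if (strpos($cidr, '/') === false) {
        $cidr .= strpos($cidr, ':') === false ? '/32' : '/128';   // bare address means a single host
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin = sg_pton($ip); $netBin = sg_pton($net);
    // different families (or unparsable input) never match
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $bits = (int)$bits;
    if ($bits < 0 || $bits > strlen($ipBin) * 8) { return false; }
    $full = intdiv($bits, 8);
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) { return false; }
    $rem = $bits % 8;
    if ($rem === 0) { return true; }
    $mask = (0xFF << (8 - $rem)) & 0xFF;   // the leading $rem bits of the next byte
    return ((ord($ipBin[$full]) ^ ord($netBin[$full])) & $mask) === 0;
}

function sg_is_banned(string $ip, array $banList): ?string {
    $bin = sg_pton($ip);
    if ($bin === false) { return null; }
    // an IPv4-mapped IPv6 address (::ffff:a.b.c.d) is matched against the IPv4 rules
    if (strlen($bin) === 16 && substr($bin, 0, 12) === str_repeat("\0", 10) . "\xff\xff") {
        $ip = inet_ntop(substr($bin, 12));
    }
    foreach ($banList as $entry) {
        if (sg_ip_in_cidr($ip, $entry)) { return $entry; }   // first matching rule wins
    }
    return null;
}

// constructed sample ban list mixing single hosts and ranges of both families
$bans = ['198.51.100.0/24', '203.0.113.5', '2001:db8::/32', '2001:db8:ffff::1'];
foreach (['198.51.100.77', '::ffff:203.0.113.5', '2001:db8:1::9', '2001:db9::1'] as $visitor) {
    $hit = sg_is_banned($visitor, $bans);
    echo $visitor, ' => ', $hit === null ? 'allowed' : "banned by $hit", PHP_EOL;
}
```

A ban table that stores dotted-quad strings and compares them with string functions will silently pass the mapped form of a banned IPv4 address, which is why the comparison is done on the packed bytes.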
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
Posted: Sun Apr 03, 2011 8:17 pm

I'm still liking zbblock for its minimalistic approach. Though there is no user interface to monitor/manage stats. Which makes it a great candidate for hooking into for its use of the stop forum spam blocklist.

Looking forward to hearing more.

Raven
Posted: Sun Apr 03, 2011 10:24 pm

To my knowledge I have never heard of this. Having just spent some time on their site I definitely think this may be a viable replacement for Nuke Sentinel (TM). I have downloaded the script. I was really happy to see RavenNuke (TM) listed on the front page in the "ZB Block is tested and compatible with these php applications:" column.

ZB Block Web Site
 
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Sat Apr 23, 2011 9:50 am

Sorry, late to the party. Just some random thoughts as I read through the various responses (and you get to figure out what they relate to - lol):

The company I work for is pushing really hard on "Cloud Computing" and "Virtualization" (essentially internal private cloud), so I've been researching/reading/trying-my-best-to-keep-up on these topics. Given SG's potential growth and computing needs, I'd give strong consideration to Amazon's cloud offerings. It allows us small guys a chance to look bigger than what we really are... Some really well-known services run on it, a la Twitter. You pay for what you use and will grow as you do.

I, too, would be lost within IP Tracking and also like the ability to ban right from it. But, I wonder if it really should just be a separate "product" (CA Tracker? Tracking Guardian?), but with good hooks into SG to very quickly and effectively "spank" when needed.

I also agree that NS (or maybe something slimmer like discussed here) still has its place unless you are somehow going to blindly run ALL input through the filtering PRIOR to importing the super global variables. I don't really like that idea because you don't really know what/how to filter just by inspecting the super globals. What I was hoping RN would transition to, was a new API (start with just a small handful of things, with filtering as one key one) and modify the core modules and other RN code to use the new API, but somehow leave NS to protect all the non-RN provided stuff...

I'll leave it at that for now. Good stuff!

kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6432
Posted: Thu Apr 28, 2011 9:29 pm

Wow...it's amazing what I've missed! As I "re-engage" with RN, SG and ZB are both appealing.

@Guardian: thoughts on integrating ZB with SG?

Finally, I'm sure several enjoyed the ZB quote: IIS = It Isn't Secure.

Guardian2003
Posted: Fri Apr 29, 2011 1:40 am

@ kguske - yes I could integrate ZB with SG but it wouldn't be in the initial release.
 