Standard Security API

registered · Regular Joined: Dec 26, 2003 Posts: 50

I am interested in your feedback on this. I am thinking about a standard function that all security patches would implement. So instead of doing a "die" upon a hack attemp, the script would call a standard function which depending on the cirucumstances, would issue a warning or ban the ip (or ban the ip range).

I propose that the function would be based on Protector system, since so much work has already been done, and the admin headaches have been taken care of already. As a result, the hack attempts would be logged to protector tables. Lacking protector tables, a standard email will be issued to admin.

This is similar to Raven's union hack alert, but would be generalized and made available to security authors.

I am proposing a function call in the next article.

Posted: Sun Mar 28, 2004 12:00 am

Function protector_alert($comment, $type, $arg, $severity_level)

input parameters:
$comment: security codes comments e.g. "hack happened xyz..."
$type: 0=url 1=Get 2=Post 3=Union ..
$arg: url if $type=0,1,2 $sql statement if $type=3
$severity: 0-10 ban=10, warnings are anything less than 10, they accumulate and if total is 10, ip is banned.

The code will write the ip number, the comments, type, arg, etc. to protector tables. If protector table does not exist, then emails the info to admin.

Protector table may have to be modified slightly to account for the parameters. We are also introducing a warning type, that does not ban automatically ... e.g. if a user types in a legit. sql union statement (e.g. in sql forums).

steve

Posted: Sun Mar 28, 2004 8:00 pm

Cool, I did a downsized system like this I think users like the info even if they never do anything with it. Heck its fun when it comes right down to it.

Posted: Mon Mar 29, 2004 11:42 am

Well, to make it more clear, I am asking people who write secruity patches to implement something like this in their code. This is a programming discipline:

So for example, right now we do:
Code:

Code:




$topic_id = intval($_GET['t']);

instead, do this:
Code:

Code:




if (intval($_GET['t']) != $_GET['t']) { 


  //hack detected 


  protector_alert(....); 


}


else { 


  //normal process 


  ...

Posted: Mon Mar 29, 2004 12:21 pm

You'd have to make it something like
if($protector = true)
or did I miss protector getting added to the official distro?
But I like the idea Very Happy

Posted: Mon Mar 29, 2004 12:41 pm

sixonetonoffun wrote:

You'd have to make it something like
if($protector = true)
or did I miss protector getting added to the official distro?
But I like the idea Very Happy

True, the function will internally check for existance of protector tables. If they don't exist, then it simply emails (like Raven's). Otherwise, writes the content to the tables.

So this is ready to go when Protector is officially included (and it will be, 99% for sure).

steve

Posted: Mon Mar 29, 2004 2:44 pm

Sorry I did read that in your 2nd post but forgot you already addressed this.

Posted: Mon Mar 29, 2004 4:00 pm

I have released ptap version 1.0 which implements the function described here.
[ Only registered users can see links on this board! Get registered or login! ]

Posted: Mon Mar 29, 2004 5:11 pm

Geez, I'm not welcome there. I respect that so its blackholed at my firewall Rolling Eyes

Maybe another time.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Seriously? What happens when you try?

Posted: Mon Mar 29, 2004 7:32 pm

Raven,
Browser just times out I blocked their IP as a reminder to myself to not temp fate.

steve1,
I'm wondering if you did anything like if X-IP's get warned from the same hostname do a lookup of the domain block and autoban the entire block until the admin clears it? I've only got 2 levels ban and warn going. Ban for specific violations and ban for more then 6 warns. Right now all I'm warning on is No User-Agent. But its easy to expand now Very Happy

If not I might work on something in my "spare" time.

Posted: Mon Mar 29, 2004 7:37 pm

sixonetonoffun, I am working within the confines of Protector, so I did not have the luxury of a fancy banning system, the way you described. So in my model, you either get banned or get a warning. It is a single IP and not arange.

At the same time, if admin starts getting multiple emails (ptap provides automatic emails), then the admin can decide, through Protector interface, to do whatever one wishes with it.

I have seen too much security code being written where the trapped hacker simply sees a "die" and no ip blocking, so I decided to do something about it.

steve

Posted: Mon Mar 29, 2004 7:47 pm

steve1,
Don't get me wrong you just renewed my interest in the whole concept.

Nothing fancy here just very crude simple functions:
if num rows $result >2
and such.
Luxury is I haven't shared any files with anyone yet so I can tweak the tables yet without causing others grief.

Posted: Mon Mar 29, 2004 8:15 pm

sixonetonoffun, reading your post again, I think the additional functionality that you are talking about ARE GREAT.

I would like to suggest that they be included within Protector. Protector is 99% sure to be included in the follow-on releases of Nuke. That way, our ideas have a good chance of being propagated, and improved by others.

Posted: Tue Mar 30, 2004 12:08 am

Ok this isn't great because it requires fopen=on but it works. Basically its based on 4CM_Grabber.php [ Only registered users can see links on this board! Get registered or login! ]

Ravens code from hackattempt.php is better.
This will return the netrange from arins sadly they don't do lookups by hostname. So we just have to choose the ip to search by random basically from an array of matches so there will be a little more to do but this is a weak start in the right direction. I just wanted to see how hard it would be to get this much to work with.

Code:




<?php


// $hacker_ip = IP to search


$GrabURL = "http://ws.arin.net/cgi-bin/whois.pl?queryinput=".$hacker_ip."";  //-  Complete URL Of The Page Your Grabbing From!


$GrabStart = "NetRange";  //- HTML Code To Start Grab. Must Be A Unique Bit Of Code!


$GrabEnd = "CIDR";  //- HTML Code To End Grab. Must Be A Unique Bit Of Code!


$OpenFile = fopen("$GrabURL", "r"); //- DO NOT CHANGE


$RetrieveFile = fread($OpenFile, 200000);  //- Reduce This To Save Memory


$GrabData = eregi("$GrabStart(.*)$GrabEnd", $RetrieveFile, $DataPrint);


fclose($OpenFile); //- DO NOT CHANGE


$raw_info = strip_tags($DataPrint[1]);


$rangez = str_replace(":", "", "$raw_info");


$ban_range = trim($rangez);


?>

Posted: Tue Mar 30, 2004 12:29 am

sixonetonoffun, nice job. My question is at this point: what are we going to do with the ip range. Are we banning the whole range?

I think I would need geo information. If the IP is from certain countries, I just ban the range. If they are on a N.American dial up, then the range would represent a whole bunch of people... and I would not want to ban them. [edit: I see that arin also returns geo info. That could also be exposed..].

For example every credit card taken on a site of mine from a certain former USSR satellite country is fraud.

Any ideas? Disclaimer: I have not looked into Raven's code yet.

Posted: Tue Mar 30, 2004 12:57 am

I'm thinking a Message (User from IP and Hostname has been banned from this site for 24hrs. Please contact site admin to lift ban if you feel this was done in error.) I use a dynamic image to show the admin email there.

I think an auto time limit say 24hrs could be done easily. Otherwise admin can manuelly remove sooner if wanted. I didn't consider geo but its a very good point. A lot of people will say this is all better done at the firewall level but the majority of us don't have that lux.

Something like this in (what I called) isbanned() function:

Code:




$Diff = (time() - $hacker_time))/60/60/24;


           if ($Diff > 1)  // 1 day ago ban lifted

I don't know how to approach the geo idea exactly without seeming to be discriminating big time against folks Wink

I don't have a manuel add IP to static ban function but that could be done too I guess.

Posted: Tue Mar 30, 2004 12:24 pm

Protector system (which I use) already has the feature of informing someone coming thru banned ip's, so I am not worried about that personally.

What is of interest to me is banning someone who comes in, gets banned, and then comes back in thru another ip.. my guess is that the other ip would also be in the same range.

So Protector could be modified in this way. Add a new field called range.
When hacker comes in and gets banned, save the range as well (using arin- thanks for the pointer).
Next time the hacker comes in (assuming using the same ISP), and we are going to ban him, just look up to see if in a pre-existing range, and then ban the whole range.

There would still be a maintenance problem with large ISP's (AOL, eg.). This could become a headache.

The easier approach:
-I think in my ptap code, I will also write arin's range and geo information to Protector tables. You quickly get an idea once you start looking at Geo's how to deal with the problem (as Geos stay in your memory, vs. IP numbers).

steve

Posted: Tue Mar 30, 2004 2:52 pm

Yeah AOL is a real issue I have access to test from AOL but I haven't had the time to do it. The biggest trouble is getting the actual IP not the AOL proxy. If you've any tips on that one let me know. It would be hard to do short of getting them to do a direct file tranfere or an https connection (Which if is available should be exploited for all it worth. ie for logins at least.)

re: The easier approach.
Yes the info is there to get for the user to work with in htaccess which is going to do a lot better job. For the time being I'm either going with a 1hr or 1day auto ban though for percieved DoS attacks.

Posted: Tue Mar 30, 2004 4:20 pm

Note* Why do automated lookups at all then? Just put a lookup url into the html output everyone else does. Thats what I did originally.

Edit* Forget that if we are comparing dialup users we need that at the time of attack info.

Posted: Tue Mar 30, 2004 6:00 pm

Don't really know what to do about AOL. I think I will just watch what's happening.

As far as automated lookups, it is not necessary until there is a lot of attack, otherwise as you say, URL will do.

Posted: Tue Mar 30, 2004 11:21 pm

This is puttin the cart before the horse but rather then do an extensive lookup >Check>react I revamped the NSS code by Panoo. His method was to match a close range. Its a little hit and miss but what isn't here? So anyway here is the functions as I'm using/testing them now.
I call isBanned() in my header function before any html and call isWarned() right after the body tag.

Code:




        function isBanned()


        {


                global $ADVT_NAME, $ADMIN_EMAIL, $ADMIN_NAME, $ADVT_URL;


                dbConnect();


                $ip2 = @gethostbyname(gethostbyaddr("getenv('REMOTE_ADDR')"));


                $test = @gethostbyaddr(gethostbyname($ip2));


                $result = mysql_query("SELECT hacker_ip,attack_time from hackers WHERE hacker_ban='2'") or error( die());


                $ip = explode (".",$ip2);


                if (mysql_num_rows($result)>0) {


                while (list($hacker_ip,$attack_time) = mysql_fetch_row($result)) {


                $Diff = (time() - $attack_time)/60/60/24; 


                if ($Diff < 1){ // 1 day ban lifted 


                  $ban_ip = explode (".",$hacker_ip);


           if ($ip[0] == $ban_ip[0] && $ip[1] == $ban_ip[1]) {


      echo "<html><head></head><body><center><br><H1>$ADVT_NAME</H1><br><b>This system has interpreted your actions as malicious!!!<br>Your not allowed to use our services for a period of 24 Hours. Should you be detected performing additional malicious actions we will send all information to the ISP connected with your service. Most ISP's will terminate users who violate their Terms of Service. Attempting to deface, hack or steal from others using your internet connection would most certainly be in violation of any reputable ISP's Terms of Service.</b><br><br><img src=\"$ADVT_URL/images/hacker.jpg\" alt=\"Ooops busted!\"><br><br><b>Your IP address $ip2 and Hostname $test were recorded.</b></center>";


      echo "<P align=\"center\">If you have been banned without cause please contact our administrator.</P><P align=\"center\"><B>At the email address shown here</B>.</P><P align=\"center\"><img src='$ADVT_URL/admin.php' alt=\"Anti Spam Image\"/img></P><P> Describe what actions took place to cause you to become banned. If you have no idea just do the best you can to describe what took place. Include the reported IP and Hostname in all communications.</P></body></html>";


      exit;


   }


}else{


}





       if ($ip2 == '') { die();}


                   }


                 }


        }


        function isWarned()


        {


                global $ADVT_NAME, $ADMIN_EMAIL, $ADMIN_NAME, $ADVT_URL;


                dbConnect();


                $ip2 = @gethostbyname(gethostbyaddr("getenv('REMOTE_ADDR')"));


                $test = @gethostbyaddr(gethostbyname($ip2));


                $ip = explode (".",$ip2);


                $result = mysql_query("SELECT hacker_ip,hacker_hostname from hackers WHERE hacker_ip='$ip2' AND hacker_ban='1'") or error( die());


                if (mysql_num_rows($result)>0) {


                while (list($hacker_ip, $hacker_hostname) = mysql_fetch_row($result)) {


                  $ban_ip = explode (".",$hacker_ip);


           if ($ip[0] == $ban_ip[0] && $ip[1] == $ban_ip[1]) {


      


   }


   }


                echo "<div align=\"left\" class=\"warn\"><b>Warning!</b><small><br>Someone from:<br>IP <b>(</b>".$ip2."<b>)</b><br>Hostname <b>(</b>".$test."<b>)</b><br>Has been performing actions considered malicious.<br>This is evidenced to be <b>you</b> please contact our site administrator. <P align=\"left\"><img src='$ADVT_URL/admin.php' alt=\"Anti Spam Image\"/img></P><P>Send a detailed explanation of your actions to prevent your becoming banned from this site.</small></div>";


   


   


   if (mysql_num_rows($result)>1) {


      echo("<div align=\"left\" class=\"warn\"><b>Alert!</b><small><br>You have repeated your malicious acts resulting in your being suspended for 24hrs.</small></div>");


      include("ban.php");


      sleep(5); 


      exit;


      


      }


       if ($ip2 == '') { die();}


                   }


        }