{"id":32,"date":"2020-06-17T03:36:51","date_gmt":"2020-06-17T01:36:51","guid":{"rendered":"https:\/\/www.olivierlange.com\/?p=32"},"modified":"2020-06-17T03:37:10","modified_gmt":"2020-06-17T01:37:10","slug":"php-ids-ou-comment-proteger-son-site-web","status":"publish","type":"post","link":"https:\/\/olivierlange.com\/index.php\/2020\/06\/17\/php-ids-ou-comment-proteger-son-site-web\/","title":{"rendered":"PHP-IDS, or how to protect your website"},"content":{"rendered":"\n<p class=\"has-text-align-center\">Warning: this article was written in February 2009 and has not been updated since.<\/p>\n\n\n\n<p>A while ago I discovered an indispensable tool, which is moreover open source. That is all it takes for me to throw myself at it headlong.<\/p>\n\n\n\n<p><strong>PHP-IDS, what is it?<\/strong><br>It is an intrusion detection system written in PHP. It sits between the pages of the site and the data entered by the user, and detects injection attempts, whether SQL, XSS or other. It works with a system of \u201cpoints\u201d: each detection is given a weight (its impact), the weights are summed per request, and if the total exceeds the threshold you tolerate, the page is not rendered. Note that PHPIDS itself only produces the report and the score; deciding what to do with it (log, mail, block) is left to the code that calls it, as the prepend file below shows.<\/p>\n\n\n\n<p>Be careful: this is not a miracle solution! It remains necessary to code properly to avoid problems. PHPIDS only adds an extra layer of protection to the site on which it is configured.<\/p>\n\n\n\n<h2><strong>Setup<\/strong><\/h2>\n\n\n\n<ol><li>Get the sources from the official site (the links point to Internet Archive snapshots of the original project site):\u00a0<a rel=\"noreferrer noopener\" href=\"https:\/\/web.archive.org\/web\/20121125014554\/http:\/\/php-ids.org\/downloads\/\" target=\"_blank\">http:\/\/php-ids.org\/downloads\/<\/a><\/li><li>Unpack the sources<\/li><li>Update the files <em>default_filter.xml<\/em> and <em>Converter.php<\/em> from the project's trunk so that the detection rules are as current as possible:<ul><li><a rel=\"noreferrer noopener\" href=\"https:\/\/web.archive.org\/web\/20121125014554\/https:\/\/svn.php-ids.org\/svn\/trunk\/lib\/IDS\/default_filter.xml\" target=\"_blank\">https:\/\/svn.php-ids.org\/svn\/trunk\/lib\/IDS\/default_filter.xml<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/web.archive.org\/web\/20121125014554\/https:\/\/svn.php-ids.org\/svn\/trunk\/lib\/IDS\/Converter.php\" target=\"_blank\">https:\/\/svn.php-ids.org\/svn\/trunk\/lib\/IDS\/Converter.php<\/a><\/li><\/ul><\/li><li>Place the lib\/IDS directory among your project's libraries, outside the web root<\/li><li>Configure the file IDS\/Config\/Config.ini (the \/chemin\/vers\/... paths below are placeholders to replace with your own):<\/li><\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>; PHPIDS Config.ini\n\n; General configuration settings\n\n; !!!DO NOT PLACE THIS FILE INSIDE THE WEB-ROOT\n; IF DATABASE CONNECTION DATA WAS ADDED!!!\n\n&#91;General]\n\n    ; basic settings - customize to make the PHPIDS work at all\n    filter_type     = xml\n    filter_path     = \/chemin\/vers\/lib\/IDS\/default_filter.xml\n    tmp_path        = \/chemin\/vers\/lib\/IDS\/tmp\n    ; set scan_keys = true to also scan parameter names, not only their values\n    scan_keys       = false\n\n    ; in case you want to use a different HTMLPurifier source, specify it here\n    ; By default, those files are used that are being shipped with PHPIDS\n    HTML_Purifier_Path  = IDS\/vendors\/htmlpurifier\/HTMLPurifier.auto.php\n    HTML_Purifier_Cache = 
IDS\/vendors\/htmlpurifier\/HTMLPurifier\/DefinitionCache\/Serializer\n\n    ; define which fields contain html and need preparation before\n    ; hitting the PHPIDS rules (new in PHPIDS 0.5)\n    html&#91;]          = __wysiwyg\n\n    ; define which fields shouldn't be monitored (a&#91;b]=c should be referenced via a.b)\n    ; __utmz and __utmc are Google Analytics cookies whose values trigger false positives\n    exceptions&#91;]    = __utmz\n    exceptions&#91;]    = __utmc\n\n    ; PHPIDS should run with PHP 5.1.2 but this is untested - set\n    ; this value to force compatibility with minor versions\n    ;min_php_version = 5.1.6\n    min_php_version = 5.1.2\n\n; If you use the PHPIDS logger you can define specific configuration here\n\n&#91;Logging]\n\n    ; file logging\n    ; not needed if you log to the database\n    path            = \/chemin\/vers\/lib\/IDS\/tmp\/phpids_log.txt\n\n    ; email logging\n\n    ; note that enabling safemode you can prevent spam attempts,\n    ; see documentation\n    recipients&#91;]    = test@test.com.invalid\n    subject         = \"PHPIDS detected an intrusion attempt!\"\n    header          = \"From: &lt;PHPIDS> info@php-ids.org\"\n    safemode        = true\n    allowed_rate    = 15\n\n    ; database logging\n    ; placeholder credentials: replace them, and keep this file out of the web root\n\n    wrapper         = \"mysql:host=localhost;port=3306;dbname=phpids\"\n    user            = phpids_user\n    password        = phpids\n    table           = intrusions\n\n; If you would like to use other methods than file caching you can configure them here\n\n&#91;Caching]\n\n    ; caching:      session|file|database|memcached|none\n    caching         = memcached\n    expiration_time = 600\n\n    ; file cache\n    path            = \/chemin\/vers\/lib\/IDS\/tmp\/default_filter.cache\n\n    ; database cache\n    wrapper         = \"mysql:host=localhost;port=3306;dbname=phpids\"\n    user            = phpids_user\n    password        = 123456\n    table           = cache\n\n    ; memcached\n    host           = localhost\n    port           = 11211\n    key_prefix     = PHPIDS\n    tmp_path       = 
\/chemin\/vers\/lib\/IDS\/tmp\/memcache.timestamp<\/code><\/pre>\n\n\n\n<ol start=\"6\"><li>The database is only needed if you want to store the logs in it: you can choose between a plain log file, syslog, a database, or no logging at all. If you want to use a database, create it according to the information given in the config file (same host, database name, user and password as in the Logging section). The table is created as follows; note that the <code>ip<\/code> column is sized for IPv4 addresses only:<\/li><\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>CREATE TABLE `intrusions` (\n  `id` int(11) unsigned NOT NULL auto_increment,\n  `name` varchar(128) NOT NULL,\n  `value` text NOT NULL,\n  `page` varchar(255) NOT NULL,\n  `userid` int(11) unsigned NOT NULL,\n  `session` varchar(32) NOT NULL,\n  `ip` varchar(15) NOT NULL,\n  `reaction` tinyint(3) unsigned NOT NULL COMMENT '0 = log; 1 = mail; 2 = warn; 3 = kick;',\n  `impact` int(11) unsigned NOT NULL,\n  `created` datetime NOT NULL,\n  PRIMARY KEY  (`id`)\n);<\/code><\/pre>\n\n\n\n<ol start=\"7\"><li>Once configured, all that remains is to include it in our sites. For this, I advise creating a prepend file and configuring the .htaccess so that it is loaded before anything else (the <code>php_value auto_prepend_file<\/code> directive). Here is an example of the handler file; adapt it to your needs:<\/li><\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\n\n\/\/ Add the library path to the include path\nset_include_path(\n    get_include_path()\n    . PATH_SEPARATOR\n    . 
'\/chemin\/vers\/lib\/'\n);\n\n\/\/ Load PHP-IDS\nrequire_once 'IDS\/Init.php';\n\n\/*\n * Wrap the whole run in try\/catch so that any error raised\n * by PHPIDS itself can be caught\n *\/\ntry {\n    \/\/ Mind the EGPCS order (variables_order): the sources are merged\n    \/\/ explicitly here instead of relying on $_REQUEST\n    $request = array_merge_recursive($_GET, $_POST, $_COOKIE);\n    \/\/ Same library path as in set_include_path() above\n    $init = IDS_Init::init('\/chemin\/vers\/lib\/IDS\/Config\/Config.ini');\n\n    \/\/ Run the IDS\n    $ids = new IDS_Monitor($request, $init);\n    $result = $ids->run();\n\n    \/\/ Decision...\n    if (!$result->isEmpty()) {\n        \/*\n         * For DEBUG purposes you can simply do\n         * echo $result;\n         *\/\n        \/\/ Example reaction: display an error message\n        echo \"Sorry, but it seems your browser has sent incorrect data.&lt;br>\";\n\n        \/\/ Log the attack\n        \/*\n         * For a log file:\n         * require_once 'IDS\/Log\/File.php';\n         *\/\n        require_once 'IDS\/Log\/Database.php';\n        require_once 'IDS\/Log\/Composite.php';\n\n        $compositeLog = new IDS_Log_Composite();\n        $compositeLog->addLogger(IDS_Log_Database::getInstance($init));\n        \/*\n         * For a log file\n         * $compositeLog->addLogger(IDS_Log_File::getInstance($init));\n         *\/\n\n        $compositeLog->execute($result);\n        die();\n    } else {\n        \/\/ You can print something to show that PHPIDS is running\n        \/\/ (debug only: this is prepended to every response of the site)\n        \/\/echo '&lt;a href=\"?test=%22>&lt;script>eval(window.name)&lt;\/script>\">No attack detected - click for an example attack&lt;\/a>';\n        echo \"PHPIDS is running\";\n    }\n} catch (Exception $e) {\n    \/\/ Note: an exception here means the request goes on without inspection\n    \/\/ (fail-open); keep the detail in the server log, not in the page\n    error_log('PHPIDS error: ' . $e->getMessage());\n    echo 'An error occurred while checking the request.';\n}<\/code><\/pre>\n\n\n\n<ol start=\"8\"><li>All that remains is to test the application! You can see an example of what should happen here:\u00a0<a rel=\"noreferrer noopener\" href=\"https:\/\/web.archive.org\/web\/20121125014554\/http:\/\/demo.php-ids.org\/\" target=\"_blank\">http:\/\/demo.php-ids.org\/<\/a><\/li><\/ol>\n\n\n\n<p>Note: PHP-IDS requires at least PHP 5.1.2 to work. Moreover, if you want to log the data into a MySQL database, you must have PDO and PDO MySQL enabled.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Warning: this article was written in February 2009 and has not been updated since. A while ago I discovered an indispensable tool&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/olivierlange.com\/index.php\/2020\/06\/17\/php-ids-ou-comment-proteger-son-site-web\/\">Continue reading<span class=\"screen-reader-text\">PHP-IDS, or how to protect your website<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,9],"tags":[],"_links":{"self":[{"href":"https:\/\/olivierlange.com\/index.php\/wp-json\/wp\/v2\/posts\/32"}],"collection":[{"href":"https:\/\/olivierlange.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/olivierlange.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/olivierlange.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/olivierlange.com\/index.php\/wp-json\/wp\/v2\/comments?post=32"}],"version-history":[{"count":1,"href":"https:\/\/olivierlange.com\/index.php\/wp-json\/wp\/v2\/posts\/32\/revisions"}],"predecessor-version":[{"id":33,"href":"https:\/\/olivierlange.com\/index.php\/wp-json\/wp\/v2\/posts\/32\/revisions\/33"}],"wp:attachment":[{"href":"https:\/\/olivierlange.com\/index.php\/wp-json\/wp\/v2\
/media?parent=32"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/olivierlange.com\/index.php\/wp-json\/wp\/v2\/categories?post=32"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/olivierlange.com\/index.php\/wp-json\/wp\/v2\/tags?post=32"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
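The prepend file in step 7 of the post blocks on any non-empty report, so it never uses the impact score that the introduction describes, and its catch block lets the request through if PHPIDS itself fails. The following is an added example, not code from the original post or from the PHPIDS project: a prepend file that grades the summed impact of a request into the four reaction levels of the intrusions table (0 = log, 1 = mail, 2 = warn, 3 = kick) and fails closed on error. It assumes the PHPIDS 0.6-era classes the post uses (IDS_Init, IDS_Monitor, IDS_Log_File, IDS_Log_Composite) plus IDS_Log_Email and IDS_Report::getImpact(), the library under /chemin/vers/lib/ as in the post, and three thresholds (IDS_IMPACT_MAIL, IDS_IMPACT_WARN, IDS_IMPACT_KICK) whose values are assumptions to tune on real traffic.

```php
<?php
// Added example, not code from the original post or the PHPIDS project.
// A prepend file that grades the PHPIDS impact score into the four reaction
// levels of the intrusions table (0 = log, 1 = mail, 2 = warn, 3 = kick)
// instead of blocking on any non-empty report, and that fails closed.
// Assumptions: PHPIDS 0.6-era classes as used in the post (IDS_Init,
// IDS_Monitor, IDS_Log_File, IDS_Log_Composite) plus IDS_Log_Email and
// IDS_Report::getImpact(); the library under /chemin/vers/lib/; and the
// three thresholds below, which are illustrative values to tune per site.

set_include_path(get_include_path() . PATH_SEPARATOR . '/chemin/vers/lib/');

require_once 'IDS/Init.php';
require_once 'IDS/Log/File.php';
require_once 'IDS/Log/Email.php';
require_once 'IDS/Log/Composite.php';

// Assumed thresholds on the summed impact of one request.
define('IDS_IMPACT_MAIL', 10);
define('IDS_IMPACT_WARN', 25);
define('IDS_IMPACT_KICK', 50);

/**
 * Map a total impact score to a reaction level, on the same scale as the
 * `reaction` column of the intrusions table.
 */
function ids_reaction_level($impact)
{
    if ($impact >= IDS_IMPACT_KICK) {
        return 3; // kick
    }
    if ($impact >= IDS_IMPACT_WARN) {
        return 2; // warn
    }
    if ($impact >= IDS_IMPACT_MAIL) {
        return 1; // mail
    }
    return 0;     // log only
}

try {
    // Same input set as the post. array_merge_recursive() keeps a key that
    // appears in several sources (e.g. a cookie shadowing a GET parameter)
    // as an array, so every copy is scanned rather than only the last one.
    $request = array_merge_recursive($_GET, $_POST, $_COOKIE);

    $init   = IDS_Init::init('/chemin/vers/lib/IDS/Config/Config.ini');
    $ids    = new IDS_Monitor($request, $init);
    $result = $ids->run();

    if (!$result->isEmpty()) {
        $level = ids_reaction_level($result->getImpact());

        // Always keep a file trace; add the mail logger from level 1 up.
        // The mail logger honours safemode / allowed_rate from the Logging
        // section, so a burst of hits does not become a burst of mails.
        $log = new IDS_Log_Composite();
        $log->addLogger(IDS_Log_File::getInstance($init));
        if ($level >= 1) {
            $log->addLogger(IDS_Log_Email::getInstance($init));
        }
        $log->execute($result);

        if ($level >= 3) {
            // kick: invalidate the caller's session before refusing, so the
            // same session cannot carry on after the attempt
            if (isset($_COOKIE[session_name()])) {
                session_start();
                session_destroy();
            }
        }
        if ($level >= 2) {
            // warn and kick both refuse the request; a prepend file runs
            // before any output, so the status header can still be sent
            header('HTTP/1.1 400 Bad Request');
            echo 'Sorry, but it seems your browser has sent incorrect data.';
            exit;
        }
        // levels 0 and 1: recorded (and mailed), the request goes on
    }
} catch (Exception $e) {
    // Fail closed: if PHPIDS cannot run (unreadable config, missing filter
    // file), do not serve the page unchecked. Detail goes to the server log
    // only, never to the client.
    error_log('PHPIDS error: ' . $e->getMessage());
    header('HTTP/1.1 503 Service Unavailable');
    exit;
}
```

Install it like the post's file, through auto_prepend_file in the .htaccess. To pick the thresholds, run for a while with the file logger only and read the impact values it records for your own traffic, so you can see where benign input (apostrophes, HTML in a comment field) and real payloads fall before turning on the blocking levels. Failing closed in the catch block is a deliberate choice: it trades availability for not serving pages unchecked when the configuration is broken.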