Tiny-IDS - a tiny intrusion detection system

patrickd

http://drupal.org/project/tinyids

After several conceptual changes, I finally created a first dev release.

It's still under development, but I would really appreciate deep code and functionality reviews of the current state.
Feel free to express your opinion and discuss the general implementation in the issue queue.

regards.

Comments

Cool idea

rjbrown99

Interesting idea; I was going to do something similar but more along the lines of a poor man's IPS. One of the problematic things I see on a regular basis is bots trolling my site for specific paths. For example:

GET /phpMyAdmin/index.php
GET /phpmyadmin/index.php
GET /phpMyAdmin-2.5.5-rc1/index.php

... and so forth. I'd like to permanently kill them as they are consuming resources. My thought was simply to create path alias entries for those paths, pointing back at a single callback function. The callback interacts with libiptphp to drop in iptables rules blocking access for whatever IP happens to hit it. This could also be done using Drupal's IP blocking, but I avoid that for my purposes and prefer to use OS-level firewall rules.

I'll check out your module for sure - I get tons of form input SQL injector bots as well so it should be fairly easy to test against the common web pests. Thanks for putting it together.
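As an added example (not part of this thread or of either module), here is the detection half of the approach rjbrown99 sketches, scanning access-log lines for the probe paths listed above and for the `' or '1'='1` style query from later in the thread, and reporting which IPs crossed a hit threshold. The log lines, the probe prefixes and the threshold are constructed assumptions; the resulting IP list is what a callback would hand to Drupal's IP blocking or to a firewall rule.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Oct/2010:13:55:37 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Oct/2010:13:55:38 +0000] "GET /phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Oct/2010:14:02:01 +0000] "GET /node/12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2010:14:05:44 +0000] "GET /node/12'%20or%20'1'='1%23 HTTP/1.1" 404 512 "-" "curl/7.19"
"""

# Minimal parser for the fields we need: client IP, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Honeypot prefixes (assumed): nothing legitimate on this site lives under them,
# so any request here is a scanner, like the path-alias callback idea above.
PROBE_PREFIXES = ("/phpmyadmin", "/pma/")
# Crude tell for the thread's ' or '1'='1 probe, checked on the URL-decoded path.
SQLI_RE = re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)


def classify(line):
    """Return (ip, kind) for a suspicious line, or None for benign/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m.group("path"))  # decode %20 etc. before matching
    if path.lower().startswith(PROBE_PREFIXES):
        return (m.group("ip"), "probe")
    if SQLI_RE.search(path):
        return (m.group("ip"), "sqli")
    return None


def suspicious_hits(log_text):
    """Count suspicious requests per (ip, kind)."""
    return Counter(c for c in map(classify, log_text.splitlines()) if c)


def block_candidates(log_text, threshold=2):
    """IPs whose suspicious hits (all kinds) reach the threshold, sorted."""
    per_ip = Counter()
    for (ip, _kind), n in suspicious_hits(log_text).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    print(dict(suspicious_hits(SAMPLE_LOG)))
    print(block_candidates(SAMPLE_LOG))
```

A threshold above one keeps a single malformed request from a legitimate user off the block list; the per-kind counts are also useful as detector tuning data before any enforcement is wired in.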

Yep, I know these bots well

patrickd

Yep, I know these bots well ^^

I've also tried to figure out a good way to block such requests, but I could not find a way that had an acceptable performance impact. (Seems like these bot scans consume fewer resources than any logger that tries to block them out.)

It has been a while since the release, and I know the code is still a little messy (it's a dev! ;-P), but I've had no technical feedback yet, and I would really appreciate some concept and code reviews before I continue to work on this.

(I commented it pretty well! I promise!)

Thanks

tinyids-alpha1

patrickd

Spent some more work on it and released a first alpha for D6 and D7:
https://drupal.org/project/tinyids

Very interesting

chales

This looks promising. A coworker and I were just discussing this very topic so I'm certainly going to take it for a test drive and will give you feedback.


Chris Hales - mediacurrent.com

Trying it on D6

plaverty

I'm testing out TinyIDS on my D6 instance. I installed it and set it to paranoid. Then I tried tinkering with the URL, both by putting some XSS in the URL bar and then on another page, replacing the node id with ' or '1'='1#

Sure, I get a 404, but I don't see anything from TinyIDS in my Recent Log Entries. Should I? How do you best test that TinyIDS is functioning properly and reacting to attacks?

Thank you.

Thanks for testing! :)

patrickd

(Please use the module's issue queue for reporting any of your findings.)

I guess you were logged in as admin while you tested it?
As admins have the "bypass tinyids" permission by default, everything they do will be ignored.

I included a simpletest (it was a ten-minute thing, so bear with me) to test its general functionality quickly.
