Logging the HTTP requests!
Logs are a very important part of security, whether for preventing attacks or for forensics. But sometimes you don’t have access to the server’s logs, for example in shared hosting environments.
Logs, and I’m speaking about logging the HTTP requests, can help you a great deal. With them you can anticipate defacements: someone constantly trying to inject SQL commands may, who knows, be on to something. They can also help you detect bruteforce attacks (if such protections weren’t implemented in the original login scripts). Needless to say, they will (probably) help you trace back a careless attacker.
A rudimentary logging system would look something like this (assuming that a MySQL connection has already been opened):
function sqle($in) { return mysql_real_escape_string($in); }
function start_log() {
    // Client-supplied headers may be absent; default to '' to avoid notices.
    $referer = sqle(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');
    $uagent  = sqle(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
    $iproxy  = sqle($_SERVER['REMOTE_ADDR']);
    $exactly = date('r');
    // <TABLE> and <DATA> are placeholders filled in below; the other values are already escaped.
    $model = "INSERT INTO <TABLE> (iproxy, referer,
        uagent, exactly, data) VALUES ('$iproxy',
        '$referer', '$uagent', '$exactly', '<DATA>')";
    // $_POST and $_GET always exist, so test for content rather than isset().
    if(!empty($_POST)) {
        $data  = sqle(serialize($_POST));
        $query = str_replace('<DATA>', $data, $model);
        mysql_query(str_replace('<TABLE>', 'postlog', $query));
    }
    if(!empty($_GET)) {
        $data  = sqle(serialize($_GET));
        $query = str_replace('<DATA>', $data, $model);
        mysql_query(str_replace('<TABLE>', 'getlog', $query));
    }
}
As you can see, we have two tables with the same layout, one named ‘postlog’ and the other ‘getlog’. From this point on you can write scripts that check the logged data for XSS, SQL injection and LFI/RFI attempts.
I, for example, use it to track those trying to bruteforce my login credentials, and to monitor wrongly entered passwords, if any.
Another thing to note is that the script logs everything passed via a request, so it’s not recommended to add it on login pages without setting an exception for the password field.
Another security enhancement would be to keep the tables in a different database from the one used by the website, so that in case of an SQL injection no sensitive log data would be revealed (sensitive if you didn’t add the exceptions mentioned above). What is the best way to achieve this? By adding a dedicated MySQL connection to the example above. Upon inclusion, the code executed would be the following:
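As an added example of the checking scripts mentioned above (this is not code from the original post), the following analyzer takes rows as they would come back from the ‘getlog’ or ‘postlog’ table, decodes the serialized request data, flags values matching a few injection-style signatures, and counts login submissions per address to spot bruteforcing. The row layout (iproxy, exactly, data) follows the post; the signature list, the assumed login field name ‘username’, the threshold and the sample rows are all constructed for the demo.

```php
<?php
// Added example, not from the original post: an offline analyzer for rows pulled
// from the getlog/postlog tables. Row layout follows the post (iproxy, exactly,
// data = serialize()d request array); patterns, field names and thresholds are
// assumptions chosen for the demo.

// Signatures for the attempt classes the post mentions. Deliberately short and
// conservative; tune them against your own traffic to keep false positives down.
function suspicious_patterns(): array {
    return [
        'sqli' => '/\bUNION\b\s+SELECT\b|\bOR\b\s+\d+\s*=\s*\d+|\bSLEEP\s*\(/i',
        'xss'  => '/<script\b|javascript:|\bon(?:load|error|click|mouseover)\s*=/i',
        'lfi'  => '/\.\.\/|\.\.\\\\|\/etc\/passwd|php:\/\//i',
        'rfi'  => '/^(?:https?|ftp):\/\//i',   // whole parameter value is a remote URL
    ];
}

// Decodes what the logger stored; never allows objects to be instantiated.
function decode_params(string $data) {
    $params = @unserialize($data, ['allowed_classes' => false]);
    return is_array($params) ? $params : null;
}

// Returns the names of the patterns that match any (possibly nested) parameter value.
function classify_row(array $row): array {
    $params = decode_params($row['data']);
    if ($params === null) {
        return ['malformed'];   // the logger stored something we cannot decode
    }
    $hits = [];
    array_walk_recursive($params, function ($value) use (&$hits) {
        if (!is_string($value)) {
            return;
        }
        foreach (suspicious_patterns() as $name => $regex) {
            if (preg_match($regex, $value)) {
                $hits[$name] = true;
            }
        }
    });
    return array_keys($hits);
}

// Counts, per address, rows that look like login submissions (assumed field "username").
function login_attempts_per_ip(array $rows): array {
    $counts = [];
    foreach ($rows as $row) {
        $params = decode_params($row['data']);
        if ($params !== null && array_key_exists('username', $params)) {
            $counts[$row['iproxy']] = ($counts[$row['iproxy']] ?? 0) + 1;
        }
    }
    return $counts;
}

// Constructed sample rows standing in for "SELECT iproxy, exactly, data FROM postlog".
function sample_rows(): array {
    $mk = function (string $ip, string $when, array $params): array {
        return ['iproxy' => $ip, 'exactly' => $when, 'data' => serialize($params)];
    };
    $rows = [
        $mk('198.51.100.7', '2008-03-10 10:00:01', ['page' => 'about']),
        $mk('203.0.113.5',  '2008-03-10 10:00:05', ['id' => '1 UNION SELECT 1,2,3']),
        $mk('203.0.113.5',  '2008-03-10 10:00:09', ['q' => '<script>x</script>']),
        $mk('203.0.113.9',  '2008-03-10 10:01:00', ['file' => '../../../etc/passwd']),
    ];
    // Six login submissions from one address within a minute. No password field is
    // present because the logger is assumed to skip it, as the post advises.
    for ($i = 0; $i < 6; $i++) {
        $rows[] = $mk('203.0.113.42', sprintf('2008-03-10 10:02:%02d', $i * 7), ['username' => 'admin']);
    }
    return $rows;
}

// Produces one finding per suspicious row plus one per address over the threshold.
function report(array $rows, int $bruteforceThreshold = 5): array {
    $findings = [];
    foreach ($rows as $row) {
        $hits = classify_row($row);
        if ($hits !== []) {
            $findings[] = sprintf('%s %s %s', $row['exactly'], $row['iproxy'], implode(',', $hits));
        }
    }
    foreach (login_attempts_per_ip($rows) as $ip => $n) {
        if ($n >= $bruteforceThreshold) {
            $findings[] = sprintf('%s possible bruteforce: %d login submissions', $ip, $n);
        }
    }
    return $findings;
}

foreach (report(sample_rows()) as $line) {
    echo $line, PHP_EOL;
}
```

Run it from the command line with php; with the constructed rows it reports the three injection-style rows and the address that submitted six logins. To run it against real data, replace sample_rows() with a query over the log tables and feed the fetched rows to report().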
//some general inclusion you make
//include logger.php (this is our script expanded)
function sqle($in) { ... }
function start_log() {
    // A separate connection, with its own credentials, to the log database.
    $handle = mysql_connect('host','user','pass');
    mysql_select_db('logDB', $handle);
    ...
    if(!empty($_POST)) {
        ...
        mysql_query(
            str_replace('<TABLE>','postlog',$query),
            $handle
        );
    }
    if(!empty($_GET)) {
        ...
        mysql_query(
            str_replace('<TABLE>','getlog',$query),
            $handle
        );
    }
    mysql_close($handle);
}
Another thing to note is that the website’s database user shouldn’t have rights on the log database. You should create a special user just for the logging part.
Also, if you like automated stuff, as I do, you’d love a logrotate-like implementation which you could run from cron:
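Putting the last three points together (a password-field exception, a separate log database, and a dedicated user), here is an added example of a logger written that way; it is not the post’s own code. It uses the mysqli extension with a prepared statement instead of mysql_real_escape_string, so the values never need escaping. The table and column names (postlog/getlog with iproxy, referer, uagent, exactly, data) follow the post; the host, the account name ‘weblogger’, its password and the list of redacted field names are assumptions.

```php
<?php
// Added example, not the post's own code: a logger that writes to a separate
// log database through a dedicated, insert-only account and never stores
// password fields. Host, user, password and the redacted field list are
// assumptions; table and column names follow the post.

const LOG_DB_HOST = 'localhost';
const LOG_DB_USER = 'weblogger';   // assumed account, granted INSERT on logDB.* only
const LOG_DB_PASS = 'change-me';   // placeholder
const LOG_DB_NAME = 'logDB';

// Field names whose values must never reach the log tables (assumed list).
function redacted_fields(): array {
    return ['password', 'passwd', 'pass', 'pwd', 'password_confirm'];
}

// Returns a copy of the request array with sensitive values replaced. Works
// recursively so that nested fields such as login[password] are covered too.
function redact(array $params): array {
    $blocked = array_flip(redacted_fields());
    foreach ($params as $key => $value) {
        if (is_array($value)) {
            $params[$key] = redact($value);
        } elseif (isset($blocked[strtolower((string) $key)])) {
            $params[$key] = '[redacted]';
        }
    }
    return $params;
}

// Opens the log connection with its own credentials: the website's database
// user never touches logDB, and this user cannot read the website's tables.
function log_connect(): mysqli {
    $handle = new mysqli(LOG_DB_HOST, LOG_DB_USER, LOG_DB_PASS, LOG_DB_NAME);
    if ($handle->connect_error) {
        throw new RuntimeException('log db: ' . $handle->connect_error);
    }
    return $handle;
}

// Inserts one row through a prepared statement, so no value is ever
// interpolated into the SQL. Returns false when there was nothing to log.
function write_log(mysqli $handle, string $table, array $params): bool {
    if ($params === []) {
        return false;
    }
    // The table name is chosen from a fixed set, never taken from the request.
    $table = $table === 'postlog' ? 'postlog' : 'getlog';
    $stmt = $handle->prepare(
        "INSERT INTO $table (iproxy, referer, uagent, exactly, data) VALUES (?, ?, ?, ?, ?)"
    );
    $iproxy  = $_SERVER['REMOTE_ADDR'] ?? '';
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    $uagent  = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $exactly = date('r');
    $data    = serialize(redact($params));
    $stmt->bind_param('sssss', $iproxy, $referer, $uagent, $exactly, $data);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Call this from the common include, exactly as the post does with start_log().
function start_log(): void {
    $handle = log_connect();
    write_log($handle, 'postlog', $_POST);
    write_log($handle, 'getlog', $_GET);
    $handle->close();
}
```

The matching MySQL account is created with something like GRANT INSERT ON logDB.* TO 'weblogger'@'localhost' (name and host are the same assumptions as above); with only INSERT, an injection through the website’s own connection cannot read the log rows, and a compromise of the logging account cannot read or alter them either.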
mysql_connect('host','user','pass');
mysql_select_db('logDB');
$date = date('Y-m-d');
$path = '/home/logs/';
$file = $path.'default.txt';
// INTO OUTFILE is written by the MySQL server process on the server's own host,
// so $path must exist there (and be writable by it) and the account needs the
// FILE privilege. It also refuses to overwrite an existing file, hence the
// rename after each export. The exported rows are not deleted here; truncate
// the tables yourself if you want a true rotation rather than a full dump.
$query = "SELECT * FROM <TABLE> INTO OUTFILE '$file'
    FIELDS TERMINATED BY ' ' LINES TERMINATED BY '\n'";
mysql_query(str_replace('<TABLE>', 'getlog', $query));
rename($file, $path.$date.'(GET).txt');
mysql_query(str_replace('<TABLE>', 'postlog', $query));
rename($file, $path.$date.'(POST).txt');
That’s it about logs (and logging) for the moment. Maybe another time I’ll write an article about analyzing HTTP logs.
Another thing I wanted to mention is that a similar approach can be found on the web as a WordPress plugin. I wanted to share it but unfortunately couldn’t find it while writing the article.
P.S. I didn’t write the table creation syntax, but you can do it yourself. There’s not much to it, a bunch of varchar fields…
UPDATE: did some minor editing; when renaming the files, they would have been put in the script’s executing directory.