PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP-based web application. The IDS neither strips, sanitizes nor filters any malicious input; it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules, any attack is given a numerical impact rating, which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.
For security reasons, I want to install PHPIDS outside of the document root, so I create the directory /var/www/web1/phpids:
Then I install PHPIDS as follows (at the time of this writing the latest version was 0.4.7) – of all the contents of the phpids-0.4.7.tar.gz file, we only need the lib/ directory:
Now I change to the directory /var/www/web1/phpids/lib/IDS…
… and make the tmp/ directory (which will hold the PHPIDS log file) writable for the Apache user and group:
Next we configure the PHPIDS configuration file (Config.ini):
I’m using the default configuration here; all I did was adjust the paths:
; PHPIDS Config.ini

; General configuration settings

; !!!DO NOT PLACE THIS FILE INSIDE THE WEB-ROOT IF DATABASE CONNECTION DATA WAS ADDED!!!

[General]

filter_type = xml
filter_path = /var/www/web1/phpids/lib/IDS/default_filter.xml
tmp_path = /var/www/web1/phpids/lib/IDS/tmp
scan_keys = false

exceptions[] = __utmz
exceptions[] = __utmc

; If you use the PHPIDS logger you can define specific configuration here

[Logging]

; file logging
path = /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt

; email logging

; note that enabling safemode you can prevent spam attempts,
; see documentation
recipients[] = firstname.lastname@example.org
subject = "PHPIDS detected an intrusion attempt!"
header = "From: <PHPIDS> email@example.com"
safemode = true
allowed_rate = 15

; database logging
wrapper = "mysql:host=localhost;port=3306;dbname=phpids"
user = phpids_user
password = 123456
table = intrusions

; If you would like to use other methods than file caching you can configure them here

[Caching]

; caching: session|file|database|memcached|none
caching = file
expiration_time = 600

; file cache
path = /var/www/web1/phpids/lib/IDS/tmp/default_filter.cache

; database cache
wrapper = "mysql:host=localhost;port=3306;dbname=phpids"
user = phpids_user
password = 123456
table = cache

; memcached
;host = localhost
;port = 11211
;key_prefix = PHPIDS
;tmp_path = /var/www/web1/phpids/lib/IDS/tmp/memcache.timestamp
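Since the whole point of this layout is to keep the configuration, log and cache files out of reach of the web server, the path settings are worth checking after editing. The following Python script is an added example, not part of the original tutorial or of PHPIDS; the document root /var/www/web1/web, the Config.ini location and the function names are assumptions, and the sample input is constructed.

```python
import configparser
import posixpath

# Constructed sample: the tutorial's path settings, plus one deliberately bad
# cache path that climbs back into the assumed document root.
SAMPLE_INI = """\
[General]
filter_path = /var/www/web1/phpids/lib/IDS/default_filter.xml
tmp_path = /var/www/web1/phpids/lib/IDS/tmp
[Logging]
path = /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt
[Caching]
caching = file
path = /var/www/web1/phpids/../web/cache/default_filter.cache
"""

PATH_KEYS = ("filter_path", "tmp_path", "path")

def inside(path, root):
    """True if path lies in root after lexically collapsing '.' and '..'."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")

def audit(ini_text, docroot, config_file):
    """Return findings for files the web server could serve to visitors."""
    findings = []
    if inside(config_file, docroot):
        findings.append(f"config file {config_file} is inside the document root")
    # strict=False: Config.ini repeats keys; interpolation=None keeps '%' literal
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(ini_text)
    for section in cfg.sections():
        for key in PATH_KEYS:
            value = cfg.get(section, key, fallback=None)
            if value is None:
                continue
            value = value.strip('"')
            if not value.startswith("/"):
                findings.append(f"[{section}] {key} is relative: {value}")
            elif inside(value, docroot):
                findings.append(f"[{section}] {key} is inside the document root: {value}")
    return findings

if __name__ == "__main__":
    # Assumed locations; adjust to the actual vhost layout.
    for line in audit(SAMPLE_INI, "/var/www/web1/web",
                      "/var/www/web1/phpids/lib/IDS/Config/Config.ini"):
        print(line)
```

The comparison is purely lexical, so it does not follow symlinks; on the server itself, resolve each path with os.path.realpath before comparing.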