...............IOSec.org Anti Flood Security Gateway Module v.1.1...............
Coded by Gökhan Muharremoğlu
License: GNU Library or Lesser General Public License version 3.0 (LGPLv3)
Release Date: 16.05.2012 v.1.1
--What does this module do?
This module provides security enhancements against HTTP flood and brute-force attacks for PHP scripts.
Mass scanning tools (vulnerability scanners) and HTTP flood tools can be blocked by this module via htaccess, iptables, etc. (using the "banlist" file).
--How can I use this module?
It is really simple! You can use this module by including "iosec.php" in any PHP file that you want to protect.
To do so, add this line to your PHP script: "include('./iosec.php');"
This package contains a test page (test.php) in which "iosec.php" is already included.
You can configure the IOSec Security Gateway Module by opening the admin panel URL (http://YOUR_SITE/iosec_admin/index.php).
BENEFITS:
CONS:
USAGE & EXPLANATIONS
Files:
/
-test.php (This is just a test file so you can see how the module works. Delete this file when the script goes live.)
-iosec.php (The core script module. This file should be included in the pages that should be protected. NEVER leave it writeable.)
iosec_admin/
-.iosec_config (The main configuration file for "iosec.php". You can embed this file into "iosec.php"; this will reduce the attack surface on script files.)
-index.php (This is just a GUI for the ".iosec_config" file.)
-banlist (Detected IP addresses are listed here. You can use this file with iptables or htaccess via bash scripts.)
-banlisttemp (Just a system file. IP and time correlations are listed in it.)
-ips (Just a system file. Every request is listed in it.)
-sample.htaccess (You can use this file to restrict public access. Rename it before use.)
-sample.htpasswd (Username: iosec, Password: iosec_demo)
Default Password for Admin Panel:
Password: 123 (Attention! Please change this password before you go live with your module!)
Default Password and User for Admin Panel Basic Auth. (sample.htaccess):
Username: iosec (Attention! Please change this before you go live with your module!)
Password: iosec_demo (Attention! Please change this before you go live with your module!)
Make sure that these files are not readable by the public via browser (Internet).
To use the "sample.htaccess" file, rename it to ".htaccess" and edit it.
To use the "sample.htpasswd" file, rename it to ".htpasswd".
Use .htaccess or other restriction functions to prevent these files from being published:
iosec_admin/
-.iosec_config
-ips
-banlist
-banlisttemp
-index.php
You should restrict access to the iosec_admin/ folder for public users from the Internet (e.g. by Basic Authentication).
These files must be in world writeable mode (locally):
-ips
-banlist
-banlisttemp
-.iosec_config (this file should not be left in world writeable mode after saving via admin panel.)
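The Files section says the banlist can be used with iptables via bash scripts, and the list above requires that file to be world writeable. The following shell script is an added example, not part of the IOSec package: it assumes the banlist holds one IPv4 address per line (the format is not documented here), validates every line, and prints iptables DROP rules instead of running them. All function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the IOSec package.
# Assumption: iosec_admin/banlist holds one IPv4 address per line.
# The file is world-writable, so each line is untrusted: only strict
# dotted-quad addresses (octets 0-255, no leading zeros) are passed on.

OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
IPV4_RE="($OCTET\\.){3}$OCTET"

# clean_lines FILE: strip CRs and surrounding whitespace, drop blank lines
clean_lines() {
    tr -d '\r' < "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# valid_bans FILE: unique, validated addresses, one per line
valid_bans() {
    clean_lines "$1" | grep -Ex "$IPV4_RE" | LC_ALL=C sort -u
}

# rejected_lines FILE: entries that failed validation (possible tampering)
rejected_lines() {
    clean_lines "$1" | grep -Evx "$IPV4_RE"
}

# iptables_rules FILE: print (not execute) one DROP rule per valid address
iptables_rules() {
    valid_bans "$1" | while IFS= read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# write_sample FILE: constructed banlist with valid, duplicate and bad lines
write_sample() {
    printf '%s\n' '203.0.113.7' '198.51.100.23 ' '203.0.113.7' \
        '999.1.1.1' '0.0.0.0/0' '192.0.2.5; echo not-an-address' \
        '010.0.0.1' > "$1"
    printf '192.0.2.44\r\n' >> "$1"
}

# Demo: use the file given as $1, else the constructed sample
if [ "$#" -gt 0 ]; then
    iptables_rules "$1"
else
    demo=$(mktemp) && write_sample "$demo" && iptables_rules "$demo"
    rm -f "$demo"
fi
```

Check the output of rejected_lines before applying the printed rules; unexpected entries in a world-writeable file can indicate tampering.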
CONFIGURATION DESCRIPTIONS
Connection Interval: This is the interval, in seconds, that must pass before a second connection is accepted.
If you choose the value 1 (1 second), a second request within 1 second will be suspended by the module. You can enter values like 0.1, 0.001, etc.
Suspended Process Timeout: When the connection interval rule finds that a connection is prohibited, this timeout value is applied.
For example, if the connection interval is 1 and this value is 30, a second connection within 1 second will be suspended for 30 seconds.
Page Redirection: You can redirect detected users to another page after the timeout page disappears.
Send Me Mail: The module can send you a mail when an IP address is detected.
Block Proxies: You can identify and block proxies via HTTP header.
Show Debug Info: Time and IP information will be displayed on the suspension page when this option is activated.
Use Incremental Blocking: This option will increase the suspension time if the attack is still happening.
For example, if C.I. is 1 and a second connection happens within 1 second, it will be suspended for 30 seconds (example above).
With this option activated, if one connection happens in 10 seconds, the suspension time is increased.
MADE IN TURKEY
Gökhan Muharremoğlu
Information Security Specialist
You can reach me @
gokhanmuh@users.sourceforge.net
gokhan.muharremoglu@iosec.org
https://sourceforge.net/projects/iosec/
http://www.iosec.org