In association with heise online


The basic setup in Serendipity works just like that in WordPress. The only exception is the first path in example.php, where you need to replace the wordpress folder name with serendipity (provided the blog is located at /var/www/serendipity). Then include example.php after the following two lines in index.php:

header('HTTP/1.0 200');
header('Status: 200 OK');

Alternatively, PHP can include example.php automatically, with no need to change the original files. All you need to do is set the

auto_prepend_file = /var/www/serendipity/example.php

option in /etc/php5/apache2/php.ini and restart the web server. The advantage of this method is that every PHP file will automatically be protected via the IDS. However, this nifty little trick is not universally applicable. Our tests revealed problems in other PHP applications such as Drupal, for example multiple log entries for a single attack or even application failures. You will need to experiment with this yourself.


Integrating the IDS into this CMS is just as simple, and the same instructions as for WordPress apply. Include the example.php file as your first PHP instruction in index.php.


Drupal users can use a custom PHPIDS module which simplifies installation and configuration. At the time of testing, offered the current version for Drupal 6, phpids-6.x-1.8-beta2.tar.gz. Drupal expects to find non-standard modules in the sites/all/modules directory. You will need to create a modules directory and move the folder you extracted from the tarball to this location. However, the module doesn't contain the actual PHPIDS files, which need to be downloaded manually and installed in the phpids module directory. The Drupal module files should reside in sites/all/modules/phpids, while the PHPIDS files should be in sites/all/modules/phpids/lib, as described in the previous configurations.

An attempted attack becomes apparent relatively quickly in Drupal's report.

Next, create a phpids subdirectory in the temporary /tmp folder (caution – this does not refer to the lib/IDS/tmp path) and set up write access for the web server:

sudo chown www-data:www-data /tmp/phpids

The newly added module can be enabled using Drupal's "/Administer/Site Building/Modules" menu. The "/Administer/Site Configuration/Logging and Alerts/PHPIDS Settings" menu now opens the PHPIDS configuration menu. For "PHP-IDS Path", enter /var/www/drupal/sites/all/modules/phpids/lib; use /tmp/phpids for "PHP-IDS Temp Path". Conveniently, setting the "warning impact" allows users to not only log, but also to prevent attacks. An attacker is then redirected to an alert page, and the request is discarded. The remaining fields in this menu can be filled in, or left blank, as required.

Once the settings are saved, the IDS goes live. It will now log any attacks in Drupal's report feature, which is accessible at "Administer/Reports/Recent Log Entries".
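
The shell functions below are an added example, not part of the original article or of PHPIDS. They check the two pieces of host configuration described above: the auto_prepend_file entry in php.ini from the Serendipity section and the /tmp/phpids directory from the Drupal section. The function names and the script name are hypothetical, and the script assumes an absolute path in auto_prepend_file and a calling user who is allowed to read the files involved.

```shell
#!/bin/sh
# Added example: pre-restart checks for the host setup described in the article.
# Usage: sh check_ids_setup.sh /path/to/php.ini [tmp-dir] [web-server-user]

# Print the active auto_prepend_file value from a php.ini file. Lines that
# start with ';' are comments; if the directive is repeated, the last one is
# taken (assumed here to match how PHP reads the file).
prepend_value() {
    sed -n 's/^[[:space:]]*auto_prepend_file[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 |
        sed -e 's/[[:space:]]*;.*$//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# 0: target is a readable regular file; 1: directive unset or empty;
# 2: target missing or unreadable. PHP loads the prepended file as if by
# require, so a wrong path makes every request fail after the restart.
check_prepend() {
    value=$(prepend_value "$1")
    if [ -z "$value" ]; then
        echo "auto_prepend_file is not set in $1" >&2
        return 1
    fi
    if [ ! -f "$value" ] || [ ! -r "$value" ]; then
        echo "auto_prepend_file target is missing or unreadable: $value" >&2
        return 2
    fi
    echo "auto_prepend_file = $value"
}

# 0: directory is usable; 1: missing or a symlink; 2: wrong owner;
# 3: world-writable. /tmp is shared, so another local user could have
# created /tmp/phpids first; ownership and mode are checked for that reason.
check_tmpdir() {
    dir=$1
    owner=$2
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    set -- $(ls -ld "$dir")          # $1 = mode string, $3 = owner name
    [ "$3" = "$owner" ] || return 2
    case $1 in
        ????????w*) return 3 ;;      # ninth character is the "other" write bit
    esac
    return 0
}

# Run both checks when a php.ini path is given on the command line.
if [ "$#" -ge 1 ]; then
    check_prepend "$1" && check_tmpdir "${2:-/tmp/phpids}" "${3:-www-data}"
fi
```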


Getting into the practical aspects of PHPIDS is quick and easy. No in-depth configuration of the application to be monitored is required; if in doubt you can simply delete "include ('example.php')". Drupal offers the most practical solution and includes both a clear report and the possibility to prevent attacks. One can only hope that many operators of PHP applications will use this approach to help stem the current flood of attacks on vulnerable applications.

