Simple web application firewall using .htaccess

Apache provides a simple web application firewall by a allowing for a “.htaccess” file with certain rules in it. This is a file you put in your document root and may restrict or allow access from certain specific IP addresses. NB: These commands may also be put directly in the virtual host configuration file in “/etc/apache2/sites-available/”.

Use Case #1: Test environment

Sometimes you may want to lock down a site and only grant access from a limited set of IP addresses. The following example (for Apache 2.2) only allows access from the IP address “127.0.0.1” and blocks any other request:

Order Allow,Deny
Deny from all
Allow from 127.0.0.1

In Apache 2.4 the syntax has slightly changed:

Require all denied
Require ip 127.0.0.1

You can find your IP address on: whatismyipaddress.com

Use Case #2: Application level firewall

If you run a production server and somebody is abusing your system with a lot of requests then you may want to block a specific IP address. The following example (for Apache 2.2) only blocks access from the IP address “172.28.255.2” and allows any other request:

Order deny,allow
Allow from all
Deny from 172.28.255.2

In Apache 2.4 the syntax has slightly changed:

Require all granted
Require not ip 172.28.255.2

If you want to block an entire range you may also specify CIDR notation:

Require all granted
Require not ip 10.0.0.0/8
Require not ip 172.16.0.0/12
Require not ip 192.168.0.0/16

NB: Not only IPv4, but also IPv6 addresses may be used.

Static code analysis for PHP templates

Templating is cool. Everybody is using Twig today. Other popular choices are: Smarty, Mustache and Latte. You may also want to read what Fabien Potencier has written about PHP templates languages. It makes sense.

Still I can think of two reasons why we don’t want a templating language and we rather use PHP itself for templating. First reason: PHP templating is easier to learn than a PHP templating language.  Second reason: it executes faster.

PHP templating languages improve security

I tried to understand what the primary reason is that people are using a templating language. It seems to be ease of use, while keeping the application secure. The following example shows how easily you can write unsafe code:

Hello <?php echo $POST['name']; ?>!

It would only be safe to print a POST variable when using:

<?php echo htmlspecialchars($POST['name'],ENT_QUOTES,'UTF-8'); ?>

A templating language typically allows you to write something like:

Hello {{ name }}!

I agree that security is improved by using a templating language. The templating language escapes the output strings in order to prevent XSS vulnerabilities. But still I wonder: Can’t we get the same security benefits when we use native PHP for templating?

Helper function

As you have seen the PHP way of escaping is rather long. Fortunately, you can easily define a function that allows an alternative syntax, for instance:

Hello <?php e($POST['name']); ?>!

Yup, that is the “e” for “echo” :-). Now we can report all native (unescaped) echo function calls as being potentially unsafe. This can be achieved by doing static code analysis. While analyzing the code the analyzer could complain like this:

PHP Warning:  In "template.php" you should not use "echo" on line 1. Error raised  in analyzer.php on line 11

This could be limited to debug mode as static code analysis actually takes some time and may harm the performance of your application.

Static code analysis in PHP

I worked out the idea of secure PHP templating using static code analysis. In development (debug) mode it should warn the programmer when he uses a potentially non-safe construct.

The following analyzer script shows how this works:

<?php
$tokens    = array('T_ECHO', 'T_PRINT', 'T_EXIT', 'T_STRING', 'T_EVAL', 'T_OPEN_TAG_WITH_ECHO');
$functions = array('echo', 'print', 'die', 'exit', 'var_dump', 'eval', '<?=');
$filename  = 'template.php';

$all_tokens = token_get_all(file_get_contents($filename));
foreach ($all_tokens as $token) {
  if (is_array($token)) {
    if (in_array(token_name($token[0]),$tokens)) {
      if (in_array($token[1],$functions)) {
        trigger_error('In "'.$filename.'" you should not use "'.htmlentities($token[1]).'" on line '.$token[2].'. Error raised ', E_USER_WARNING);
      }
    }
  }
}

It will analyze the “template.php” file and report potentially insecure or erroneous language constructs.

This form of templating and static code analysis is fully implemented in the MindaPHP framework that you can find on my Github account. You can find the source code of the PHP static code analyzer class here.

Linux commands “astu” and “astsu” in Mr. Robot

mr_robot

People told me that the hacking in “Mr Robot” was pretty accurate. Mr Robot is a TV series about a hacker named “Elliot”. I had to see it, but until now I was lacking the time. Last Sunday was a prefect lazy day and I took the time to finally watch it. I must admit it was pretty amazing to see the inside of a data-center and all the geeky Linux command line screens in a such a popular TV series.

Linux commands “astu” and “astsu”

When Elliot (the main character) is hacking he uses two Linux commands frequently: “astu” and “astsu”. The commands play a critical role in the series. I did not know what they did, so I wondered:

Did anyone figure out what the “astsu” command is supposed to be? Did he just type random characters or what? The other commands I noticed were all real.

On which some other user on the Cyberpunk and Science Fiction board replied:

It seems to be used like sudo (or ssh) would so I guess the idea was that the company that he works for has its own way to allow safe privilege escalation and this is the tool they install astsu = AllSafe Toolkit Super User (allsafe security being the company name).

You should read the Mr. Robot Episode 1 Analysis for more detail on the actual commands used during the hacking.

Things I liked

Some things were really spot on in the series and I liked them a lot:

  1. The correctness, detail and accuracy of the hacking that goes on.
  2. Elliot has some social challenges and thus feels like an outsider.
  3. Elliot is unhappy and this is his strength, as he has nothing to lose.

But not everything was good, there was also some stuff that bothered me in the series.

Things that bothered me

Here is a list of the most annoying things in the series:

  1. Elliot uses a smart-phone and he never switches SIM or phone.
  2. Elliot’s schizophrenia is making his conspiracy thinking less genuine.
  3. Computers and downers do not match. Caffeine on the other hand…

I feel the makers of Mr. Robot should have thought these things over better. Nevertheless they made an enjoyable TV series. Recommended!

 

Limit concurrent PHP requests using Memcache

When you run a website you may want to use nginx reverse proxy to cache some of your static assets and also to limit the amount of connections per client IP to each of your applications. Some good modules for nginx are:

Many people are not running a webfarm, but they still want to protect themselves against scrapers and hackers that may slow the website (or even make it unavailable). The following script allows you to protect your PHP application from too many concurrent connections per IP address. You need to have Memcache installed and you need to be running a PHP web application that uses a front controller.

Installing Memcache for PHP

Run the following command to install Memcache for PHP on a Debian based Linux machine (e.g. Ubuntu):

sudo apt-get install php5-memcache memcached

This is easy. You can flush your Memcache data by running:

telnet 0 11211
flush_all

You may have to restart apache for the Memcache extension to become active.

sudo service apache2 restart

Modifying your front controller

It is as simple as opening up your “index.php” or “app.php” (Symfony) and then pasting in the following code in the top of the file:

<?php
function firewall($concurrency,$spinLock,$interval,$cachePrefix,$reverseProxy)
{
  $start = microtime(true);
  if ($reverseProxy && isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = array_pop(explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']));
  }
  else {
    $ip = $_SERVER['REMOTE_ADDR'];
  }
  $memcache=new Memcache();
  $memcache->connect('127.0.0.1', 11211);
  $key=$cachePrefix.'_'.$ip;
  $memcache->add($key,0,false,$interval);
  register_shutdown_function(function() use ($memcache,$key){ $memcache->decrement($key); });
  while ($memcache->increment($key)>$concurrency) {
    $memcache->decrement($key);
    if (!$spinLock || microtime(true)-$start>$interval) {
      http_response_code(429);
      die('429: Too Many Requests');
    }
    usleep($spinLock*1000000);
  }
}
firewall(10,0.15,300,'fw_concurrency_',false);

Add these lines if you want to test the script in stand-alone mode:

session_start();
session_write_close();
usleep(3000000);

With the default setting you can protect a small WordPress blog as it limits your visitors to do 10 concurrent(!) requests per IP address. Note that this is a lot more than 10 visitors per IP address. A normal visitor does not do concurrent requests to PHP as your browser tends to send only one request at a time. Even multiple users may not do concurrent requests (if you are lucky). In case concurrent requests do happen they will be delayed for “x” times 150 ms until the concurrency level (from that specific IP) is below 10. Other IP addresses are not affected/slowed down.

If you use a reverse proxy you can configure this (to get the correct IP address from the “X-Forwarded-For” header). Also if you set “$spinLock” to “false” then you will serve “429: Too Many Requests” if there are too many concurrent requests instead of stalling the connection.

This functionality is included as the “Firewall” feature of the new MindaPHP framework and also as the firewall functionality in the LeaseWeb Memcache Bundle for Symfony. Let me know what you think about it using the comments below.

Open source privacy tools µBlock and µMatrix

In the past we have been giving some attention to the tools Adblock Plus and RequestPolicy when we talked about enhancing your privacy and security online.

“The user decides what web content is acceptable or not in their browser.” – µBlock manifesto

Today we want to introduce you to two alternative (open source) tools for this, made by Raymond Hill: µBlock and µMatrix

µBlock

This is a simple tool, comparable to Adblock Plus, but it is open source and light-weight and very user friendly. This tool uses the approach and block-lists as AdBlock Plus and has the main advantage of being more lightweight as you can see in the graph below:

ublock

Source code and more information: https://github.com/gorhill/uBlock

µMatrix

This tool is comparable to RequestPolicy and is aimed at blocking non first party requests, like RequestPolicy. It has a nice matrix that you can easily click to allow/disallow certain requests. I have found that it works much better as it also allows related 3rd party domains. For instance redditmedia.com is not blocked on reddit.com, where RequestPolicy would block it.

umatrix

Source code and more information: https://github.com/gorhill/uMatrix

Installation

On the following links you find the installable extensions for Chromium and Firefox:

Conclusion

Both tools enhance your security and privacy online. They are easy to use and have great integration with the free Chrome (Chromium) browser. Unfortunately µMatrix is not yet available for Firefox, but this may only be a matter of time. I would highly recommend to use both tools in your Chromium install and I would recommend µBlock also on Firefox.