einundzwanzig/einundzwanzig-verein
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-nostr.git synced 2026-02-04 15:53:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add Security Monitoring System with Command, Model, and Service

Browse Source 
- 🛡️ Introduce `SecurityMonitor` service for tampering and malicious activity detection.
- 🏷️ Add `SecurityAttempt` model and migration to log, categorize, and query security attempts.
- 🖥️ Create `SecurityAttemptsCommand` for filtering, statistics, and top IP analysis.
-  Add extensive tests to ensure the reliability of security monitoring and logging.
- 🔗 Integrate `SecurityMonitor` into the exception handling pipeline for real-time monitoring.
This commit is contained in:
HolgerHatGarKeineNode
2026-02-04 13:40:30 +01:00
parent 064ed68638
commit 5b814d631b
6 changed files with 664 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

166
app/Console/Commands/SecurityAttemptsCommand.php Normal file
View File

@@ -0,0 +1,166 @@
<?php
namespace App\Console\Commands;
use App\Models\SecurityAttempt;
use Illuminate\Console\Command;
class SecurityAttemptsCommand extends Command
{
protected $signature = 'security:attempts
{--hours=24 : Show attempts from the last N hours}
{--ip= : Filter by IP address}
{--severity= : Filter by severity (low, medium, high)}
{--component= : Filter by component name}
{--stats : Show statistics only}
{--top-ips=10 : Show top N attacking IPs}';
protected $description = 'View and analyze security attack attempts';
public function handle(): int
{
$hours = (int) $this->option('hours');
if ($this->option('stats')) {
return $this->showStats($hours);
}
if ($this->option('top-ips')) {
return $this->showTopIps($hours, (int) $this->option('top-ips'));
}
return $this->showAttempts($hours);
}
private function showAttempts(int $hours): int
{
$query = SecurityAttempt::query()->recent($hours);
if ($ip = $this->option('ip')) {
$query->fromIp($ip);
}
if ($severity = $this->option('severity')) {
$query->severity($severity);
}
if ($component = $this->option('component')) {
$query->forComponent($component);
}
$attempts = $query->latest()->limit(100)->get();
if ($attempts->isEmpty()) {
$this->info("No security attempts found in the last {$hours} hours.");
return self::SUCCESS;
}
$this->table(
['ID', 'Time', 'IP', 'Severity', 'Component', 'Property', 'Exception'],
$attempts->map(fn (SecurityAttempt $a) => [
$a->id,
$a->created_at->format('Y-m-d H:i:s'),
$a->ip_address,
$this->formatSeverity($a->severity),
$a->component_name ?? '-',
$a->target_property ?? '-',
class_basename($a->exception_class),
])
);
$this->newLine();
$this->info("Showing {$attempts->count()} attempts (max 100). Use filters to narrow down.");
return self::SUCCESS;
}
private function showStats(int $hours): int
{
$total = SecurityAttempt::query()->recent($hours)->count();
$bySeverity = SecurityAttempt::query()
->recent($hours)
->selectRaw('severity, COUNT(*) as count')
->groupBy('severity')
->pluck('count', 'severity')
->toArray();
$uniqueIps = SecurityAttempt::query()
->recent($hours)
->distinct('ip_address')
->count('ip_address');
$topComponents = SecurityAttempt::query()
->recent($hours)
->whereNotNull('component_name')
->selectRaw('component_name, COUNT(*) as count')
->groupBy('component_name')
->orderByDesc('count')
->limit(5)
->pluck('count', 'component_name')
->toArray();
$this->info("Security Attempts - Last {$hours} hours");
$this->newLine();
$this->table(['Metric', 'Value'], [
['Total Attempts', $total],
['Unique IPs', $uniqueIps],
['High Severity', $bySeverity['high'] ?? 0],
['Medium Severity', $bySeverity['medium'] ?? 0],
['Low Severity', $bySeverity['low'] ?? 0],
]);
if (! empty($topComponents)) {
$this->newLine();
$this->info('Top Targeted Components:');
$this->table(
['Component', 'Attempts'],
collect($topComponents)->map(fn ($count, $name) => [$name, $count])->toArray()
);
}
return self::SUCCESS;
}
private function showTopIps(int $hours, int $limit): int
{
$ips = SecurityAttempt::query()
->recent($hours)
->selectRaw('ip_address, COUNT(*) as count, MAX(severity) as max_severity')
->groupBy('ip_address')
->orderByDesc('count')
->limit($limit)
->get();
if ($ips->isEmpty()) {
$this->info("No security attempts found in the last {$hours} hours.");
return self::SUCCESS;
}
$this->info("Top {$limit} Attacking IPs - Last {$hours} hours");
$this->newLine();
$this->table(
['IP Address', 'Attempts', 'Max Severity'],
$ips->map(fn ($row) => [
$row->ip_address,
$row->count,
$this->formatSeverity($row->max_severity),
])
);
return self::SUCCESS;
}
private function formatSeverity(string $severity): string
{
return match ($severity) {
'high' => '<fg=red>HIGH</>',
'medium' => '<fg=yellow>MEDIUM</>',
'low' => '<fg=green>LOW</>',
default => $severity,
};
}
}

50
app/Models/SecurityAttempt.php Normal file
View File

@@ -0,0 +1,50 @@
<?php
namespace App\Models;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
class SecurityAttempt extends Model
{
protected $fillable = [
'ip_address',
'user_agent',
'method',
'url',
'route_name',
'exception_class',
'exception_message',
'component_name',
'target_property',
'payload',
'severity',
];
protected function casts(): array
{
return [
'payload' => 'array',
];
}
public function scopeFromIp(Builder $query, string $ip): Builder
{
return $query->where('ip_address', $ip);
}
public function scopeSeverity(Builder $query, string $severity): Builder
{
return $query->where('severity', $severity);
}
public function scopeRecent(Builder $query, int $hours = 24): Builder
{
return $query->where('created_at', '>=', now()->subHours($hours));
}
public function scopeForComponent(Builder $query, string $component): Builder
{
return $query->where('component_name', $component);
}
}

237
app/Services/SecurityMonitor.php Normal file
View File

@@ -0,0 +1,237 @@
<?php
namespace App\Services;
use App\Models\SecurityAttempt;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Throwable;
class SecurityMonitor
{
private const MAX_PAYLOAD_SIZE = 10000;
private const SEVERITY_HIGH = 'high';
private const SEVERITY_MEDIUM = 'medium';
private const SEVERITY_LOW = 'low';
/**
* Livewire security exceptions that indicate tampering attempts.
*
* @var array<string>
*/
private const LIVEWIRE_SECURITY_EXCEPTIONS = [
'Livewire\Features\SupportLockedProperties\CannotUpdateLockedPropertyException',
'Livewire\Exceptions\ComponentNotFoundException',
'Livewire\Exceptions\MethodNotFoundException',
'Livewire\Exceptions\MissingFileUploadsTraitException',
'Livewire\Exceptions\PropertyNotFoundException',
'Livewire\Exceptions\PublicPropertyNotFoundException',
'Livewire\Exceptions\CannotBindToModelDataWithoutValidationRuleException',
'Livewire\Exceptions\CorruptComponentPayloadException',
];
/**
* Patterns in payloads that indicate injection attacks.
*
* @var array<string>
*/
private const MALICIOUS_PATTERNS = [
'__toString',
'phpinfo',
'system(',
'exec(',
'shell_exec',
'passthru',
'eval(',
'base64_decode',
'SerializableClosure',
'BroadcastEvent',
'FnStream',
'PendingBroadcast',
'dispatchNextJobInChain',
];
public function recordFromException(Throwable $exception, ?Request $request = null): void
{
try {
$request ??= request();
if (! $this->shouldRecord($exception)) {
return;
}
$componentName = $this->extractComponentName($request);
$targetProperty = $this->extractTargetProperty($exception);
$payload = $this->sanitizePayload($request);
$severity = $this->determineSeverity($exception, $payload);
SecurityAttempt::query()->create([
'ip_address' => $this->getIpAddress($request),
'user_agent' => $this->truncate($request->userAgent(), 500),
'method' => $request->method(),
'url' => $this->truncate($request->fullUrl(), 2000),
'route_name' => $request->route()?->getName(),
'exception_class' => get_class($exception),
'exception_message' => $this->truncate($exception->getMessage(), 1000),
'component_name' => $componentName,
'target_property' => $targetProperty,
'payload' => $payload,
'severity' => $severity,
]);
} catch (Throwable $e) {
// Never let monitoring fail the application
Log::warning('SecurityMonitor failed to record attempt', [
'error' => $e->getMessage(),
'original_exception' => get_class($exception),
]);
}
}
public function shouldRecord(Throwable $exception): bool
{
$exceptionClass = get_class($exception);
foreach (self::LIVEWIRE_SECURITY_EXCEPTIONS as $securityException) {
if ($exceptionClass === $securityException || is_subclass_of($exception, $securityException)) {
return true;
}
}
return false;
}
public function getAttemptsFromIp(string $ip, int $hours = 24): int
{
try {
return SecurityAttempt::query()
->fromIp($ip)
->recent($hours)
->count();
} catch (Throwable) {
return 0;
}
}
public function isIpSuspicious(string $ip, int $threshold = 10, int $hours = 24): bool
{
return $this->getAttemptsFromIp($ip, $hours) >= $threshold;
}
private function extractComponentName(Request $request): ?string
{
try {
$components = $request->input('components', []);
if (empty($components)) {
return null;
}
$snapshot = json_decode($components[0]['snapshot'] ?? '{}', true);
return $snapshot['memo']['name'] ?? null;
} catch (Throwable) {
return null;
}
}
private function extractTargetProperty(Throwable $exception): ?string
{
$message = $exception->getMessage();
if (preg_match('/\[([^\]]+)\]/', $message, $matches)) {
return $matches[1];
}
return null;
}
private function sanitizePayload(Request $request): ?array
{
try {
$payload = $request->input('components', []);
$jsonPayload = json_encode($payload);
// Truncate if too large
if (strlen($jsonPayload) > self::MAX_PAYLOAD_SIZE) {
return [
'_truncated' => true,
'_original_size' => strlen($jsonPayload),
'summary' => $this->extractPayloadSummary($payload),
];
}
return $payload;
} catch (Throwable) {
return ['_error' => 'Could not serialize payload'];
}
}
private function extractPayloadSummary(array $payload): array
{
$summary = [];
try {
foreach ($payload as $index => $component) {
$summary[$index] = [
'has_snapshot' => isset($component['snapshot']),
'updates_count' => count($component['updates'] ?? []),
'update_keys' => array_keys($component['updates'] ?? []),
'calls_count' => count($component['calls'] ?? []),
];
}
} catch (Throwable) {
// Ignore
}
return $summary;
}
private function determineSeverity(Throwable $exception, ?array $payload): string
{
// Check for injection patterns in payload
$payloadJson = json_encode($payload) ?: '';
foreach (self::MALICIOUS_PATTERNS as $pattern) {
if (stripos($payloadJson, $pattern) !== false) {
return self::SEVERITY_HIGH;
}
}
// Locked property tampering is medium severity
if (str_contains(get_class($exception), 'LockedProperty')) {
return self::SEVERITY_MEDIUM;
}
return self::SEVERITY_LOW;
}
private function getIpAddress(Request $request): string
{
// Handle proxied requests
$ip = $request->header('X-Forwarded-For');
if ($ip) {
// Take the first IP if there are multiple
$ips = explode(',', $ip);
return trim($ips[0]);
}
return $request->ip() ?? 'unknown';
}
private function truncate(?string $value, int $length): ?string
{
if ($value === null) {
return null;
}
if (strlen($value) <= $length) {
return $value;
}
return substr($value, 0, $length - 3).'...';
}
}