Drupal - Malicious Activity Detection


Download the Drupal IpWatch PHP insert code

I found that, from an admin perspective, the Drupal reports for detecting nefarious activity are quite limited and somewhat cumbersome to pop in and out of. I wanted something quick and easy to say "hey, something does not look right coming from this IP address". 500 hits to nothing but user login is obviously coming from something that is not actually browsing articles.
Though the Recent hits report will give you some idea that something is going on, you have to click on details to get any information about the machine creating the top hits. (It should include the IP without forcing you into a popup window to get the IP of the machine.)

The Block List

What I came up with was an easier way to check these types of activities.
It consists of a Drupal "block" that lists some of the top hitters by IP, excluding my admin UID (though it is good to also view your own ID's activity to ensure it was not compromised).
I set the role on the block to only display for administrators.
Each IP in the list links to another page that will display more details about that IP's activity.
Currently, I am only using a GET statement and will change that to a POST, but it allows me to just put the IP in the address bar as well. I also have yet to add input validation, so you will need to include that before putting it on your site. I figure an IPv4 dot-notation regex with numeric conversion on each index should do the trick.
This gives me a front page view of activity with a simple click to pull up the machine...ezpz

The IP Page

On the IP page, I can see what that machine has been up to. To make it easier, the question mark column links to Arin.net for a quick lookup of who actually owns the IP. (I may just put that in the IP addr header at the top of the page instead of wasting resources per line, though.)
I have also placed a quick link to the IP blocking administrative page. This allows me to easily click and block the IP in question.

The IP Selected Page

The IP Selected page will display a per-page count based on the IP address passed to it. You can use this to determine what the IP was attempting to hit, and it also includes a link to the IP block admin page.
Though not all-inclusive, it makes it much easier to minimize malicious activity on the site.
I will add a link on this page on how to set it all up once I have that completed. I may also include a lookup to see if the IP has already been blocked.


To accomplish this, you do have to turn on the ability to use PHP code in blocks and articles. You can restrict this ability to administrators only. If you have multiple administrators and do not want it for all of them, you will need to create a new role.
It uses the same code for both the Drupal list "block" and the table "page"; you just need to turn a few settings on or off, and they are described at the beginning of the code.
The short version:
First off, on the list block I switch to list mode and do not allow the IP to be passed via the GET query string. I updated the code so you can only pass an IP when you are in table mode. I also set it to display only 10 entries sorted by hits.

Then I set the paged version to table mode and increase the number of rows to return. I also set the number of rows higher if an IP is passed.
When you have created your page, change the $pageuri variable to that page so it knows where to set the links.
I recently added an IP regex to check for a valid IP addr (v4).
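To show the statistics the block and page compute, here is an added Python model of the logic (not the author's PHP, and not Drupal code): constructed rows stand in for the accesslog table, the admin UID is excluded from the top-hitters list, an IP passed in for table mode is validated with a dot-notation regex plus a 0-255 check on each octet, and the per-path breakdown exposes a machine that hits nothing but user/login.

```python
import re
from collections import Counter

# Constructed rows standing in for Drupal's accesslog table: (hostname, path, uid).
# 203.0.113.7 hammers the login form, 198.51.100.23 browses, 192.0.2.10 is the admin.
ACCESSLOG = (
    [("203.0.113.7", "user/login", 0)] * 40
    + [("198.51.100.23", "node/%d" % n, 0) for n in range(1, 6)] * 2
    + [("192.0.2.10", "admin/reports/hits", 1)] * 25
)

ADMIN_UID = 1  # the UID the list block leaves out (assumed value)
IPV4_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")


def valid_ipv4(value):
    """Dot-notation regex plus a numeric 0-255 check on every octet."""
    match = IPV4_RE.fullmatch(value)
    return bool(match) and all(int(octet) <= 255 for octet in match.groups())


def top_hitters(rows, limit=10, exclude_uid=ADMIN_UID):
    """List mode: the top `limit` IPs by hit count, skipping the admin's own traffic."""
    counts = Counter(host for host, _path, uid in rows if uid != exclude_uid)
    return counts.most_common(limit)


def hits_by_path(rows, ip):
    """Table mode with an IP passed in: per-path counts for that single address."""
    if not valid_ipv4(ip):
        raise ValueError("rejecting non-IPv4 input: %r" % ip)
    counts = Counter(path for host, path, _uid in rows if host == ip)
    return counts.most_common()


def login_share(rows, ip, login_path="user/login"):
    """Fraction of an IP's hits that went to the login form; 1.0 means it never browsed."""
    paths = [path for host, path, _uid in rows if host == ip]
    return paths.count(login_path) / len(paths) if paths else 0.0


if __name__ == "__main__":
    for host, hits in top_hitters(ACCESSLOG):
        share = login_share(ACCESSLOG, host)
        print("%-15s %4d hits  login share %.2f" % (host, hits, share))
    print(hits_by_path(ACCESSLOG, "203.0.113.7"))
```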

I have uploaded the code.

Basic Instructions
Download the compressed file above or below.
Turn on the module that allows PHP scripts. (Warning: check with Drupal whether this is inadvisable, since it could potentially become exploitable.)
Make sure that only Administrators can access PHP by setting the security tab.
Create a block and assign it only the Admin role, then create an article which will be your table page.
Paste the text into the admin block, set the variables for "no table", and set the # of rows you want displayed. Enter the table page ?q=pagename without the ?q= part.
Edit the new page, paste in the PHP code, and set it to table mode and the # of rows in the table.
Settings examples:
If you created your display article as ipwatch, set $pageurl=ipwatch.
On block set $tbl=0 so it shows a list and on the display article page set $tbl=1 so it shows a table.
On block set $std_rows=10 to display 10 and on the article set $std_rows=50 and $ip_rows=100 to show more rows if IP is passed.
Be sure to select PHP from the dropdown and not text or html on both the block and the page.
Cross fingers, it should just work.
A brief article on blocking IP ranges and access via the .htaccess file in the root of the drupal directory may help:
Attachment: DrupalIPWatch.tar.gz (1.26 KB)