
Basic setup

There are a few steps involved in setting up Tripwire.

  • Malicious requests need to be recognized and responded to
  • Malicious users need to be blocked

Definitions

Log

Definition: Log

Every request that is recognized as a hack attempt is logged, regardless of whether it blocks the rest of the request or not.

Block

Definition: Block

A block prevents a certain user or IP from accessing your site. As long as the block is valid, no requests will continue to your site. This block is only temporary and will be removed after a few seconds. However, if the same user/IP continues their attempts and gets blocked again, the block time will increase exponentially. A block can be based on an IP address, a user id, and/or a browser fingerprint (if supplied by your frontend).

Definition: Reject

When a request is suspicious it is rejected, and this can eventually lead to a block.

Wire

Definition: Wire

A check that parses the request to see if it violates certain rules. If a wire is triggered, the request is considered a hack attempt.

Honeypot Wire

Definition: Honeypot wire

A honeypot is a security mechanism that creates a virtual trap to lure attackers. When Tripwire recognizes that certain illegal fields have been filled in, we know this is not a normal user and an action will be taken.

AttackScore

Definition: AttackScore

Every wire has an attackScore (either specified or default); the higher the score, the more severe the violation and the more certain you are that this is a malicious request.

Punish

Definition: Punish

When the user attempts too many times, the user is blocked (or punished).

Recognizing and blocking malicious requests

Recognizing malicious requests happens through the so-called wires. When a wire is tripped, actions will be taken. These actions can be defined (see configuration), but we first need to define which wires to use. There are many different wires and wire groups, but start with the basics.

In your kernel.php, make the following additions:

```php
protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        TripwireBlockHandlerAll::class, // will block malicious ips/users
        'tripwire.main', // will recognize and act on malicious requests
        // ...
    ],
];
```

If you also have an api section, you need to add it there too:

```php
protected $middlewareGroups = [
    'api' => [
        \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
        TripwireBlockHandlerAll::class, // will block malicious ips/users
        'tripwire.main', // will recognize and act on malicious requests
    ],
];
```

Order is important

First include your block handler (i.e. TripwireBlockHandlerAll::class) and then your tripwires (i.e. 'tripwire.main'). This ensures that no blocked user gets through to your tripwire handlers, which also makes the response faster.

Blocking Users or Blocking Early

There is a fundamental choice you must make about when to block requests:

  • Option 1: Block as soon as possible in the request cycle
  • Option 2 (recommended): Block a userId if the request came from a recognized user.

Option 1: Block as soon as possible

This will block a request as soon as possible, but that includes before a userId is known. Consequence: there will be no block on userId, only on IP or browserFingerprint.

Setup

```php
protected $middlewareGroups = [
    'web' => [
        TripwireBlockHandlerAll::class,
        'tripwire.main',
        // ... rest of the middleware
    ],

    'api' => [
        TripwireBlockHandlerAll::class,
        'tripwire.main',
        // ... rest of the middleware
    ],
];
```

or even just in the root middleware:

```php
protected $middleware = [
    TripwireBlockHandlerAll::class,
    'tripwire.main',
    // ... rest of the middleware
];
```

Option 2 (recommended): Block a userId

Consequences: the block will happen a bit later in the request cycle, but if a user is blocked and then switches to a different IP, they are still blocked at the userId level. This is a more secure block.

```php
protected $middlewareGroups = [
    'web' => [
        // ... middleware for authentication
        TripwireBlockHandlerAll::class,
        'tripwire.main',
        // ... rest of the middleware
    ],

    'api' => [
        // ... middleware for authentication
        TripwireBlockHandlerAll::class,
        'tripwire.main',
        // ... rest of the middleware
    ],
];
```
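Added example (not part of the Tripwire docs or package): a stand-alone PHP check that a middleware group follows the two ordering rules above, the block handler before 'tripwire.main', and for Option 2 the user-identifying middleware before the block handler. It assumes the block handler's class name ends in TripwireBlockHandlerAll; the vendor namespace used in the sample is a placeholder.

```php
<?php
// Added example, not code from the Tripwire docs or package: a stand-alone check that
// a middleware group follows the ordering rules on this page. Assumption: the block
// handler's class name ends in "TripwireBlockHandlerAll" (its namespace is not given).
// Return the ordering problems in one middleware group ([] means OK).
// $mustPrecedeBlock: middleware that has to run before the block handler, e.g. the
// session/auth middleware for Option 2 (block on userId); pass [] for Option 1.
function checkTripwireOrder(array $group, array $mustPrecedeBlock = []): array
{
    $problems = [];
    $blockIdx = $wireIdx = null;
    foreach ($group as $i => $m) {
        if (is_string($m) && str_ends_with($m, 'TripwireBlockHandlerAll')) {
            $blockIdx = $i;
        } elseif ($m === 'tripwire.main') {
            $wireIdx = $i;
        }
    }
    if ($blockIdx === null) {
        $problems[] = 'TripwireBlockHandlerAll is missing: nothing blocks banned ips/users';
    }
    if ($wireIdx === null) {
        $problems[] = "'tripwire.main' is missing: no wires, so nothing is recognized";
    }
    if ($blockIdx !== null && $wireIdx !== null && $blockIdx > $wireIdx) {
        $problems[] = 'block handler must precede tripwire.main so blocked users never reach the wires';
    }
    foreach ($mustPrecedeBlock as $auth) {
        $authIdx = array_search($auth, $group, true);
        if ($authIdx === false) {
            $problems[] = "$auth is missing";
        } elseif ($blockIdx !== null && $authIdx > $blockIdx) {
            $problems[] = "$auth runs after the block handler, so no userId is known when blocking";
        }
    }
    return $problems;
}
// Constructed sample: the 'web' group from this page with a placeholder namespace for the
// block handler; StartSession stands in for the middleware that identifies the user.
$web = [
    'App\Http\Middleware\EncryptCookies',
    'Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse',
    'Illuminate\Session\Middleware\StartSession',
    'Vendor\Tripwire\TripwireBlockHandlerAll',
    'tripwire.main',
];
print_r(checkTripwireOrder($web, ['Illuminate\Session\Middleware\StartSession']));
// Reversed: wires before the block handler and session after it, both ordering mistakes.
print_r(checkTripwireOrder(array_reverse($web), ['Illuminate\Session\Middleware\StartSession']));
```

Run it with php 8 or newer (str_ends_with); the first call reports no problems, the second reports both ordering mistakes.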

Released under the MIT License.