The strength of ochSimpleFirewall is that it blocks abusers before they can abuse your website: when an abuser is caught on another website somewhere in the world, their IP address is placed on a shared blocklist. ochSimpleFirewall reads these lists and uses them to block those abusers from even entering your website.
But what if an abuser is not (yet) on a blocklist, or your website is the first one they try to hack?
Challenge: How do I block abuse and hack attempts from an IP address that is not on a maintained IP blocklist?
How do you handle visitors that are not marked as abusers? They can visit your site like any other visitor, because until they act they are indistinguishable from one. What makes them a hacker or abuser is that they try to find and exploit weaknesses in your website. There are several ways to do this: adding crafted parameters to the URL, injecting scripts or other payloads into request headers, or modifying the User-Agent string that is sent with every request.
So it is best to block these users altogether so that they cannot try anything, but when that is not possible they should be caught in the act and blocked based on their (first) abuse attempt.
Solution: ochSimpleFirewall Active Scanner
In the new version of ochSimpleFirewall I have implemented an 'Active Scanner'.
What this does is actively inspect every request to your server and test it for the following attack patterns and exploit techniques:
- Directory Traversal
- HTTP Response Splitting
- Cross-Site Scripting (XSS)
- Cache Poisoning
- Dual-Header Exploits
- SQL/PHP/Code Injection
- File Injection/Inclusion
- Null Byte Injection
- WordPress exploits such as revslider, timthumb, fckeditor, et al
- Exploits such as c99shell, phpshell, remoteview, site copier, et al
- PHP information leakage
The inspection rules come from the 7G Firewall, described by its authors as follows: "7G is the seventh generation of a firewall/blacklist that comprises over a decade of research, testing, and development."
I have converted the 7G Firewall rules into PHP so that they can now be used by ochSimpleFirewall.
All rules (more than a hundred) can be turned off individually, for example when a rule leads to false positives.
The addition of the 7G Firewall rules to ochSimpleFirewall's Active Scanner makes this the most robust and feature-complete firewall solution for Joomla!
When an Active Scanner rule is triggered, the visitor's IP address is automatically added to an on-site blocklist. This blocks that IP for any further attempts or visits, and the blocked visitor is not allowed to override it.
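To make the two ideas above concrete (inspecting the URL parameters, URI and User-Agent of every request, and auto-blocking the IP the first time a rule fires), here is an added example in PHP. It is not ochSimpleFirewall's code and its regular expressions are simplified, hand-written stand-ins for a few of the 7G categories, not the real 7G rule set; the class and rule names, the flat-file blocklist and the sample requests are all assumptions made for this illustration.

```php
<?php
// Added example, not ochSimpleFirewall's code and not the real 7G rule set:
// a 7G-style request scanner with simplified stand-in rules for some of the
// categories listed above, plus an on-site IP blocklist that is consulted
// before scanning and appended to when a rule fires.
declare(strict_types=1);

final class ActiveScanner
{
    // request part => [rule name => PCRE]. Illustrative patterns only (assumptions
    // for this example); each is matched against the raw request part and, for
    // query and URI, also against its single-pass rawurldecode()d form.
    private const RULES = [
        'query' => [
            'directory_traversal' => '~(\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)~i',
            'null_byte'           => '~(%00|\x00)~',
            'xss'                 => '~(<script|%3cscript|javascript:|on(error|load|mouseover)\s*=)~i',
            'sql_injection'       => '~(union(\s|%20|\+)+(all(\s|%20|\+)+)?select|information_schema|benchmark\s*\(|sleep\s*\()~i',
            'file_inclusion'      => '~(=(https?|ftp|php|data)://|/etc/passwd|/proc/self/environ)~i',
            'response_splitting'  => '~(%0d%0a|%0a|%0d|\r|\n)~i',
        ],
        'uri' => [
            'known_shells'        => '~(c99shell|c99\.php|r57|phpshell|remoteview|webshell)~i',
            'wordpress_exploits'  => '~(revslider|timthumb|fckeditor)~i',
        ],
        'user_agent' => [
            'scanner_ua'          => '~(sqlmap|nikto|acunetix|nessus|havij|masscan|sitecopier)~i',
        ],
    ];

    private array $enabled;   // rule name => bool, every rule on by default

    public function __construct(private string $blocklistFile)
    {
        $this->enabled = array_fill_keys(array_keys(array_merge(...array_values(self::RULES))), true);
    }

    // Switch off one rule by name, e.g. after it produced false positives on your site.
    public function disableRule(string $name): void
    {
        $this->enabled[$name] = false;
    }

    // Return the name of the first enabled rule that matches, or null when the request looks clean.
    public function scan(array $request): ?string
    {
        $subjects = [
            'query'      => [$request['query'], rawurldecode($request['query'])],
            'uri'        => [$request['uri'], rawurldecode($request['uri'])],
            'user_agent' => [$request['user_agent']],
        ];
        foreach (self::RULES as $part => $set) {
            foreach ($set as $name => $regex) {
                if (!$this->enabled[$name]) {
                    continue;
                }
                foreach ($subjects[$part] as $subject) {
                    if ($subject !== '' && preg_match($regex, $subject) === 1) {
                        return $name;   // first match wins, so rule order decides what is reported
                    }
                }
            }
        }
        return null;
    }

    public function isBlocked(string $ip): bool
    {
        return is_file($this->blocklistFile)
            && in_array($ip, array_map('trim', file($this->blocklistFile)), true);
    }

    // Decide one request: an already blocked IP is refused before any rule runs; a request
    // that trips a rule gets its IP appended to the blocklist, so all its later requests are refused.
    public function handle(array $request): string
    {
        if ($this->isBlocked($request['ip'])) {
            return 'blocked';
        }
        $rule = $this->scan($request);
        if ($rule === null) {
            return 'allowed';
        }
        file_put_contents($this->blocklistFile, $request['ip'] . "\n", FILE_APPEND | LOCK_EX);
        return 'caught:' . $rule;
    }
}

// Constructed sample requests (not real traffic). On a live Joomla site the same fields
// come from $_SERVER['REMOTE_ADDR'], ['REQUEST_URI'], ['QUERY_STRING'] and ['HTTP_USER_AGENT'].
$fw = new ActiveScanner(tempnam(sys_get_temp_dir(), 'blocklist_'));
$fw->disableRule('response_splitting');   // pretend this rule false-positived on our site

$requests = [
    ['ip' => '203.0.113.10', 'uri' => '/index.php', 'query' => 'option=com_content&view=article&id=42', 'user_agent' => 'Mozilla/5.0'],
    ['ip' => '203.0.113.20', 'uri' => '/index.php', 'query' => 'file=../../../../etc/passwd', 'user_agent' => 'Mozilla/5.0'],
    ['ip' => '203.0.113.20', 'uri' => '/index.php', 'query' => 'option=com_content', 'user_agent' => 'Mozilla/5.0'], // same IP, harmless request
    ['ip' => '203.0.113.30', 'uri' => '/index.php', 'query' => 'q=%3Cscript%3Ealert(1)%3C%2Fscript%3E', 'user_agent' => 'Mozilla/5.0'],
    ['ip' => '203.0.113.40', 'uri' => '/wp-content/plugins/revslider/', 'query' => '', 'user_agent' => 'Mozilla/5.0'],
    ['ip' => '203.0.113.50', 'uri' => '/', 'query' => '', 'user_agent' => 'sqlmap/1.7'],
];
foreach ($requests as $r) {
    printf("%-13s %s\n", $r['ip'], $fw->handle($r));
}
```

Two details are worth noting when building or tuning a scanner like this. First, the query string and URI are matched both raw and after one URL-decoding pass, so `%3Cscript` and `<script` are caught by the same rule; a double-encoded payload (`%253Cscript`) survives a single decode, which is why the encoded spellings stay in the patterns as well. Second, automatic IP blocking is only as trustworthy as the IP you block: behind a reverse proxy or CDN, use the client address only from a forwarded-for header set by a proxy you control, because an attacker who can supply that header could have other addresses blocked or evade the block entirely. The real 7G rule set also inspects referrers and request methods, which this example leaves out, and ochSimpleFirewall keeps its on-site blocklist wherever the extension stores it rather than in a temporary file.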