Use Case: Actively inspect your website traffic and block hackers

Written by: Ruud van Lent Published: 31 March 2020

Category: Best Practice

Top BlogHits: 4194Reading time: 02:04

The strength of ochSimpleFirewall is that it blocks abusers before they can abuse your website: when an abuser is caught on another website somewhere in the world, this abuser is placed on a list. ochSimpleFirewall reads and uses these lists to block these abusers from even entering your website!

But what if an abuser is not (yet) on a blocklist, or your website is the first he will try to hack?

Challenge: How do I block abuse and hack attempts when not blocked by a maintained IP block list?

How do you handle visitors that are not 'marked' as abuser? They can visit your site like any visitor because they are like any visitor. What makes them a hacker or abuser is that they try to find and use weaknesses on your website. There are several ways that this can be done: by adding parameters to the url, by adding scripts to the request header, by modifying the user agent information that is sent with every request.

So it is best to block these users altogether so that they cannot try anything, but when that is not possible, they should be 'caught-in-the-act' and blocked based on their (first) abuse attempts.

Solution: ochSimpleFirewall Active Scanner

In the new version of ochSimpleFirewall I have implemented an 'Active Scanner'.

What this does is actively inspect every request to your server and test for the following weaknesses and exploit techniques:

• Directory Traversal
• HTTP Response Splitting
• (XSS) Cross-Site Scripting
• Cache Poisoning
• Dual-Header Exploits
• SQL/PHP/Code Injection
• File Injection/Inclusion
• Null Byte Injection
• WordPress exploits such as revslider, timthumb, fckeditor, et al
• Exploits such as c99shell, phpshell, remoteview, site copier, et al
• PHP information leakage

The inspection rules come from: 7G Firewall > 7G is the seventh generation of a firewall/blacklist that comprises over a decade of research, testing, and development.

I have converted the 7G Firewall rules into PHP so that they can now be used by ochSimpleFirewall

All rules (more then a hundred) can be turned off when for example they lead to false positives.

The addition of the 7G Firewall rules into ochSimpleFirewalls 'Active Scanner' functionality makes this the most robust and feature complete Firewall solution for Joomla!

When an Active Scanner rule is triggered, the visitors IP address is automatically added to a (on-site) block list: this blocks the user for any further attempts or visits, not even allowed to override by the user!

Result: your site and your visitors will be safer!

Interesting blog? Like it on Facebook, Post it or share this article on other bookmarking websites.

 

Written by: Ruud van Lent

Pro-BloggerTop BloggerThought Leader

With a solid background in ICT (operational, tactical and strategic) and years of experience in the community life, I see in communities and community thinking the future for companies.

This future requires another way of thinking and doing; both for executives and employees. It's not about me; it's about you. Your well-being and your (personal) growth.

'What comes around - goes around'

In the world of communities, the old 'management laws' no longer work and are even counterproductive.

I coach leaders and organizations in their quest for how new and servant leadership can contribute to communities and community thinking, and as a result to the growth of the organization.

I do this from the following initiatives:

• ruudOntwikkelt | Leadership coaching and Organisation development
• Platform Lerende Leiders | The #1 Community for and by Leaders
• Onlinecommunityhub | It's all about the Community...