ochSimpleFirewall (system plugin)

• DryRun: when enabled you can see in the log file what would have been blocked. This feature enables you to test tyour configuration without impact for visitors
• Whitelist: configure an IP address or a comma / newline separated list of IP addresses that will be considered safe and will not be handled by the plugin. Please add you own (management) IP address in this list to avoid being blocked from your own site in case you IP address is added by one of the external companies to their list of know offenders.
• Whitelist Host names: configure here the host names that must be whitelisted. e.g. google.com. This to avoid blocking the Google Search engine crawler from being blocked when its IP Address is added to a IP Set.
• Blacklist: configure an IP address or a comma / newline separated list of IP addresses that will be blocked by the plugin.
• Enable Protection On: Here you can configure to enable protection on the site (front-end), administrator (back-end), or both.
• Block Mode: configure what to do when a Visitor is blocked:
  • Show nothing (white page) with a 403 (not allowed) header
  • Show a message "Your connection to this website has been blocked by our firewall. [a.b.c.d]" with a 403 (not allowed) header
  • Redirect the offender to an external website: e.g. google.com with a 303 (redirect other) header.
  • Allow Override: prompt the blocked visitor with a form to temporarily whitelist himself (important: working captcha highly recommended / required)
• Email site administrator: select yes if you want to be mailed when a blocked visitor does a manual override.
• Exclude URLs: here you can configure (part of) an URL or multiple comma separated that should never be blocked by the plugin. This enables you to minimize the impact of a false positive.

The offending IP Addresses are gathered, maintained and sourced by FireHOL a firewall for humans!

In this plugin we have a subset of these hundreds of sets that combine multiple sets. Each set serves a specific category of traffic:

Attackers

• firehol_level1: "This IP list is a composition of other IP lists.
  The objective is to create a blacklist that can be safe enough to be used on all systems, with a firewall, to block access entirely, from and to its listed IPs.
  The key prerequisite for this cause, is to have no false positives. All IPs listed should be bad and should be blocked, without exceptions."
• firehol_level2: "An ipset made from blocklists that track attacks, during about the last 48 hours. (includes: blocklist_de dshield_1d greensnow)"
• firehol_level3: "An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs than have been reported or detected in the last 30 days. (includes: bruteforceblocker ciarmy dshield_30d dshield_top_1000 malc0de maxmind_proxy_fraud myip shunlist snort_ipfilter sslbl_aggressive talosintel_ipfilter zeus vxvault)"
• firehol_level4: "An ipset made from blocklists that track attacks, but may include a large number of false positives. (includes: blocklist_net_ua botscout_30d cruzit_web_attacks cybercrime haley_ssh iblocklist_hijacked iblocklist_spyware iblocklist_webexploit ipblacklistcloud_top iw_wormlist malwaredomainlist)"
• firehol_webserver: "A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous) . (includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic)"

Malware

• firehol_webclient: "An IP blacklist made from blocklists that track IPs that a web client should never talk to. This list is to be used on top of firehol_level1. (includes: ransomware_online sslbl_aggressive cybercrime dyndns_ponmocup maxmind_proxy_fraud)"

Spam

• firehol_abusers_30d: "An ipset made from blocklists that track abusers in the last 30 days. (includes: cleantalk_new_30d cleantalk_updated_30d php_commenters_30d php_dictionary_30d php_harvesters_30d php_spammers_30d stopforumspam sblam)"
• cleantalk_30d: "Today's HTTP Spammers (includes: cleantalk_new_30d cleantalk_updated_30d)"
• botscout_30d: "BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots."
• stopforumspam: "StopForumSpam.com Banned IPs used by forum spammers"

Cloud Service IP Sets

• Amazon Web Services: A complete list of AWS web servers. Use this when you only want real visitors and not (malicious) web applications
• Google User Content (Web Services): A complete list of Google User Content web servers: Use this when you only want real visitors and not (malicious) web applications

read the Tips and Tricks for advice and what to configure and how to monitor!

Read more on this feature in this blog: Use Case: Actively inspect your website traffic and block hackers

• Select the enabled Active Scanner rulesets:
  • Request URI Rule Sets
  • Query String Rule Sets
  • User Agent Rule Sets
  • User Agent Crawler Rule Sets
• Specify the disabled Rule Sets ID: you can find these in the ochSimpleFirewall log file, e.g. RU-0015.
• Collect Abusers: select Yes or Always to add the Abusers to the 'collected_blacklist', Yes will add them only when they are not already on another black list, always will always add them.

The collect_blacklist is located on your server in ./media/plg_system_ochsimplefirewall/ipsets/collected_blacklist. You can add or remove entries from this list manually.

ochSimpleFirewall comes out of the box with the at time of release latest set of MaxMind GeoIP netsets. With these GeoIP NetSets you can select which countries to block (or allow) via ochSimpleFirewall.

Note when upgrading to version 2.0.0: ochSimpleFirewall switched from GeoIP provider and by doing so the name of some netsets have changed. If you are using the GeoIP functionality, please make a note of the configured countries BEFORE upgrading to version 2.0.0 and after upgrading check if all countries are still configured.

MaxMind GeoIP netsets can be periodically updated to the latest version, this can be done manually or automatically via a cronjob. In order to be able to download new GeoIP netsets, you need a free MaxMind account and a free MaxMind license key.

1. Create a free MaxMind Account: https://www.maxmind.com/en/geolite2/signup
2. Login in with your new account
3. go to the left navigation menu > Services > Click on 'My License Key' and then click on [Generate new license key]
4. Enter your description for the license key, select Yes on 'Will this key be used for GeoIP Update?'
5. Select the 'Generate a license key and config file for use with geoipupdate version 3.1.1 or newer.' and click the [Confirm] button.
6. In ochSimpleFirewall configuration enable GeopIP NetSets in tab GeoIP NetSets
7. Copy the generated License key into ochSimpleFirewall tab GeoIPNetSets tab, field 'MaxMind License key'

ochSimpleFirewall can now download and process the updated GeoIP netsets. Once downloaded and processed you can select which countries to block via ochSimpleFirewall.

1. Make sure ochSimpleFirewall is enabled and running: this is important as this is required for downloading and processing.
2. in Tab GeoIP Netsets, configure setting 'Enable GeoIP NetSets' to enable, several options will show
3. Block or Allow will either block the selected countries and allow all others, or allow the selected countries and block all others
4. set setting 'Download GeoIP NetSets' to 'Yes' and click [Save] to start the download and conversion of the GeoIP Netsets (This can take some time, please wait until you get a success or fail message)
   When download is successful, setting 'Download GeoIP NetSets' is automatically switched back to 'No', this to avoid subsequent downloads when saving the plugin.
5. When downloading succeeded, the drop down list 'Block Countries' is filled with all the countries, select one or multiple that you want to block.

Starting from version 1.9.0 you can periodically / auto download and process the GeoIP netsets via a cronjob.

1. Add a secret key in the 'GeoIP Cron Secret´ field.
2. Mail Cron Result: sent mail on completion to site administrator> No, only on error, always

Create a cronjob with your hosting provider or with a service that gives you this cron functionality and set this cron (via wget or curl) to load the following case sensitive (!) URL:

[your_site_root]?ochsfw=download-geoip&key=[Cron Secret]

Where [your_site_root] is the homepage of your website, and [Cron Secret] is the Cron Secret you configured.

When enabling Administrator Area Protection, the username(s) and password(s) you specified here will be requested by your browser before your regular Joomla! Administrator login is displayed. Administrator Protection works at server level, using a .htaccess file in your site's administrator folder. Your server must support directory password protection with .htaccess files for this protection to have any effect.

Because this is a Server Level protection, it protects your Administrator area even if you disable or uninstall ochSimpleFirewall.
If for any reason your administrator area becomes inaccessible, or you need to remove the password protection without having access to this plugin, you will need to delete the .htaccess and .htpasswd files from the administrator directory of your site using FTP or your host's File Manager.

• Enable Administrator Protection: Enable or disable Administrator protection
• Authentication prompt: configure the text that will be used in the authentication prompt
• Credentials: create one or more username / password credentials

When clicking [Save]  you will directly be prompted with the (new) authentication prompt: You must login with your created credentials to complete the saving of the plugin setting. When login is successful, your browser session will be authenticated. Only when you close your browser and start a new session you will be prompted to login again.

When enabling User notifications, you users will get notified of crusial account activities so they can take appropriate action.

You can enable the following setting:

• Only Site Administrator(s): for testing / stealth reporting, only site administrator(s) will get the notification, not the users
• BCC Site Administrator(s: when email users, send BCC to site administrator(s)
• Password Change: email on password change (via front-end only)
• Email Change: email on email change (front-end only). Mail is send to the last known email account
• New Device / Location login: email on login (both front-end and back-end) on new device (based on hashed IP address)
  • Send on First Login: send email on first login, or only on new devices after first login
  • Expire Known Device: the number of days to mark a device as known, set to 0 to disable expiring of the device.
• Protect Account Login: prevent maximum simultaneous logins with one account
• Protect User Accounts: expire (block or require password reset for) user accounts not used within configured number of days.

• Download ID: The download ID you get with your subscription
• Debug: Errors are always logged to your logs directory in plg_system_ochsimplefirewall-log.php. When enabling debug also info and warnings are logged showing you for example which IP addresses are blocked and by what ip set, what URL they where trying to visit, if the cache is created correct, who is accessing your site and is whitelisted, etc. Use this to get a good understanding of what IP Sets are best (or unused) for your site profile.
• Enable POST data logging: select:
  • No (turned off)
  • Yes, log only POST data without valid CSRF Token
  • Yes, log all POST data
• Cache IP Sets: downloading and processing of the IP Sets is time and resource intensive. So only disable caching for debugging purposes. Caching is independent of your Global Cache enabled setting. Caching is done to the Cache storage configured in your global cache setting.
• Cache Lifetime (hours): Specifiy the amount of hours you want the cache to be refreshed in. Default is 24 hours: so every 24 hours the configured IP sets are downloaded, processed and cached.
• Cache Storage: here you can use a different storage engine for your cache. Use this when using memcache as global storage engine and using IP sets that are to large to fit in memcached. You can then configure e.g. file as cache storage for the IP sets.

Starting from version 2.1.0 you can periodically / auto download and process the netsets via a cronjob. You are advised to implement and use this feature as it will make sure that your visitors are not faced with a one-time slowdown due to downloading and creating the cache files. Note that you can best configure the cache lifetime to your cron frequency + 1 hour. So if you run the cron on a daily basis (once per 24 hours), set the cache life time to 25 hours.

• Add a secret key in the 'Refresh Cache Cron Secret´ field.

Create a cronjob with your hosting provider or with a service that gives you this cron functionality and set this cron (via wget or curl) to load the following case sensitive (!) URL:

[your_site_root]?ochsfw=refresh-cache&key=[Cron Secret]

Where [your_site_root] is the homepage of your website, and [Cron Secret] is the Cron Secret you configured.