Requirements

  • Joomla! 5.3, Joomla! 5.4: PHP 8.1, PHP 8.2, PHP 8.3, PHP 8.4
  • Joomla! 6.0, Joomla! 6.1: PHP 8.3, PHP 8.4, PHP 8.5

  • Basic Joomla! knowledge available between the chair and the keyboard :)

Installation is easy!

  1. Download the package
  2. In the back-end, go to menu Extensions > Manage
  3. In the tab [Upload file package], click [browse] and select your downloaded package
  4. Click [Upload & Install] and wait for the installation to finish

Basic setup

  1. [not required] Create (hidden) menu item for Override Page: in Menu manager add a new menu item in the menu you want to add it to:
    1. Title: e.g. "Override"
    2. Menu item Type, click [Select] > ochSimpleFirewall > Override
    3. Status: Published
    4. Access: Public
  2. Enable Scheduled Tasks
    1. It is advised to configure the Task Scheduler to be triggered with a 'Web Cron': You set up a CRON job which accesses a special URL on your site every x minutes and tells Joomla to look for any pending tasks and execute them. This method is suitable for hosts which only allow URL-based pseudo-CRON, i.e. accessing a URL periodically.
      1. Go to your site's backend, System > Manage > Scheduled Tasks.
      2. Click on the Options button.
      3. Click on the Web Cron tab.
      4. Set the Web Cron option to Enabled.
      5. Click on the Save button on the toolbar.
      6. When the page reloads click on the Web Cron tab again.
      7. Copy the “Webcron Link (Base)” contents. It's a URL similar to https://[yourdomain]/component/ajax/?plugin=RunSchedulerWebcron&group=system&format=json&hash=[secretcode].
      8. Create a CRON job to access this URL every x minutes of every hour of every day.
    2. Enable:
      1. 'ochSimpleFirewall: Refresh Cache', when IP sets are enabled; schedule once a day
      2. 'ochSimpleFirewall: Refresh GeoIP', when using GeoIP / Country including / excluding; schedule once a week
      3. 'ochSimpleFirewall: Account Protection', when using Account Protection; schedule once a day
  3. Add your own IP Address to the Allow list:
    1. menu Components > ochSimpleFirewall > Allow/Block > click [new]
    2. Copy your IP Address (listed in the right sidebar) into the 'Address' field
    3. Set 'Address' Type: IP Address
    4. Set 'Action': 'Allow'
    5. Set 'Description': free text...
    6. Click [Save & Close]

Component Configuration

  • In the back-end go to menu Components > ochSimpleFirewall > Action logs.
  • In the component click on the [Options] button
    • Functionality is configured per Tab, click [Toggle Inline Help] for detailed descriptions
  • Click [Save & Close] and you are good to go

Activate Joomla! One Click update and change-log integration

When you install the extension, it will automatically integrate with the Joomla Updater for both updates and change-logs.

On first use, the Joomla updater will prompt you with a 'Download Key is missing!' message.

  1. On this site: Go to [Tools > My Account > My Download Keys], and copy your Download ID#.
  2. On your site: Go to System > Update Sites, locate the extension, and paste the Download ID into the 'Download Key' field. Click [Save and Close].

Important:
If you're using this Download ID on a new server, you’ll receive an email to approve the device. Click the link in the email to enable downloads from this server.
Without approval, updates won’t be authorized, and the Joomla updater will display a 401 Unauthorized error when trying to fetch updates.

That’s it! You're all set.

  • DryRun: when enabled, the log file shows what would have been blocked. This lets you test your configuration without impact on visitors.
  • Enable Protection On: Here you can configure to enable protection on the site (front-end), administrator (back-end), or both.
  • Block Mode: configure what to do when a Visitor is blocked:
    • Show nothing (white page) with a 403 (not allowed) header
    • Show a message "Your connection to this website has been blocked by our firewall. [a.b.c.d]" with a 403 (not allowed) header
    • Redirect the offender to an external website: e.g. google.com with a 303 (redirect other) header.
    • Allow Override: prompt the blocked visitor with a form to temporarily whitelist himself (important: working captcha highly recommended / required)
  • Email site administrator: select 'Yes' if you want to be mailed when a blocked visitor does a manual override.
  • Exclude URLs: here you can configure a URL (or part of one), or several separated by commas, that should never be blocked by the firewall. This enables you to minimize the impact of a false positive.
  • Cache Lifetime (Hours): set to the configured scheduled task 'ochSimpleFirewall: Refresh cache' schedule + 1 hour. e.g. set to 25 when scheduled task is run daily

The offending IP Addresses are gathered, maintained and sourced by FireHOL, a firewall for humans!

FireHOL publishes hundreds of sets. This component includes a subset of them: sets that each combine multiple other sets. Each set serves a specific category of traffic:

Attackers

  • firehol_level1: "This IP list is a composition of other IP lists.
    The objective is to create a blacklist that can be safe enough to be used on all systems, with a firewall, to block access entirely, from and to its listed IPs.
    The key prerequisite for this cause, is to have no false positives. All IPs listed should be bad and should be blocked, without exceptions."
  • firehol_level2: "An ipset made from blocklists that track attacks, during about the last 48 hours. (includes: blocklist_de dshield_1d greensnow)"
  • firehol_level3: "An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs that have been reported or detected in the last 30 days. (includes: bruteforceblocker ciarmy dshield_30d dshield_top_1000 malc0de maxmind_proxy_fraud myip shunlist snort_ipfilter sslbl_aggressive talosintel_ipfilter zeus vxvault)"
  • firehol_level4: "An ipset made from blocklists that track attacks, but may include a large number of false positives. (includes: blocklist_net_ua botscout_30d cruzit_web_attacks cybercrime haley_ssh iblocklist_hijacked iblocklist_spyware iblocklist_webexploit ipblacklistcloud_top iw_wormlist malwaredomainlist)"
  • firehol_webserver: "A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous). (includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic)"

Malware

  • firehol_webclient: "An IP blacklist made from blocklists that track IPs that a web client should never talk to. This list is to be used on top of firehol_level1. (includes: ransomware_online sslbl_aggressive cybercrime dyndns_ponmocup maxmind_proxy_fraud)"

Spam

  • firehol_abusers_30d: "An ipset made from blocklists that track abusers in the last 30 days. (includes: cleantalk_new_30d cleantalk_updated_30d php_commenters_30d php_dictionary_30d php_harvesters_30d php_spammers_30d stopforumspam sblam)"
  • cleantalk_30d: "Today's HTTP Spammers (includes: cleantalk_new_30d cleantalk_updated_30d)"
  • botscout_30d: "BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots."
  • stopforumspam: "StopForumSpam.com Banned IPs used by forum spammers"

Cloud Service IP Sets

  • Amazon Web Services: A complete list of AWS web servers. Use this when you only want real visitors and not (malicious) web applications
  • Google User Content (Web Services): A complete list of Google User Content web servers: Use this when you only want real visitors and not (malicious) web applications
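
An added example, not part of ochSimpleFirewall: a small offline audit in Python that loads sets in the FireHOL .netset layout and reports which sets would match addresses already seen in your logs, and which sets never match. The set excerpts, the visitor addresses and the rule that Allow entries are evaluated before any IP set are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Constructed excerpts in the FireHOL .netset layout: '#' comment lines, then
# one IPv4 address or CIDR range per line (documentation ranges, not real data).
SAMPLE_SETS = {
    "firehol_level1": "# constructed excerpt\n192.0.2.0/24\n198.51.100.17\n",
    "cleantalk_30d": "# constructed excerpt\n198.51.100.17\n203.0.113.64/26\n",
    "stopforumspam": "# constructed excerpt\n203.0.113.250\nnot-an-address\n",
}


def parse_netset(text):
    """Return the networks in one set, skipping comments, blanks and bad lines."""
    networks = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # one malformed line must not discard the whole set
    return networks


def audit(visitors, raw_sets, allow=()):
    """Classify each visitor IP and count hits per set.

    Assumption: Allow-list entries are evaluated before any IP set.
    Returns (decisions, hits, unused_sets).
    """
    sets = {name: parse_netset(text) for name, text in raw_sets.items()}
    allowed = [ipaddress.ip_network(a, strict=False) for a in allow]
    hits = Counter({name: 0 for name in sets})
    decisions = {}
    for ip in visitors:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            decisions[ip] = ("allow", [])
            continue
        matched = [n for n, nets in sets.items() if any(addr in x for x in nets)]
        hits.update(matched)
        decisions[ip] = ("block" if matched else "pass", matched)
    unused = sorted(name for name, count in hits.items() if count == 0)
    return decisions, dict(hits), unused


if __name__ == "__main__":
    # Constructed visitor addresses, e.g. taken from a few days of access logs.
    seen = ["192.0.2.10", "198.51.100.17", "203.0.113.70", "203.0.113.200"]
    decisions, hits, unused = audit(seen, SAMPLE_SETS, allow=["203.0.113.70"])
    for ip, (verdict, names) in decisions.items():
        print(f"{ip:15} {verdict:5} {', '.join(names)}")
    print("hits per set:", hits)
    print("sets with no hits:", unused)
```

A set that never appears in the hit counts over a representative period only adds cache-build time, and an address that matches a set but belongs to a legitimate visitor is a candidate for the Allow list.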

Read the Tips and Tricks for advice on what to configure and how to monitor!

Read more on this feature in this blog: Use Case: Actively inspect your website traffic and block hackers

  • Select the enabled Active Scanner rulesets:
    • Request URI Rule Sets
    • Query String Rule Sets
    • User Agent Rule Sets
    • User Agent Crawler Rule Sets
    • User Agent AI Bot Rule Sets
  • Specify the disabled Rule Sets ID: you can find these in the ochSimpleFirewall log file, e.g. RU-0015.
  • Collect Abusers: Select 'Yes' to add Abusers that are NOT on another ipset to collected_blocklist or 'Always' to always add Abusers to collected_blocklist. By doing this, they will be blocked for further and future access to your site.

The collected_blocklist IP Addresses can be managed via menu Component > ochSimpleFirewall > Allow/Block

ochSimpleFirewall ships with the set of MaxMind GeoIP netsets that was the latest at the time of release. With these GeoIP NetSets you can select which countries to block (or allow) via ochSimpleFirewall.

MaxMind GeoIP netsets can be periodically updated to the latest version, either manually or automatically via the scheduled task 'ochSimpleFirewall: Refresh GeoIP'. To download new GeoIP netsets, you need a free MaxMind account and a free MaxMind license key.

  1. Create a free MaxMind Account: https://www.maxmind.com/en/geolite2/signup
  2. Log in with your new account
  3. In the left navigation menu, go to Services > 'My License Key' and click [Generate new license key]
  4. Enter your description for the license key and select Yes on 'Will this key be used for GeoIP Update?'
  5. Select the option 'Generate a license key and config file for use with geoipupdate version 3.1.1 or newer.' and click the [Confirm] button.
  6. In the ochSimpleFirewall configuration, enable GeoIP NetSets in the tab GeoIP NetSets
  7. Copy the generated license key into the field 'MaxMind License key' on the ochSimpleFirewall tab GeoIP NetSets

ochSimpleFirewall can now download and process the updated GeoIP netsets. Once downloaded and processed you can select which countries to block via ochSimpleFirewall.

  1. Make sure ochSimpleFirewall is enabled and running: this is important as this is required for downloading and processing.
  2. In the tab GeoIP NetSets, set 'Enable GeoIP NetSets' to enabled; several options will appear
  3. Block or Allow will either block the selected countries and allow all others, or allow the selected countries and block all others
  4. Set 'Download GeoIP NetSets' to 'Yes' and click [Save] to start the download and conversion of the GeoIP NetSets (this can take some time; please wait until you get a success or fail message)
    When the download is successful, 'Download GeoIP NetSets' is automatically switched back to 'No' to avoid repeated downloads when saving the plugin.
  5. When the download has succeeded, the drop-down list 'Block Countries' is filled with all the countries; select one or more that you want to block.
  6. Mail Cron Result: send mail on completion to the site administrator: No, Only on error, Always

When enabling Administrator Area Protection, the username(s) and password(s) you specified here will be requested by your browser before your regular Joomla! Administrator login is displayed. Administrator Protection works at server level, using a .htaccess file in your site's administrator folder. Your server must support directory password protection with .htaccess files for this protection to have any effect.

Because this is a Server Level protection, it protects your Administrator area even if you disable or uninstall ochSimpleFirewall.
If for any reason your administrator area becomes inaccessible, or you need to remove the password protection without having access to this plugin, you will need to delete the .htaccess and .htpasswd files from the administrator directory of your site using FTP or your host's File Manager.

  • Enable Administrator Protection: Enable or disable Administrator protection
  • Reset Custom Error Pages: Restores Apache's custom error pages for HTTP 401 and 403 to their default configurations. This avoids a 404 Article Not Found error when accessing the administrator login page after activating the Administrator Password Protection feature. It is highly recommended to keep this option enabled, unless it triggers an HTTP 500 Internal Server Error.
  • Authentication prompt: configure the text that will be used in the authentication prompt
  • Allow from IP: You can configure IP exceptions; visitors from these addresses will NOT be prompted for a username / password
  • Credentials: create one or more username / password credentials

When you click [Save], you will immediately be prompted with the (new) authentication prompt: you must log in with your created credentials to complete the saving of the plugin settings. When the login is successful, your browser session is authenticated. You will only be prompted to log in again after you close your browser and start a new session.

When enabling User notifications, your users will get notified of crucial account activities so they can take appropriate action.

You can enable the following setting:

  • Only Site Administrator(s): for testing / stealth reporting, only site administrator(s) will get the notification, not the users
  • BCC Site Administrator(s): when emailing users, send a BCC to the site administrator(s)
  • Password Change: email on password change (via front-end only)
  • Email Change: email on email change (front-end only). Mail is sent to the last known email account
  • New Device / Location login: email on login (both front-end and back-end) on new device (based on hashed IP address)
    • Send on First Login: send email on first login, or only on new devices after first login
    • Expire Known Device: the number of days to mark a device as known, set to 0 to disable expiring of the device.
  • Protect Account Login: restrict simultaneous logins with one account to a maximum
  • Protect User Accounts: expire (block or require password reset for) user accounts not used within configured number of days
    • User Account Protection is enforced via a Scheduled Task (ochSimpleFirewall: Account Protection).
      The advised task frequency is once per day.

Site Copy protection loads a small JS script on your site that checks the domain name in the URL of your pages. When your site gets copied, this script will notice that the domain name is different and will automatically redirect the visitor of the copied site to your homepage.

  • Enable Site Copy Protection: Yes / No
  • Redirect Visitor: Redirect the visitor on the Copied Site to your home page. Note: this setting is copied together with the complete copied page so it needs to be set before the site gets copied.
  • Report to Logfile: The visited (copied) URL will be reported in the logfile. Note that 'Redirect Visitor' needs to be turned on for this feature.

Action Logs logs all blocked and whitelisted IP addresses. This data is used for creating the graphs.

  • Retention Days: Configure the number of days to keep in the Action Logs. Older entries will be removed automatically.
  • Fail2Ban Log: Fail2Ban is an intrusion prevention software framework. Fail2ban operates by monitoring configured log files for selected IP Addresses and blocking them using your server's firewall rules. When enabled, all blocked IP Addresses will be logged to ochsimplefirewall-fail2ban log. You need to configure fail2ban with a JAIL and FILTER to automatically block all IP Addresses in that logfile.
  • Debug: Errors are always logged to your logs directory in plg_system_ochsimplefirewall-log.php. When debug is enabled, info and warnings are logged as well, showing you for example which IP addresses are blocked and by what IP set, what URL they were trying to visit, whether the cache is created correctly, who is accessing your site and is whitelisted, etc. Use this to get a good understanding of which IP Sets are best (or unused) for your site profile.
  • Enable POST data logging: select:
    • No (turned off)
    • Yes, log only POST data without valid CSRF Token
    • Yes, log all POST data
  • Exclude WhiteListed: Select Yes to exclude POST data logging from whitelisted IP addresses.
  • Administrators Email(s): Configure the Administrators Email(s), comma separated or each email on a new line. Leave empty to use Emails from User Accounts which have enabled 'Receive System Emails'.

ochSimpleFirewall version 3 (and lower) was implemented as a system plugin only.

When installing ochSimpleFirewall package version 4.0 and higher on a system that has the old plugin installed the following actions are executed:

Automatic:

  • ochSimpleFirewall plugin settings are imported into the new component options
    • A backup of all the settings in the ochSimpleFirewall plugin is copied to file: [site root]/tmp/plugin-ochsimplefirewall-params-[epoch timestamp].json
  • The IP addresses in collected_blacklist.ipset are imported as blocked IP addresses
    • A backup is made of the collected_blacklist in file: [site root]/tmp/plg_system_ochsimplefirewall_collected_blacklist.ipset
  • Whitelisted IP Addresses in ochSimpleFirewall plugin are imported as allowed IP Addresses
  • Whitelisted Hostnames in ochSimpleFirewall plugin are imported as allowed Hostname addresses

Manual / validate:

  • Validate component options: menu Component > ochSimpleFirewall > click [options], are the settings correct?
  • Validate whitelisted IP Addresses and host names: menu Component > ochSimpleFirewall > Allow/Block > filter on 'Allow'
  • Account protection emails were implemented in ochSimpleFirewall via language strings; these are now implemented via Joomla Mail templates. If you made changes via language overrides, check if these emails are still correct: menu System > Templates > Mail Templates
  • Create a (hidden) menu item for the Override page and check if this page is displaying correctly using the test parameter: [your domain]/?ochsfw=test-override
    • is the page displaying correctly
    • is the captcha displaying (not when invisible)
    • is the page URL correctly pointing to the menu item you created for it
  • Remove / disable the cron jobs you had running for the ochSimpleFirewall plugin (refresh-cache, download-geoip and protect-users)
    • configure Joomla Scheduled Tasks execution, preferably via Web Cron: menu System > Manage > Scheduled Tasks > click [options]
    • enable and set the execution schedule of the 'ochSimpleFirewall: ...' Scheduled Tasks

Tips & Tricks

  • Always add your own IP address to the whitelist.
  • Start with the following IP Sets enabled:
    • Attacks: firehol_level1 + firehol_webserver
    • Malware: firehol_webclient
    • Spam: cleantalk_30d, botscout_30d
  • The StopForumSpam IP set is very large (in size) because it holds few ranges and many individual addresses. The hit level on our own sites is very low.
  • Always start with the debug setting on. Monitor the log file for a couple of days to get a good understanding of the time needed to create the cache files (so you can configure a good Cache lifetime value) and to get insight into which IP sets are used (the most) or not used at all. The IP Sets that are not used can be disabled in the configuration, as they only add to the overhead.
  • Monitor all Blocked IP Addresses. The hostname for these IP addresses is logged as well (when it can be resolved). Check that you are not blocking legitimate traffic. E.g. the IP address(es) for googlebot.com are sometimes in an IP set and in that case will be blocked, resulting in your site not being crawled by the Google search engine crawler. You can add these 'false positives' to the Allow list or better yet (as Google sometimes changes IP ranges) to the Allow list Hostnames configuration field.
  • Note that the session is checked against the enabled IP sets. That means that for every visitor only the entry page to your site is checked, the result is stored in the session keeping the load on your server to an absolute minimum.
  • Active Scanner, disabled rules:
    • QS-0030 > this will block when selecting an article via a modal in the administrator area
  • End User Emails can be changed via System > Templates > Mail Templates > 'ochSimpleFirewall: ...'
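
An added example, not part of ochSimpleFirewall, for the hostname allow-listing tip above. A PTR record is controlled by whoever owns the IP range, so a hostname rule is only trustworthy when the name is matched on a label boundary and also resolves back to the same address (forward-confirmed reverse DNS). The page does not state whether the component performs this confirmation; the function names and the constructed DNS records below are assumptions for illustration.

```python
import ipaddress
import socket


def reverse_lookup(ip):
    """PTR name for ip, or None when it does not resolve."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def forward_lookup(host):
    """Addresses the host name resolves to (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()


def suffix_matches(host, allowed):
    """True if host equals an allowed name or is a subdomain of it."""
    # Anchored on a label boundary: 'evilgooglebot.com' and
    # 'googlebot.com.example.net' must not pass for 'googlebot.com'.
    host = host.rstrip(".").lower()
    names = (name.strip(".").lower() for name in allowed)
    return any(host == n or host.endswith("." + n) for n in names)


def hostname_allowed(ip, allowed, reverse=reverse_lookup, forward=forward_lookup):
    """Forward-confirmed reverse DNS: PTR must match and resolve back to ip."""
    host = reverse(ip)
    if not host or not suffix_matches(host, allowed):
        return False
    want = ipaddress.ip_address(ip)
    for candidate in forward(host):
        try:
            if ipaddress.ip_address(candidate) == want:
                return True
        except ValueError:
            continue  # skip anything that is not a plain address
    return False


# Constructed DNS data (documentation ranges) standing in for live lookups.
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
    "203.0.113.5": "crawl-192-0-2-10.googlebot.com",  # PTR not backed by an A record
    "203.0.113.6": "googlebot.com.example.net",
}
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"}}


def demo(ip):
    """Run the check against the constructed records instead of real DNS."""
    return hostname_allowed(ip, ["googlebot.com"], PTR.get,
                            lambda h: A.get(h.rstrip("."), set()))
```

Running `hostname_allowed(ip, ["googlebot.com"])` without the last two arguments uses live DNS, which is a way to review addresses from the Action Logs before adding a hostname to the Allow list.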

Technical support and feature requests via our forum (You need a valid subscription to be able to post)