Post by JNeuhoff » Fri Nov 19, 2021 6:04 pm

Perhaps your 404 page triggers additional requests to retrieve other components of your 404 page. But you should always see an initial 404 response in your access log.

Override Engine * Integrated VQMod * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Rich Snippets * Google Tag Manager * Export/Import Tool * SpamBot Buster * Survey Plus


Post by JNeuhoff » Wed Nov 24, 2021 10:27 pm

I just changed the original thread title, removing the '[SOLVED]' prefix.

Reason for this: We have tried the Bitninja WAF. It repels about 90% or so of the bruteforce attackers' POST requests, but that still leaves too many to slip through to our websites. Some of Bitninja's rules are based on an old Google reCaptcha, an invisible captcha, and/or a honeypot trap. These may be good enough for rejecting simple spambots, but are insufficient for bruteforce attacks. Ours resulted in over a million gray-listed IP addresses in a matter of a few weeks.

Also, the Bitninja caused some 405 errors, especially for Safari web browser users. Safari has known autofill bugs anyway, so server-side honeypot traps often result in false rejections for Safari.

So it's back to square one: A decent WAF is needed here!

BTW.: This simple PHP script in our admin/index.php rejects the bruteforce attackers' POST requests to the /admin quite effectively:

Code:

// Block the exact User-Agent string the attacking bots send.
if ($_SERVER['HTTP_USER_AGENT'] == 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0') {
	header('HTTP/1.0 403 Forbidden');
	exit;
}
// OpenCart admin requests normally carry a query string (route=...);
// a POST to /admin without any query string is not a legitimate admin request.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
	if (empty($_GET)) {
		header('HTTP/1.0 403 Forbidden');
		exit;
	}
}
But such a rule should really be implemented on a firewall level!


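An added example (not from this thread, OpenCart or any firewall product) that replays the same decision rule from the PHP snippet above over constructed access-log lines, so the rule can be dry-run against a real log and its hit rate per client IP checked before it is deployed. The combined log format, the RFC 5737 sample addresses and the helper names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The exact User-Agent string the thread's PHP rule blocks.
BLOCKED_UA = ("Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) "
              "Gecko/20100101 Firefox/62.0")

# Apache/nginx "combined" log format (assumed; adjust to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Nov/2021:10:27:01 +0000] "POST /admin/index.php HTTP/1.1" 403 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
203.0.113.7 - - [24/Nov/2021:10:27:02 +0000] "POST /admin/index.php HTTP/1.1" 403 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.51.100.4 - - [24/Nov/2021:10:28:00 +0000] "POST /admin/index.php HTTP/1.1" 302 0 "-" "curl/7.68.0"
192.0.2.10 - - [24/Nov/2021:10:30:00 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "https://shop.example/admin/" "Mozilla/5.0 (Windows NT 10.0) Firefox/94.0"
192.0.2.10 - - [24/Nov/2021:10:30:05 +0000] "GET /admin/index.php?route=common/dashboard&user_token=abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/94.0"
192.0.2.11 - - [24/Nov/2021:10:31:00 +0000] "POST /index.php?route=checkout/cart/add HTTP/1.1" 200 80 "-" "Mozilla/5.0"
not a log line
"""

def should_reject(method, target, user_agent):
    """Same decision as the thread's admin/index.php rule: drop the fixed
    User-Agent, and drop POSTs that carry no query string (an OpenCart admin
    POST normally targets index.php?route=...; assumption about your setup)."""
    if user_agent == BLOCKED_UA:
        return True
    return method == "POST" and urlsplit(target).query == ""

def scan_log(lines):
    """Count, per client IP, the /admin requests the rule would reject.
    Returns (Counter of rejected requests by IP, number of unparseable lines)."""
    hits, unparsed = Counter(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        if not urlsplit(m["target"]).path.startswith("/admin"):
            continue  # only the admin area is covered by the rule
        if should_reject(m["method"], m["target"], m["ua"]):
            hits[m["ip"]] += 1
    return hits, unparsed
```

Feed `scan_log()` the lines of your real access log and compare the per-IP counts against known legitimate admin users before enabling the rule; a non-zero second return value means some lines did not match the assumed log format.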
Post by OSWorX » Wed Nov 24, 2021 11:25 pm

JNeuhoff wrote:
Wed Nov 24, 2021 10:27 pm
..
So it's back to square one: A decent WAF is needed here!
..
As written prior: viewtopic.php?f=179&t=225771#p829883
May cost around 250,- Euro per month (and you should own the server by yourself), this money is worth every Cent.

Because: those stupid script kiddies will never give up.

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.


Post by Zanato » Fri Nov 26, 2021 9:28 pm

Astra offer a firewall for $20/month. I've no affiliation and haven't used them myself. I'm just shopping around and they look good.

https://www.getastra.com/pricing


Post by EvolveWebHosting » Sat Nov 27, 2021 11:33 am

Zanato wrote:
Fri Nov 26, 2021 9:28 pm
Astra offer a firewall for $20/month. I've no affiliation and haven't used them myself. I'm just shopping around and they look good.

https://www.getastra.com/pricing
Astra is very good and we are partnered with them. $20 / month is if you pay for a year up front. Now through Nov 30th, we are offering 1 year for $179.88 - After Nov 30th, 1 year will be $16.99/month paid Annually ($203.88)

https://www.evolvewebhost.com/security/astra

$2.75 per month hosting w/ DirectAdmin - free transfers
Detailed guide on how to install Opencart


Post by Khal » Wed Jan 12, 2022 1:12 am

@JNeuhoff
BTW.: This simple PHP script in our admin/index.php rejects the bruteforce attackers' POST requests to the /admin quite effectively:
Code:

if ($_SERVER['HTTP_USER_AGENT'] == 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0') {
	header('HTTP/1.0 403 Forbidden');
	exit;
}
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
	if (empty($_GET)) {
		header('HTTP/1.0 403 Forbidden');
		exit;
	}
}
But such a rule should really be implemented on a firewall level!
I have the BitNinja firewall and have been having hack attempts on Admin and the front-end. Can I just paste that code into my admin/index.php file like that?
What do you mean it has to be implemented on a firewall level?
I have oc 2.0.1.1
Thank you


Post by JNeuhoff » Wed Jan 12, 2022 1:48 am

Yes, just put this script at the beginning of your admin/index.php.

We gave up on Bitninja; it's not up to the task with this kind of bruteforce attack. It relies too much on outdated captchas.




Post by Khal » Wed Jan 12, 2022 2:10 am

Thank you for getting back to me.
I've added that code; hopefully it will stop some of the attacks.

BTW I meant I have Ninja Firewall, not BitNinja lol
I just added it today so I don't know how well it is performing.

I seem to notice small changes to some pages over a day or two, then the entire website is taken over. This has just started happening recently in the past week or so. But hopefully the firewall and this script will be enough to resolve it. I have also added the latest Google recaptcha 3

Thank you for the help


Post by JNeuhoff » Wed Jan 12, 2022 2:26 am

Just a quick thought: If you use the Ninja Firewall, then you could also add our script to its '.htninja' file. This way, you won't get an inflated server raw access log, because these rules would be on the firewall level now, instead of in the admin/index.php; see the docs.




Post by Khal » Wed Jan 12, 2022 2:51 am

JNeuhoff wrote:
Wed Jan 12, 2022 2:26 am
Just a quick thought: If you use the Ninja Firewall, then you could also add our script to its '.htninja' file. This way, you won't get an inflated server raw access log, because these rules would be on the firewall level now, instead of in the admin/index.php; see the docs.
Sounds good, I'll do that. Thank you!
