7G Firewall

010101

I'm sharing this 7G .htaccess firewall code from Perishable Press. This version is in beta. You can also google and find the previous version which is stable (6G).

https://perishablepress.com/7g-firewall/

I've used this for WordPress sites and I think it does help with security. So far, I haven't noticed or heard about false positives (good guys accidentally getting blocked).

I assume, it can be used for any type of website where you have a .htaccess file which is why I'm sharing and suggesting it for Flarum users. I added it to my Flarum root .htaccess file and again, no issues... yet...

clarkwinkelmann

Interesting. Too bad nobody did any benchmark on it, I'm very curious what penalty it could have on a website. Do you have any numbers from your own usage ?

Also I have some doubts about this rule:

RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]

Wouldn't this block all PUT and DELETE requests to the API ? I'm not sure if Flarum front-end uses the _method over POST trick that would work around that... But anyway it doesn't make sense to me to block those.

Also having a look at the anti-sql injection section, I'm pretty sure you can find multiple false positives on any forum dedicated to web development 😅 I doubt any of those is useful for Flarum because all queries are prepared and built with the Laravel Query builder, and also almost all data is sent as JSON anyway (not query string), and this "firewall" dones't appear to care about JSON at all.

I'm sure it would cause some headache to the admins or mods if they aren't aware of that "firewall", because a false positive page would likely be blocked from direct access, but would still be accessible from the discussion list because Flarum is a single page app and the discussion would be loaded via the API, which probably won't trigger the false positive.

If I find the time I want to do more testing with that, but my first impression is that many rules aren't useful at all against an app build with a modern framework like Laravel. They will catch bad guys, sure, but the tricks they were using weren't going to succeed anyway. If used in that way, this should be paired with a script to blacklist the IPs at least.

010101

clarkwinkelmann It was built by someone who seems very into WordPress. So, I'm sure it is designed mostly for a platform coded like WordPress is.

I don't have any data yet around how it works with Flarum.

The guy that made this has been doing it for many, many years and he seems to get a lot of positive feedback. But, you know more about Flarum than me so I believe you when you say that it's probably not necessary for Flarum.

I'll probably keep it in my .htaccess for now though because I haven't experienced any issues yet.

It also may be more for an inexperienced hacker maybe? You mentioned there being ways around certain things, but I guess if it stops an inexperience hacker or bot, it might be worth it. As long as it's not blocking real people from using the site. Which I don't know. My forum doesn't get any traffic. So I may never know. 😆

clarkwinkelmann

010101 some rules, mostly around null bytes might be useful depending on the operating system or software versions I guess, so this could still save the day. But I don't think any up to date versions of apache or php would allow that in the first place (at least, I hope 😬 ). If it was the case, there would be a CVE, a logo and a website assigned to it and the whole web would be in panic.

Or if you're running outdated software... Well you shouldn't and Flarum would likely not run on it anyway 😇

I'm wondering how people rate how good it is. Is it based on the optional logging you can add to the script ? Did they check it actually saved them from anything ? As I said above I'm sure plenty of malicious actors will be "catched" by the filters, but how many of these exploits would actually have worked against the website ?

That's more like "seeing" bad guys pass by. Not much more that can be done if your software is robust 🙃

I believe one useful case would be if you're running extensions (particularly for wordpress) made by inexperienced developers, who might have left open holes in their code, like direct command line or sql injection.

While this could totally apply to Flarum as well, the code quality here is very good. Even new developers make use of the framework helpers and so it's hard to leave such mistakes. The most dangerous aspect I believe is database but the use of the Laravel query builder and models make it pretty safe.

With sql injection pretty much impossible, the next possible mistakes are far more complex to detect, and not covered at all by those filters. It could be for example missing authorization checks or HTML injection through saved data in the backend.

Right now with Flarum we have plenty of experienced developers testing most of the third party extensions and usually noticing any issue with them, but it might become a bigger problem as the ecosystem grows and that untested extensions get downloaded by forum owners without much (if any) development experience.

In that regard, a firewall (running in Flarum, as an extension), or maybe a "code smell" running in the marketplace (once there is one) or just simple review of extensions will help mitigate this problem in our ecosystem. The Flarum firewall should definitely be JSON-aware and also mithril-aware, because the front-end of Flarum also has its own kind of possible injections.

Happy to hear other thoughts on the subject.