58 changes: 58 additions & 0 deletions lib/CleantalkSP/SpbctWP/Firewall/BFP.php
Expand Up @@ -2,8 +2,10 @@

namespace CleantalkSP\SpbctWP\Firewall;

use CleantalkSP\SpbctWP\DB;
use CleantalkSP\SpbctWP\Helpers\Helper;
use CleantalkSP\Security\Firewall\Result;
use CleantalkSP\SpbctWP\Helpers\IP;

class BFP extends FirewallModule
{
Expand All @@ -17,6 +19,7 @@ class BFP extends FirewallModule

protected $chance_to_clean = 100; // Chance to clean log table from old entries. In percents.
public static $is_checked = false;
protected $use_fw_personal_whitelists = false;

/**
* @psalm-suppress PossiblyUnusedProperty
Expand All @@ -33,6 +36,7 @@ public function __construct($params = array())
{
$params['count_period'] = $params['count_period'] ?: $this->count_period;
$params['block_period'] = $params['block_period'] ?: $this->block_period;
$this->use_fw_personal_whitelists = !empty($params['use_fw_personal_whitelists']) ?: $this->use_fw_personal_whitelists;

parent::__construct($params);
}
Expand All @@ -47,6 +51,11 @@ public function check()

if ( ( $this->is_login_page && ! $this->is_logged_in ) || ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST ) ) {
foreach ( $this->ip_array as $_ip_origin => $current_ip ) {
if ($this->use_fw_personal_whitelists && $this->isPersonalWhitelisted($current_ip)) {
//probably we should log this case
continue;
}

$rand = rand(1, 100000);
$md5_ip = md5($current_ip);
$query = "SELECT md5_ip as blocked
Expand Down Expand Up @@ -181,4 +190,53 @@ private function clearTable()
}
}
}

/**
* Check if the IP is whitelisted in the personal FW whitelist.
* @param $current_ip
* @return bool
*/
private function isPersonalWhitelisted($current_ip)
{
global $spbc;
$result = false;
$fw = new FW(
array(
'data_table__personal_countries' => SPBC_TBL_FIREWALL_DATA__COUNTRIES,
'log_table' => SPBC_TBL_FIREWALL_LOG,
'state' => $spbc,
'api_key' => $spbc->api_key,
)
);
$fw->setDb(new DB());
try {
$version = IP::validate($current_ip);
if ( $version === 'v6' ) {
//IPV6 handling logic
$db_results = $fw->ipv6GetResultsFromDb($current_ip);
} elseif ($version === 'v4') {
//IPV4 handling logic
$db_results = $fw->ipv4GetResultsFromDb($current_ip);
} else {
throw new \Exception('IP address record is invalid.');
}
} catch (\Exception $e) {
error_log('Security by CleanTalk. Firewall IP handling error: ' . $e->getMessage());
}
if (isset($db_results) && is_array($db_results)) {
foreach ($db_results as $_key => $result) {
if (
isset($result['is_personal']) &&
$result['is_personal'] === '1' &&
isset($result['status']) &&
$result['status'] === '1'
) {
$result = true;
break;
}
}
}

return $result;
}
}
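Review bot: In `isPersonalWhitelisted()` the loop `foreach ($db_results as $_key => $result)` reuses `$result`, the variable that holds the return value, so when the lookup returns rows and none of them is an active personal whitelist entry the method returns the last row array, which is truthy. `check()` then reaches `continue` and skips brute-force counting for that address, which would exempt any IP that merely has a firewall record, presumably including blacklisted ones. Iterate with a separate name, `foreach ($db_results as $row) {`, test `$row['is_personal']` and `$row['status']`, and keep `$result` as a bool from start to finish. The skip branch is also silent (`//probably we should log this case`); writing a log entry there would leave a trace whenever an address is exempted from login throttling.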
4 changes: 2 additions & 2 deletions lib/CleantalkSP/SpbctWP/Firewall/FW.php
Expand Up @@ -144,7 +144,7 @@ public function check()
* @param $ip
* @return array|null|object
*/
protected function ipv4GetResultsFromDb($ip)
public function ipv4GetResultsFromDb($ip)
{
$current_ipv4 = sprintf('%u', ip2long($ip));
$needles = IP::getNetworkNeedles([$current_ipv4]);
Expand Down Expand Up @@ -183,7 +183,7 @@ protected function ipv4GetResultsFromDb($ip)
* @return array
* @throws \Exception
*/
protected function ipv6GetResultsFromDb($ip)
public function ipv6GetResultsFromDb($ip)
{
$needles = IP::getNetworkNeedles(IP::getFourIPv4FromIP($ip));
$data_table__common_v6 = SPBC_TBL_FIREWALL_DATA_V6;
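Review bot: Making `ipv4GetResultsFromDb()` and `ipv6GetResultsFromDb()` public exposes helpers that trust their argument: the IPv4 one passes `$ip` straight to `ip2long()`, which returns false for a malformed address, and `sprintf('%u', false)` then yields `0` as the lookup value. The new caller in BFP.php validates with `IP::validate()` first, but nothing in the docblocks tells later callers that they must do the same. Either state the precondition in the docblock, e.g. `@param string $ip Address already checked with IP::validate()`, or reject invalid input at the top of each method. Both method bodies continue outside the visible hunks.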
1 change: 1 addition & 0 deletions security-malware-firewall.php
Expand Up @@ -585,6 +585,7 @@ function spbc_authenticate__check_brute_force()
'bf_limit' => $spbc->settings['bfp__allowed_wrong_auths'],
'block_period' => $spbc->settings['bfp__block_period__5_fails'],
'count_period' => $spbc->settings['bfp__count_interval'],
'use_fw_personal_whitelists' => true, //we can also manage it with settings
)
);
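Review bot: The added entry `'use_fw_personal_whitelists' => true` switches the whitelist exemption on for every install, so after the update failed logins from personally whitelisted addresses are no longer counted and there is no way to restore the previous behaviour. The inline comment already points at a setting; reading the flag from one, e.g. `'use_fw_personal_whitelists' => !empty($spbc->settings['<SETTING_KEY_PLACEHOLDER>']),`, with the default off would make the exemption an explicit choice by the site owner. The enclosing call in `spbc_authenticate__check_brute_force()` starts outside the hunk.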
