• Dear Sirs,

    Looking further into NinjaWP docs, I found out that with .htninja file
    it’s possible to create custom rules to use with the FW engine.

    I’ve put this file in public_html folder and it’s loaded correctly by
    the FW (see attached screenshot).

    I was doing some tests using a WPScan web service
    (https://hackertarget.com/wordpress-security-scan/) and trying to block
    some IP I found looking at FW’s log.

    Here’s the rule that I used from your .htninja-sample file:

    $ip_array = array( ‘104.237.147.13’ , ‘104.237.147.13’ , ‘104.211.30.57’
    , ‘34.230.71.33’ );
    if ( in_array( $_SERVER[“REMOTE_ADDR”], $ip_array ) ) {
    return ‘BLOCK’; // blacklist
    }

    However, running the scan service nothing happens…. IPs are not
    blocked…

    Am I missing something? Do I have to set something else in .htninja
    file?

    Thanks for any help!

    Best regards

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author nintechnet

    (@nintechnet)

    What kind of files are you scanning? NinjaFirewall is a PHP firewall, so if you scan PHP and HTML files, it will block you. If you scan .txt or .gif files for instance, it won’t block you.

    Hi,

    This is an example of what WPscan does and what NinjaFW logs:

    03/Sep/19 23:08:43 #2647995 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=1] – wpninja.sicurezza-wordpress.it
    03/Sep/19 23:08:43 #7373199 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=2] – wpninja.sicurezza-wordpress.it

    With the rule included in .htninja file, this IP should be blocked by this rule, right?

    Why this rule is not triggered by NinjaFW?

    Regards

    Here are some other attempts logged by NinjaFW live log:
    [04/Sep/19:22:27:15 +0200] – 104.211.30.57 “GET /” “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36” “-” “wpninja.sicurezza-wordpress.it”
    [04/Sep/19:22:27:18 +0200] – 104.237.147.13 “GET /readme.html” “-” “Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11” “-” “wpninja.sicurezza-wordpress.it”
    [04/Sep/19:22:27:18 +0200] – 104.237.147.13 “GET /wp-content/uploads/” “-” “Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11” “-” “wpninja.sicurezza-wordpress.it”
    [04/Sep/19:22:27:18 +0200] – 104.237.147.13 “GET /wp-content/plugins/” “-” “Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11” “-” “wpninja.sicurezza-wordpress.it”

    Plugin Author nintechnet

    (@nintechnet)

    The GET /index.php should be blocked indeed.
    Maybe there’s a syntax error in your .htninja? Make sure it starts with the <?php tag.

    This is the code to add to the .htninja:

    <?php
    $ip_array = array( '104.237.147.13', '104.237.147.13', '104.211.30.57', '34.230.71.33' );
    if ( in_array( $_SERVER['REMOTE_ADDR'], $ip_array ) ) {
       return 'BLOCK'; // blacklist
    }
    

    Hi,
    I’m using the .htninja-sample file.
    The code you sent me is the same I sent you.

    NinjaFW log still shows the remote WPscan attempt:
    05/Sep/19 18:49:40 #4302844 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=1] – wpninja.sicurezza-wordpress.it
    05/Sep/19 18:49:40 #4259313 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=2] – wpninja.sicurezza-wordpress.it

    These lines mean that NinjaFW is *not* blocking these scannings?

    Please note that in my case the configuration file path is: /home/user/public_html/.htninja

    The setting you recommend (/home/user/.htninja ) didn’t work in my case (Overview’s configuration file line empty).

    This maybe has something to do with the problem I have with blocking code?

    Plugin Author nintechnet

    (@nintechnet)

    These lines mean that NinjaFW is *not* blocking these scannings?

    It is blocking them. But they should be blocked earlier by the .htninja.
    I looks like your .htninja is not loaded.
    Try the following:
    1. Add this line of code to your .htninja (before any other line of code):

    define( 'NFW_ALLOWED_ADMIN', '**you**' );
    

    Replace **you** with your admin login name.
    2. Log in to WordPress, click on the “Overview” page. Do you see this line: Restrictions: Access to NinjaFirewall is restricted to specific users.

    If you see it, the .htninja is loaded. If you don’t see it, the .htninja is not loaded.

Viewing 7 replies - 1 through 7 (of 7 total)
  • You must be logged in to reply to this topic.