• Roberto Jobet

    (@robertojobet)


    Dear Sirs,

    Looking further into NinjaWP docs, I found out that with .htninja file
    it’s possible to create custom rules to use with the FW engine.

    I’ve put this file in public_html folder and it’s loaded correctly by
    the FW (see attached screenshot).

    I was doing some tests using a WPScan web service
    (https://hackertarget.com/wordpress-security-scan/) and trying to block
    some IPs I found looking at the FW’s log.

    Here’s the rule that I used from your .htninja-sample file:

    $ip_array = array( '104.237.147.13', '104.237.147.13', '104.211.30.57', '34.230.71.33' );
    if ( in_array( $_SERVER["REMOTE_ADDR"], $ip_array ) ) {
        return 'BLOCK'; // blacklist
    }

    However, when running the scan service nothing happens… IPs are not
    blocked…

    Am I missing something? Do I have to set something else in .htninja
    file?

    Thanks for any help!

    Best regards

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author nintechnet

    (@nintechnet)

    What kind of files are you scanning? NinjaFirewall is a PHP firewall, so if you scan PHP and HTML files, it will block you. If you scan .txt or .gif files for instance, it won’t block you.

    Roberto Jobet

    (@robertojobet)

    Hi,

    This is an example of what WPscan does and what NinjaFW logs:

    03/Sep/19 23:08:43 #2647995 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=1] – wpninja.sicurezza-wordpress.it
    03/Sep/19 23:08:43 #7373199 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=2] – wpninja.sicurezza-wordpress.it

    With the rule included in .htninja file, this IP should be blocked by this rule, right?

    Why is this rule not triggered by NinjaFW?

    Regards

    Roberto Jobet

    (@robertojobet)

    Here are some other attempts logged by NinjaFW live log:
    [04/Sep/19:22:27:15 +0200] – 104.211.30.57 “GET /” “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36” “-” “wpninja.sicurezza-wordpress.it”
    [04/Sep/19:22:27:18 +0200] – 104.237.147.13 “GET /readme.html” “-” “Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11” “-” “wpninja.sicurezza-wordpress.it”
    [04/Sep/19:22:27:18 +0200] – 104.237.147.13 “GET /wp-content/uploads/” “-” “Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11” “-” “wpninja.sicurezza-wordpress.it”
    [04/Sep/19:22:27:18 +0200] – 104.237.147.13 “GET /wp-content/plugins/” “-” “Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11” “-” “wpninja.sicurezza-wordpress.it”

    Plugin Author nintechnet

    (@nintechnet)

    The GET /index.php should be blocked indeed.
    Maybe there’s a syntax error in your .htninja? Make sure it starts with the <?php tag.

    This is the code to add to the .htninja:

    <?php
    $ip_array = array( '104.237.147.13', '104.237.147.13', '104.211.30.57', '34.230.71.33' );
    if ( in_array( $_SERVER['REMOTE_ADDR'], $ip_array ) ) {
       return 'BLOCK'; // blacklist
    }
    
    Roberto Jobet

    (@robertojobet)

    Hi,
    I’m using the .htninja-sample file.
    The code you sent me is the same I sent you.

    NinjaFW log still shows the remote WPscan attempt:
    05/Sep/19 18:49:40 #4302844 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=1] – wpninja.sicurezza-wordpress.it
    05/Sep/19 18:49:40 #4259313 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=2] – wpninja.sicurezza-wordpress.it

    These lines mean that NinjaFW is *not* blocking these scannings?

    Roberto Jobet

    (@robertojobet)

    Please note that in my case the configuration file path is: /home/user/public_html/.htninja

    The setting you recommend (/home/user/.htninja ) didn’t work in my case (Overview’s configuration file line empty).

    Maybe this has something to do with the problem I have with the blocking code?

    Plugin Author nintechnet

    (@nintechnet)

    These lines mean that NinjaFW is *not* blocking these scannings?

    It is blocking them. But they should be blocked earlier by the .htninja.
    It looks like your .htninja is not loaded.
    Try the following:
    1. Add this line of code to your .htninja (before any other line of code):

    define( 'NFW_ALLOWED_ADMIN', '**you**' );
    

    Replace **you** with your admin login name.
    2. Log in to WordPress, click on the “Overview” page. Do you see this line: Restrictions: Access to NinjaFirewall is restricted to specific users.

    If you see it, the .htninja is loaded. If you don’t see it, the .htninja is not loaded.
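
Added example, not part of the thread and not NinjaFirewall code: going by the plugin author's last reply, a request from an address in the .htninja list should be stopped before the firewall rules run, so a rule entry such as "User enumeration scan" for that address indicates the .htninja rule did not fire. This Python script parses firewall log lines in the format quoted in the thread and lists such entries; the regular expression is inferred from those quoted lines, and the third sample line is constructed.

```python
import ipaddress
import re

# Addresses from the .htninja rule quoted in the thread.
BLOCKLIST = {"104.237.147.13", "104.211.30.57", "34.230.71.33"}

# Constructed sample: two firewall log lines from the thread, plus one
# invented entry (203.0.113.9, #1000001) from an address not on the list.
SAMPLE_LOG = """\
05/Sep/19 18:49:40 #4302844 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=1] – wpninja.sicurezza-wordpress.it
05/Sep/19 18:49:40 #4259313 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=2] – wpninja.sicurezza-wordpress.it
05/Sep/19 18:50:02 #1000001 HIGH – 203.0.113.9 GET /index.php – User enumeration scan (author archives) – [author=1] – wpninja.sicurezza-wordpress.it
"""

SEP = r" [-\u2013] "  # field separator: hyphen, or the en dash shown on the forum page
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\w{3}/\d{2} \d{2}:\d{2}:\d{2}) #(?P<id>\d+) (?P<level>\w+)" + SEP
    + r"(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+)" + SEP
    + r"(?P<rule>.+?)" + SEP + r"\[(?P<detail>.*?)\]" + SEP + r"(?P<host>\S+)$"
)


def parse_line(line):
    """Split one firewall log line into named fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def blocklisted_hits(log_text, blocklist):
    """Map each blocklisted IP to the rule-level log entries it still produced."""
    wanted = {ipaddress.ip_address(ip) for ip in blocklist}
    hits = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        try:
            ip = ipaddress.ip_address(entry["ip"])
        except ValueError:
            continue  # malformed address field, skip rather than guess
        if ip in wanted:
            hits.setdefault(str(ip), []).append(
                f'{entry["ts"]} {entry["rule"]} [{entry["detail"]}]')
    return hits


if __name__ == "__main__":
    for ip, entries in blocklisted_hits(SAMPLE_LOG, BLOCKLIST).items():
        print(f"{ip}: {len(entries)} request(s) reached the firewall rules; "
              "the .htninja rule did not stop them first")
        for e in entries:
            print("   ", e)
```

An empty result for a period in which the listed addresses were scanning is consistent with the .htninja rule taking effect; the "Overview" check described in the reply above remains the direct test of whether the file is loaded.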

  • The topic ‘Block a remote IP’ is closed to new replies.