Ultimate Website Firewall [Stop Attacks On Your Website]

Amrik

New Member
With this script you can protect your Website against SQL injections, Http Ddos, Remote File Inclusion, Local File Inclusion, XSS attacks, Null Byte Injection, Flood DOS, CPU Over-Use, Bad User Agents, Bad Referer, Users using proxy server and many more online threats.

SQL injection protection
XSS attack protection
Malicious Code Finder
Remote File Inclusion protection
Guest Port Checking function
Local File Inclusion protection
Null Byte Injection protection
Flood DOS protection
CPU Over-Use protection
Bad Referer protection
Http Ddos protection
Users using proxy server protection
Bad User Agents protection
Database user blocking
.htaccess user blocking
Attack logs viewer
Banned Ip manager
Admin Account manager
Updates Manager

Authors:
BlackDream, hack8


Code:
http://img685.imageshack.us/slideshow/webplayer.php?id=14841494.png

Download: https://sourceforge.net/projects/web-firewall/
 

callumacrae

not alex mac
Community Support
PHP:
if (!defined('IN_SCRIPT'))
{
    header("HTTP/1.0 404 Not Found");
    exit;
}

This kind of code is old (PHP4 era) and should be avoided. When using OOP properly, the script will not be run, so you should be using OOP properly :)


PHP:
$tor_exit_node_list = '<?die;?>' . "\n" . '<!' . date('G') . '!>' . "\n" . $tor_exit_node_list;

When I first saw this code, my syntax highlighter displayed it wrong, taking the ?> as a closing tag, not part of the string. You could have an issue with this; I'd recommend splitting it up like so:

PHP:
$tor_exit_node_list = '<?die;?'.'>' . "\n" . '<!' . date('G') . '!>' . "\n" . $tor_exit_node_list;


Function parseCleanValue can be replaced with htmlspecialchars.


You should never use @ to suppress errors, as it is slow. You should never use globals - perhaps experiment with the Singleton pattern for the database class.


How about cleaning out register_globals?


You're releasing it under GPLv3, meaning that anyone who downloads can do whatever they want to do with it, as long as they release it under GPLv3 themselves. Therefore "DO NOT REMOVE THE COPYRIGHT, I WILL TAKE LEGAL ACTION" violates the license.



Moving to the appropriate forum, too.




It looks like a pretty good script!
 

GtoXic

x10 Support
@callumacrae: Most syntax Highlighters are made NOT to notice <?php and ?> in quotes (double and single). And that's why it's not a good idea to use what you use :D
 

bd-pb

New Member
Hello there

I am glad to see my project being published on more and more websites. Thanks for your comments, guys, but let me explain some things.


PHP:
if (!defined('IN_SCRIPT'))
{
    header("HTTP/1.0 404 Not Found");
    exit;
}

You are definitely right on this one, but I am not using OOP in all files. All the protections have been written without OOP, so I can't think of any other way to protect the files from browsing access. Maybe this is the right way.


Function parseCleanValue can be replaced with htmlspecialchars.

Unfortunately no, htmlspecialchars will convert almost any special char to HTML entities. I don't want this to be done. I don't want all the special chars to be converted, just some of them. Otherwise it may cause some problems.

As I have already written in the protection file (sanitize), this protection is not mine; it is used by Invision Power Board.

You should never use @ to suppress errors, as it is slow. You should never use globals - perhaps experiment with the Singleton pattern for the database class.

When you have developed a big project it is impossible to handle all the errors. As you can see, I am not using the char @ everywhere in the project, just in some points which are less important for users.

As for the global variables, you are right, and maybe the next version of the project will get rid of them.
---------------

Ultimate web firewall upgraded to v2.1.0 with a lot of new features. Just go to the website: http://www.ufirewall.org
 

callumacrae

not alex mac
Community Support
You are definitely right on this one, but I am not using OOP in all files. All the protections have been written without OOP, so I can't think of any other way to protect the files from browsing access. Maybe this is the right way.

Use OOP, then :p


Unfortunately no, htmlspecialchars will convert almost any special char to HTML entities. I don't want this to be done. I don't want all the special chars to be converted, just some of them. Otherwise it may cause some problems.

As per the manual, htmlspecialchars only converts &, <, >, " and '.


When you have developed a big project it is impossible to handle all the errors. As you can see, I am not using the char @ everywhere in the project, just in some points which are less important for users.

Only if you've coded it wrong from the beginning :)
 

bd-pb

New Member
Use OOP, then :p

Using OOP in all the files is a bit confusing, at least for me. It's better but not necessary 8)



As per the manual, htmlspecialchars only converts &, <, >, " and '.

I see, but looking at the parseCleanValue function you will see more chars to be converted :p Haha, I had a lot of time to see that file. It must be changed immediately.



Only if you've coded it wrong from the beginning :)

NO, I disagree. Even if you have made a class which handles the errors you will still have some problems. Just think about it... There are some PHP functions that return errors even if you have parsed them the right way. Let's take fsockopen for example.
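The exchange above turns on which characters htmlspecialchars actually converts. As an added illustration (not code from the firewall project or from the Invision Power Board parseCleanValue function it borrows), the block below shows what htmlspecialchars does with a constructed input under the old ENT_COMPAT default and with ENT_QUOTES; the escapeHtml helper name is mine.

```php
<?php
// Added example (not from the Ultimate Website Firewall project): what
// htmlspecialchars() converts, and why the flags matter for security.

// Encode a value for safe insertion into HTML text or a quoted attribute.
function escapeHtml(string $value): string
{
    // ENT_QUOTES also converts the single quote, so the result is safe inside
    // single-quoted attributes too; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of silently returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: every character the manual lists for htmlspecialchars
// (&, <, >, ", ') plus a few that an "HTML encoder" does not need to touch.
$input = "<b>Tom & Jerry</b> \"quoted\" 'single' (parens) \$var";

// Pre-PHP 8.1 default behaviour (ENT_COMPAT): &, <, > and " are converted,
// but the single quote passes through unchanged. Such output is only safe in
// element text or inside double-quoted attribute values.
echo htmlspecialchars($input, ENT_COMPAT, 'UTF-8'), "\n";

// With ENT_QUOTES the single quote is converted as well. Parentheses and $
// are still left alone: htmlspecialchars is an HTML encoder, not a
// general-purpose "dangerous character" filter, and that is by design.
echo escapeHtml($input), "\n";
```

Since PHP 8.1 the default flags already include ENT_QUOTES | ENT_SUBSTITUTE, but passing them explicitly keeps the behaviour identical across versions.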
 

callumacrae

not alex mac
Community Support
fsockopen will only throw an error if you give it an invalid domain or it can't make the connection. Instead of suppressing the errors, a try / catch statement should be used.
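One caveat worth making concrete: fsockopen does not throw on failure, it returns false and raises an E_WARNING, so a bare try / catch around it catches nothing. The added example below (my own code, not the firewall's Guest Port Checking feature; the checkPort name is an assumption) installs a temporary error handler that turns the warning into an ErrorException, so the failure can be caught without the @ operator.

```php
<?php
// Added example (not from the Ultimate Website Firewall project): a port
// reachability check that handles fsockopen() failures without @-suppression.
//
// fsockopen() reports failure by returning false and emitting an E_WARNING.
// A try/catch only helps once warnings are converted into exceptions, which
// is what the scoped error handler below does.

function checkPort(string $host, int $port, float $timeout = 2.0): array
{
    // Convert any warning raised inside the try block into an ErrorException.
    set_error_handler(function (int $errno, string $errstr, string $file, int $line): bool {
        throw new ErrorException($errstr, 0, $errno, $file, $line);
    });

    try {
        $errno = 0;
        $errstr = '';
        $socket = fsockopen($host, $port, $errno, $errstr, $timeout);
        if ($socket === false) {
            // Reached only if the warning was masked by error_reporting().
            return ['open' => false, 'reason' => "$errstr ($errno)"];
        }
        fclose($socket);
        return ['open' => true, 'reason' => 'connected'];
    } catch (ErrorException $e) {
        // Unresolvable host, refused connection or timeout all land here.
        return ['open' => false, 'reason' => $e->getMessage()];
    } finally {
        // Always restore the previous handler, even on an early return.
        restore_error_handler();
    }
}

// Constructed sample run: port 9 (discard) on loopback is normally closed,
// so this exercises the failure path rather than the success path.
$result = checkPort('127.0.0.1', 9);
printf("127.0.0.1:9 open: %s (%s)\n", $result['open'] ? 'yes' : 'no', $result['reason']);
```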
 

vv.bbcc19

Community Advocate
Community Support
Finally, is it safe to use the same on X10hosting or is it still to get to a conclusion?
Will that eat resources and create high resource suspensions?
 

vv.bbcc19

Community Advocate
Community Support
Is the firewall working without any HRU suspensions?
Did anyone check it out yet on X10 free hosting services?
Plz post.
 

callumacrae

not alex mac
Community Support
Is the firewall working without any HRU suspensions?
Did anyone check it out yet on X10 free hosting services?
Plz post.

For a "firewall", it looks fairly heavyweight, but I don't reckon it will trigger a HRU.
 

vv.bbcc19

Community Advocate
Community Support
For a "firewall", it looks fairly heavyweight, but I don't reckon it will trigger a HRU.
Ahah..Nice to have your suggestion.
I need to read on further into the firewall before it is applied.
Do you know how that can be applied to a WordPress site?
 

callumacrae

not alex mac
Community Support
Ahah..Nice to have your suggestion.
I need to read on further into the firewall before it is applied.
Do you know how that can be applied to a WordPress site?

WordPress has all the stuff like that built in already :)
 