Activity Control with Google reCAPTCHA
1C-Bitrix is the only system in which there is a proactive protection module. It includes:
And today I wanted to dwell on one method of protection: Activity Control.
')
When activating this protection method, you specify the parameters at which the user's session will be blocked and the record of it will be recorded in the log. For example, if a user makes 30 hits in 10 seconds, then his session will be blocked, and a report about it will reach the site administrator and instead of the content of your site an error 503 will be displayed with a message that access is denied.
But when this protection method is enabled, the situation is not excluded when people, not “robots”, fall under the lock. In the standard version, there is no way to remove this block yourself and continue to browse the content of your site, thus we lose users who are disappointed and simply leave the site.
To prevent this from happening, we in our projects used the Google reCAPTCHA technology to check and disable the blocking of users of the site.
Currently, Google reCAPTCHA has a very user-friendly interface. She does not ask you to recognize a text or a number. This is extremely inconvenient and a lot of errors are possible. The minimum that Google reCAPTCHA can ask from you is to tick that you are not a robot:
Or will offer you to choose pictures with an image such as an orange.
Easy and convenient. But how to include this functionality in your project? So easy.
(Suppose you already have an account on Google, if not, then go to register)
Log in to www.google.com and then follow the link: www.google.com/recaptcha/admin
We are offered to register our site in the reCAPTCHA system. The registration process is quite simple:
After registration you will be generated 2 keys. One key will be used to display reCAPTCHA on the site, and the second will be used to check whether the user has passed the test or not.
The keys we got goes now to our site.
Adjusting the page lock.
In the 1C-Bitrix system in the / bitrix / folder there is an activity_limit.php file in which the page template is displayed when the user is blocked. You can include your own site design in it, or create a new template just for the blocking page. (we’ll skip the interface preparation stage because everyone will have their own approach to how to design this page)
After we have prepared the main interface of the page, we will connect the Google module reCAPTCHA for this into the body of the HTML document before the tag we need to insert the Google JS scripts
In the body of the document, we add a verification form and indicate our public key in it to form Google reCAPTCHA:
We intentionally left the action at the form blank so that the sending was executed in the same file.
Check and unlock method.
And you can also make a message in the HTML body of the file about the successful completion of the check:
This page can be enhanced with a code to automatically block the IP address in the event of frequent session blocking to protect against annoying robots.
But regardless of whether the user passed the test or not, you will receive a report stating that measures were taken to block his session. Will provide an opportunity to analyze his latest hits at the moment of blocking and you will have the opportunity, if necessary, to enter his IP address on the block list.
I hope my form will help you reduce the number of "robots" on your sites.
PS Do not be afraid that search engines will fall under blocking. For them there are special methods in the system for which the hits of the search engines will not be taken into account and the indexation of your site will not suffer.
- A proactive filter (Web Application Firewall *) provides protection against most known attacks on web applications.
- Web anti-virus - a system to counter site infection.
- Two-step authorization .
- File integrity control .
- Protection of the administrative part with access to it only from certain IP addresses.
- Session Security
- Protecting redirects from phishing.
- Protection against frames.
- Activity control.
And today I wanted to dwell on one method of protection: Activity Control.
Activity control allows you to set protection from overly active users, software robots, certain categories of DDoS attacks, as well as to cut attempts to brute force.
')
When activating this protection method, you specify the parameters at which the user's session will be blocked and the record of it will be recorded in the log. For example, if a user makes 30 hits in 10 seconds, then his session will be blocked, and a report about it will reach the site administrator and instead of the content of your site an error 503 will be displayed with a message that access is denied.
But when this protection method is enabled, the situation is not excluded when people, not “robots”, fall under the lock. In the standard version, there is no way to remove this block yourself and continue to browse the content of your site, thus we lose users who are disappointed and simply leave the site.
To prevent this from happening, we in our projects used the Google reCAPTCHA technology to check and disable the blocking of users of the site.
Currently, Google reCAPTCHA has a very user-friendly interface. She does not ask you to recognize a text or a number. This is extremely inconvenient and a lot of errors are possible. The minimum that Google reCAPTCHA can ask from you is to tick that you are not a robot:
Or will offer you to choose pictures with an image such as an orange.
Easy and convenient. But how to include this functionality in your project? So easy.
(Suppose you already have an account on Google, if not, then go to register)
Log in to www.google.com and then follow the link: www.google.com/recaptcha/admin
We are offered to register our site in the reCAPTCHA system. The registration process is quite simple:
- Specify the name of your site
- Specify the domains for which reCAPTCHA will be used. (One domain per line)
- Specify the owner. (Here we indicate your account on GMail for example: habrhabr@gmail.com)
After registration you will be generated 2 keys. One key will be used to display reCAPTCHA on the site, and the second will be used to check whether the user has passed the test or not.
The keys we got goes now to our site.
Adjusting the page lock.
In the 1C-Bitrix system in the / bitrix / folder there is an activity_limit.php file in which the page template is displayed when the user is blocked. You can include your own site design in it, or create a new template just for the blocking page. (we’ll skip the interface preparation stage because everyone will have their own approach to how to design this page)
After we have prepared the main interface of the page, we will connect the Google module reCAPTCHA for this into the body of the HTML document before the tag we need to insert the Google JS scripts
<script src='https://www.google.com/recaptcha/api.js?hl=ru'></script> In the body of the document, we add a verification form and indicate our public key in it to form Google reCAPTCHA:
<form action="" method="post"> <div class="g-recaptcha" data-sitekey="_"></div> <br/> <input type="submit" class="btn btn-system" value=""> </form> We intentionally left the action at the form blank so that the sending was executed in the same file.
Check and unlock method.
<? if (isset($_REQUEST["g-recaptcha-response"])) // { require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/include/prolog_before.php"); // $request = new \Bitrix\Main\Web\HttpClient(); // HttpClient // Google $post = $request->post("https://www.google.com/recaptcha/api/siteverify", Array( "secret" => "_", // Google "response" => $_REQUEST["g-recaptcha-response"], // "remoteip" => $_SERVER["REMOTE_ADDR"] //IP )); $post = json_decode($post); // Google if ($post->success == 'true') // { $_SESSION["SESS_GRABBER_STOP_TIME"] = ""; // }else{ // reCAPTCHA } } ?> And you can also make a message in the HTML body of the file about the successful completion of the check:
<?if ($post->success == 'true'){?> <h2>, .</h2> <a class="btn btn-system" href="<?=$APPLICATION->GetCurPageParam("", array("g-recaptcha-response"))?>"> </a> <script type="text/javascript"> document.addEventListener('DOMContentLoaded', function() { window.location.replace('<?=$APPLICATION->GetCurPageParam("", array("g-recaptcha-response"))?>'); window.location.reload(); }); </script> <?}?> This page can be enhanced with a code to automatically block the IP address in the event of frequent session blocking to protect against annoying robots.
But regardless of whether the user passed the test or not, you will receive a report stating that measures were taken to block his session. Will provide an opportunity to analyze his latest hits at the moment of blocking and you will have the opportunity, if necessary, to enter his IP address on the block list.
I hope my form will help you reduce the number of "robots" on your sites.
PS Do not be afraid that search engines will fall under blocking. For them there are special methods in the system for which the hits of the search engines will not be taken into account and the indexation of your site will not suffer.
Source: https://habr.com/ru/post/267689/
All Articles