
CleanTalk, WordPress Security Launch

While developing our Anti-Spam service, we often run into other issues related to web site security. The most common questions concern brute force attacks. Apart from the risk of an attacker guessing the administrator account password, brute-force attacks often cause a high load on the server, and users receive notifications from their hosting provider about exceeding the permitted CPU load.

We thought: if we receive such requests, why not solve them? Since these tasks are security functions, the decision to launch a separate security service was obvious.

At the moment, the Security service is designed only for WordPress. There are several reasons for this: it has the greatest demand, a large number of web sites use this particular CMS, and developing for several CMSs at once is complex.

Despite the fact that anti-spam protection is part of security, we decided to separate these two services. There are several reasons for this:
  1. A more complex plugin, which leads to more errors and compatibility problems with other plugins / themes
  2. Search promotion
  3. Easier development and independent release of updates
  4. The plugin interface is not cluttered with a pile of additional options that are not needed if the user uses only one function
  5. Separate management and logging interface in the CleanTalk control panel

We decided to start with the implementation of protection against brute force attacks and then gradually expand the functionality.

Protection against brute-force attacks is implemented by adding delays between incorrect authorization attempts. On the first attempts a delay of 3 seconds is set, for the following ones 10 seconds. If there are 10 unsuccessful authorization attempts within an hour, the IP address is added to the FireWall database for 24 hours. This is enough to protect against attackers trying to guess the password for your account, since it significantly increases the time between attempts, and there may be tens or hundreds of thousands of them. All logs of access attempts are available in the weekly report and in the service control panel, which allows you to quickly add IP addresses to the FireWall blacklist. Protection against brute-force attacks applies only to users with administrator rights.

Traffic control - allows you to view information about visitors, such as:


Another option in Traffic Control, “Block a visitor if the number of requests is more than”, blocks access to the site for any IP that has exceeded the number of HTTP requests per hour. The threshold can be set in the settings; the default is 1000. An IP that exceeds it is added to the Firewall blacklist for 24 hours.

This helps with DoS attacks on the site, when a large number of HTTP requests are sent to it, causing it to stop responding or to work very slowly. Such a situation can also result from a massive brute force attack.
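The brute-force throttle and the Traffic Control threshold described above share one mechanism: a per-IP counter over a rolling hour that feeds a 24-hour blacklist. The following Python sketch is an added example, not the plugin's code; it assumes a 3-second delay after the first failed login and 10 seconds after later ones, and all class and method names are invented for illustration.

```python
from collections import defaultdict, deque

HOUR, DAY = 3600, 86400      # counting window, lifetime of a FireWall blacklist entry

class SlidingWindow:
    """Events per key inside a rolling window; shared by the login and HTTP-request counters."""
    def __init__(self, window):
        self.window, self.events = window, defaultdict(deque)
    def hit(self, key, now):
        """Record an event at time `now` and return how many fall inside the window."""
        q = self.events[key]
        q.append(now)
        while q[0] <= now - self.window:       # evict timestamps that left the window
            q.popleft()
        return len(q)

class Firewall:
    """Temporary IP blacklist (added sketch, not CleanTalk's): entries expire after `ttl` seconds."""
    def __init__(self, ttl=DAY):
        self.ttl, self.blocked = ttl, {}
    def block(self, ip, now, reason):
        self.blocked[ip] = (now + self.ttl, reason)
    def is_blocked(self, ip, now):
        entry = self.blocked.get(ip)
        return entry is not None and now < entry[0]

class BruteForceGuard:
    """3 s delay after the first failed login, 10 s after later ones, 24 h block at 10 failures/hour."""
    def __init__(self, fw, limit=10, window=HOUR):
        self.fw, self.limit, self.failures = fw, limit, SlidingWindow(window)
    def on_failed_login(self, ip, now):
        """Return the delay in seconds to impose before the next attempt from this IP."""
        count = self.failures.hit(ip, now)
        if count >= self.limit:
            self.fw.block(ip, now, f'{count} failed logins within an hour')
        return 3 if count == 1 else 10

class TrafficControl:
    """Block an IP that sends more than `limit` HTTP requests per hour (the post's default: 1000)."""
    def __init__(self, fw, limit=1000, window=HOUR):
        self.fw, self.limit, self.requests = fw, limit, SlidingWindow(window)
    def on_request(self, ip, now):
        """True if the request may be served, False if the IP is already or now blocked."""
        if self.fw.is_blocked(ip, now):
            return False
        if self.requests.hit(ip, now) > self.limit:
            self.fw.block(ip, now, 'request flood')
            return False
        return True
```

Timestamps are plain seconds so the logic can be exercised without waiting; a real deployment would persist the counters and the blacklist outside the PHP process, since each request starts from scratch.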

Audit log - allows you to monitor user actions in the WordPress admin panel and keeps a log of page visits with the date / time and duration of stay. It lets you track the actions of administrators and unauthorized access, and in case of problems understand where, by whom and what changes were made.

Malware Scanner - scans WordPress files, plugins and themes for malicious code and for changes. If files were changed without authorization, it allows you to restore the original files.

Scanning runs automatically once every 24 hours and can also be started manually.

Security FireWall - blocks access to the site for POST / GET requests by IP address. The FireWall IP database is formed from CleanTalk's common Black List database, which contains IP addresses with high spam activity or seen in brute-force attempts. You can also use your own blacklists, both for individual IP addresses / subnets and for countries. This lets you reduce the load on the site or block DoS attacks.

Preparing for release:


Development notes


Everything was written from scratch, without peeking at other solutions. This was done deliberately, so as not to pick up others' mistakes and to develop our own vision for the application.

Further development for other CMSs is planned, so we decided on a modular design, using an object-oriented approach and the like. Of course, along the way we had to solve various problems that did not fit into this concept and could not do without “crutches”.

The result was a few classes that can be used on other CMSs (including self-written ones) without significant modification, using a couple of wrappers, for example for the database.

A custom Cron class was written, independent of WordPress Cron. After all, a security application should not rely on functionality that may or may not work, or that third-party developers may interfere with.

To implement heuristic code analysis, we wrote our own parser-minimizer for code, which will be developed further. With it, you can track dangerous variables, functions and structures. We are not sure whether other plugins / antiviruses / applications use similar solutions (most likely not), but these are the pros and cons of independent development; our approach probably turned out to be unique.

Example of the “minimizer”:

Source:

<?php
//$some = 'n'.'o'.'t'
$some = 's'.'o'.'m'.'e'; // String concatenation
$stuff = 'stuff';
$first = 'first';
$func = 'func';
$first_func = $some."$first$func"; // Variable replacement
?>
$some = 'n'.'o'.'t';
<?php
// Variable replacement
$i = 'i';
$c = 'c';
$o = 'o';
$co = $c. // some obfuscating comment
$o;
$ico = $i/* some obfuscating comment */.$co;
require($some.'_'.$stuff.'.'.$ico);
require($some.'_'.$stuff.'.php');
require($some.'_'.$stuff.'.p'.$ico);
$first_func();
?>

Result:

<?php $some='some';$stuff='stuff';$first='first';$func='func';$first_func='somefirstfunc';$i='i';$c='c';$o='o';$co='co';$ico='ico';require'some_stuff.ico';require'some_stuff.php';require'some_stuff.pico';somefirstfunc();?>

The same result in a more readable layout:

<?php
$some='some';
$stuff='stuff';
$first='first';
$func='func';
$first_func='somefirstfunc';
$i='i';$c='c';$o='o';
$co='co';
$ico='ico';
require'some_stuff.ico';
require'some_stuff.php';
require'some_stuff.pico';
somefirstfunc();
?>

Some of the things it can do: concatenate, substitute variables, track the origin of variables (say, whether they came from untrusted $_POST and $_GET), track and check file inclusions (include, require) with various parameters, and much more. This is the basis on which further functionality will be added.
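An added Python sketch of how such a minimizer can work, not the plugin's own parser: it tokenizes a small subset of PHP (single-quoted strings, variables, dot concatenation, comments, require/include, $f() calls), folds constants, substitutes variables it has tracked, and flags an include whose path is built from $_GET / $_POST. Everything outside that subset raises SyntaxError; the sample input is constructed for this post, and the TOKEN, statements, fold and minimize names are ours.

```python
import re

# Added illustration of the post's "minimizer" idea, not the plugin's own parser.
TOKEN = re.compile(r"""\s+|//[^\n]*|\#[^\n]*|/\*.*?\*/|[.()]|<\?php|\?>   # dropped: blanks, comments, . ( ) tags
    |(?P<str>'(?:[^'\\]|\\.)*')                                          # single-quoted literal
    |(?P<sup>\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]*\])                    # user-controlled input
    |(?P<var>\$\w+)|(?P<kw>(?:require|include)(?:_once)?)\b|(?P<op>[=;])|(?P<bad>.)""", re.X | re.S)

def statements(src):                               # yield one token list per ';'-terminated statement
    cur = []
    for m in TOKEN.finditer(src):
        if m.lastgroup == 'bad':                   # anything outside the supported subset is an error
            raise SyntaxError(f'unsupported construct at offset {m.start()}: {m.group()!r}')
        if m.group() == ';':
            yield cur
            cur = []
        elif m.lastgroup:                          # dropped alternatives carry no named group
            cur.append((m.lastgroup, m.group()))

def fold(operands, env):                           # -> (value, or None if unknown; tainted flag)
    parts, tainted = [], False
    for kind, text in operands:
        if kind == 'str':
            parts.append(re.sub(r"\\(['\\])", r'\1', text[1:-1]))   # unescape \' and \\
        else:                                      # $var: tracked value; $_GET & co.: tainted
            val, t = env.get(text, (None, kind == 'sup'))
            parts, tainted = parts + [val], tainted or t
    return (None if None in parts else ''.join(parts)), tainted

def minimize(src):                                 # -> (minimized code, list of findings)
    env, out, findings, lit = {}, [], [], lambda v: '<dynamic>' if v is None else repr(v)
    for stmt in filter(None, statements(src)):
        (kind, name), rest = stmt[0], stmt[1:]
        if kind == 'var' and rest[:1] == [('op', '=')]:      # $v = 'a' . $b . 'c'
            val, tainted = env[name] = fold(rest[1:], env)
            out.append(f'{name}={lit(val)};')
        elif kind == 'kw':                                   # require(...) / include(...)
            val, tainted = fold(rest, env)
            out.append(f'{name}{lit(val)};')
            if tainted:
                findings.append(f'{name} path built from user input')
        elif kind == 'var' and not rest:                     # $f(): resolve the callee name
            out.append(f'{env.get(name, (None,))[0] or name}();')
        else:
            raise SyntaxError(f'unsupported statement: {stmt}')
    return ''.join(out), findings

# Constructed sample modelled on the post's example, plus one include fed straight from $_GET.
SAMPLE = """<?php //$some = 'n'.'o'.'t'
$some = 's'.'o'.'m'.'e'; $stuff = 'stuff'; $first = 'first'; $func = 'func'; $first_func = $some.$first.$func;
$i = 'i'; $c = 'c'; $o = 'o'; $co = $c. // some obfuscating comment
$o; $ico = $i/* some obfuscating comment */.$co; require($some.'_'.$stuff.'.'.$ico); $first_func(); include($_GET['page'].'.php'); ?>"""
```

minimize(SAMPLE) returns the one-line result in the post's style plus a single finding for the include; double-quoted interpolation like the post's "$first$func" is outside the subset and is rejected rather than guessed at.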

I particularly disliked supporting WPMS, since for each feature I had to make exceptions, taking into account whether this is the main site, whether a secondary site's user inherits the key from the main one or enters its own access key, whether the secondary site is allowed to activate plugins, and the like. Unfortunately, we had to remove some functionality for WPMS and secondary sites due to incompatibility.

Overall, it turned out to be an application that is, in places, beautiful in terms of code, and which we will develop further.

The plugin itself can be found in the WordPress plugin directory.

Source: https://habr.com/ru/post/349420/
