Phase 6: AIOS security plugin with conservative login lockdown config (10 attempts)

2025-11-28 17:19:54 -06:00
parent 78a744ef06
commit abbd3502e8
430 changed files with 137111 additions and 7 deletions
@@ -0,0 +1,62 @@
+<?php
+namespace AIOWPS\Firewall;
+
+/**
+ * Rule that blocks certain kinds of data from the query string
+ */
+class Rule_Block_Query_Strings_6g extends Rule {
+
+	/**
+	 * Implements the action to be taken
+	 */
+	use Action_Forbid_and_Exit_Trait;
+
+	/**
+	 * Construct our rule
+	 */
+	public function __construct() {
+		// Set the rule's metadata
+		$this->name     = 'Block query strings';
+		$this->family   = '6G';
+		$this->priority = 0;
+	}
+
+	/**
+	 * Determines whether the rule is active
+	 *
+	 * @return boolean
+	 */
+	public function is_active() {
+		global $aiowps_firewall_config;
+		return (bool) $aiowps_firewall_config->get_value('aiowps_6g_block_query');
+	}
+
+	/**
+	 * The condition to be satisfied for the rule to apply
+	 *
+	 * @return boolean
+	 */
+	public function is_satisfied() {
+		
+		if (empty($_SERVER['QUERY_STRING'])) return Rule::NOT_SATISFIED;
+
+		//Patterns to match against
+		$patterns = array(
+			'/[a-z0-9]{2000,}/i',
+			'/(eval\()/i',
+			'/(127\.0\.0\.1)/i',
+			'/(javascript:)(.*)(;)/i',
+			'/(base64_encode)(.*)(\()/i',
+			'/(GLOBALS|REQUEST)(=|\[|%)/i',
+			'/(<|%3C)(.*)script(.*)(>|%3)/i',
+			'#(\|\.\.\.|\.\./|~|`|<|>|\|)#i',
+			'#(boot\.ini|etc/passwd|self/environ)#i',
+			'/(thumbs?(_editor|open)?|tim(thumb)?)\.php/i',
+			'/(\'|\")(.*)(drop|insert|md5|select|union)/i',
+		);
+
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- PCP warning. Sanitizing will interfere with 6g rules.
+		return Rule_Utils::contains_pattern(rawurldecode($_SERVER['QUERY_STRING']), $patterns);
+	}
+
+}
@@ -0,0 +1,52 @@
+<?php
+namespace AIOWPS\Firewall;
+
+/**
+ * Rule that blocks certain referrers recommended by 6G
+ */
+class Rule_Block_Refs_6g extends Rule {
+
+	/**
+	 * Implements the action to be taken
+	 */
+	use Action_Forbid_and_Exit_Trait;
+
+	/**
+	 * Construct our rule
+	 */
+	public function __construct() {
+		// Set the rule's metadata
+		$this->name     = 'Block referrer strings';
+		$this->family   = '6G';
+		$this->priority = 0;
+	}
+
+	/**
+	 * Determines whether the rule is active
+	 *
+	 * @return boolean
+	 */
+	public function is_active() {
+		global $aiowps_firewall_config;
+		return (bool) $aiowps_firewall_config->get_value('aiowps_6g_block_referrers');
+	}
+
+	/**
+	 * The condition to be satisfied for the rule to apply
+	 *
+	 * @return boolean
+	 */
+	public function is_satisfied() {
+		
+		if (empty($_SERVER['HTTP_REFERER'])) return Rule::NOT_SATISFIED;
+
+		//Patterns to match against
+		$patterns = array(
+			'/[a-z0-9]{2000,}/i',
+			'/(semalt.com|todaperfeita)/i',
+		);
+
+		return Rule_Utils::contains_pattern($_SERVER['HTTP_REFERER'], $patterns); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput -- This is not a WordPress context. Also this only evaluates to a boolean.
+	}
+
+}
@@ -0,0 +1,67 @@
+<?php
+namespace AIOWPS\Firewall;
+
+/**
+ * Rule that blocks certain kinds of data from the request string
+ */
+class Rule_Block_Request_Strings_6g extends Rule {
+
+	/**
+	 * Implements the action to be taken
+	 */
+	use Action_Forbid_and_Exit_Trait;
+
+	/**
+	 * Construct our rule
+	 */
+	public function __construct() {
+		// Set the rule's metadata
+		$this->name     = 'Block request strings';
+		$this->family   = '6G';
+		$this->priority = 0;
+	}
+
+	/**
+	 * Determines whether the rule is active
+	 *
+	 * @return boolean
+	 */
+	public function is_active() {
+		global $aiowps_firewall_config;
+		return (bool) $aiowps_firewall_config->get_value('aiowps_6g_block_request');
+	}
+
+	/**
+	 * The condition to be satisfied for the rule to apply
+	 *
+	 * @return boolean
+	 */
+	public function is_satisfied() {
+		
+		if (empty($_SERVER['REQUEST_URI'])) return Rule::NOT_SATISFIED;
+		
+		// ensure we get the request uri without the query string
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- PCP warning. Sanitizing will interfere with 6g rules.
+		$uri = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
+		
+		if ('' == $uri) return Rule::NOT_SATISFIED;
+		
+		//Patterns to match against
+		$patterns = array(
+			'/[a-z0-9]{2000,}/i',
+			'#(https?|ftp|php):/#i',
+			'#(base64_encode)(.*)(\()#i',
+			'#(=\'|=\%27|/\'/?)\.#i',
+			'#/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$#i',
+			'#(\{0\}|\(/\(|\.\.\.|\+\+\+|\\"\\")#i',
+			'#(~|`|<|>|:|;|,|%|\|\s|\{|\}|\[|\]|\|)#i',
+			'#/(=|\$&|_mm|cgi-|etc/passwd|muieblack)#i',
+			'#(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)#i',
+			'#\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$#i',
+			'#/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php#i',
+		);
+
+		return Rule_Utils::contains_pattern(rawurldecode($uri), $patterns);
+	}
+
+}
@@ -0,0 +1,53 @@
+<?php
+namespace AIOWPS\Firewall;
+
+/**
+ * Rule that blocks certain user-agents recommended by 6G
+ */
+class Rule_Block_User_Agents_6g extends Rule {
+
+	/**
+	 * Implements the action to be taken
+	 */
+	use Action_Forbid_and_Exit_Trait;
+
+	/**
+	 * Construct our rule
+	 */
+	public function __construct() {
+		// Set the rule's metadata
+		$this->name     = 'Block user-agents';
+		$this->family   = '6G';
+		$this->priority = 0;
+	}
+
+	/**
+	 * Determines whether the rule is active
+	 *
+	 * @return boolean
+	 */
+	public function is_active() {
+		global $aiowps_firewall_config;
+		return (bool) $aiowps_firewall_config->get_value('aiowps_6g_block_agents');
+	}
+
+	/**
+	 * The condition to be satisfied for the rule to apply
+	 *
+	 * @return boolean
+	 */
+	public function is_satisfied() {
+		
+		if (empty($_SERVER['HTTP_USER_AGENT'])) return Rule::NOT_SATISFIED;
+
+		//Patterns to match against
+		$patterns = array(
+			'/[a-z0-9]{2000,}/i',
+			'/(archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune)/i',
+		);
+
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- PCP warning. Sanitizing will interfere with 6g rules.
+		return Rule_Utils::contains_pattern($_SERVER['HTTP_USER_AGENT'], $patterns);
+	}
+
+}
@@ -0,0 +1,53 @@
+<?php
+namespace AIOWPS\Firewall;
+
+/**
+ * Rule that blocks certain kinds of HTTP request methods (e.g DEBUG or PUT)
+ */
+class Rule_Request_Method_6g extends Rule {
+
+	/**
+	 * Implements the action to be taken
+	 */
+	use Action_Forbid_and_Exit_Trait;
+
+	/**
+	 * List of request methods to block
+	 *
+	 * @var array
+	 */
+	private $blocked_methods;
+
+	/**
+	 * Construct our rule
+	 */
+	public function __construct() {
+		global $aiowps_firewall_config;
+
+		// Set the rule's metadata
+		$this->name     = 'Block request methods';
+		$this->family   = '6G';
+		$this->priority = 0;
+
+		$this->blocked_methods = $aiowps_firewall_config->get_value('aiowps_6g_block_request_methods');
+	}
+
+	/**
+	 * Determines whether the rule is active
+	 *
+	 * @return boolean
+	 */
+	public function is_active() {
+		return !empty($this->blocked_methods);
+	}
+
+	/**
+	 * The condition to be satisfied for the rule to apply
+	 *
+	 * @return boolean
+	 */
+	public function is_satisfied() {
+		return isset($_SERVER['REQUEST_METHOD']) && in_array(strtoupper($_SERVER['REQUEST_METHOD']), $this->blocked_methods);
+	}
+
+}