protected function get_server_config_ban_hosts_rules($server_type) { if (true !== $this->settings['enabled']) { return ''; } if (!is_array($this->settings['host_list']) || empty($this->settings['host_list'])) { return ''; } if (!class_exists('ITSEC_Ban_Users')) { require dirname(__FILE__) . '/class-itsec-ban-users.php'; } $host_rules = ''; $set_env_rules = ''; $deny_rules = ''; $require_rules = ''; // process hosts list foreach ($this->settings['host_list'] as $host) { $host = ITSEC_Lib::ip_wild_to_mask($host); $host = trim($host); if (empty($host)) { continue; } if (ITSEC_Ban_Users::is_ip_whitelisted($host)) { /** * @todo warn the user the ip to be banned is whitelisted */ continue; } if (in_array($server_type, array('apache', 'litespeed'))) { $converted_host = ITSEC_Lib::ip_mask_to_range($host); $converted_host = trim($converted_host); if (empty($converted_host)) { continue; } $set_env_host = str_replace('.', '\\.', $converted_host); $set_env_rules .= "\tSetEnvIF REMOTE_ADDR \"^{$set_env_host}\$\" DenyAccess\n"; // Ban IP $set_env_rules .= "\tSetEnvIF X-FORWARDED-FOR \"^{$set_env_host}\$\" DenyAccess\n"; // Ban IP from a proxy $set_env_rules .= "\tSetEnvIF X-CLUSTER-CLIENT-IP \"^{$set_env_host}\$\" DenyAccess\n"; // Ban IP from a load balancer $set_env_rules .= "\n"; $require_host = str_replace('.[0-9]+', '', $converted_host); $require_rules .= "\t\t\tRequire not ip {$require_host}\n"; $deny_rules .= "\t\tDeny from {$require_host}\n"; } else { if ('nginx' === $server_type) { $host_rules .= "\tdeny {$host};\n"; } } } $rules = ''; if ('apache' === $server_type) { if (!empty($set_env_rules)) { $rules .= "\n"; $rules .= "\t# " . __('Ban Hosts - Security > Settings > Banned Users', 'better-wp-security') . "\n"; $rules .= $set_env_rules; $rules .= "\t<IfModule mod_authz_core.c>\n"; $rules .= "\t\t<RequireAll>\n"; $rules .= "\t\t\tRequire all granted\n"; $rules .= "\t\t\tRequire not env DenyAccess\n"; $rules .= $require_rules; $rules .= "\t\t</RequireAll>\n"; $rules .= "\t</IfModule>\n"; $rules .= "\t<IfModule !mod_authz_core.c>\n"; $rules .= "\t\tOrder allow,deny\n"; $rules .= "\t\tAllow from all\n"; $rules .= "\t\tDeny from env=DenyAccess\n"; $rules .= $deny_rules; $rules .= "\t</IfModule>\n"; } } else { if ('litespeed' === $server_type) { if (!empty($set_env_rules)) { $rules .= "\n"; $rules .= "\t# " . __('Ban Hosts - Security > Settings > Banned Users', 'better-wp-security') . "\n"; $rules .= $set_env_rules; $rules .= "\t<IfModule mod_litespeed.c>\n"; $rules .= "\t\tOrder allow,deny\n"; $rules .= "\t\tAllow from all\n"; $rules .= "\t\tDeny from env=DenyAccess\n"; $rules .= $deny_rules; $rules .= "\t</IfModule>\n"; } } else { if ('nginx' === $server_type) { if (!empty($host_rules)) { $rules .= "\n"; $rules .= "# " . __('Ban Hosts - Security > Settings > Banned Users', 'better-wp-security') . "\n"; $rules .= $host_rules; } } } } return $rules; }
/** * Build the rewrite rules and sends them to the file writer * * @param array $input array of options, ips, etc * @param boolean $current whether the current IP can be included in the ban list * * @return array array of rules to send to file writer */ public static function build_rewrite_rules($input = null, $current = false) { //setup data structures to write. These are simply lists of all IPs and hosts as well as options to check if ($input === null) { //blocking ip on the fly $input = get_site_option('itsec_ban_users'); } $default = $input['default']; $enabled = $input['enabled']; $raw_host_list = $input['host_list']; $raw_agent_list = $input['agent_list']; $server_type = ITSEC_Lib::get_server(); //Get the server type to build the right rules //initialize lists so we can check later if we've used them $host_list = ''; $agent_list = ''; $default_list = ''; $host_rule2 = ''; //load the default blacklist if needed if ($default === true && $server_type === 'nginx') { $default_list = file_get_contents(plugin_dir_path(__FILE__) . 'lists/hackrepair-nginx.inc'); } elseif ($default === true) { $default_list = file_get_contents(plugin_dir_path(__FILE__) . 'lists/hackrepair-apache.inc'); } //Only process other lists if the feature has been enabled if ($enabled === true) { //process hosts list if (is_array($raw_host_list)) { foreach ($raw_host_list as $host) { $host = ITSEC_Lib::ip_wild_to_mask($host); if (!class_exists('ITSEC_Ban_Users')) { require dirname(__FILE__) . '/class-itsec-ban-users.php'; } if (!ITSEC_Ban_Users::is_ip_whitelisted($host, null, $current)) { $converted_host = ITSEC_Lib::ip_mask_to_range($host); if (strlen(trim($converted_host)) > 1) { if ($server_type === 'nginx') { //NGINX rules $host_rule = "\tdeny " . trim($host) . ';'; } else { //rules for all other servers $dhost = str_replace('.', '\\.', trim($converted_host)); //re-define $dhost to match required output for SetEnvIf-RegEX $host_rule = "SetEnvIF REMOTE_ADDR \"^" . $dhost . "\$\" DenyAccess" . PHP_EOL; //Ban IP $host_rule .= "SetEnvIF X-FORWARDED-FOR \"^" . $dhost . "\$\" DenyAccess" . PHP_EOL; //Ban IP from Proxy-User $host_rule .= "SetEnvIF X-CLUSTER-CLIENT-IP \"^" . $dhost . "\$\" DenyAccess" . PHP_EOL; //Ban IP for Cluster/Cloud-hosted WP-Installs $host_rule2 .= "deny from " . str_replace('.[0-9]+', '', trim($converted_host)) . PHP_EOL; } } $host_list .= $host_rule . PHP_EOL; //build large string of all hosts } else { /** * @todo warn the user the ip to be banned is whitelisted */ } } } //Process the agents list if (is_array($raw_agent_list)) { $count = 1; //to help us find the last one foreach ($raw_agent_list as $agent) { if (strlen(trim($agent)) > 1) { //if it isn't the last rule make sure we add an or if ($count < sizeof($agent)) { $end = ' [NC,OR]' . PHP_EOL; } else { $end = ' [NC]' . PHP_EOL; } if (strlen(trim($agent)) > 1) { if ($server_type === 'nginx') { //NGINX rule $converted_agent = 'if ($http_user_agent ~* "^' . quotemeta(trim($agent)) . '"){ return 403; }' . PHP_EOL; } else { //Rule for all other servers $converted_agent = 'RewriteCond %{HTTP_USER_AGENT} ^' . str_replace(' ', '\\ ', quotemeta(trim($agent))) . $end; } } $agent_list .= $converted_agent; //build large string of all agents } $count++; } } } $rules = ''; //initialize rules //Start with default rules if we have them if (strlen($default_list) > 1) { $rules .= $default_list; } //Add banned host lists if (strlen($host_list) > 1 || strlen($default_list)) { if (strlen($default_list) > 1) { $rules .= PHP_EOL; } if ($server_type === 'nginx' && strlen($host_list) > 1) { //NGINX rules $rules .= $host_list; } elseif (strlen($host_list) > 1) { $rules .= $host_list . 'order allow,deny' . PHP_EOL . 'deny from env=DenyAccess' . PHP_EOL . $host_rule2 . 'allow from all' . PHP_EOL; } } //Add banned user agents if (strlen($agent_list) > 1) { if (strlen($default_list) > 1 || strlen($host_list) > 1) { $rules .= PHP_EOL; } if ($server_type === 'nginx') { //NGINX rules $rules .= $agent_list; } else { $rules .= '<IfModule mod_rewrite.c>' . PHP_EOL; $rules .= 'RewriteEngine On' . PHP_EOL; $rules .= $agent_list; $rules .= 'RewriteRule ^(.*)$ - [F]' . PHP_EOL; $rules .= '</IfModule>' . PHP_EOL; } } if (strlen($rules) > 0) { $rules = explode(PHP_EOL, $rules); } else { $rules = false; } //create a proper array for writing return array('type' => 'htaccess', 'priority' => 1, 'name' => 'Ban Users', 'rules' => $rules); }