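/**
 * AJAX handler: validates an "advanced blocking" rule made of an IP range,
 * a browser (user-agent) pattern, a referer pattern and/or a hostname
 * pattern, then stores it via self::getLog()->blockRange().
 *
 * Input is read from $_POST (ipRange, hostname, uaRange, referer, reason).
 * The rule is persisted as one pipe-delimited string
 * "ipRange|uaRange|referer|hostname", which is why a "|" is rejected in
 * every component: it would let one field spill into the next.
 *
 * @return array array('ok' => 1) on success, or
 *               array('err' => 1, 'errorMsg' => string) describing why the
 *               rule was refused.
 */
public static function ajax_blockIPUARange_callback() {
    // Absent POST keys become '' rather than raising an undefined-index notice.
    $ipRange = isset($_POST['ipRange']) ? trim($_POST['ipRange']) : '';
    $hostname = isset($_POST['hostname']) ? trim($_POST['hostname']) : '';
    $uaRange = isset($_POST['uaRange']) ? trim($_POST['uaRange']) : '';
    $referer = isset($_POST['referer']) ? trim($_POST['referer']) : '';
    $reason = isset($_POST['reason']) ? trim($_POST['reason']) : '';

    // "|" is the delimiter of the stored rule string.
    if (preg_match('/\\|+/', $ipRange . $uaRange . $referer . $hostname)) {
        return array('err' => 1, 'errorMsg' => "You are not allowed to include a pipe character \"|\" in your IP range, browser pattern or referer");
    }

    // A browser pattern with no IP range applies to every visitor, so refuse one
    // that already matches the browser submitting this request.
    if (!$ipRange && wfUtils::isUABlocked($uaRange)) {
        return array('err' => 1, 'errorMsg' => "The browser pattern you specified will block you from your own website. We have not accepted this pattern to protect you from being blocked.");
    }

    // A referer pattern matching this site would block ordinary page-to-page navigation.
    if (fnmatch($referer, site_url(), FNM_CASEFOLD)) {
        return array('err' => 1, 'errorMsg' => "The referer pattern you specified matches your own website and will block visitors as they surf from one page to another on your site. You can't enter this pattern.");
    }

    if ($ipRange) {
        // Accept "a-b" as well as "a - b" (the form the error message advertises).
        // The limit of 2 makes "a-b-c" fail validation instead of silently
        // dropping "c"; array_pad keeps list() from reading a missing second
        // element when no "-" is present.
        list($start_range, $end_range) = array_pad(array_map('trim', explode('-', $ipRange, 2)), 2, '');
        if (!wfUtils::isValidIP($start_range) || !wfUtils::isValidIP($end_range)) {
            return array('err' => 1, 'errorMsg' => "The IP range you specified is not valid. Please specify an IP range like the following example: \"1.2.3.4 - 1.2.3.8\" without quotes.");
        }

        // Both ends are compared in their packed binary form (strcmp on the
        // inet_pton output), so the range must be strictly ascending.
        $ip1 = wfUtils::inet_pton($start_range);
        $ip2 = wfUtils::inet_pton($end_range);
        if (strcmp($ip1, $ip2) >= 0) {
            return array('err' => 1, 'errorMsg' => "The first IP address in your range must be less than the second IP address in your range.");
        }

        // Refuse a range that contains the address this request came from.
        $clientIP = wfUtils::inet_pton(wfUtils::getIP());
        if (strcmp($ip1, $clientIP) <= 0 && strcmp($ip2, $clientIP) >= 0) {
            return array('err' => 1, 'errorMsg' => "You are trying to block yourself. Your IP address is " . wp_kses(wfUtils::getIP(), array()) . " which falls into the range " . wp_kses($ipRange, array()) . ". This blocking action has been cancelled so that you don't block yourself from your website.");
        }

        // Store the canonical textual form of both ends.
        $ipRange = wfUtils::inet_ntop($ip1) . '-' . wfUtils::inet_ntop($ip2);
    }

    // Hostname patterns may only contain labels, dots, hyphens and "*" wildcards.
    if ($hostname && !preg_match('/^[a-z0-9\\.\\*\\-]+$/i', $hostname)) {
        return array('err' => 1, 'errorMsg' => 'The Hostname you specified is not valid');
    }

    $range = $ipRange . '|' . $uaRange . '|' . $referer . '|' . $hostname;
    self::getLog()->blockRange('IU', $range, $reason);
    return array('ok' => 1);
}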
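/**
 * AJAX handler (IPv4-only variant): validates an IP range and/or browser
 * (user-agent) pattern and stores it via self::getLog()->blockRange().
 *
 * Input is read from $_POST (ipRange, uaRange, reason). The rule is
 * persisted as the pipe-delimited string "ipRange|uaRange", with an accepted
 * range stored as the numeric (inet_aton) form of both ends; a "|" is
 * therefore rejected in either component.
 *
 * @return array array('ok' => 1) on success, or
 *               array('err' => 1, 'errorMsg' => string) describing why the
 *               rule was refused.
 */
public static function ajax_blockIPUARange_callback() {
    // Absent POST keys become '' rather than raising an undefined-index notice.
    $ipRange = isset($_POST['ipRange']) ? trim($_POST['ipRange']) : '';
    $uaRange = isset($_POST['uaRange']) ? trim($_POST['uaRange']) : '';
    $reason = isset($_POST['reason']) ? trim($_POST['reason']) : '';

    // "|" is the delimiter of the stored rule string.
    if (preg_match('/\\|+/', $ipRange . $uaRange)) {
        return array('err' => 1, 'errorMsg' => "You are not allowed to include a pipe character \"|\" in your IP range or browser pattern");
    }

    // A browser pattern with no IP range applies to every visitor, so refuse one
    // that already matches the browser submitting this request.
    if (!$ipRange && wfUtils::isUABlocked($uaRange)) {
        return array('err' => 1, 'errorMsg' => "The browser pattern you specified will block you from your own website. We have not accepted this pattern to protect you from being blocked.");
    }

    if ($ipRange) {
        // Tolerate whitespace around the dash ("1.2.3.4 - 1.2.3.8"), which is the
        // form the error message below advertises.
        $ipRange = preg_replace('/\\s*-\\s*/', '-', $ipRange);
        $invalidRange = array('err' => 1, 'errorMsg' => "The IP range you specified is not valid. Please specify an IP range like the following example: \"1.2.3.4 - 1.2.3.8\" without quotes.");

        // Shape check: two dotted quads separated by a dash.
        if (!preg_match('/^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\-\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$/', $ipRange)) {
            return $invalidRange;
        }
        $ips = explode('-', $ipRange);

        // The shape regex does not bound octets to 0-255 (or reject ambiguous
        // leading zeros); FILTER_VALIDATE_IP does, so a malformed quad is refused
        // here instead of being handed to inet_aton.
        if (filter_var($ips[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false
            || filter_var($ips[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return $invalidRange;
        }

        // Numeric comparison on the inet_aton form: the range must be strictly ascending.
        $ip1 = wfUtils::inet_aton($ips[0]);
        $ip2 = wfUtils::inet_aton($ips[1]);
        if ($ip1 >= $ip2) {
            return array('err' => 1, 'errorMsg' => "The first IP address in your range must be less than the second IP address in your range.");
        }

        // Refuse a range that contains the address this request came from.
        $clientIP = wfUtils::inet_aton(wfUtils::getIP());
        if ($ip1 <= $clientIP && $ip2 >= $clientIP) {
            return array('err' => 1, 'errorMsg' => "You are trying to block yourself. Your IP address is " . htmlentities(wfUtils::getIP()) . " which falls into the range " . htmlentities($ipRange) . ". This blocking action has been cancelled so that you don't block yourself from your website.");
        }

        // Stored as numeric longs, e.g. "16909060-16909064".
        $ipRange = $ip1 . '-' . $ip2;
    }

    $range = $ipRange . '|' . $uaRange;
    self::getLog()->blockRange('IU', $range, $reason);
    return array('ok' => 1);
}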
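/**
 * Request-time enforcement for the current visitor, in three stages:
 * advanced rules (IP range / browser pattern / referer pattern), country
 * blocking (only when 'isPaid' is set) and the per-IP block list.
 * Whitelisted IPs are exempt from all three.
 *
 * Every blocking path ends in do503() or redirect(); the surrounding code is
 * written on the assumption that those end the request (the existing
 * "//exits" note on redirect()) and does not rely on them returning.
 *
 * @return void
 */
public function firewallBadIPs() {
    $IP = wfUtils::getIP();
    if ($this->isWhitelisted($IP)) {
        return;
    }
    $IPnum = wfUtils::inet_pton($IP);

    // --- Advanced (range / UA / referer) blocking ---
    // blockString is "ipRange|uaPattern[|refPattern]". Older rows store the
    // range ends as decimal longs, newer ones in dotted/colon notation.
    $r1 = $this->getDB()->querySelect("select id, blockType, blockString from " . $this->ipRangesTable);
    foreach ($r1 as $blockRec) {
        if ($blockRec['blockType'] != 'IU') {
            continue;
        }
        $bDat = explode('|', $blockRec['blockString']);
        $ipRange = $bDat[0];
        $uaPattern = isset($bDat[1]) ? $bDat[1] : '';
        $refPattern = isset($bDat[2]) ? $bDat[2] : '';

        $ipRangeBlocked = false;
        $uaPatternBlocked = false;
        $refBlocked = false;

        if ($ipRange) {
            // A range without exactly two ends is malformed and simply never matches.
            $ends = explode('-', $ipRange);
            if (count($ends) == 2) {
                list($start_range, $end_range) = $ends;
                if (preg_match('/[\\.:]/', $start_range)) {
                    $start_range = wfUtils::inet_pton($start_range);
                    $end_range = wfUtils::inet_pton($end_range);
                } else {
                    // Legacy row: both ends stored as decimal IPv4 longs.
                    $start_range = wfUtils::inet_pton(long2ip($start_range));
                    $end_range = wfUtils::inet_pton(long2ip($end_range));
                }
                // Inclusive comparison on the packed binary form.
                if (strcmp($IPnum, $start_range) >= 0 && strcmp($IPnum, $end_range) <= 0) {
                    $ipRangeBlocked = true;
                }
            }
        }
        if ($uaPattern && wfUtils::isUABlocked($uaPattern)) {
            $uaPatternBlocked = true;
        }
        if ($refPattern && wfUtils::isRefererBlocked($refPattern)) {
            $refBlocked = true;
        }

        // A rule blocks only when EVERY criterion it configures matches, and a
        // rule with no criteria never blocks. The former if/else cascade let a
        // browser or referer match alone fire a rule that also carried an IP
        // range, so "range AND browser" behaved as "browser only" for visitors
        // outside the range (and a three-way rule fired on any two matches).
        $checks = array();
        if ($ipRange) {
            $checks[] = $ipRangeBlocked;
        }
        if ($uaPattern) {
            $checks[] = $uaPatternBlocked;
        }
        if ($refPattern) {
            $checks[] = $refBlocked;
        }
        $doBlock = count($checks) > 0 && !in_array(false, $checks, true);

        if ($doBlock) {
            $this->getDB()->queryWrite("update " . $this->ipRangesTable . " set totalBlocked = totalBlocked + 1, lastBlocked = unix_timestamp() where id=%d", $blockRec['id']);
            wfActivityReport::logBlockedIP($IP);
            $this->do503(3600, "Advanced blocking in effect.");
        }
    }
    // --- End range/UA blocking ---

    // --- Country blocking (paid feature) ---
    if (wfConfig::get('isPaid')) {
        $blockedCountries = wfConfig::get('cbl_countries', false);
        $bareRequestURI = wfUtils::extractBareURI($_SERVER['REQUEST_URI']);
        $bareBypassRedirURI = wfUtils::extractBareURI(wfConfig::get('cbl_bypassRedirURL', ''));
        $skipCountryBlocking = false;

        if ($bareBypassRedirURI && $bareRequestURI == $bareBypassRedirURI) {
            // Runs before the country check: even a visitor who is not blocked
            // needs the bypass cookie so future blocks can be bypassed.
            $bypassRedirDest = wfConfig::get('cbl_bypassRedirDest', '');
            if ($bypassRedirDest) {
                self::setCBLCookieBypass();
                $this->redirect($bypassRedirDest); //exits
            }
        }

        $bareBypassViewURI = wfUtils::extractBareURI(wfConfig::get('cbl_bypassViewURL', ''));
        if ($bareBypassViewURI && $bareBypassViewURI == $bareRequestURI) {
            self::setCBLCookieBypass();
            $skipCountryBlocking = true;
        }

        if (!$skipCountryBlocking && $blockedCountries && !self::isCBLBypassCookieSet()) {
            $isLoginRequest = strpos($_SERVER['REQUEST_URI'], '/wp-login.php') !== false;
            // Country blocking is scoped by three settings (logged-in users, the
            // login form, the rest of the site); a request that any of them leaves
            // open is never blocked.
            $exempt = (is_user_logged_in() && !wfConfig::get('cbl_loggedInBlocked', false))
                || ($isLoginRequest && !wfConfig::get('cbl_loginFormBlocked', false))
                || (!$isLoginRequest && !wfConfig::get('cbl_restOfSiteBlocked', false));

            if (!$exempt) {
                $country = wfUtils::IP2Country($IP);
                if ($country) {
                    foreach (explode(',', $blockedCountries) as $blocked) {
                        if (strtoupper($blocked) != strtoupper($country)) {
                            continue;
                        }
                        // The visitor's country is on the list.
                        if (wfConfig::get('cbl_action') == 'redir') {
                            $redirURL = wfConfig::get('cbl_redirURL');
                            $eRedirHost = wfUtils::extractHostname($redirURL);
                            $isExternalRedir = ($eRedirHost && $eRedirHost != wfUtils::extractHostname(home_url()));
                            // A local redirect target must itself stay reachable, or the
                            // redirect would loop; an external one always gets issued.
                            // Requests whose *referer* is that page are deliberately not
                            // exempted: that would let a blocked country crawl the site
                            // by sending the redirect page as the referer.
                            if ($isExternalRedir || wfUtils::extractBareURI($redirURL) != $bareRequestURI) {
                                $this->redirect(wfConfig::get('cbl_redirURL'));
                            }
                        } else {
                            // Count first: do503() is expected to end the request, and
                            // incrementing after it would never run in that case.
                            wfConfig::inc('totalCountryBlocked');
                            $this->do503(3600, "Access from your area has been temporarily limited for security reasons");
                        }
                    }
                }
            }
        }
    }

    // --- Per-IP block list ---
    // A row matches when the block is permanent or still within 'blockedTime'
    // seconds of blockedTime, judged by the database clock.
    if ($rec = $this->getDB()->querySingleRec("select blockedTime, reason from " . $this->blocksTable . " where IP=%s and (permanent=1 OR (blockedTime + %s > unix_timestamp()))", $IPnum, wfConfig::get('blockedTime'))) {
        $this->getDB()->queryWrite("update " . $this->blocksTable . " set lastAttempt=unix_timestamp(), blockedHits = blockedHits + 1 where IP=%s", $IPnum);
        $now = $this->getDB()->querySingle("select unix_timestamp()");
        // Seconds left on the block; for a permanent block this may be <= 0 and
        // do503() is left to interpret it (TODO confirm how do503 treats that).
        $secsToGo = $rec['blockedTime'] + wfConfig::get('blockedTime') - $now;
        if (wfConfig::get('other_WFNet') && strpos($_SERVER['REQUEST_URI'], '/wp-login.php') !== false) {
            // Blocked IP hitting the login page: report the attempt.
            wordfence::wfsnReportBlockedAttempt($IP, 'login');
        }
        $this->do503($secsToGo, $rec['reason']);
    }
}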
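/**
 * Request-time enforcement for the current visitor, in three stages:
 * advanced rules (IP range / browser pattern / referer pattern / hostname
 * pattern), country blocking (only when 'isPaid' is set, delegated to
 * checkForBlockedCountry()) and the per-IP block list. Whitelisted IPs are
 * exempt from all three.
 *
 * Every blocking path ends in do503(), redirect() or checkForBlockedCountry();
 * the surrounding code is written on the assumption that a block ends the
 * request (the existing "//exits" note on redirect()).
 *
 * @return void
 */
public function firewallBadIPs() {
    $IP = wfUtils::getIP();
    if ($this->isWhitelisted($IP)) {
        return;
    }
    $IPnum = wfUtils::inet_pton($IP);
    // Reverse-DNS result for $IP, resolved lazily and at most once per request.
    $hostname = null;

    // --- Advanced (range / UA / referer / hostname) blocking ---
    // blockString is "ipRange|uaPattern[|refPattern[|hostPattern]]". Older rows
    // store the range ends as decimal longs, newer ones in dotted/colon notation.
    $r1 = $this->getDB()->querySelect("select id, blockType, blockString from " . $this->ipRangesTable);
    foreach ($r1 as $blockRec) {
        if ($blockRec['blockType'] != 'IU') {
            continue;
        }
        $bDat = explode('|', $blockRec['blockString']);
        $ipRange = $bDat[0];
        $uaPattern = isset($bDat[1]) ? $bDat[1] : '';
        $refPattern = isset($bDat[2]) ? $bDat[2] : '';

        $ipRangeBlocked = false;
        $uaPatternBlocked = false;
        $refBlocked = false;

        if ($ipRange) {
            // A range without exactly two ends is malformed and simply never matches.
            $ends = explode('-', $ipRange);
            if (count($ends) == 2) {
                list($start_range, $end_range) = $ends;
                if (preg_match('/[\\.:]/', $start_range)) {
                    $start_range = wfUtils::inet_pton($start_range);
                    $end_range = wfUtils::inet_pton($end_range);
                } else {
                    // Legacy row: both ends stored as decimal IPv4 longs.
                    $start_range = wfUtils::inet_pton(long2ip($start_range));
                    $end_range = wfUtils::inet_pton(long2ip($end_range));
                }
                // Inclusive comparison on the packed binary form.
                if (strcmp($IPnum, $start_range) >= 0 && strcmp($IPnum, $end_range) <= 0) {
                    $ipRangeBlocked = true;
                }
            }
        }
        if (!empty($bDat[3])) {
            // A hostname pattern shares the "IP range" slot of the rule: it marks
            // the slot as configured and a hostname match counts as a range match.
            $ipRange = true;
            if ($hostname === null) {
                $hostname = wfUtils::reverseLookup($IP);
            }
            if (preg_match(wfUtils::patternToRegex($bDat[3]), $hostname)) {
                $ipRangeBlocked = true;
            }
        }
        if ($uaPattern && wfUtils::isUABlocked($uaPattern)) {
            $uaPatternBlocked = true;
        }
        if ($refPattern && wfUtils::isRefererBlocked($refPattern)) {
            $refBlocked = true;
        }

        // A rule blocks only when EVERY criterion it configures matches, and a
        // rule with no criteria never blocks. The former if/else cascade let a
        // browser or referer match alone fire a rule that also carried an IP
        // range/hostname, so "range AND browser" behaved as "browser only" for
        // visitors outside the range (and a three-way rule fired on any two).
        $checks = array();
        if ($ipRange) {
            $checks[] = $ipRangeBlocked;
        }
        if ($uaPattern) {
            $checks[] = $uaPatternBlocked;
        }
        if ($refPattern) {
            $checks[] = $refBlocked;
        }
        $doBlock = count($checks) > 0 && !in_array(false, $checks, true);

        if ($doBlock) {
            $this->getDB()->queryWrite("update " . $this->ipRangesTable . " set totalBlocked = totalBlocked + 1, lastBlocked = unix_timestamp() where id=%d", $blockRec['id']);
            wfActivityReport::logBlockedIP($IP);
            $this->currentRequest->actionDescription = 'UA/Referrer/IP Range not allowed';
            $this->do503(3600, "Advanced blocking in effect.");
        }
    }
    // --- End range/UA blocking ---

    // --- Country blocking (paid feature) ---
    if (wfConfig::get('isPaid')) {
        $blockedCountries = wfConfig::get('cbl_countries', false);
        $bareRequestURI = wfUtils::extractBareURI($_SERVER['REQUEST_URI']);
        $bareBypassRedirURI = wfUtils::extractBareURI(wfConfig::get('cbl_bypassRedirURL', ''));
        $skipCountryBlocking = false;

        if ($bareBypassRedirURI && $bareRequestURI == $bareBypassRedirURI) {
            // Runs before the country check: even a visitor who is not blocked
            // needs the bypass cookie so future blocks can be bypassed.
            $bypassRedirDest = wfConfig::get('cbl_bypassRedirDest', '');
            if ($bypassRedirDest) {
                self::setCBLCookieBypass();
                $this->redirect($bypassRedirDest); //exits
            }
        }

        $bareBypassViewURI = wfUtils::extractBareURI(wfConfig::get('cbl_bypassViewURL', ''));
        if ($bareBypassViewURI && $bareBypassViewURI == $bareRequestURI) {
            self::setCBLCookieBypass();
            $skipCountryBlocking = true;
        }

        if (!$skipCountryBlocking && $blockedCountries && !self::isCBLBypassCookieSet()) {
            $loggedInBlocked = wfConfig::get('cbl_loggedInBlocked', false);
            $loginFormBlocked = wfConfig::get('cbl_loginFormBlocked', false);
            $restOfSiteBlocked = wfConfig::get('cbl_restOfSiteBlocked', false);

            // If everything is checked, make sure this always runs.
            if ($loggedInBlocked && $loginFormBlocked && $restOfSiteBlocked) {
                $this->checkForBlockedCountry();
            }
            // Block logged in users.
            if ($loggedInBlocked && is_user_logged_in()) {
                $this->checkForBlockedCountry();
            }
            // Block the login form itself and any attempt to authenticate
            // (the filter catches authentication that is not an auth request by URL).
            if ($loginFormBlocked) {
                if (self::isAuthRequest()) {
                    $this->checkForBlockedCountry();
                }
                add_filter('authenticate', array($this, 'checkForBlockedCountry'), 1, 0);
            }
            // Block requests that aren't to the login page, xmlrpc.php, or from a user already logged in.
            if ($restOfSiteBlocked && !self::isAuthRequest() && !defined('XMLRPC_REQUEST') && !is_user_logged_in()) {
                $this->checkForBlockedCountry();
            }
            // XML-RPC is inaccessible only when both the public portion of the site and auth are blocked.
            if ($loginFormBlocked && $restOfSiteBlocked && defined('XMLRPC_REQUEST')) {
                $this->checkForBlockedCountry();
            }
        }
    }

    // --- Per-IP block list ---
    // A row matches when the block is permanent or still within 'blockedTime'
    // seconds of blockedTime, judged by the database clock.
    if ($rec = $this->getDB()->querySingleRec("select blockedTime, reason from " . $this->blocksTable . " where IP=%s and (permanent=1 OR (blockedTime + %s > unix_timestamp()))", $IPnum, wfConfig::get('blockedTime'))) {
        $this->getDB()->queryWrite("update " . $this->blocksTable . " set lastAttempt=unix_timestamp(), blockedHits = blockedHits + 1 where IP=%s", $IPnum);
        $now = $this->getDB()->querySingle("select unix_timestamp()");
        // Seconds left on the block; for a permanent block this may be <= 0 and
        // do503() is left to interpret it (TODO confirm how do503 treats that).
        $secsToGo = $rec['blockedTime'] + wfConfig::get('blockedTime') - $now;
        if (wfConfig::get('other_WFNet') && self::isAuthRequest()) {
            // Blocked IP making an auth request: tag the request and report the attempt.
            $this->getCurrentRequest()->action = 'blocked:wfsnrepeat';
            wordfence::wfsnReportBlockedAttempt($IP, 'login');
        }
        $this->do503($secsToGo, $rec['reason']);
    }
}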