I'm on Slim 3 and the Apache logs show lots of WordPress execution links not found

I think someone is trying to hack into my Slim 3 setup.
On my live site, the system logs are getting a lot of WordPress execution links not found; this is just the tip of the iceberg.

[Sat Dec 24 04:01:27.215174 2022] [fcgid:warn] [pid 11059:tid 140565622552320] [client 81.0.219.240:61403] mod_fcgid: stderr: 404 Not Found, referer: http://…/wordpress
[Sat Dec 24 04:01:28.602787 2022] [fcgid:warn] [pid 11059:tid 140566151030528] [client 81.0.219.240:61403] mod_fcgid: stderr: 404 Not Found, referer: http://…/wp
[Sat Dec 24 04:01:29.294789 2022] [fcgid:warn] [pid 11059:tid 140566260070144] [client 81.0.219.240:61403] mod_fcgid: stderr: 404 Not Found, referer: http://…/bc
[Sat Dec 24 04:01:30.189828 2022] [fcgid:warn] [pid 11059:tid 140565588981504] [client 81.0.219.240:61403] mod_fcgid: stderr: 404 Not Found, referer: http://…/bk
[Sat Dec 24 04:01:30.908745 2022] [fcgid:warn] [pid 11059:tid 140566251677440] [client 81.0.219.240:61403] mod_fcgid: stderr: 404 Not Found, referer: http://…/backup
[Sat Dec 24 04:01:31.493801 2022] [fcgid:warn] [pid 11059:tid 140565605766912] [client 81.0.219.240:61403] mod_fcgid: stderr: 404 Not Found, referer: http://…/old
[Sat Dec 24 04:01:32.303286 2022] [fcgid:warn] [pid 11059:tid 140566151030528] [client 81.0.219.240:61403] mod_fcgid: stderr: 404 Not Found, referer: http://…/new
[Sat Dec 24 04:01:33.555753 2022] [fcgid:warn] [pid 11059:tid 140566159423232] [client 81.0.219.240:61403] mod_fcgid: stderr: 404 Not Found, referer: http://…/main
[Sat Dec 24 04:01:34.007523 2022] [fcgid:warn] [pid 11059:tid 140566125852416] [client 81.0.219.240:61403] mod_fcgid: stderr: 404 Not Found, referer: http://…/home

  1. Have locked down geolocation; I know they can bypass it using a proxy.
  2. Tried to follow best practices.
  3. Running on PHP 8 and all Apache patches loaded.
  4. Updated all 3rd party packages via Composer.
  5. Any other clever tricks I can implement? Please help.

Was thinking to get the IP and log out when Page not found after 2 attempts…

There are a few ways you can block invalid HTTP requests:

Use a Web Application Firewall (WAF), e.g. ModSecurity: A WAF is a security solution that sits between your website and the Internet. It analyzes incoming traffic and blocks requests that contain malicious payloads or violate your security policies.

Implement rate limiting (middleware): Rate limiting is a technique that limits the number of requests that a user or IP address can make to your website within a specified time period. This can help to prevent hackers from using automated tools to send a large number of invalid requests in a short period of time.

1 Like

With the Web Application Firewall, do I need to overwrite my current user login procedures? I have written timeouts, logout after 3 attempts.

Is this good: Shieldon (WAF) for PHP?

In the E-book Symfony Rate Limiter

> With the Web Application Firewall, do I need to overwrite my current user login procedures? I have written timeouts, logout after 3 attempts.

The WAF “allows” only requests that are valid. Your web server and Slim application respond only to “valid” / “allowed” HTTP requests. This means this should not affect your login procedure directly.

> Is this good: Shieldon (WAF) for PHP?

ModSecurity is EOL in July 2024, so it makes no sense to use it anymore.

Shieldon is a PHP and PSR-15 based middleware that would fit perfectly into a Slim 4 application.
The only drawback is that the HTTP request will reach your web server anyway.

> In the E-book Symfony Rate Limiter

Yes, my eBook Vol. 2 contains an article about the Symfony Rate Limiter that can be used as well.
Note that a Rate Limiter just blocks too many requests in a specific time range. But it does not protect you from a single malicious request.

In practice you might need a combination of multiple solutions to protect your application against different kinds of attacks.

Hi Odan, thanks for your feedback.

The website is hosted on shared hosting. I don't have full access to the Apache server. I was also looking at Shadow Daemon, another WAF: Architecture of Shadow Daemon (zecure.org).

If I understand it correctly, if you use a WAF product that utilizes Slim Middleware, the request is already accessing Slim, and the best is to filter the request before it reaches Slim.

With ModSecurity, does the full package get installed under Public_html similar to WordPress, or do you also need to tweak Apache?

I'm just brainstorming. I probably need to look for or write a standalone PHP program with a separate DB to filter the request. Do you know of other WAFs that could fit my situation? I don't think I'm the first person that encountered it.

Thank you

This is a complex topic and I can only give some general advice here.
The solution depends on your system and the (security) requirements.

ModSecurity needs to be installed on the server and forwards the request only if it’s valid / allowed.
This means your Slim application receives only the filtered requests.

On shared hosting it’s not possible to install any software, so you may find another way, such as a PSR-15 middleware based approach.

1 Like
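
A sketch of the PSR-15 middleware approach discussed in this thread, throttling a client IP once it has triggered too many 404 responses (the scanning pattern in the log above). This is an added example, not code from any participant or from Slim; the class name `NotFoundThrottleMiddleware`, the file-based storage and the thresholds are assumptions, and it assumes Slim 4 or another PSR-15 stack.

```php
<?php
declare(strict_types=1);
use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

// Hypothetical middleware: refuses a client IP after too many 404s in a time window.
final class NotFoundThrottleMiddleware implements MiddlewareInterface
{
    public function __construct(
        private ResponseFactoryInterface $responseFactory,
        private string $storageDir,       // writable directory outside public_html
        private int $maxNotFound = 5,     // assumed threshold: 404s tolerated per window
        private int $windowSeconds = 600  // assumed window length
    ) {}

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // REMOTE_ADDR is the TCP peer; only trust X-Forwarded-For behind a known proxy.
        $ip = (string) ($request->getServerParams()['REMOTE_ADDR'] ?? 'unknown');
        // Hash the IP so IPv6 colons or odd input never end up in a file name.
        $file = $this->storageDir . '/' . hash('sha256', $ip) . '.json';
        $hits = $this->recentHits($file, time());
        if (count($hits) >= $this->maxNotFound) {
            // Answer before routing, so a scanner costs almost no application work.
            return $this->responseFactory->createResponse(429)
                ->withHeader('Retry-After', (string) $this->windowSeconds);
        }
        $response = $handler->handle($request);
        if ($response->getStatusCode() === 404) {
            // Best-effort counter: concurrent requests may undercount slightly.
            $hits[] = time();
            file_put_contents($file, json_encode($hits), LOCK_EX);
        }
        return $response;
    }

    /** @return int[] timestamps of 404s that are still inside the window */
    private function recentHits(string $file, int $now): array
    {
        $hits = is_file($file) ? json_decode((string) file_get_contents($file), true) : [];
        return array_values(array_filter(
            is_array($hits) ? $hits : [],
            fn ($t) => is_int($t) && $t > $now - $this->windowSeconds
        ));
    }
}
```

In Slim 4, add it after `$app->addErrorMiddleware(...)` so it runs outermost and sees the 404 response the error middleware produces. As noted in the thread, the request still reaches the web server and PHP, so this reduces load and noise rather than replacing a server-level WAF.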

Thank you, good advice.