Elxis CMS Forum

Support => Security => Topic started by: datahell on January 24, 2016, 10:54:20

Title: Patch for new Elxis 4.4 Defender
Post by: datahell on January 24, 2016, 10:54:20
Elxis 4.4 has a new Elxis Defender that catches 3 times more attacks and spammers than the previous version. The Defender was redesigned: the old filters were removed and new ones added that use a different filtering technology, and it also supports logging attacks to the security.log file. The patch I provide is for Elxis 4.2 and 4.3 sites; I didn't test it with previous versions, so don't apply it to Elxis 4.0 and 4.1. Read the instructions I give below carefully and do exactly as I say in order to apply the patch.

This patch is experimental. Use it at your own risk.

1. Open configuration.php file and make the site offline:
private $ONLINE = 0;
change DEFENDER options to this:
private $DEFENDER = 'GRI';
Add these configuration options:
private $DEFENDER_IPAFTER = 1;
private $DEFENDER_LOG = 1;
If DEFENDER_NOTIFY does not exist add it to:
private $DEFENDER_NOTIFY = 1;
Save the file. The site is offline now.

2. Go to your repository folder and locate the logs folder.
Upload these files from the patch zip:
{repository}/logs/defender_ips.php
{repository}/logs/defender_ip_ranges.php
{repository}/logs/security.log
Make sure all these files are writable.

3. Go to folder includes/libraries/elxis/defender/ and DELETE these files:
agents.php
custom.php
general.php
hosts.php
ips.php
post.php
Upload in the same folder these files:
general.rules.php
custom.rules.php

4. Go to the parent folder (includes/libraries/elxis/) and update these files:
defender.class.php
exit.class.php
performance.class.php
uri.class.php
session.class.php

5. Go to the includes/ folder and update the Elxis loader:
includes/loader.php

The update is complete. Turn the site back online by opening configuration.php and setting
private $ONLINE = 1;

IMPORTANT NOTES / TIPS
1. Don't save the Elxis configuration from the administration interface, because you will lose the new configuration options (we updated only the Defender, not the whole of Elxis, so you can't configure the new options from the admin area).
2. If you get too many security alerts, disable sending them by email by setting DEFENDER_NOTIFY = 0 (I believe you will get 3-4 times more alerts).
3. Inspect the security.log file to see what the Defender caught. You can disable logging if you wish by setting DEFENDER_LOG = 0. Make sure log rotation is enabled: LOG_ROTATE = 1
4. The lists of blacklisted IPs are updated automatically. If you want to experiment, set DEFENDER_IPAFTER = 0. If 0 slows down your site, turn it back to 1.

Tell me about your experience with the new Elxis Defender for Elxis 4.4. Report any problems or false alarms you may find.
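As an added example (not part of the post and not Elxis project code), a small shell helper that applies the configuration.php edits from step 1 and the final step idempotently, covering both the "change this option" and the "add it if it does not exist" case (DEFENDER_NOTIFY). It assumes configuration.php holds a single PHP class whose closing "}" is the last line made up only of "}".

```shell
#!/bin/sh
# Added example, not Elxis project code: idempotent helpers for the configuration.php
# edits in step 1 and the final step ($ONLINE, $DEFENDER, the DEFENDER_* options).
# Assumption: configuration.php holds one PHP class and its closing "}" is the last
# line of the file consisting only of "}".
set -eu

# set_option FILE NAME VALUE
# Replace an existing "private $NAME = ...;" in place, or add it just before the
# class's closing brace when it is missing (the DEFENDER_NOTIFY case in step 1).
set_option() {
    file=$1; name=$2; value=$3
    if grep -q "private \\\$$name *=" "$file"; then
        # Option present: rewrite only the value, keep the indentation.
        sed "s|^\([[:space:]]*\)private \\\$$name *=.*;|\1private \$$name = $value;|" \
            "$file" > "$file.tmp"
    else
        # Option missing: insert the declaration before the final closing brace.
        awk -v decl="    private \$$name = $value;" '
            { lines[NR] = $0 }
            END {
                last = NR
                while (last > 0 && lines[last] !~ /^[[:space:]]*}[[:space:]]*$/) last--
                for (i = 1; i < last; i++) print lines[i]
                print decl
                for (i = last; i <= NR; i++) print lines[i]
            }' "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# get_option FILE NAME: print the current value of "private $NAME = ...;"
get_option() {
    sed -n "s|^[[:space:]]*private \\\$$2 *= *\(.*\);.*|\1|p" "$1"
}
```

Usage follows the steps above, e.g. `set_option configuration.php ONLINE 0`, `set_option configuration.php DEFENDER "'GRI'"`, `set_option configuration.php DEFENDER_NOTIFY 1`, and `set_option configuration.php ONLINE 1` once the files are in place.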
Title: Re: Patch for new Elxis 4.4 Defender
Post by: datahell on January 24, 2016, 18:49:16
I updated the patch for Defender above removing retail.telecomitalia.it from bad hosts and adding some other filters. If you get any false positives please report them below.
Title: Re: Patch for new Elxis 4.4 Defender
Post by: adus on January 26, 2016, 11:56:46
Just implemented the patch.
Thanks for that.
......
2. Go to your repository folder and locate folder logs
Upload these files from the patch zip:
{repository}/logs/defender_ips.php
{repository}/logs/defender_ip_ranges.php
{repository}/logs/security.log
Make sure all these files are write-able.
.....
But I didn't find a security.log in the zip file.
So I copied the warning.log and renamed it to security.log.
Will this work??
Title: Re: Patch for new Elxis 4.4 Defender
Post by: adus on January 26, 2016, 20:00:28
 :o
Right at the moment I got the following:

Quote
Security alert
Request dropped!
You have been banned! If you think this is wrong contact the site administrator.
Reference code: SEC-DEFB-0001
What should I do, to unban myself?
Thanks for your reply..
Title: Re: Patch for new Elxis 4.4 Defender
Post by: perseas on January 26, 2016, 21:17:50
If you can open the administrator panel, go to: Logs > (select row) > Defender bans and press Clear File.

This action will clear all IP addresses from the file defender_ban.php.

The other option is via FTP.
Go to your repository folder > logs > defender_ban.php

Download and Open defender_ban.php and clear your IP address from the list of banned IPs and upload again.
Title: Re: Patch for new Elxis 4.4 Defender
Post by: adus on January 26, 2016, 23:31:52
Thanks for your reply
If you can open the administrator panel, go to: Logs > (select row) > Defender bans and press Clear File.

This action will clear all IP addresses from the file defender_ban.php.
Not possible to log in as admin.

The other option is via FTP.
Go to your repository folder > logs > defender_ban.php

Download and Open defender_ban.php and clear your IP address from the list of banned IPs and upload again.
Last entry was from last week; no entry from today.

I loaded up my backup of that file. Still banned..

So I revoked all changes - works as before

Title: Re: Patch for new Elxis 4.4 Defender
Post by: datahell on January 27, 2016, 14:43:21
For your information: in the final version we added an option that limits email notifications and logging to attacks only. So you can exclude bad user agents, bad hosts and blocked IPs from sending email alerts or being logged. Of course the Defender still blocks them, you just don't get notified about them.
Title: Re: Patch for new Elxis 4.4 Defender
Post by: Amigamerlin on January 28, 2016, 08:56:54
Hello,
I don't know if this option is already scheduled to be realized, so take it just as a suggestion, but it could be really useful to have an admin interface for the Defender  :).
What I mean is to be able to administer bad hosts, banned IPs, etc., enabling or disabling them all via a control panel without needing to do this via FTP.
Bye
I'll post this in the suggestions for Elxis 4.4 too