terrylinooo / shieldon Goto Github PK

Class 'Shieldon\Firewall\Intergration\CodeIgniter4' not found

I get access to the login page of shieldon but even if i click on the connect button without fill the form login, i have a 404 error. The routes are not defined. How i can proceed to resolve the problem ?

Hello!

I made a wrong setting and it remained that way.

I use codeigniter as the PHP library.
Although I installed it from scratch, this problem does not improve. I connect from a different network, but it's still the same.

How can i set this up in Laravel 8. Think i'm missing something. I have installed it in Laravel 8 Project and implemented the firewall on a global scope by adding the code in bootstrap/app.php as told in the documentation, and registered the routs as well. But i when i try to access localhost/myproject/firewall/panel I'm getting a blankpage. Shouldn't i run any migrations or anything, if so how am i supposed to publish those ?

Please consider using only LF line ends

https://www.php-fig.org/psr/psr-2/#22-files

git clients can be configured to store LF in the repo and checkout CRLF in the work tree

No webpage was found for the web address:
i have trying shieldon in laravel 10 it showing page can’t be found. Kindly help me

I am using for laravel and forgot password for firewall panel. Please help

Pagination doesn't have:

• space between "buttons"
• any styles applied to make it more obvious (like link underlines, bold style, etc.)

It appears as this to me:
Previous123Next

The "buttons" work correctly though, so it's a matter of appearance and formatting.

I'm not sure if this is just a Demo page issue, or an issue with Shieldon.

Hi, i just installed your firewall and despite using the settings of this link https://shieldon.io/en/guide/yii.html, the following errors are being presented:

1 - Fatal error: Declaration of Shieldon\Driver\FileDriver::doInitialize($dbCheck = true): void must be compatible with Shieldon\Driver\AbstractDriver::doInitialize(bool $dbCheck = true): void in {mypath}\vendor\terrylinooo\shieldon\src\Shieldon\Driver\FileDriver.php on line 32
-- I'm using php 7.1.17 if it matters
-- If I change to FileDriver::doInitialize(booln $dbCheck = true), the following error occur:

2 - Argument 1 passed to Shieldon\FirewallPanel::__construct() must be an instance of Shieldon\object, instance of Shieldon\Firewall given, called in {mypath}\controllers\FirewallPanelController.php on line 20
-- The controller code is exactly the same presented in the guide

3 - Another question would be about the documentation. In https://shieldon.io/en/docs/configuration.html it shows these snippets:

In https://shieldon.io/en/guide/yii.html

It is not clear where in Yii I should use the config code and how to relate the two objects.

• $shieldon = new \Shieldon\Shieldon($config);
• $firewall = new \Shieldon\Firewall($firewallstorage);

Hi, eh installed on an instance and I filed the following error.
Both Windows and Linux keep the same situation in mind.
Php7.2 and php7.3 with the following issue.
Targeting the required tutorial in the Filters.php eh installing in "composer install" and "composer update"
Please need help to solve this problem.

I'm getting error when I enter the iptables page, may you check it please?

Please run phpstan analyse src/ -l 0 and raise level one-by-one.

Powered by @phpstan

Initialized per instructions
An uncaught Exception was encountered
Type: InvalidArgumentException

Message: Unsupported HTTP protocol version number. "1.0" provided.

Filename: /vendor/shieldon/psr-http/src/Psr7/Message.php

Line Number: 483

Please help me

Unable to add products to cart when using Woocommerce

Argument 2 passed to Shieldon\Firewall\Integration\Laravel::handle() must be an instance of Shieldon\Firewall\Integration\Closure, instance of Closure given, called in /var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php on line 167

My route
Route::get('/{any}', 'App\Http\Controllers\SpaController@index')->where('any', '.*')->middleware('firewall');

Hey there!

I'd like to report a security issue but cannot find contact instructions on your repository.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

Can i use that for laravell 11

Hi, I accedently block out google bosts crawler. how to whitelist it? I tried to use Firewall > Components > Trusted Bots. but it not enabling after save. I find no instructions how to manage this.
Please help ASAP.

I've installed this on a Laravel app (v7) following your guide. The problem is that after I click "Test" for example for SlackWeebHook nothing seems to happen. It keeps loading. I figured out there must be a problem, looked in the config and changed the "confirm_test" value to true and I get the message: "Class 'Messenger\SlackWebhook' not found". Any idea?

This seems like a really nice project, but unfortunately I'm not able to reach the website https://shieldon.io/. No matter what IP address I use (and I've tried at least 10 different IPs), I always get this message:

The IP address you are using has been blocked.

Could it be that the WAF has been configured a bit too strict?

I'd really like to give this project a try, but I need access to the website to be able to read the documentation.

Any help is appreciated.

Hi i trying to install it using composer and seems it doesn't work as its haves an case error in the 147 line:

In RootPackageLoader.php line 147:

require.dirkgroenen/Pinterest-API-PHP is invalid, it should not contain uppercase characters. Please use dirkgroenen/pinterest-api-php instead.

I'm getting an 500 error with an incoming request with IPv6

Can i use the code but without any of way which you has tell in readme?

hi, I am working with yii2 with many sub modules application like yii2-advanced template..

so my question is, if I install this app, it must be install to every sub module (like in yii2-advanced, its have 2 sub module, frontend and backend) or just install to one of sub module to cover whole sub modules??

Hi,

I get a warning on the call to private function operationTemplateVarsOfStatistics when a $ruleInfo['reason'] is not predefined by getInfoDefault().

Simple patch is to add before $counter[$reason]++; (line 255)

$counter[$reason] = $counter[$reason] ?? 0;

Thank you for your work.

I have a "pure PHP project" that I am trying to deploy/test this on and I can't seem to figure it out.

When I try to access /firewall/panel all I get is a blank page and no php/nginx errors.

The install guide says to have "pretty urls" enabled. What should I rewrite /firewall/panel to? /vendor/autoload.php ?

Hi,
Im using Slim3 with PHP-DI container and Twig.

The problem im having is with the csrf, the $request->getAttribute is returning null.
In my routes im not returning or using $args, because I can return the actual attributes by name.

Managed to get is working by bypassing the SCRF, it's setup and im using it
In Twig im also using SCRF but adding

public function fw101(Request $request, Response $response) {

        $firewall = new \Shieldon\Firewall\Firewall($request);
        $firewall->configure(__DIR__ . '/../cache/shieldon_firewall');
        $firewall->controlPanel('/firewall/panel/');
        $panel = new \Shieldon\Firewall\Panel();

// the   $request->getAttribute is returning null
//        $csrfName = $request->getAttribute('csrf_name');
//        $csrfVale = $request->getAttribute('csrf_value');

  
        $nameKey = $this->csrf->key();
        $valueKey = $this->csrf->token();

        $csrfName = $this->csrf->key();
        $csrfVale = $this->csrf->token();

        $panel->csrf(
                [$nameKey => $csrfVale],
                [$valueKey => $csrfVale]
        );

        $panel->entry();
    }

Dear Terry,

First of all, thank you for this awesome WAF!

I've found an issue with session processing in case of using https://github.com/php-pm/php-pm. Your code has direct access to $_SESSION super-global variable but projects based on the php-pm are fetching session from every request (e.q. PSR-7 message). Using $_SESSION in this case is useless because all requests will share the same session data. The best way to fix this is to extract session processing to separate interface, create default adapter for $_SESSION and [optional] adapters for each framework. This will allow developers to provide the correct session implementation and adopt their projects to php-pm, even without [optional] first-party framework-related adapters. $_SESSION adapter may be used by default so no BC break is expected.

AFAIK, using any super-globals like $_SERVER / $_GET / $_POST / $_COOKIE will break php-pm. So it seems that not only session processing needs to be rewritten but all super-global usages.

I would be happy to help you with this issue.

Regards,
Denis.

I'll list some of the language problems in the demo control panel. There's more things that could be changed, but I don't know the context well enough to do so, so I'll just list the ones that I'm sure of. I checked just the pages until, and including, Firewall > Settings > Daemon.

Status > Firewall

• Check whether visitors can create cookie by JavaScript. --> Check whether visitors can create cookies with JavaScript.
• Detect whether multiple sessions created by the same visitor. --> Detect whether multiple sessions were created by the same visitor.
• Check how often does a visitor view the pages. --> Check how often a visitor views pages.
• Allow popular search engines crawl your website. --> Allow popular search engines to crawl your website.
• Analyze header information from visitors. -->Analyze visitor header information.
• Identify IP resolved hostname (RDNS) from visitors. --> Identify visitor IP resolved hostname (RDNS).
• Analyze user-agent information from visitors. --> Analyze visitor user-agent information.

Status > Operation

• Check whether visitors can create cookie by JavaScript. --> Check whether visitors can create cookies with JavaScript.
• Detect whether multiple sessions created by the same visitor. --> Detect whether multiple sessions were created by the same visitor.
• Check how often does a visitor view the pages. --> Check how often a visitor views pages.
• Block requests by the rules set by IP Manager. --> Block requests using the rules set in the IP Manager.
• Block requests which are identified as fake search engine. --> Block requests which are identified to be from fake search engines.
• Block requests without RDNS record. --> Block requests without a RDNS record.

Data Circle > IP Rules

I've never seen "circle" and "cycle" used like this, there should be some other, more traditional words used for this, but they escape me for now.

• It is the place where the Shieldon temporarily allows or denies users in the current cycle. --> Shieldon temporarily allows or denies access to users in this table. (I removed the cycle reference, since it's mentioned below.)
• All processes are automatic and instant, you can ignore that. (What does this mean? It can all probably be removed, or at least the "you can ignore that" part.)
• Rule table will be reset when new cycle begins. --> Rule table will be reset when a new cycle begins.
• Identified as fake search engine. --> Identified as a fake search engine.
• Secondly limit reached. --> Secondary limit reached.

Data Circle > Sessions

• Keep-alive period. (minutes) --> Keep-alive period (in minutes).
• Online user amount. --> Online user count.
• Read-time logs for Online Session Controll. --> Real-time logs for Online Session Control. (Did you mean to say "real-time"?)
• All processes are automatic and instant, you can ignore that. (Same as before, what does this mean? Remove all or just the last part.)
• Notice this is only working when you have enabled that function. --> Notice: this only works when enabled.

Table headers:

• Time (This can be changed to "Start" or "Created" to make it clearer.)
• Remain Seconds --> Seconds Remaining

Firewall > Settings > Daemon

Enable

• Not recommended for high-traffic website. --> Not recommended for high-traffic websites.
• Is your website behind the CDN service? --> Is your website behind a CDN service?

Session Limit

• When the online user amount has reached the limitation, other users not in the queue have to line up! --> When the number of users online has reached the limit, users that are not in the queue have to line up!
• The maximum amount of online user. --> The maximum number of users online.
• Users with multiple sessions will be kicked off. --> Users with multiple sessions will be kicked.

Action Logs

• Not recommended for high-traffic website. --> Not recommended for high-traffic websites.

System Firewall

• Make sure you have installed iptables and ip6tables already in your server, and employ iptables_bridge.sh in crontab correctly. --> Make sure you have iptables and ip6tables already installed on your server, and employ iptables_bridge.sh in crontab correctly.
• Watching Folder --> Watch Folder
• Please use this code into the crontab file on your server. --> Please insert this code into the crontab file on your server.
• iptables_bridge.sh will watch the changes in this folder to employ command to iptables. --> iptables_bridge.sh will watch the changes in this folder to employ commands to iptables.
• Please move iptables_bridge.sh to a safe place that only you know, changing the path for security reason. -->Please move iptables_bridge.sh to a safe place only accessible to you, changing the path for security reasons.

Deny Attempts

• Say goodbye to bad behavior visitors. --> Say goodbye to badly behaved visitors.
• A larger value of this filed means more strict. --> A larger value of this filed is more strict.
• Ban a user permanently in current data cycle. -->Ban user in current data cycle
• This event is triggered typically when a user fails too many times due to invalid CAPTCHA in a row. --> This event is typically triggered when a user fails too many CAPTCHAs in a row.
• Ban a user permanently in system firwall --> Permanently ban user in system firewall
• This event is triggered typically when a user is already banned permanently in curent data cycle, but they are still access the warning pages too many times in a row, we can confirm that they are malicious bots. --> This event is typically triggered when a user is already banned in the current data cycle, but they still access the warning pages too many times in a row - we can conclude that they are malicious bots.

I've opened it only by looking at mask_string().
There are IPv6 processing elsewhere.

Hello @terrylinooo !

In the last 5 years I was watching access logs and analyzing POST body dumps.
The result is 60+ rules.

• https://github.com/szepeviktor/waf4wordpress/tree/master/http-analyzer
• https://github.com/szepeviktor/waf4wordpress/tree/master/core-events

They are implemented in only 2 PHP files starting here
https://github.com/szepeviktor/waf4wordpress/blob/master/http-analyzer/waf4wordpress-http-analyzer.php#L322

I hope you benefit from them!

I'm using Laragon on localhost and pretty url enable, so I can open my https://shieldon.test/ with no erros.
But I can't open https://shieldon.test/firewall/panel/ because I receive a 404 error not found.

My code is:

<?php 

require_once(__DIR__.'/vendor/autoload.php');

$shieldon = new \Shieldon\Firewall\Integration\Bootstrap();
$shieldon->run();

What A'm I doing wrong?

I'm deployed shieldon on all my site with different server but all visitor are visited throw single proxy and on proxy I was cached all page but some time an IP was banned by Shieldon and that IP try to access other page and all page and banned but it cached on proxy too so other visitor they see banned page too I want to exclude that page from proxy caching what should I do? which page I need to add in proxy configure?

https://enphp.djunny.com/

https://github.com/djunny/enphp

using the php bootstrap with no framework
have xss protection enabled for GET, POST, COOKIE at firewall/panel/security/xssProtection/

the url mysite.com/someurl/test=<script>alert(1)</script> is not blocked.

Am I doing something wrong?

thanks!

In \shieldon\templates\panel\setting\components.php

on line 42 you have an error:
<input type="checkbox" name="components__trusted_bot__enable" class="toggle-block" value="on" data-target="component-trustedbot-section" checked('online_session_limit.enable', true); ?> />

It have to be:
<input type="checkbox" name="components__trusted_bot__enable" class="toggle-block" value="on" data-target="component-trustedbot-section" checked('components.trusted_bot.enable', true); ?> />

to make "trustedbot-section" switch working!

Is it possible to add support for invision power board?

Steps to reproduce:
Activate plugin > Add New Post > Save Draft
It produces "Updating failed" error and doesn't allow any draft to be saved.

Units in controllPanel for Sesion limits says Minute..so 300 minute or 300 seconds like in the image? I change onlineLimit to 2 and 1 unit keepalive and never shows the message when i test it..

The How to Use Slim 4 link directs to Slim 3 page. Should redirect to this page: https://github.com/terrylinooo/shieldon/wiki/Slim-4-Framework

demo/demo is invalid

First of all, thank you for the library, I installed it in my Laravel application, now I am looking to test it with flood requests. any tool which you recommend.

Could you please provide a MySQL driver implementation example? As well as SqLITE and Redis?

Thank you!

Csrf class not found middleware laravel 8 what is nampace of the Csrf class

I try to access https://shieldon.io/ website by reload page many times.
Then it need me a enter the captcha.

After that i try reload page many times again.
It block my IP :).

Please Help me.

Hello i installed shieldon on symfony 4.4 and i had this error

Notice: Undefined variable: csrfValue

i replaced in the controller

$controlPanel->csrf('_token', $token);

with

$controlPanel->csrf('_token', $token->getValue());

no more the big error but now i just have the http login form always following by this message : "Permission required."

Issue

When I visited https://shieldon.io/demo/report/operation/#context, I saw a stack trace. This leaks sensitive information about the web server such as:

• Which versions of software it is running
• Source code

This is helpful for attackers in exploiting bugs in the server.

Suggested fixes

1. Set the environment variable DEBUG_MODE = OFF
2. Set the environment to production