Posted

My personal preference is not to update the .htaccess file automatically. If something breaks, the complete site may become unrenderable. Also, the warning mechanism may not get invoked then(!). Additionally, I only allow read access to the file for security reasons.

So my favourite would be to collect candidates and provide them as alphabetically sorted markup on demand  

:)

  • Like 2
  • 4 months later...
Posted (edited)

Simple question, in your instructions, what do you mean by

  1. Call the module from your home.php template $modules->get('Blackhole')->blackhole();

If I add this code somewhere on the homepage's php code, I get a 404 in the frontend, which I actually expected to happen (same behavior as on blackhole.php).

(problem gone)

Edited by ceberlin
problem gone
  • 4 years later...
Posted

Hi,

This message is to be taken as informational and for the sake of transparency, NOT as a security alert.

In short: The module code does not contain vulnerabilities, you are safe to use it.

In depth:

Years ago, I could spot some offsec users cloning/forking the project on GitHub. These last days, the project got more activity, which can be seen on this graph, and it looks like the module is now included in some open-source offensive security tools.

I took a few hours to find and go back to these tools and took the liberty of testing them myself on three online sites, based on ProcessWire with the module installed. I obtained no negative results, no red flags to deplore. What's more, the code is now monitored to automatically find and correct vulnerabilities in open source code and dependencies with security tools and DeepCode AI.

If you ever find something or even if you are not sure about it, feel free to contact me by following the Security Policy.

Have a nice day.

  • Like 6
  • 9 months later...
Posted

@flydev I stumbled upon this wonderful module. Thank you so much! 

I have noticed that version Blackhole 1.1.0 does not block the entire site as stated. Once the IP address has been blocked, it is still possible to load any sub pages. It only blocks access to the front and blackhole page. I have tested it with a clean PW 3.0.229 install. Can you reproduce it?

  • Like 1
Posted

Thanks @howdytom! I just answered on your GitHub issue.

Just in case you are not aware of it, you can also find a Pro module made by @ryan that uses mainly htaccess to kill bad bots.

The pro of RequestBlocker that is a con in Blackhole is the fact that aggressive bots could degrade the server resources, a sort of denial of service.

Anyway, when used, for example, behind a well-configured reverse proxy or a service like Cloudflare, the con is really mitigated.

Posted

@flydev Oh sorry, I got it now. I followed the Readme without thinking. To call the module on all templates I have added it to the _init.php. Now it is working as expected.

Ryan's Pro module looks like a good alternative. For now, I do prefer the Blackhole module. It is lightweight, quick and easy to implement.

  • Like 1
  • 11 months later...
Posted

This seems very useful! I might have a silly question as I haven't read the module's code yet: how can I simply test if the blackhole page works as expected (on local) without eventually being blocked myself? And when some bots are caught, will I see it in my backend?

  • Like 1
Posted

@marie.mdna I don't know about local testing. Personally I prefer real-life field testing. 😃 You won't find a visual UI in the PW backend. It's headless. You can set up custom email alerts which are sent out immediately. This is really nice. Once a bad spider has been blocked, it will be written to the MySQL database listed in the modules → ban_logged_users table. To unblock yourself, simply remove your local IP address. The Blackhole module is pretty reliable. So far I haven't experienced any false-positives or major downgrade from Google or Bing.



  • Like 2
Posted

Hi, I think banned bad bots are written in the blackhole.dat file located in the module's folder.

The ban_logged_users thing is a module config option that is used to choose whether to ban logged users.

If you want to test locally, just enable banning logged users and then visit the trap page. To get access again, just remove the corresponding line in the file 🙂

  • Like 2
Posted

Wow. I didn't notice that yet. I just gave it a try and it is working as expected. blackhole.dat is even better.

Thanks for sharing.

  • Like 1
