My personal preference is not to update the .htaccess file automatically. If something breaks, the complete site may become unrenderable. Also, the warning mechanism may not get invoked then(!). Additionally, I only allow read access to the file for security reasons.

So my favourite would be to collect candidates and provide them as alphabetically sorted markup on demand  

:)


  • 4 months later...

Simple question, in your instructions, what do you mean by

  1. Call the module from your home.php template $modules->get('Blackhole')->blackhole();

If I add this code somewhere on the homepage's php code, I get a 404 in the frontend, which I actually expected to happen (same behavior as on blackhole.php).

(problem gone)

Edited by ceberlin
problem gone

  • 4 years later...

Hi,

This message is to be taken as informational and for transparency, NOT as a security alert.

 

In short: The module code does not contain vulnerabilities; you are safe to use it.

In depth:

Years ago, I could spot some offsec users cloning/forking the project on GitHub. These last days, the project got more activity, which can be seen on this graph, and it looks like the module is now included in some open-source offensive security tools.

I took a few hours to find and go back to these tools and took the liberty of testing them myself on three online sites, based on ProcessWire with the module installed. I obtained no negative results, no red flags to deplore. What's more, the code is now monitored to automatically find and correct vulnerabilities in open source code and dependencies with security tools and DeepCode AI.

If you ever find something or even if you are not sure about it, feel free to contact me by following the Security Policy.

Have a nice day.


  • 9 months later...

@flydev I stumbled upon this wonderful module. Thank you so much! 

I have noticed that version Blackhole 1.1.0 does not block the entire site as stated. Once the IP address has been blocked, it is still possible to load any sub pages. It only blocks access to the front and blackhole page. I have tested it with a clean PW 3.0.229 install. Can you reproduce it?


Thanks @howdytom! I just answered on your GitHub issue.

Just in case you are not aware of it, you can also find a Pro module made by @ryan that mainly uses htaccess to kill bad bots.

The pro of RequestBlocker that is a con in Blackhole is the fact that aggressive bots could degrade the server resources, a sort of denial of service.

Anyway, when used, for example, behind a well-configured reverse proxy or a service like Cloudflare, the con is really mitigated.


@flydev Oh sorry, I got it now. I followed the Readme without thinking. To call the module on all templates I have added it to the _init.php. Now it is working as expected.

Ryan's Pro module looks like a good alternative. For now, I do prefer the Blackhole module. It is lightweight, quick and easy to implement.
