webdevartisan/laravel-shield
Block bad bots and users that visit certain (exploit) urls for a set amount of time.
Downloads
Stars
Version
Block bad bots and IPs that visit exploit URLs
Your application is hammered by malicious requests that try out exploit URLs. This package detects those and blocks their IP addresses. Blocked users are denied access to your application until their block expires.
- Block exploit URLs like
/wp-adminand?invokefunction&function=call_user_func_array&vars[0]=phpinfo. - Block user Agents like
Seznam,FlexbotandMail.ru. - Set the expiration time for IP blocks.
- Set IP whitelist/blacklist.
Installation
Step 1: Install the package via composer:
composer require webdevartisan/laravel-shield
Step 2: Make sure to register the Middleware.
To use it on all requests, add it as the first option to the web section under $middlewareGroups in file app/Http/Kernel.php.
protected $middlewareGroups = [
'web' => [
\Webdevartisan\LaravelShield\Http\Middleware\BlockMaliciousUsers::class,
],
];
To use it on specific requests, add it to any group or to the protected $middleware property in file app/Http/Kernel.php.
protected $middleware = [
\Webdevartisan\LaravelShield\Http\Middleware\BlockMaliciousUsers::class,
];
Step 3: Optionally publish the config file with:
php artisan vendor:publish --provider="Webdevartisan\LaravelShield\LaravelShieldServiceProvider" --tag="config"
Usage
The package uses auto discover. The package uses a middleware class that does the checking and blocking.
Config settings
Enabling shield
You can enable or disable the shield in the published config file, or by setting the value in .env (enabled by default).
SHIELD_PROTECTION_ENABLED=true
Expiration time
Set the block expiration time (in seconds) in the published config file, or by setting this value in .env (3600 seconds by default).
SHIELD_EXPIRATION_TIME=3600
Maximum Attempts
Set the maximum allowed number of malicious requests, before blocking the IP. Default is 5. You can change it in the config or the .env.
SHIELD_MAX_ATTEMPTS=5
Define malicious URLs
Define malicious URLs in the published config file. You need only use part of the malicious string. Matching is case insensitive.
Example: setting wp-admin will block both '/wp-admin', '/index.php/wp-admin/foo' and '/?p=wp-admin'.
Define malicious User Agents
Define malicious User Agents in the published config file.
Example: setting seznam will block User Agent 'Mozilla/5.0 (compatible; SeznamBot/3.2-test4; +http://napoveda.seznam.cz/en/seznambot-intro/)'.
Define storage class implementation
By default, blocked IPs are stored in cache, using storage implementation \Webdevartisan\LaravelShield\Services\BlockedIpStoreRateLimiter::class.
You can create a different storage class you wish to use, and replace it in the config file, or by setting this value in .env:
- \Webdevartisan\LaravelShield\Services\BlockedIpStoreRateLimiter
SHIELD_STORAGE_IMPLEMENTATION_CLASS='\Webdevartisan\LaravelShield\Services\BlockedIpStoreRateLimiter'
Testing
composer test
XDEBUG_MODE=coverage vendor/bin/phpunit tests --coverage-html code-coverage
Changelog
Please see CHANGELOG for more information what has changed recently.
Security
If you discover any security related issues, please email [email protected] instead of using the issue tracker.
Credits
License
The MIT License (MIT). Please see License File for more information.
Laravel Package Boilerplate
This package was generated using the Laravel Package Boilerplate.
