accentinteractive / laravel-blocker
Block bad bots and users that visit certain (exploit) urls for a set amount of time.
Installs: 2 606
Dependents: 0
Suggesters: 0
Security: 0
Stars: 4
Watchers: 2
Forks: 3
Open Issues: 0
Requires
- php: ^7.3|^7.4|^8.0
- guzzlehttp/guzzle: ^7.5
- illuminate/console: ^6.0|^7.0|^8.0|^9.0|^10.0
- illuminate/filesystem: ^6.0|^7.0|^8.0|^9.0|^10.0
- illuminate/support: ^6.0|^7.0|^8.0|^9.0|^10.0
Requires (Dev)
- orchestra/testbench: 4.*|5.*|6.*|^7.0|^8.0
- phpunit/phpunit: ^8.4|^9.0|^10.0
README
Your application is hammered by malicious bots and visitors that try out exploit URLs. This package detects those and blocks their IP addresses. Blocked users are denied access to your application until their block expires.
- Block exploit URLs like
/wp-admin
and?invokefunction&function=call_user_func_array&vars[0]=phpinfo
. - Block user Agents like
Seznam
,Flexbot
andMail.ru
. - Set the expiration time for IP blocks.
Installation
Step 1: Install the package via composer:
composer require accentinteractive/laravel-blocker
Step 2: Make sure to register the Middleware.
To use it on all requests, add it as the first option to the web
section under $middlewareGroups
in file app/Http/Kernel.php.
protected $middlewareGroups = [ 'web' => [ \Accentinteractive\LaravelBlocker\Http\Middleware\BlockMaliciousUsers::class, ], ];
To use it on specific requests, add it to any group or to the protected $middleware
property in file app/Http/Kernel.php.
protected $middleware = [ \Accentinteractive\LaravelBlocker\Http\Middleware\BlockMaliciousUsers::class, ];
Step 3: Optionally publish the config file with:
php artisan vendor:publish --provider="Accentinteractive\LaravelBlocker\LaravelBlockerServiceProvider" --tag="config"
Step 4: there is no step 4 :)
Usage
The package uses auto discover. The package uses a middleware class that does the checking and blocking.
Config settings
Enabling checking
You can enable or disable URL checking and User Agent checking in the published config file, or by setting these values in .env (enabled by default).
URL_DETECTION_ENABLED=true USER_AGENT_DETECTION_ENABLED=true
Expiration time
Set the block expiration time (in seconds) in the published config file, or by setting this value in .env (3600 seconds by default).
AI_BLOCKER_EXPIRATION_TIME=3600
Define malicious URLs
Define malicious URLs in the published config file, or by setting this value in .env, separated by a pipe. You need only use part of the malicious string. Matching is case insensitive.
Example: setting wp-admin
will block both '/wp-admin', '/index.php/wp-admin/foo' and '/?p=wp-admin'.
Defaults: call_user_func_array|invokefunction|wp-admin|wp-login|.git|.env|install.php|/vendor
AI_BLOCKER_MALICIOUS_URLS='call_user_func_array|invokefunction|wp-admin|wp-login|.git|.env|install.php|/vendor'
Define malicious User Agents
Define malicious User Agents in the published config file, or by setting this value in .env, separated by a pipe. You need only use part of the malicious string. Matching is case insensitive.
Example: setting seznam
will block User Agent 'Mozilla/5.0 (compatible; SeznamBot/3.2-test4; +http://napoveda.seznam.cz/en/seznambot-intro/)'.
AI_BLOCKER_MALICIOUS_USER_AGENTS='dotbot|linguee|seznam|mail.ru'
Define storage class implementation
By default, blocked IPs are stored in cache, using storage implementation \Accentinteractive\LaravelBlocker\Services\BlockedIpStoreCache::class
.
You can set the storage class you wish to use in the published config file, or by setting this value in .env. You can choose from:
- \Accentinteractive\LaravelBlocker\Services\BlockedIpStoreCache
- \Accentinteractive\LaravelBlocker\Services\BlockedIpStoreDatabase
AI_BLOCKER_STORAGE_IMPLEMENTATION_CLASS='\Accentinteractive\LaravelBlocker\Services\BlockedIpStoreCache'
Testing
composer test
XDEBUG_MODE=coverage vendor/bin/phpunit tests --coverage-html code-coverage
Changelog
Please see CHANGELOG for more information what has changed recently.
Contributing
Please see CONTRIBUTING for details.
Security
If you discover any security related issues, please email joost@accentinteractive.nl instead of using the issue tracker.
Credits
License
The MIT License (MIT). Please see License File for more information.
Laravel Package Boilerplate
This package was generated using the Laravel Package Boilerplate.