GoFuckYourself.com - Adult Webmaster Forum


onlineriches 05-02-2008 10:27 AM

World's first PHP FIREWALL Script - Perfect to protect against attackers
 
http://www.clicknowmedia.com/firewal...wallscript.jpg

FireWall Script

FireWall Script is the world's first fully configurable PHP-based website firewall. It can work with any PHP application, and we even offer "packs" of pre-written rules to protect some of the most popular software such as WordPress, Invision Power Board, Mambo, Joomla, Drupal, and more! It is so easy beginners can install and use it.

Protect against:

- DDOS Attacks
- Webapp exploits
- Security scans of your assets
- Hackers & common embedding viruses

Features of FireWall Script:
* Can work with any PHP script
* Included admin control panel allows full configuration of the software
* Support for multiple administrators. You can add, edit, and delete accounts from the admin panel.
* Admin panel update notification and news feeds keep you up to date on FWS
* Fully configurable DOS protection allows you to block access to your site for a user when they have multiple requests in a short period of time
* Fully configurable rules
* CAPTCHA support in rules allows you to show a CAPTCHA verification on any matched request
* Akismet integration allows you to do everything you can with rules when submitted text is identified as spam
* Admin login logs allow you to keep track of which administrators are using the admin panel
* Traffic logs for all traffic on your site (archived daily)
* Blocked request logs show you what was blocked and show you everything PHP had available during the request so you can review blocked requests
* Spam logs show you requests identified as spam through Akismet
* DOS logs show you requests identified as DOS attacks and subsequently blocked
* Help section gives you quick access to support for the software
* Specify rule title, notes and category for your own referencing and categorization
* Ability to log requests blocked by rule
* Ability to get email notifications for requests blocked by rules
* For requests matching a rule you can allow the request, exit script execution, show an error, show specified HTML, redirect to another page, execute a custom php plugin, or even show a CAPTCHA verification
* Ability to look in all PHP superglobals
* Full regex power gives you the ability to look for what you want, where you want

Check out FireWall Script for more information and product pricing.
http://www.idevaffiliate.com/31216/i...ate.php?id=123

digifan 05-02-2008 10:30 AM

$85... it will sell. Good luck!

bareskin 05-02-2008 10:32 AM

Nice, good luck

ScriptWorkz 05-02-2008 10:34 AM

What kind of overhead does all this nifty stuff before each request cause?

Nookster 05-02-2008 10:35 AM

A firewall coded in PHP? That's definitely a first.

macker 05-02-2008 10:40 AM

I like the sound of this script :thumbsup

Klen 05-02-2008 10:42 AM

LOL it's not first there is already tons of script as this. And they are free.

StuartD 05-02-2008 10:48 AM

100% protection guaranteed

Bold statement. And if you're proven wrong, how much will that cost you?

Nookster 05-02-2008 10:49 AM

Quote:

Originally Posted by KlenTelaris (Post 14141633)
LOL it's not first there is already tons of script as this. And they are free.

Uhm, not quite. There's generators, but not full-blown firewalls. Point some out if you think I'm wrong. And by the way, a firewall coded in PHP is vulnerable to everything PHP is. I would have coded one in C if you wanted to get the job done right. :2 cents:

payd2purv 05-02-2008 10:53 AM

Sounds interesting!

onlineriches 05-02-2008 11:16 AM

Quote:

Originally Posted by digifan (Post 14141580)
$85... it will sell. Good luck!

Thank you for the kind words.

ScriptWorkz 05-02-2008 12:02 PM

Quote:

Originally Posted by Nookster (Post 14141658)
Uhm, not quite. There's generators, but not full-blown firewalls. Point some out if you think I'm wrong. And by the way, a firewall coded in PHP is vulnerable to everything PHP is. I would have coded one in C if you wanted to get the job done right. :2 cents:

I think firewall is more of a marketing term, it's supposed to be blanket protection for php scripts, etc.. but either way you're right, it's still vulnerable to everything php is (as far as actual php exploits, not saying it's coded poorly and allows mysql injection, etc..). And also, if it's written in php, unless they've found some crazy voodoo shit, this code is being executed on top of the script already being executed for anything it's protected, which could be an issue on high traffic sites (wish we could get an answer on overhead).

Either way, i agree, if you wanted to do this right, you should have written an apache module / php extension or something w/ a compiled language, this isn't something i feel should be scripted.

fris 05-02-2008 12:10 PM

i doubt that php script can block a major ddos attack.

dont provide promises you cant keep

StuartD 05-02-2008 12:13 PM

Quote:

Originally Posted by Fris (Post 14141986)
i doubt that php script can block a major ddos attack.

dont provide promises you cant keep

Heh, I was just going to ask how a php script manages to prevent packet bombardment, billions of ping requests or even img sourcing.

A ddos attack happens at the server level, long before any php script ever gets run.

onlineriches 05-02-2008 12:18 PM

Quote:

Originally Posted by ScriptWorkz (Post 14141941)
I think firewall is more of a marketing term, it's supposed to be blanket protection for php scripts, etc.. but either way you're right, it's still vulnerable to everything php is (as far as actual php exploits, not saying it's coded poorly and allows mysql injection, etc..). And also, if it's written in php, unless they've found some crazy voodoo shit, this code is being executed on top of the script already being executed for anything it's protected, which could be an issue on high traffic sites (wish we could get an answer on overhead).

Either way, i agree, if you wanted to do this right, you should have written an apache module / php extension or something w/ a compiled language, this isn't something i feel should be scripted.

This isn't something to be run on a standard site such as a TGP or paysite. This is to protect common webapps such as wordpress, invision power board, vbulletin, joomla, which have widespread use and are often mass defaced or compromised. Custom rulesets are available for free in the members area for each application.

There is obviously a small amount of overhead, but unless you are pushing 25mb/s traffic all day you will not notice any impact.

Regarding PHP vulnerabilities, it has nothing to do with the script and is entirely PHP. If you are running the latest stable version of PHP and apply updates as they are released you will not have any problems. PHP is the issue, not the script, and saying that this script will not improve security is very misleading.

quantum-x 05-02-2008 12:23 PM

Three words:
Atomic Secured Linux

Filter this shit out in the kernel.

onlineriches 05-02-2008 12:25 PM

Quote:

Originally Posted by Fris (Post 14141986)
i doubt that php script can block a major ddos attack.

dont provide promises you cant keep

Thinking this is comparable to a $50,000 hardware appliance is ignorant. It will block small ddos attacks directed at your website, not a bandwidth consumption ddos attack.

As mentioned this is a script to provide additional security for blogs, forums, and template type websites that use joomla, mambo, etc.

woj 05-02-2008 12:48 PM

firewall written in php makes as much sense as a solar powered flashlight...
but I guess there are a ton of clueless idiots out there, it should sell well :thumbsup

onlineriches 05-02-2008 12:57 PM

Quote:

Originally Posted by woj (Post 14142188)
firewall written in php makes as much sense as a solar powered flashlight...
but I guess there are a ton of clueless idiots out there, it should sell well :thumbsup


you are obviously one of them, you do not even understand the practical uses for this. go crying to the forums next time your blog gets hacked.

Klen 05-02-2008 01:00 PM

Quote:

Originally Posted by Nookster (Post 14141658)
Uhm, not quite. There's generators, but not full-blown firewalls. Point some out if you think I'm wrong. And by the way, a firewall coded in PHP is vulnerable to everything PHP is. I would have coded one in C if you wanted to get the job done right. :2 cents:

Whatever, since i installed script which i use for security, i have no problems with hackers anymore.

Sansa 05-02-2008 01:49 PM

Hate to rain on your parade... http://php-ids.org/

Thumbnailer 05-02-2008 01:54 PM

if you want to protect mambo, joomla or wordpress blog... install some antispam protection OR hire a pro to modify your server/script

Babaganoosh 05-02-2008 02:45 PM

Quote:

Originally Posted by onlineriches (Post 14142255)
you are obviously one of them, you do not even understand the practical uses for this. go crying to the forums next time your blog gets hacked.

You clearly have no clue who he is. :1orglaugh

He has forgotten more about coding than you will ever know. He's widely known to be one of the best programmers in the business. Now, who are you?

Klen 05-02-2008 02:48 PM

Quote:

Originally Posted by Sansa (Post 14142793)
Hate to rain on your parade... http://php-ids.org/

Nice, i wonder does it have anything more of script which i use.

tomud 05-02-2008 02:50 PM

nice, good job

Tomud

onlineriches 05-02-2008 02:59 PM

Quote:

Originally Posted by Sansa (Post 14142793)
Hate to rain on your parade... http://php-ids.org/

Hate to rain on your parade, but IDS = intrusion DETECTION system will let you know you are getting hacked, but will do nothing to stop the attacks.

Quoted directly from their website:

"The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt."

onlineriches 05-02-2008 03:01 PM

Quote:

Originally Posted by Thumbnailer (Post 14142852)
if you want to protect mambo, joomla or wordpress blog... install some antispam protection OR hire a pro to modify your server/script

antispam will do nothing to stop your site or blog from being compromised, it will just filter out annoying spam messages.

Why hire a pro to manage your blog when this software does everything you need?

fris 05-02-2008 08:26 PM

dont waste your money

GrouchyAdmin 05-03-2008 12:07 AM

I'm still waiting for the punchline.

JDog 05-03-2008 12:13 AM

Quote:

Originally Posted by ScriptWorkz (Post 14141941)
Either way, i agree, if you wanted to do this right, you should have written an apache module / php extension or something w/ a compiled language, this isn't something i feel should be scripted.

I fully agree, that if you're going to try to add "protection" that you shouldn't make a PHP script, it should be an actual extension to PHP or better yet what you mentioned apache module, which I, myself, feel would be better than an extension to PHP. It could do better. I honestly wouldn't pay $85 for a php script called a "firewall".

JDog 05-03-2008 12:16 AM

One great apache module that will prevent most of the sql injection is MOD_SECURITY for apache. Much better than going with this will do, and it is FREE!

GrouchyAdmin 05-03-2008 12:20 AM

Mine's free.

<?php
$badFunctions = array( "a...", "dom_import_simplexml", "domattr", "domattribute_name", "domattribute_set_value", "domattribute_specified", "domattribute_value", "domcharacterdata", "domcomment", "domdocument", "domdocument_add_root", "domdocument_create_attribute", "domdocument_create_cdata_section", "domdocument_create_comment", "domdocument_create_element", "domdocument_create_element_ns", "domdocument_create_entity_reference", "domdocument_create_processing_instruction", "domdocument_create_text_node", "domdocument_doctype", "domdocument_document_element", "domdocument_dump_file", "domdocument_dump_mem", "domdocument_get_element_by_id", "domdocument_get_elements_by_tagname", "domdocument_html_dump_mem", "mysql_get_client_info", "mysql_get_host_info", "mysql_get_proto_info", "mysql_get_server_info", "mysql_info", "mysql_insert_id", "mysql_list_dbs", "mysql_list_fields", "mysql_list_processes", "mysql_list_tables", "mysql_num_fields", "mysql_num_rows", "mysql_pconnect", "mysql_ping", "mysql_query", "mysql_real_escape_string", "mysql_result", "mysql_select_db", "mysql_set_charset", "mysql_stat", "mysql_tablename", "mysql_thread_id", "mysql_unbuffered_query", "mysqli", "mysqli_bind_param", "mysqli_bind_result", "mysqli_client_encoding", "mysqli_disable_reads_from_master", "mysqli_disable_rpl_parse", "mysqli_driver", "mysqli_enable_reads_from_master", "mysqli_enable_rpl_parse", "mysqli_escape_string", "mysqli_execute", "mysqli_fetch", "mysqli_get_metadata", "mysqli_master_query", "mysqli_param_count", "mysqli_report", "mysqli_result", "mysqli_rpl_parse_enabled", "mysqli_rpl_probe", "mysqli_rpl_query_type", "mysqli_send_long_data", "mysqli_send_query", "mysqli_set_opt", "z...");
foreach ($badFunctions as $disable) {
if (function_exists("$disable"))
die("Unsafe function '$disable' found. Aborting!\n");
}
?>

GrouchyAdmin 05-03-2008 12:22 AM

Yes, the first version of my post had every known PHP function. Obviously, the board puked on a message that long. :(

onlineriches 05-03-2008 12:28 AM

Quote:

Originally Posted by GrouchyAdmin (Post 14144486)
I'm still waiting for the punchline.

I didn't write this script and collected good revenue from this post. :1orglaugh

Anyone bashing this script either didn't read the full thread or doesn't understand its purpose.
This is NOT a full security solution designed to replace premium hardware appliance firewalls. This is NOT a single solution, but works well as a layer in a multiple layer of defense setup.

I agree that "firewall" isn't an appropriate term for the script, although it does provide good protection for vulnerable and commonly targeted webapps.

Lastly, you get what you pay for, and anyone mentioning any sort of script as a total solution is a fuckin' idiot who isn't fit to tie their own shoe laces let alone give network security advice. If you want 100% protection unplug the power.

GrouchyAdmin 05-03-2008 12:29 AM

If you want protection, and you pay $85 for a PHP script, I have a wooden knob that makes your sound more true with a digital amp..

k0nr4d 05-03-2008 10:49 AM

Quote:

Originally Posted by Fris (Post 14141986)
i doubt that php script can block a major ddos attack.

dont provide promises you cant keep

They can't block a major ddos attack. I've been coding for years and I don't see any possible way outside of this being a module for apache. The server will still get the requests, still process them and this script will still have to use overhead on top of what the regular requests already do.
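Added example, not part of any post in this thread and not FireWall Script's code: a minimal per-IP sliding-window limiter of the kind the feature list describes ("block access ... when they have multiple requests in a short period of time"), run over constructed traffic. The class name, limits and IP addresses are assumptions, and PHP 8 or later is assumed. The `invocations` counter makes the thread's point concrete: every blocked request still reached PHP before it could be refused.

```php
<?php
// Illustration only. In a real deployment each PHP request is a separate
// execution, so this state would have to live in shared storage (file, APCu,
// database), which adds further cost to every request.
final class RequestRateLimiter
{
    /** @var array<string, float[]> recent request timestamps per client IP */
    private array $hits = [];
    /** @var array<string, float> time until which a client stays blocked */
    private array $blockedUntil = [];
    /** Number of requests the script had to handle, allowed or not. */
    public int $invocations = 0;

    public function __construct(
        private int $maxRequests,  // allowed requests per window
        private float $windowSecs, // sliding window length in seconds
        private float $blockSecs   // block duration once the limit is exceeded
    ) {}

    /** Returns true if the request may proceed, false if it is rejected. */
    public function allow(string $ip, float $now): bool
    {
        $this->invocations++;
        if (($this->blockedUntil[$ip] ?? 0.0) > $now) {
            return false; // client is still inside its block period
        }
        // Keep only timestamps inside the window, then record this request.
        $recent = array_values(array_filter(
            $this->hits[$ip] ?? [],
            fn (float $t): bool => $t > $now - $this->windowSecs
        ));
        $recent[] = $now;
        $this->hits[$ip] = $recent;

        if (count($recent) > $this->maxRequests) {
            $this->blockedUntil[$ip] = $now + $this->blockSecs;
            return false;
        }
        return true;
    }
}

// Constructed traffic (documentation IP ranges): one client sends 20 requests
// 50 ms apart, another sends 3 requests one second apart.
$limiter = new RequestRateLimiter(5, 1.0, 30.0);
$tally = [];
for ($i = 0; $i < 20; $i++) {
    $ok = $limiter->allow('203.0.113.7', 1000.0 + $i * 0.05);
    $tally['203.0.113.7'][$ok ? 'allowed' : 'blocked'][] = $i;
}
for ($i = 0; $i < 3; $i++) {
    $ok = $limiter->allow('198.51.100.4', 1000.0 + $i);
    $tally['198.51.100.4'][$ok ? 'allowed' : 'blocked'][] = $i;
}
foreach ($tally as $ip => $r) {
    printf("%s allowed=%d blocked=%d\n", $ip,
        count($r['allowed'] ?? []), count($r['blocked'] ?? []));
}
printf("PHP invocations spent: %d\n", $limiter->invocations);
```

A limiter like this can shed load from the application and database behind it, but the web server has already accepted the connection and started PHP for each rejected request, so it does nothing against traffic that saturates the link or the server's worker pool.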

StuartD 05-03-2008 11:12 AM

Quote:

Originally Posted by onlineriches (Post 14144527)
Lastly, you get what you pay for, and anyone mentioning any sort of script as a total solution is a fuckin' idiot who isn't fit to tie their own shoe laces let alone give network security advice. If you want 100% protection unplug the power.

Your site states:
"100% protection guaranteed
When properly configured, FWS can block any attacks on your site, guaranteed."

:error

onlineriches 05-03-2008 11:19 AM

where did I say I wrote the script or this was my site?

I don't even know why I bother responding, not one person in here has read all my responses to the questions in the thread.

k0nr4d 05-03-2008 11:29 AM

Quote:

Originally Posted by StuartD (Post 14145748)
Your site states:
"100% protection guaranteed
When properly configured, FWS can block any attacks on your site, guaranteed."

:error

proper configuration being "deny from *.*.*.*" :1orglaugh:1orglaugh:1orglaugh

brandonstills 05-03-2008 04:27 PM

Is this a joke? Protecting from DDOS in PHP? Yeah right!

ro8in 05-03-2008 04:35 PM

Ok so it's protecting the exploits on current scripts but this script can have exploits on its own.. This is filling water to a leaky bottle if you ask me..

ro8in 05-03-2008 04:42 PM

Quote:

Originally Posted by onlineriches (Post 14144527)
I didn't write this script and collected good revenue from this post. :1orglaugh

Suddenly you have nothing to do with this sca errr script?? hmmm I guess this is the punchline lol

StuartD 05-04-2008 04:38 AM

Quote:

Originally Posted by onlineriches (Post 14145768)
where did I say I wrote the script or this was my site?

I don't even know why I bother responding, not one person in here has read all my responses to the questions in the thread.

Do you also create php scripts for backpedaling?

Iron Fist 05-04-2008 06:59 AM

Quote:

Originally Posted by GrouchyAdmin (Post 14144511)
Mine's free.

<?php
$badFunctions = array( "a...", "dom_import_simplexml", "domattr", "domattribute_name", "domattribute_set_value", "domattribute_specified", "domattribute_value", "domcharacterdata", "domcomment", "domdocument", "domdocument_add_root", "domdocument_create_attribute", "domdocument_create_cdata_section", "domdocument_create_comment", "domdocument_create_element", "domdocument_create_element_ns", "domdocument_create_entity_reference", "domdocument_create_processing_instruction", "domdocument_create_text_node", "domdocument_doctype", "domdocument_document_element", "domdocument_dump_file", "domdocument_dump_mem", "domdocument_get_element_by_id", "domdocument_get_elements_by_tagname", "domdocument_html_dump_mem", "mysql_get_client_info", "mysql_get_host_info", "mysql_get_proto_info", "mysql_get_server_info", "mysql_info", "mysql_insert_id", "mysql_list_dbs", "mysql_list_fields", "mysql_list_processes", "mysql_list_tables", "mysql_num_fields", "mysql_num_rows", "mysql_pconnect", "mysql_ping", "mysql_query", "mysql_real_escape_string", "mysql_result", "mysql_select_db", "mysql_set_charset", "mysql_stat", "mysql_tablename", "mysql_thread_id", "mysql_unbuffered_query", "mysqli", "mysqli_bind_param", "mysqli_bind_result", "mysqli_client_encoding", "mysqli_disable_reads_from_master", "mysqli_disable_rpl_parse", "mysqli_driver", "mysqli_enable_reads_from_master", "mysqli_enable_rpl_parse", "mysqli_escape_string", "mysqli_execute", "mysqli_fetch", "mysqli_get_metadata", "mysqli_master_query", "mysqli_param_count", "mysqli_report", "mysqli_result", "mysqli_rpl_parse_enabled", "mysqli_rpl_probe", "mysqli_rpl_query_type", "mysqli_send_long_data", "mysqli_send_query", "mysqli_set_opt", "z...");
foreach ($badFunctions as $disable) {
if (function_exists("$disable"))
die("Unsafe function '$disable' found. Aborting!\n");
}
?>

:1orglaugh:1orglaugh:1orglaugh

I'll do you one better... hit the button called Power - now that's the ultimate firewall.

quantum-x 05-04-2008 08:08 AM

Just to add a serious re-reply in this thread.

If you're interested in this type of functionality, consider getting Atomic Secured Linux.
http://www.atomicrocketturtle.com/Jo...t/view/137/34/

It's very, very affordable [think $130], runs in the *kernel* layer, [as opposed to php - muffled giggles], and will protect you from ddos to sql injection.

I happen to know the guy who writes it - his credentials include 5 years in the whitehouse heading digital security.

'Onlineriches' credentials? who knows...

