At itoctopus, one of the things we are fascinated by is security – we are always researching new ways to improve the security of our managed websites. Our Joomla honeypot experiment, for example, was a huge success and we implemented it for our major clients. It also helped us better understand attack patterns, which, in turn, helped us develop the appropriate counter measures.
A common pattern in attacks on Joomla websites, as we noticed from our Joomla Honeypot Experiment, is long URLs. When a URL is abnormally long, then it’s almost a certainty that it’s an attack, and not a legitimate visit. An obvious counter measure would be to block long URLs from accessing the website. But how? And, how about false positives resulting from this aggressive security measure?
Well, the first thing that needs to be done is to check the Apache access logs, and generate a list of all the URLs sorted by their length. Here’s how (we are assuming that you are using WHM/CentOS as your hosting platform):
- ssh to the server as root.
-
Change to the /usr/local/apache/domlogs by issuing the following command:
cd /usr/local/apache/domlogs -
Run the below code (substitute yourjoomlawebsite.com with your domain):
awk '{print $7 }' /usr/local/apache/domlogs/yourjoomlawebsite.com | sort -nr | uniq -c | awk '{ print length($2) " " $2; }' | sort -nr -k1 > urls-by-length.txtNote: The above code may take some time on high traffic websites, so please be patient.
-
Open the file urls-by-length.txt, and you will see a list of all the URLs accessed, reversely sorted by length. The length of each URL will be printed next to it.
-
Take note of the length of the longest legitimate URL that you have on your website (you will find it at the top of the list, not necessarily in the first row, as the first row may contain an attack URL). You will need it afterwards.
Now that you have the length of the longest legitimate URL on your website, you can create a simple condition in the defines.php file to block URLs that exceed the maximum legitimate length. Here’s how:
- Open or create the file defines.php under the root directory of your Joomla website.
-
Add the following code to it:
<?php $maximumAllowedCharacters = [number you got from running the awk command above + some padding]; // Replace 'http' with 'https' if your website runs in SSL mode $currentURL = 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; if (strlen($currentURL) > $maximumAllowedCharacters){ header('HTTP/1.0 403 Forbidden'); die('Unauthorized'); }?> -
That’s it! Now abnormally long URLs will be blocked from accessing your website.
Note that this can also be done at the ModSecurity level (if you have it installed on your server), and it is even more efficient to do it in ModSecurity, because multiple requests from the same IP can be blocked at the server level. Of course, ModSecurity is a huge realm, and developing a rule that enforces the above simple condition is not what anyone would consider a walk in the park.
But what about false positives?
There is a possibility that you will have false positives when implementing the above on your website, and that’s why it’s always a good idea to monitor your logs (especially 403 errors) in order to address any false positive.
Of course, there is much room for improvement in the defines.php code above. So if you are interested in enhancing it so that it works seamlessly on your website, then please contact us. We are experts in Joomla security, we are hard workers, and our fees are not scary!