readme fix 2

szepeviktor · szepeviktor · commit ed15272f54ee · 2014-10-26T21:32:06.000+01:00
diff --git a/wordpress-fail2ban/README.md b/wordpress-fail2ban/README.md
@@ -2,7 +2,7 @@
 
 Trigger banning on malicious requests by the fail2ban daemon running on a server.
 Shared hosting has no server-wide banning (because of security reasons)
-but you can use it without fail2ban to stop attack temporarily by setting trigger count to 1.
+but you can use it without fail2ban to stop attacks temporarily by setting trigger count to 1.
 
 ### block-bad-requests
 
diff --git a/wordpress-fail2ban/ban-methods/apache2.php b/wordpress-fail2ban/ban-methods/apache2.php
@@ -0,0 +1,68 @@
+<?php
+
+/*
+*Apache
+*NGINX
+*other environments
+*/
+
+function htaccess_rules() {
+
+    -> better-wp-security/core/class-itsec-files.php
+
+define() custom HTTP header to get IP default:'X-CLUSTER-CLIENT-IP'
+preg_quote $host_ip
+"SetEnvIF " . array( 'REMOTE_ADDR', 'X-FORWARDED-FOR' ) $deny_env;
+# Apache < 2.3, # Apache ≥ 2.3
+<IfModule !mod_authz_core.c>
+    Order allow,deny
+    Deny from env=$deny_env
+#    Deny from $host_ip
+    Allow from all
+    Satisfy All
+</IfModule>
+<IfModule mod_authz_core.c>
+    Require not env $deny_env
+#    Require not ip $host_ip
+</IfModule>
+
+}
+
+function singleton_put_contents( $path, $marker, $content, $timeout ) {
+
+    // wp-admin/includes/misc.php
+        save_mod_rewrite_rules()
+        clone: insert_with_markers()
+    - gethome(htaccess) normal/subdir install
+
+    //1. exists, writeable ...
+    ! fstat()/mod -> then @chmod( $htaccess, 0664 );
+
+    //2. lock || wait and loop
+    "If the file has been locked with LOCK_EX in another process, the CALL WILL BLOCK UNTIL ALL OTHER LOCKS have been released."
+    // must use "@"
+    $fp = @fopen( $path, 'w' )
+    check $fp
+
+    $give_up = time() + 30;
+    while ( ! flock( $file_handle, LOCK_EX | LOCK_NB ) ) {
+        //Lock not acquired, try again in:
+        usleep( round( rand( 0, 100 ) * 1000 ) );
+        if ( $give_up >= time() )
+    }
+
+    //3. read rules
+    $file_stat = fstat( $handle );
+    $contents = fread( $handle, $file_stat['size'] );
+    // line ends
+    $contents = preg_replace( '/\n|\r\n?/', PHP_EOL, $contents );
+    //already contains?
+    preg_match multiline "# BEGIN " . $marker . PHP_EOL -> "# END " . $marker . PHP_EOL;
+
+    //4. ftruncate($fp, 0); write new rules in one go
+
+    // 5. release lock
+    fflush
+    flock( $handle, LOCK_UN );
+    fclose
+}
diff --git a/wordpress-fail2ban/block-bad-requests/README.md b/wordpress-fail2ban/block-bad-requests/README.md
@@ -56,7 +56,7 @@ define( 'O1_BAD_REQUEST_CDN_HEADERS', 'HTTP_X_AMZ_CF_ID:HTTP_VIA:HTTP_X_FORWARDE
 ```
 
 - (integer) `O1_BAD_REQUEST_COUNT` fail2ban trigger limit, `maxretry`
-- (string) `O1_BAD_REQUEST_CDN_HEADERS` a colon separated list of HTTP headers your CDN is recognized by **can be faked**
+- (string) `O1_BAD_REQUEST_CDN_HEADERS` a colon separated list of HTTP headers your CDN is recognized by
 - (boolean) `O1_BAD_REQUEST_ALLOW_REG` allow WP registration, disabled referer and test cookie checks
 - (boolean) `O1_BAD_REQUEST_ALLOW_IE8` allow login with IE8 too (IE8 is not a `Mozilla/5.0` browser)
 - (boolean) `O1_BAD_REQUEST_ALLOW_OLD_PROXIES` allow `HTTP/1.0` login requests
diff --git a/wordpress-fail2ban/mu-plugin/wp-fail2ban-mu.php b/wordpress-fail2ban/mu-plugin/wp-fail2ban-mu.php
@@ -355,4 +355,8 @@ private function exit_with_instructions() {
     error_log( 'em:' . $em );
     return $em;
 }, 0 );
+- general
+    - bad queries https://github.com/wp-plugins/block-bad-queries/
+    - bad UAs
+    - strlen( $_SERVER['REQUEST_URI'] ) > 255
 */
