How To Protect Joomla! with CloudFlare Firewall Rules

OVERVIEW

CloudFlare recently added Firewall Rules to all accounts, including free accounts. With these rules, you can help protect your Joomla! installation against common attacks for both known and undisclosed vulnerabilities.

PROCEDURE

For more detailed information on how CloudFlare Firewall Rules work, and how to set them up, please read the main article, How To Protect WordPress with CloudFlare Firewall Rules.

Here are some recommended CloudFlare Firewall Rules to start with as protection for your Joomla! web site.  Copy and paste these into three separate firewall rules, and set the Actions as shown.

  • Unwanted Bots and User Agents:
    Action: Block
    Rule:
    (http.user_agent contains "AhrefsBot/") or 
    (http.user_agent contains "BaiDuSpider") or 
    (http.user_agent contains "baidu.com") or 
    (http.user_agent contains "/bin/bash") or 
    (http.user_agent contains "[email protected]") or 
    (http.user_agent contains "DnyzBot/") or 
    (http.user_agent contains "DotBot/") or 
    (http.user_agent contains "eval(") or 
    (http.user_agent contains "Go-http-client/") or 
    (http.user_agent contains "Nikto") or 
    (http.user_agent contains "Nimbostratus") or 
    (http.user_agent contains "python-requests") or 
    (http.user_agent contains "Scrapy/") or 
    (http.user_agent contains "SemrushBot/") or 
    (http.user_agent contains "SeznamBot/") or 
    (http.user_agent contains "Sogou web spider/") or 
    (http.user_agent contains "spbot/") or 
    (http.user_agent contains "Uptimebot/") or 
    (http.user_agent contains "WebDAV-MiniRedir") or 
    (http.user_agent contains "WinHttp.WinHttpRequest") or 
    (http.user_agent contains "ZmEu")
    
  • Content Protection:
    Action: Block
    Rule:
    (not http.request.method in {"GET" "POST" "HEAD"}) or 
    (http.request.uri.path contains "phpmyadmin") or 
    (http.request.full_uri contains "passwd") or 
    (http.request.full_uri contains "wpad.") or 
    (http.request.full_uri contains "vuln.") or 
    (http.request.uri.query contains "<script") or 
    (http.request.uri.query contains "%3Cscript")  or 
    (http.request.uri.query contains "base64") or 
    (http.request.uri.query contains "JDatabaseDriverMysql") or 
    (http.request.uri.query contains "proc/self/environ") or 
    (http.request.uri.query contains "mosConfig_") or 
    (http.request.uri.query contains "template=") or 
    (http.request.uri.query contains "=http://") or (http.request.uri.query contains "=https://") or 
    (http.request.uri.query contains "$_GLOBALS[") or (http.request.uri.query contains "$_REQUEST[") or (http.request.uri.query contains "$_POST[")
    

    Note: If you use any extensions that use a REST API, you might want to remove (not http.request.method in {"GET” "POST” "HEAD”}) or from the first line.

  • Login Protection:
    Action: Challenge (Captcha)
    Rule:
    (http.request.uri.path contains "/administrator")

TROUBLESHOOTING

If you see strange behavior with your web site after enabling any firewall rules, here are some steps to try to track down the problem.

  • Check the Events tab on the Firewall page. If you see your current IP address listed in the events, then one of your firewall rules is being triggered by your actions on your web site. Viewing the details of a firewall event does not give you a human readable indicator of which rule was triggered; it gives you a Filter ID number instead. However, you might be able to figure out exactly which part of which rule caused the trigger by examining the URL and User Agent in the events details. If you still aren’t sure, try the following steps.
  • Disable all your firewall rules (toggle the switch next to each rule) and see if the problems you are observing are fixed. Your IP address should not be showing up in any new firewall events listed in the Events tab.
  • Next, re-enable each firewall rule one at a time, testing your web site after each one is re-enabled. When the problem on your web site returns, you know you have found the rule causing the problem.
  • Next, use the Expression Editor to copy-and-paste the entire rule that is causing the problem to a temporary document. Then, use the Expression Builder to delete individual lines from the rule, and save the rule after each line you delete. Check your web site to see if the problem went away. If it did, you found the line causing the problem. If not, continue deleting lines, saving, and testing your web site until you find the line causing the problem.
  • Once you have isolated the problem, use the Expression Editor to restore the original rule from your temporary copy. Then delete the one line that was causing the problem. Save the edited rule and verify the problem has gone away. If not, more than one line may be causing a problem, most likely a line after the one you deleted. Repeat the previous procedure until you find the new line causing the problem.
  • Rather than just eliminating the line, or lines, that caused the problem, see if you can determine a way to make a more specific filter that will protect your web site without causing problems for normal web server traffic.

FURTHER READING

Check out the CloudFlare Firewall Rules documentation for more information and ideas on how to put this powerful feature to work.

MORE PROTECTION

These firewall rules will stop a lot of attacks on your web site. Just return to your CloudFlare account in a 24 hours and look at the Firewall Events log at the bottom of the Firewall page. You will see at least a dozen attacks blocked by these rules. Don’t take it personally, these attackers most likely do not know you.

However, this is not 100% protection for your Joomla! web site. Some additional things you can do to protect your site are:

  • Keep Joomla!, your templates and extensions up-to-date.
  • Review and follow the advice given in the Joomla! Security documentation.
  • Keep abreast of new Joomla! security concerns by following the Joomla! Security Centre web site.
  • Install and configure server level protection, such as mod_security, Fail2Ban, and bad bot blockers. Note: If you aren’t running your own web server, your web hosting company should be taking care of server level protection for you.
  • Cloudflare offers a paid Web Application Firewall service which is a like having the firewall rules outlined in this article, plus many more, all kept up-to-date by their engineers.