Firewall feature

Administrators to connect on a different port

Note: This feature may not work well on a multi-site [1] installation.

When setting up your website, you could use an Apache setting that lets your administrators access the site via port 8888 instead of 80 or 443. Then set up the firewall to block all users except those administrators from connecting on port 8888.

Accepting a log in from the administrator(s) only from a given set of IP addresses

It should be possible to block out all users except administrators from logging in as one of the administrator users.

This is particularly easy to do: put users in a group called Administrators and, when a user is part of that group, check the user's IP address against a list of system-allowed IPs or user-specific IPs (i.e. so user A can log in from work and from home).
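
One way to implement the check described above, as an added example that is not Snap! Websites code. It assumes IPv4 only, rules written as a single address or in CIDR form, and hypothetical names throughout (login_allowed, Rules, system_rules, user_rules).

```cpp
// Added example (not Snap! Websites code); every name below is hypothetical.
#include <arpa/inet.h>
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>
using Rules = std::vector<std::string>;

// Parse dotted-quad IPv4 into host byte order; false on malformed input.
static bool parse_ipv4(const std::string &s, uint32_t &out) {
    in_addr a{};
    if (inet_pton(AF_INET, s.c_str(), &a) != 1) return false;
    out = ntohl(a.s_addr);
    return true;
}
// True when ip is inside rule ("a.b.c.d" or "a.b.c.d/len"). A malformed rule
// never matches, so a typo in the list cannot widen access.
static bool ip_matches(const std::string &rule, uint32_t ip) {
    const auto slash = rule.find('/');
    unsigned len = 32;
    if (slash != std::string::npos) {
        const std::string bits = rule.substr(slash + 1);
        if (bits.empty() || bits.size() > 2 ||
            bits.find_first_not_of("0123456789") != std::string::npos) return false;
        len = static_cast<unsigned>(std::stoul(bits));
        if (len > 32) return false;
    }
    uint32_t net = 0;
    if (!parse_ipv4(rule.substr(0, slash), net)) return false;
    const uint32_t mask = len == 0 ? 0 : ~uint32_t(0) << (32 - len);
    return (ip & mask) == (net & mask);
}
static bool any_match(const Rules &rules, uint32_t ip) {
    for (const auto &r : rules) if (ip_matches(r, ip)) return true;
    return false;
}
// Users outside the Administrators group are not restricted by address here.
// An administrator is accepted only from a system rule or one of their own.
bool login_allowed(const std::string &user, const std::set<std::string> &groups,
                   const std::string &client_ip, const Rules &system_rules,
                   const std::map<std::string, Rules> &user_rules) {
    if (groups.count("Administrators") == 0) return true;
    uint32_t ip = 0;
    if (!parse_ipv4(client_ip, ip)) return false;  // fail closed; IPv6 not handled
    if (any_match(system_rules, ip)) return true;
    const auto it = user_rules.find(user);
    return it != user_rules.end() && any_match(it->second, ip);
}
```

The check fails closed: an unparsable client address or a malformed rule denies the administrator login rather than allowing it.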

Spammer Blocking

Whenever a user with a given IP address accesses one of the websites in a way that guarantees that said user is a spammer, we want to be able to automatically block that IP address in the firewall. A plugin must allow the main system to add said IP address to the lowest-level firewall to stop wasting time and bandwidth.

Implementation: This is started, and IPs do get blocked here and there by snap.cgi and antihammering.

Development status

We have:

  • the tool (iplock) to add or remove firewall rules;
  • snapfirewall, to which a signal is sent and which runs iplock to add/remove rules;
  • snap.cgi blocks various hits we immediately view as hacker hits (i.e. no User Agent, hit with an IP address instead of a host name, trying to access a script in /cgi-bin/, the protocol is not HTTP or HTTPS, etc.);
  • antihammering blocks users who hit our website too quickly.

See: Anti-hammering feature

See: Anti-Spam feature

[1] Multi-site in the sense of multiple websites on the same computer, and also multiple computers that may reply to the requests. In other words, the problem applies to both cases!

Snap! Websites
An Open Source CMS System in C++