serverwide POST captcha validation

Driesp, Verified User, joined Mar 12, 2007, Belgium
Hi

I have programmed a system-wide captcha that redirects all POST requests via this captcha validation page.
It is not based on recaptcha; I have fixed something easy myself: the sum of two numbers (example: What is the sum of 'two' and 'fourteen'?) and a dropdown to choose from. I suspect no bot expects this question with a dropdown, so I think it will be easy for a human and difficult for a bot.
I have found code on this forum, and changed it to my liking.

It works for all POST requests on WordPress (contact page, login page, comments page, ...), Joomla, Drupal.
Except for JSON-based POST requests (=> PrestaShop, or a shop based on Joomla). I don't know yet if I can somehow fix this.

The client can disable this captcha if it does not work for them.

You can find the code on github:

Please let me know if there is a solution for the JSON-based POST requests.

Kr
Dries
 
It does not work with Ajax.
If anyone can point me in the right direction on how to fix this, it is very welcome. Thanks.
 
I have made some updates.

For Ajax POST requests it is of course not possible to return a captcha,
so I have written my own logic to detect if it is a bot in that particular case; this code is not included.
If you want to share your code or ideas, please do.

All other POST requests will present the browser with a captcha.

The script is still running in test for a subset of my clients, I will deploy it for other clients soon.
 
Hi, thank you!

I am running it on almost all servers, shared webservers and managed servers since the beginning of 2022.

You need, however, to have great whitelisting.
In our case, I have all IP ranges of the clients' ISPs (downstream ISPs) on the whitelist. This means clients won't get bothered with captchas.

You should also research what services your clients use that require POST requests to their applications.
I am thinking about payment providers, WordPress Jetpack, WordPress Wordfence, parcel services, ...
These services usually trigger a POST request to the applications of your clients.
These services should also be whitelisted.

In terms of security, running this firewall means bots cannot scan for passwords.
They also cannot send spam via contact forms. This in turn greatly improves the quality of outgoing e-mails on the network.
Also, if you think about security, websites are getting hacked less.
They are scanning for security issues and exploiting issues on a bigger scale.
Unless your client is specifically targeted, it is more difficult for these attacks to succeed.
Also don't forget about the server load decrease.

Kr
Dries
 
Would like to add:

You need to work with your clients and communicate that this firewall will be installed.

It is webshops that sometimes require POST requests from external services (parcel services, or payment providers).
But some clients have developed their own app, and this app is doing POST requests to their web application.
You can ask them to move these scripts that only take POST requests to a different subdomain that is whitelisted with a .disable_captcha file.

99% of the time, if we are talking about normal websites, normal WordPress websites, this firewall works fine.

Kr
Dries
 
Yes, all sites are WordPress; those are simple sites. If a user completes the captcha correctly, is it whitelisted so it does not appear again? Thanks for your reply.
 
It stays whitelisted until the cleanup cronjob/script is run.
It is recommended to configure this cronjob.

Kr
Dries
 
I don't know if it works with OpenLiteSpeed; I have never used it, I don't have experience with it.

If Apache runs behind OpenLiteSpeed, it will work I think.
It can be used with Apache.

Update: I have configured this firewall on almost all our servers, all shared servers, all reseller servers and managed servers.

Kr
Dries
 
Sorry to be a pain in the ass, but I have been trying to make this work. Uninstalled OLS and installed Apache+Nginx and did this:

1. Placed the files inside /var/www/html and changed the ownership to webapps:webapps
2. Replaced the salt in index.php
3. Created captcha.conf in /usr/local/directadmin/data/templates/custom/ and added:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteCond %{DOCUMENT_ROOT}/.disable_captcha !-f
RewriteCond /var/www/html/__captcha_validation/ip/%{REMOTE_ADDR}.dat !-f
RewriteCond %{REQUEST_URI} !^/__captcha_validation/
RewriteRule ^ %{REQUEST_SCHEME}://%{SERVER_NAME}/__captcha_validation/?ref=%{REQUEST_SCHEME}://%{SERVER_NAME}&uri=%{REQUEST_URI}&c=%{REMOTE_ADDR}&qs=%{QUERY_STRING} [R=307,L]
</IfModule>
4. Added in /etc/httpd/conf/extra/httpd-includes.conf
Alias /__captcha_validation /var/www/html/__captcha_validation

Ran ./build rewrite_configs

Still did not work
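To make the gate in the posted captcha.conf concrete, here is an added model of its decision logic (example code, not the project's own): the four RewriteCond checks, the ISP-range whitelist Dries recommends, and the per-IP .dat marker whose lifetime is bounded by the cleanup cron. The CIDR ranges, the 24-hour TTL and the optional Content-Type exemption for JSON/Ajax POSTs are assumptions, the last one shown only as one option for the open question in the thread.

```python
"""Model of the thread's mod_rewrite POST gate (added example, not project code)."""
import ipaddress
import time
from urllib.parse import quote

CAPTCHA_PATH = "/__captcha_validation/"
CAPTCHA_TTL = 24 * 3600  # assumed age at which the cleanup cron removes ip/<addr>.dat
# Constructed ISP ranges standing in for the downstream-ISP whitelist
ISP_WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]


def gate(method, uri, remote_addr, scheme, host, query_string="",
         disable_captcha_present=False, solved_at=None, now=None,
         content_type="", exempt_json=False):
    """Return None to pass the request through, or the 307 redirect target."""
    now = time.time() if now is None else now
    # RewriteCond %{REQUEST_METHOD} ^POST$
    if method != "POST":
        return None
    # RewriteCond %{DOCUMENT_ROOT}/.disable_captcha !-f  (per-site opt-out)
    if disable_captcha_present:
        return None
    # RewriteCond %{REQUEST_URI} !^/__captcha_validation/  (never loop on the captcha page)
    if uri.startswith(CAPTCHA_PATH):
        return None
    # ISP / partner whitelist (recommended in the thread, not part of the posted rules)
    addr = ipaddress.ip_address(remote_addr)
    if any(addr in net for net in ISP_WHITELIST):
        return None
    # RewriteCond .../ip/%{REMOTE_ADDR}.dat !-f, with the cron cleanup modelled as a TTL
    if solved_at is not None and now - solved_at < CAPTCHA_TTL:
        return None
    # Assumed option: JSON clients cannot render a captcha page, so let them through
    if exempt_json and content_type.split(";")[0].strip() == "application/json":
        return None
    # Same parameters as the posted RewriteRule; uri and qs are client-controlled and
    # are percent-encoded here so they cannot inject extra parameters into the redirect
    ref = f"{scheme}://{host}"
    return (f"{ref}{CAPTCHA_PATH}?ref={quote(ref, safe='')}&uri={quote(uri, safe='')}"
            f"&c={remote_addr}&qs={quote(query_string, safe='')}")
```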
 
Hi

The mod_rewrite rules need to be active in each virtual host.

You need to make a copy of virtual_host2.conf, virtual_host2_sub.conf, virtual_host2_secure.conf and virtual_host2_secure_sub.conf to custom/
and change each file so it contains the mod_rewrite rules inside the virtual host.
A good placement would be after the CustomLog rules and before the Directory rule.
Afterwards run rewrite_configs and restart Apache.

Kind regards
Dries
 
So only copy those files into custom and modify them by adding the mod_rewrite rules? No need to add the rules to the original virtual hosts, right?
 
Hi

You need to place your changes into custom.
If you don't do this, DirectAdmin might undo your changes when there is an update.

Kr
Dries
 