605 lines
16 KiB
PHP
605 lines
16 KiB
PHP
<?php
|
|
|
|
class wfFirewall
|
|
{
|
|
const FIREWALL_MODE_DISABLED = 'disabled';
|
|
const FIREWALL_MODE_LEARNING = 'learning-mode';
|
|
const FIREWALL_MODE_ENABLED = 'enabled';
|
|
|
|
const PROTECTION_MODE_EXTENDED = 'extended';
|
|
const PROTECTION_MODE_BASIC = 'basic';
|
|
|
|
const RULE_MODE_COMMUNITY = 'community';
|
|
const RULE_MODE_PREMIUM = 'premium';
|
|
|
|
const BLACKLIST_MODE_DISABLED = 'disabled';
|
|
const BLACKLIST_MODE_ENABLED = 'enabled';
|
|
|
|
const UPDATE_FAILURE_RATELIMIT = 'ratelimit';
|
|
const UPDATE_FAILURE_UNREACHABLE = 'unreachable';
|
|
const UPDATE_FAILURE_FILESYSTEM = 'filesystem';
|
|
|
|
/**
|
|
* Returns a string suitable for display of the firewall status.
|
|
*
|
|
* @param null|string $status
|
|
* @param null|string $protection
|
|
* @return string
|
|
*/
|
|
public function displayText($status = null, $protection = null) {
|
|
if ($status === null) { $status = $this->firewallMode(); }
|
|
if ($protection === null) { $protection = $this->protectionMode(); }
|
|
|
|
switch ($status) {
|
|
case self::FIREWALL_MODE_ENABLED:
|
|
$statusText = __('Enabled', 'wordfence');
|
|
break;
|
|
case self::FIREWALL_MODE_LEARNING:
|
|
$statusText = __('Learning Mode', 'wordfence');
|
|
break;
|
|
default:
|
|
return __('Disabled', 'wordfence');
|
|
}
|
|
|
|
switch ($protection) {
|
|
case self::PROTECTION_MODE_EXTENDED:
|
|
$protectionText = __('Extended Protection', 'wordfence');
|
|
break;
|
|
default:
|
|
$protectionText = __('Basic Protection', 'wordfence');
|
|
break;
|
|
}
|
|
|
|
return sprintf('%s (%s)', $statusText, $protectionText);
|
|
}
|
|
|
|
/**
|
|
* Syncs the status from WAF to the wfConfig table if $toDatabase is true, the reverse if false.
|
|
*
|
|
* @param bool $toDatabase
|
|
*/
|
|
public function syncStatus($toDatabase = true) {
|
|
if ($toDatabase) {
|
|
try {
|
|
$status = wfWAF::getInstance()->getStorageEngine()->getConfig('wafStatus');
|
|
if (in_array($status, array(self::FIREWALL_MODE_DISABLED, self::FIREWALL_MODE_LEARNING, self::FIREWALL_MODE_ENABLED))) {
|
|
wfConfig::set('waf_status', $status);
|
|
}
|
|
}
|
|
catch (Exception $e) {
|
|
//Ignore
|
|
}
|
|
}
|
|
else {
|
|
try {
|
|
$status = wfConfig::get('waf_status');
|
|
if (in_array($status, array(self::FIREWALL_MODE_DISABLED, self::FIREWALL_MODE_LEARNING, self::FIREWALL_MODE_ENABLED))) {
|
|
wfWAF::getInstance()->getStorageEngine()->setConfig('wafStatus', $status);
|
|
}
|
|
}
|
|
catch (Exception $e) {
|
|
//Ignore
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Tests the WAF configuration and returns true if successful.
|
|
*
|
|
* @return bool
|
|
*/
|
|
public function testConfig() {
|
|
try {
|
|
wfWAF::getInstance()->getStorageEngine()->isDisabled();
|
|
}
|
|
catch (Exception $e) {
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Returns a normalized percentage (i.e., in the range [0, 1]) to the corresponding display percentage
|
|
* based on license type.
|
|
*
|
|
* @param float $percentage
|
|
* @param bool $adjust Whether or not to adjust the range to [0, 0.7]
|
|
* @return float
|
|
*/
|
|
protected function _normalizedPercentageToDisplay($percentage, $adjust = true) {
|
|
if (wfConfig::get('isPaid') || !$adjust) {
|
|
return round($percentage, 2);
|
|
}
|
|
|
|
return round($percentage * 0.70, 2);
|
|
}
|
|
|
|
/**
|
|
* Returns the percentage calculation of the overall firewall status, which is displayed under "Firewall"
|
|
* on the Dashboard page.
|
|
*
|
|
* @return float
|
|
*/
|
|
public function overallStatus() {
|
|
try {
|
|
$wafStatus = $this->wafStatus();
|
|
$bruteForceStatus = $this->bruteForceStatus();
|
|
|
|
$percentage = 0.0;
|
|
$percentage += $wafStatus * 0.80;
|
|
$percentage += $bruteForceStatus * 0.20;
|
|
return $this->_normalizedPercentageToDisplay($percentage, false);
|
|
}
|
|
catch (Exception $e) {
|
|
//Ignore, return 0%
|
|
}
|
|
|
|
return 0.0;
|
|
}
|
|
|
|
public function statusList($section = null) {
|
|
$statusList = array();
|
|
$wafStatusList = $this->wafStatusList($section);
|
|
$bruteForceStatusList = $this->bruteForceStatusList();
|
|
|
|
foreach ($wafStatusList as $entry) {
|
|
$entry['percentage'] *= 0.8;
|
|
$statusList[] = $entry;
|
|
}
|
|
|
|
foreach ($bruteForceStatusList as $entry) {
|
|
$entry['percentage'] *= 0.2;
|
|
$statusList[] = $entry;
|
|
}
|
|
|
|
return array_filter($statusList);
|
|
}
|
|
|
|
/**
|
|
* Returns the percentage calculation of the WAF status, which is displayed under "Web Application
|
|
* Firewall" on the Firewall page.
|
|
*
|
|
* @return float
|
|
*/
|
|
public function wafStatus() {
|
|
try {
|
|
$ruleStatus = $this->ruleStatus(true);
|
|
$blacklistStatus = $this->blacklistStatus();
|
|
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
|
|
$extendedProtection = $wafEnabled && WFWAF_AUTO_PREPEND && !WFWAF_SUBDIRECTORY_INSTALL;
|
|
$rateLimitingAdvancedBlockingEnabled = wfConfig::get('firewallEnabled', 1);
|
|
|
|
if (!$wafEnabled) {
|
|
return 0.0;
|
|
}
|
|
|
|
$percentage = 0.0;
|
|
$percentage += $this->_normalizedPercentageToDisplay($ruleStatus * 0.35, true);
|
|
$percentage += $blacklistStatus * 0.35;
|
|
$percentage += ($extendedProtection ? 0.20 : 0.0);
|
|
$percentage += ($rateLimitingAdvancedBlockingEnabled ? 0.10 : 0.0);
|
|
return $this->_normalizedPercentageToDisplay($percentage, false);
|
|
}
|
|
catch (Exception $e) {
|
|
//Ignore, return 0%
|
|
}
|
|
|
|
return 0.0;
|
|
}
|
|
|
|
public function wafStatusList($section = null) {
|
|
$statusList = array();
|
|
try {
|
|
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
|
|
if (!$wafEnabled) {
|
|
return array(
|
|
array(
|
|
'percentage' => 1.0,
|
|
'title' => __('Enable firewall.', 'wordfence'),
|
|
),
|
|
);
|
|
}
|
|
|
|
// Get percent of rules enabled.
|
|
$ruleStatus = $this->ruleStatusDescription(true);
|
|
$premiumStatus = array();
|
|
if (!wfConfig::get('isPaid')) {
|
|
$premiumStatus = array(
|
|
'percentage' => 0.30,
|
|
'title' => __('Enable Premium Rules.', 'wordfence'),
|
|
);
|
|
}
|
|
|
|
if ($section === 'rules') {
|
|
if ($ruleStatus) {
|
|
$ruleStatus['percentage'] = $this->_normalizedPercentageToDisplay($ruleStatus['percentage']);
|
|
}
|
|
return array_filter(array($ruleStatus, $premiumStatus));
|
|
}
|
|
if ($premiumStatus) {
|
|
$premiumStatus['percentage'] *= 0.35;
|
|
$premiumStatus['percentage'] = $this->_normalizedPercentageToDisplay($premiumStatus['percentage'], false);
|
|
}
|
|
if ($ruleStatus) {
|
|
$ruleStatus['percentage'] *= 0.35;
|
|
$ruleStatus['percentage'] = $this->_normalizedPercentageToDisplay($ruleStatus['percentage']);
|
|
}
|
|
$statusList = array_merge($statusList, array($ruleStatus), array($premiumStatus));
|
|
|
|
$blacklistStatus = $this->blacklistStatusDescription();
|
|
if ($section === 'blacklist') {
|
|
return array_filter(array($blacklistStatus));
|
|
}
|
|
if ($blacklistStatus) {
|
|
$blacklistStatus['percentage'] *= 0.35;
|
|
$blacklistStatus['percentage'] = $this->_normalizedPercentageToDisplay($blacklistStatus['percentage'], false);
|
|
}
|
|
$statusList = array_merge($statusList, array($blacklistStatus));
|
|
|
|
$extendedProtection = $wafEnabled && WFWAF_AUTO_PREPEND && !WFWAF_SUBDIRECTORY_INSTALL;
|
|
if (!$extendedProtection) {
|
|
$statusList[] = array(
|
|
'percentage' => $this->_normalizedPercentageToDisplay(0.20, false),
|
|
'title' => __('Optimize the Wordfence Firewall.', 'wordfence'),
|
|
);
|
|
}
|
|
|
|
$rateLimitingAdvancedBlockingEnabled = wfConfig::get('firewallEnabled', 1);
|
|
if (!$rateLimitingAdvancedBlockingEnabled) {
|
|
$statusList[] = array(
|
|
'percentage' => $this->_normalizedPercentageToDisplay(0.10, false),
|
|
'title' => __('Enable Rate Limiting and Advanced Blocking.', 'wordfence'),
|
|
);
|
|
}
|
|
|
|
return array_filter($statusList);
|
|
}
|
|
catch (Exception $e) {
|
|
//Ignore, return 0%
|
|
}
|
|
|
|
if (!WFWAF_OPERATIONAL) {
|
|
return array(array('percentage' => 1.0, 'title' => __('Repair the Wordfence Firewall configuration.', 'wordfence')));
|
|
}
|
|
|
|
return array();
|
|
}
|
|
|
|
/**
|
|
* Returns the status of the WAF.
|
|
*
|
|
* @return string
|
|
*/
|
|
public function firewallMode() {
|
|
try {
|
|
return (!WFWAF_ENABLED ? 'disabled' : wfWAF::getInstance()->getStorageEngine()->getConfig('wafStatus'));
|
|
}
|
|
catch (Exception $e) {
|
|
//Ignore
|
|
}
|
|
|
|
return self::FIREWALL_MODE_DISABLED;
|
|
}
|
|
|
|
/**
|
|
* Returns the current protection mode configured for the WAF.
|
|
*
|
|
* @return string
|
|
*/
|
|
public function protectionMode() {
|
|
if (defined('WFWAF_AUTO_PREPEND') && WFWAF_AUTO_PREPEND) {
|
|
return self::PROTECTION_MODE_EXTENDED;
|
|
}
|
|
return self::PROTECTION_MODE_BASIC;
|
|
}
|
|
|
|
/**
|
|
* Returns whether or not this installation is in a subdirectory of another WordPress site with the WAF already optimized.
|
|
*
|
|
* @return bool
|
|
*/
|
|
public function isSubDirectoryInstallation() {
|
|
if (defined('WFWAF_SUBDIRECTORY_INSTALL') && WFWAF_SUBDIRECTORY_INSTALL) {
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Returns the percentage calculation of the firewall rule status, which is displayed under "Firewall Rules" on the
|
|
* Firewall page.
|
|
*
|
|
* The calculation is the number of rules enabled divided by the total number of rules. If the WAF is in learning
|
|
* mode, no rules are enforced, so it's clamped to 0%.
|
|
*
|
|
* @param bool $round Round the percentage (in the range [0, 1]) to be only whole percentages.
|
|
* @return float
|
|
*/
|
|
public function ruleStatus($round = false) {
|
|
try {
|
|
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
|
|
if (!$wafEnabled) {
|
|
return 0.0;
|
|
}
|
|
|
|
/*$learningMode = !!wfWAF::getInstance()->isInLearningMode();
|
|
if ($learningMode) {
|
|
return 0.0;
|
|
}*/
|
|
|
|
$rules = wfWAF::getInstance()->getRules();
|
|
$disabledRules = (array) wfWAF::getInstance()->getStorageEngine()->getConfig('disabledRules');
|
|
/** @var wfWAFRule $rule */
|
|
$enabledCount = 0;
|
|
foreach ($rules as $ruleID => $rule) {
|
|
if (isset($disabledRules[$ruleID]) && $disabledRules[$ruleID]) {
|
|
continue;
|
|
}
|
|
|
|
$enabledCount++;
|
|
}
|
|
|
|
$percentEnabled = (count($rules) == 0 ? 0 : $enabledCount / count($rules));
|
|
if ($round) {
|
|
return round($percentEnabled, 2);
|
|
}
|
|
|
|
return $this->_normalizedPercentageToDisplay($percentEnabled);
|
|
}
|
|
catch (Exception $e) {
|
|
//Ignore, return 0%
|
|
}
|
|
|
|
return 0.0;
|
|
}
|
|
|
|
/**
|
|
* @param bool $round
|
|
* @return array
|
|
*/
|
|
public function ruleStatusDescription($round = false) {
|
|
try {
|
|
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
|
|
if (!$wafEnabled) {
|
|
return array(
|
|
'percentage' => 1.0,
|
|
'title' => __('Enable firewall.', 'wordfence'),
|
|
);
|
|
}
|
|
|
|
/*$learningMode = !!wfWAF::getInstance()->isInLearningMode();
|
|
if ($learningMode) {
|
|
return 0.0;
|
|
}*/
|
|
|
|
$rules = wfWAF::getInstance()->getRules();
|
|
$disabledRules = (array) wfWAF::getInstance()->getStorageEngine()->getConfig('disabledRules');
|
|
/** @var wfWAFRule $rule */
|
|
$enabledCount = 0;
|
|
foreach ($rules as $ruleID => $rule) {
|
|
if (isset($disabledRules[$ruleID]) && $disabledRules[$ruleID]) {
|
|
continue;
|
|
}
|
|
|
|
$enabledCount++;
|
|
}
|
|
|
|
$percentEnabled = 1.0 - ((float) (count($rules) == 0 ? 0 : $enabledCount / count($rules)));
|
|
if ($percentEnabled === 0.0) {
|
|
return array();
|
|
}
|
|
$reenbleCount = count($rules) - $enabledCount;
|
|
return array(
|
|
'percentage' => ($round ? round($percentEnabled, 2) : $percentEnabled),
|
|
'title' => sprintf(_n('Re-enable %d firewall rule.', 'Re-enable %d firewall rules.', $reenbleCount, 'wordfence'), number_format_i18n($reenbleCount)),
|
|
);
|
|
}
|
|
catch (Exception $e) {
|
|
//Ignore, return 0%
|
|
}
|
|
|
|
return array(
|
|
'percentage' => 1.0,
|
|
'title' => __('Enable firewall.', 'wordfence'),
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Returns the rule feed that is in use.
|
|
*
|
|
* @return string
|
|
*/
|
|
public function ruleMode() {
|
|
if (wfConfig::get('isPaid')) {
|
|
return self::RULE_MODE_PREMIUM;
|
|
}
|
|
return self::RULE_MODE_COMMUNITY;
|
|
}
|
|
|
|
/**
|
|
* Returns 100% if the blacklist is enabled, 0% if not.
|
|
*
|
|
* @return float
|
|
*/
|
|
public function blacklistStatus() {
|
|
try {
|
|
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
|
|
if (!$wafEnabled) {
|
|
return 0.0;
|
|
}
|
|
|
|
return $this->blacklistMode() == self::BLACKLIST_MODE_ENABLED ? 1.0 : 0.0;
|
|
}
|
|
catch (Exception $e) {
|
|
//Ignore, return 0%
|
|
}
|
|
|
|
return 0.0;
|
|
}
|
|
|
|
/**
|
|
* Returns 100% if the blacklist is enabled, 0% if not.
|
|
*
|
|
* @return array
|
|
*/
|
|
public function blacklistStatusDescription() {
|
|
try {
|
|
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
|
|
if (!$wafEnabled) {
|
|
return array(
|
|
'percentage' => 1.0,
|
|
'title' => __('Enable Firewall.', 'wordfence'),
|
|
);
|
|
}
|
|
|
|
if ($this->blacklistMode() == self::BLACKLIST_MODE_ENABLED) {
|
|
return array();
|
|
}
|
|
return array(
|
|
'percentage' => 1.0,
|
|
'title' => __('Enable Real-Time IP Blocklist.', 'wordfence'),
|
|
);
|
|
}
|
|
catch (Exception $e) {
|
|
//Ignore, return 0%
|
|
}
|
|
|
|
return array(
|
|
'percentage' => 1.0,
|
|
'title' => __('Enable Real-Time IP Blocklist.', 'wordfence'),
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Returns the blacklist mode.
|
|
*
|
|
* @return string
|
|
*/
|
|
public function blacklistMode() {
|
|
$blacklistEnabled = false;
|
|
try {
|
|
$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
|
|
$blacklistEnabled = $wafEnabled && !wfWAF::getInstance()->getStorageEngine()->getConfig('disableWAFBlacklistBlocking');
|
|
}
|
|
catch (Exception $e) {
|
|
//Do nothing
|
|
}
|
|
|
|
if (wfConfig::get('isPaid') && $blacklistEnabled) {
|
|
return self::BLACKLIST_MODE_ENABLED;
|
|
}
|
|
return self::BLACKLIST_MODE_DISABLED;
|
|
}
|
|
|
|
/**
|
|
* Returns a percentage rating for the brute force protection status. This includes both the WFSN enabled status
|
|
* and the status of individual login security options. These options are available to all, so they are always
|
|
* in the range [0,1].
|
|
*
|
|
* @return float
|
|
*/
|
|
public function bruteForceStatus() {
|
|
$networkBruteForceEnabled = !!wfConfig::get('other_WFNet');
|
|
$localBruteForceEnabled = !!wfConfig::get('loginSecurityEnabled');
|
|
|
|
$percentage = 0.0;
|
|
|
|
if ($localBruteForceEnabled) {
|
|
$percentage += 0.1;
|
|
|
|
if ($networkBruteForceEnabled) {
|
|
$percentage += 0.5;
|
|
}
|
|
if (wfConfig::get('loginSec_strongPasswds_enabled') && (wfConfig::get('loginSec_strongPasswds') == 'pubs' || wfConfig::get('loginSec_strongPasswds') == 'all')) {
|
|
$percentage += 0.1;
|
|
}
|
|
if (wfConfig::get('loginSec_maskLoginErrors')) {
|
|
$percentage += 0.1;
|
|
}
|
|
if (wfConfig::get('loginSec_blockAdminReg')) {
|
|
$percentage += 0.1;
|
|
}
|
|
if (wfConfig::get('loginSec_disableAuthorScan')) {
|
|
$percentage += 0.1;
|
|
}
|
|
}
|
|
|
|
return round($percentage, 2);
|
|
}
|
|
|
|
/**
|
|
* Returns the status of the WAF's learning mode.
|
|
*
|
|
* @return bool|int Returns true if enabled without an automatic switchover, a timestamp if enabled with one, and false if not in learning mode.
|
|
*/
|
|
public function learningModeStatus() {
|
|
if ($this->firewallMode() != self::FIREWALL_MODE_LEARNING) {
|
|
return false;
|
|
}
|
|
|
|
try {
|
|
$config = wfWAF::getInstance()->getStorageEngine();
|
|
if ($config->getConfig('learningModeGracePeriodEnabled')) {
|
|
return (int) $config->getConfig('learningModeGracePeriod');
|
|
}
|
|
|
|
return true;
|
|
}
|
|
catch (Exception $e) {
|
|
//Ignore, return false
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* @return array
|
|
*/
|
|
public function bruteForceStatusList() {
|
|
$networkBruteForceEnabled = !!wfConfig::get('other_WFNet');
|
|
$localBruteForceEnabled = !!wfConfig::get('loginSecurityEnabled');
|
|
|
|
$status = array();
|
|
|
|
if ($localBruteForceEnabled) {
|
|
if (!$networkBruteForceEnabled) {
|
|
$status[] = array(
|
|
'percentage' => 0.5,
|
|
'title' => __('Enable Real-Time Wordfence Security Network.', 'wordfence'),
|
|
);
|
|
}
|
|
if (!wfConfig::get('loginSec_strongPasswds_enabled')) {
|
|
$status[] = array(
|
|
'percentage' => 0.1,
|
|
'title' => __('Enforce Strong Passwords.', 'wordfence'),
|
|
);
|
|
}
|
|
if (!wfConfig::get('loginSec_maskLoginErrors')) {
|
|
$status[] = array(
|
|
'percentage' => 0.1,
|
|
'title' => __('Enable Mask Login Errors.', 'wordfence'),
|
|
);
|
|
}
|
|
if (!wfConfig::get('loginSec_blockAdminReg')) {
|
|
$status[] = array(
|
|
'percentage' => 0.1,
|
|
'title' => __('Enable Block Admin Registration.', 'wordfence'),
|
|
);
|
|
}
|
|
if (!wfConfig::get('loginSec_disableAuthorScan')) {
|
|
$status[] = array(
|
|
'percentage' => 0.1,
|
|
'title' => __('Disable Author Scanning.', 'wordfence'),
|
|
);
|
|
}
|
|
} else {
|
|
$status[] = array(
|
|
'percentage' => 1.0,
|
|
'title' => __('Enable Brute Force Protection.', 'wordfence'),
|
|
);
|
|
}
|
|
|
|
return array_filter($status);
|
|
}
|
|
}
|