• Resolved Roberto Jobet

    (@robertojobet)


    Dear Sirs,

    Looking further into the NinjaWP docs, I found out that with the .htninja file
    it’s possible to create custom rules to use with the FW engine.

    I’ve put this file in the public_html folder and it’s loaded correctly by
    the FW (see attached screenshot).

    I was doing some tests using a WPScan web service
    (https://hackertarget.com/wordpress-security-scan/) and trying to block
    some IPs I found looking at the FW’s log.

    Here’s the rule that I used from your .htninja-sample file:

    $ip_array = array( '104.237.147.13', '104.237.147.13', '104.211.30.57', '34.230.71.33' );
    if ( in_array( $_SERVER['REMOTE_ADDR'], $ip_array ) ) {
       return 'BLOCK'; // blacklist
    }

    However, running the scan service nothing happens…. IPs are not
    blocked…

    Am I missing something? Do I have to set something else in the .htninja
    file?

    Thanks for any help!

    Best regards

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author nintechnet

    (@nintechnet)

    What kind of files are you scanning? NinjaFirewall is a PHP firewall, so if you scan PHP and HTML files, it will block you. If you scan .txt or .gif files for instance, it won’t block you.

    Thread Starter Roberto Jobet

    (@robertojobet)

    Hi,

    This is an example of what WPscan does and what NinjaFW logs:

    03/Sep/19 23:08:43 #2647995 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=1] – wpninja.sicurezza-wordpress.it
    03/Sep/19 23:08:43 #7373199 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=2] – wpninja.sicurezza-wordpress.it

    With the rule included in the .htninja file, this IP should be blocked by this rule, right?

    Why is this rule not triggered by NinjaFW?

    Regards

    Thread Starter Roberto Jobet

    (@robertojobet)

    Here are some other attempts logged by NinjaFW live log:
    [04/Sep/19:22:27:15 +0200] – 104.211.30.57 “GET /” “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36” “-” “wpninja.sicurezza-wordpress.it”
    [04/Sep/19:22:27:18 +0200] – 104.237.147.13 “GET /readme.html” “-” “Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11” “-” “wpninja.sicurezza-wordpress.it”
    [04/Sep/19:22:27:18 +0200] – 104.237.147.13 “GET /wp-content/uploads/” “-” “Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11” “-” “wpninja.sicurezza-wordpress.it”
    [04/Sep/19:22:27:18 +0200] – 104.237.147.13 “GET /wp-content/plugins/” “-” “Mozilla/5.0 (X11; U; Linux i686) Gecko/20071127 Firefox/2.0.0.11” “-” “wpninja.sicurezza-wordpress.it”

    Plugin Author nintechnet

    (@nintechnet)

    The GET /index.php should be blocked indeed.
    Maybe there’s a syntax error in your .htninja? Make sure it starts with the <?php tag.

    This is the code to add to the .htninja:

    <?php
    $ip_array = array( '104.237.147.13', '104.237.147.13', '104.211.30.57', '34.230.71.33' );
    if ( in_array( $_SERVER['REMOTE_ADDR'], $ip_array ) ) {
       return 'BLOCK'; // blacklist
    }
    
    Thread Starter Roberto Jobet

    (@robertojobet)

    Hi,
    I’m using the .htninja-sample file.
    The code you sent me is the same I sent you.

    NinjaFW log still shows the remote WPscan attempt:
    05/Sep/19 18:49:40 #4302844 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=1] – wpninja.sicurezza-wordpress.it
    05/Sep/19 18:49:40 #4259313 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=2] – wpninja.sicurezza-wordpress.it

    These lines mean that NinjaFW is *not* blocking these scannings?

    Thread Starter Roberto Jobet

    (@robertojobet)

    Please note that in my case the configuration file path is: /home/user/public_html/.htninja

    The setting you recommend (/home/user/.htninja ) didn’t work in my case (Overview’s configuration file line empty).

    Maybe this has something to do with the problem I have with the blocking code?

    Plugin Author nintechnet

    (@nintechnet)

    > These lines mean that NinjaFW is *not* blocking these scannings?

    It is blocking them. But they should be blocked earlier by the .htninja.
    It looks like your .htninja is not loaded.
    Try the following:
    1. Add this line of code to your .htninja (before any other line of code):

    define( 'NFW_ALLOWED_ADMIN', '**you**' );
    

    Replace **you** with your admin login name.
    2. Log in to WordPress, click on the “Overview” page. Do you see this line: Restrictions: Access to NinjaFirewall is restricted to specific users.

    If you see it, the .htninja is loaded. If you don’t see it, the .htninja is not loaded.
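
One way to confirm from the firewall log whether the .htninja blacklist is taking effect, following the plugin author's point that these requests should be stopped before the firewall rules handle them. This is an added example, not part of the thread or of NinjaFirewall: the log layout is taken from the lines quoted above, while `reached_firewall`, `deployed_at`, the constructed sample lines, and the premise that a request stopped by .htninja leaves no rule entry such as "User enumeration scan" are assumptions.

```python
import re
from datetime import datetime

# Addresses from the $ip_array posted in the thread.
BLOCKLIST = {"104.237.147.13", "104.211.30.57", "34.230.71.33"}

# Layout of the firewall log lines quoted in the thread; the separator
# may be "-" or the typographic dash the forum rendered.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\w{3}/\d{2} \d{2}:\d{2}:\d{2}) #(?P<id>\d+) (?P<level>\w+) "
    r"[-–] (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"[-–] (?P<rule>.+?) [-–] \[(?P<detail>.*)\] [-–] (?P<host>\S+)$"
)

SAMPLE_LOG = [
    # Two lines copied from the thread.
    "03/Sep/19 23:08:43 #2647995 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=1] – wpninja.sicurezza-wordpress.it",
    "05/Sep/19 18:49:40 #4302844 HIGH – 104.237.147.13 GET /index.php – User enumeration scan (author archives) – [author=1] – wpninja.sicurezza-wordpress.it",
    # Constructed: an address that is not on the blocklist.
    "05/Sep/19 18:50:02 #1000001 HIGH - 192.0.2.10 GET /index.php - User enumeration scan (author archives) - [author=1] - example.test",
    # Constructed: a truncated line the parser must skip.
    "05/Sep/19 18:50:03 #1000002 HIGH",
]

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["when"] = datetime.strptime(entry["ts"], "%d/%b/%y %H:%M:%S")
    return entry

def reached_firewall(lines, blocklist, deployed_at):
    """Blocklisted IPs that still produced rule entries after deployed_at."""
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if entry and entry["ip"] in blocklist and entry["when"] >= deployed_at:
            hits.setdefault(entry["ip"], []).append((entry["ts"], entry["rule"]))
    return hits

if __name__ == "__main__":
    deployed = datetime(2019, 9, 4)  # assumed time the .htninja rule was added
    for ip, events in reached_firewall(SAMPLE_LOG, BLOCKLIST, deployed).items():
        print(f"{ip}: {len(events)} request(s) reached the rule engine, e.g. {events[0]}")
```

A non-empty result for entries dated after the rule was added points to the same conclusion as the Overview check described above: the .htninja is not being loaded.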

  • The topic ‘Block a remote IP’ is closed to new replies.