SPIP WAF: Web Application Firewall for SPIP

Dev
21

Hello All!

It has been a great week as I’ve been able to back and forth on the forge with @pierretux adding great features and fixes to the plugin.

  • detect failed login attempts and block such IPs
  • added IPv6 support, added IPv6 blocklist
  • automatically delete request data after 90 days, blocked IPs are kept for 180 days and deleted after
  • Other smaller features, fixes and adjustments
  • …And improved performance for IP lookups! About this:

Analyzing 203497 requests:
p50 = 5.34ms (8.49 ms before) → half of all WAF checks complete in under 6 ms)
p95 = 9.83ms (18.64 ms before) → 95% of all checks complete in under 10 ms !!)
p99 = 39.64 (37.13 ms before ) → 99% of all checks complete in under 40 ms

There is more to optimize but less than 10ms overhead for 95% of requests is good! And for 50% of requests it’s only max 6ms overhead added…

Bon weekend,
Urs

1 « J'aime »
22

Dashboard allows to analyze each day by attack types, as well as understand how many requests are blocked based on the WAF’s rules and the IP blocklists:

Screenshot 2026-04-24 at 18-11-11
Screenshot 2026-04-24 at 18-11-11652×798 54.6 KB

On the config form, we can enable the login failure detection:

Screenshot 2026-04-24 at 18-14-01
Screenshot 2026-04-24 at 18-14-01808×198 13.6 KB

2 « J'aime »
23

Interesting, I’m testing it right now on a site with a big traffic.

Why do you log in error.log (Apache) and not in SPIP logs (/tmp/log/), which is the more standrad way ?

24

It could be interesting to use also /tmp/nospam_ip_list.txt, which is filled by the Nospam plugin.

25

Does this kind of logging work on a shared hosting where the Apache log is not writable by userspace applications?

26

Yes the plugin works well on shared hostings.

There are no logfiles during normal use. The logfiles are only written if you want to study the performance stats for debugging. But that’s not enabled by default. I’ll change it over to spip_log, just a bad habit to use error_log. :wink: The actual data like offenses, blocks are written to the db.

/tmp/nospam_ip_list.txt looks like a great idea, I’ll look into it more! We can just add these IPs as a dynamic blocklist.

27

You have to be careful with database writting on events, because this is giving a malicious attaquant a very good way to operate a DDOS.

SPIP is designed to serve most of the hits (ie hits in cache) without connecting to the database in able to lower the server load.

By activating a plugin that use the database on each hit you are weakening this, and if you even are writing in the databse on each offending/abusive hit, I fear that on real large scale abuse of the website the result is going to be worse than the initial situation, leading to a serveur overload faster than letting SPIP serve the hits.

That said, this is just a reaction to your last comment, I did not audit the plugin.