Part 2 of my research involves test results for the custom firewall rule I made to solve issues I explained in Part 1.
If you haven't read Part 1, read it first here: https://www.jasongo.net/blog/increased-404-page-views-in-kajabi-analytics-part-1
The firewall rules I made are available on GitHub: https://github.com/jasongodev/kajabi-cloudflare-firewall-rules
Understanding the firewall rules
Line 1: The custom domain. Replace it with your own custom domain.
Line 3: Solves the issue where bots append the domain name as the URL path (requesting /yourdomain.com/... on your own site).
Lines 4-8, 11-15, 23-24: Block file extensions that cannot exist on a Kajabi site.
Lines 9, 10, 16: Block bots from requesting server files that typically hold passwords or server configuration. None of these exist on Kajabi.
Line 17: Blocks bots scanning for a Fortinet vulnerability.
Lines 18-21: Rules to block WordPress attacks.
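To make the logic of those rules concrete, here is a small Python dry-run of the same matching. It is an added example written for this post, not the contents of the GitHub rules file. Cloudflare evaluates the real rules as firewall expressions against each request; this script re-creates the same checks (domain appended as path, probe files, WordPress paths, blocked extensions) over constructed log lines so you can replay your own access log or Cloudflare event export before turning a rule on. The domain, the extension and file lists, and the log lines are assumptions for illustration, and the Fortinet rule is left out because its exact path is not given here.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, unquote

# Assumption for this example: replace with the custom domain of your Kajabi site.
CUSTOM_DOMAIN = "example.com"

# Extensions a Kajabi site never serves (illustrative subset, not the repo's exact list).
BLOCKED_EXTENSIONS = (".php", ".asp", ".aspx", ".jsp", ".cgi", ".sql", ".bak", ".zip", ".tar.gz")
# Server files bots request hoping to find credentials or configuration; none exist on Kajabi.
PROBE_FILES = (".env", ".git/config", ".htaccess", ".htpasswd", "wp-config.php", "sellers.json")
# Path segments that only appear on a WordPress install.
WORDPRESS_SEGMENTS = ("wp-admin", "wp-includes", "wp-content", "wp-login.php", "xmlrpc.php")

# Combined-log-format line: ip ident user [timestamp] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(target: str) -> Optional[str]:
    """Return the name of the first rule a request target trips, or None if it should pass."""
    # Match on the decoded, lower-cased path only; the query string is irrelevant here.
    path = unquote(urlsplit(target).path).lower()
    segments = [s for s in path.split("/") if s]
    if segments and segments[0] in (CUSTOM_DOMAIN, "www." + CUSTOM_DOMAIN):
        return "domain-as-path"
    if path.endswith(PROBE_FILES):
        return "probe-file"
    if any(seg in WORDPRESS_SEGMENTS for seg in segments):
        return "wordpress"
    if path.endswith(BLOCKED_EXTENSIONS):
        return "blocked-extension"
    return None


def filter_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Dry-run the rules over log lines; return (ip, target, rule) for every request that would be blocked."""
    blocked = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at them
        rule = classify(m.group("target"))
        if rule:
            blocked.append((m.group("ip"), m.group("target"), rule))
    return blocked


# Constructed sample traffic (not real logs, documentation IP ranges only): the first six
# lines mimic the probes described in this post, the last two are legitimate page views.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2021:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
    '203.0.113.7 - - [01/Jan/2021:10:00:01 +0000] "GET /example.com/index.php HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/Jan/2021:10:00:02 +0000] "GET /.env HTTP/1.1" 404 0',
    '192.0.2.4 - - [01/Jan/2021:10:00:03 +0000] "GET /sellers.json HTTP/1.1" 404 0',
    '192.0.2.5 - - [01/Jan/2021:10:00:04 +0000] "GET /2018/wp-includes/wlwmanifest.xml HTTP/1.1" 404 0',
    '192.0.2.6 - - [01/Jan/2021:10:00:05 +0000] "GET /cms/index.php HTTP/1.1" 404 0',
    '192.0.2.7 - - [01/Jan/2021:10:00:06 +0000] "GET /blog/my-post HTTP/1.1" 200 0',
    '192.0.2.8 - - [01/Jan/2021:10:00:07 +0000] "GET /products/course-1 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, target, rule in filter_log(SAMPLE_LOG):
        print(f"{rule:<18} {ip:<16} {target}")
```

Run it against a real export and the `None` results are the requests the rules would let through; any 404 that still lands there is a candidate for a new rule. The WordPress check is deliberately placed before the extension check so that /wp-login.php is reported under the rule a reader would expect rather than as a generic .php block.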
Did it work?
Yes, it worked! It confirmed our analysis in Part 1 and blocked numerous requests probing for WordPress and PHP vulnerabilities.
Take note that Kajabi websites are safe even without these Cloudflare Firewall Rules. The only issue is the inaccurate 404 stats showing in Kajabi Analytics.
Let's see some of the catches.
Here's an example of a blocked request for the sellers.json file. It came from several countries, including the US, Hong Kong and India.
This one is from Sweden, checking whether WordPress is present. The same probe arrived from many countries and IP addresses, with various combinations of URL patterns.
This one, from India, is checking whether the WordPress login page exists. Kajabi has none, but on a WordPress server a hit here is followed by brute-force login attempts with different password combinations.
This one, from France, is probing for a different PHP-based CMS. Our generic PHP block rule catches these without needing a rule per product.
Another WordPress attack, this time from Singapore. Note how they try different years in the URL, in this case 2018. Some WordPress webmasters back up a whole site into folders named after a year, and because those old copies are never updated they are a minefield of known vulnerabilities. Unless the webmaster adds an .htaccess rule that denies access to the backup folders, the old installation still executes PHP and can be attacked directly.
Note also that this one comes from a DigitalOcean server. Reporting it to the provider's abuse desk makes it possible to trace who is behind it.
The .env file usually holds application secrets such as database passwords and API keys. Here a bot from the Czech Republic is guessing at its location.
More sophisticated attacks?
We also blocked many Tor-based attacks, i.e. bots that route through the Tor network to hide their real location. These are hard to attribute and nearly impossible to block with IP-based filters, since the exit node keeps changing. Our rules still caught them because they match on the requested URL rather than the source IP.
Some of the attacks used a path traversal technique: they hit a publicly accessible endpoint that takes a file path as a parameter, passed it the path to a sensitive file, and tried to get its contents returned. Take a look at how they tried to exploit known vulnerabilities in WordPress themes.
So it seems my research ends here. We know why it's happening and we have working firewall rules to prevent it.
If you have some observations related to increased 404 stats or see some weird URLs being accessed in your Kajabi website (from Google Analytics or other tracking software), I would love to know and investigate so we can improve the firewall rules.
Lastly, at the time of this writing, Kajabi has rolled out its own firewall rules, and they appear to block WordPress and PHP vulnerability attacks. I have yet to evaluate their effectiveness; that is another blog post to watch out for!