Extension "firewall"

by Sascha Egerer

What is your idea about?

Times are tough. Websites are increasingly becoming the target of attackers, be it via automated tools or individuals.
There are often already ways of blocking attacks like SQL injections or XSS. However, these usually require complex or expensive infrastructures to implement. An existing example is fail2ban, a tool that must be installed and configured on the server; some CDN providers also offer similar solutions. In any case, it is necessary to have access to the infrastructure, which unfortunately is often not possible, or not possible with an acceptable level of effort or money.
This is where EXT:firewall comes into play. It should bring a “firewall” into the application. The extension should offer a possibility to decide very early in the request whether it is a valid or a “bad” request. This is decided via rules, which can be registered as required. Each rule increases an attack score or places a request on a “whitelist”, for example. If a defined score is exceeded, the request is handled accordingly - this can be a blocking of the request or, for example, a logging of how many requests have already come from this IP in order to block the IP after, for example, 10 malicious requests. The possibilities are endless thanks to a modular structure.

What do you want to achieve by the end of Q2 2024?

Release a first basic version of EXT:firewall that provides the required framework to be able to register custom validation rules and handlers. Add first rules and handlers to add basic functionality.

What is the potential impact of your idea for the overall goal?

The impact will be that TYPO3 websites using EXT:firewall are less vulnerable to evil requests as they are already blocked before ending up in TYPO3. This will be a must-have extension for most TYPO3 websites, especially for websites that are hosted on managed platforms.

Which budget do you need for your idea?
10.000 Euro

7 Likes
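The rule/score/handler structure described in the proposal, sketched as an added, runnable PHP example. This is not code from EXT:firewall or from the author; the names `RequestInfo`, `Verdict`, `Rule`, `Firewall`, the three rules and the thresholds (block at score 5, lock an address out after 10 malicious requests) are assumptions made for this illustration. In a real PSR-15 package the `Firewall::decide()` call would live in a middleware's `process()` method, fed from `ServerRequestInterface`, and the offence counter would have to be a shared store rather than an in-memory array.

```php
<?php
declare(strict_types=1);

// Stand-in for the request data a PSR-15 middleware would read from ServerRequestInterface
// (getServerParams()['REMOTE_ADDR'], getUri()->getPath(), getQueryParams()). Hypothetical type.
final class RequestInfo
{
    public function __construct(
        public readonly string $clientIp,
        public readonly string $path,
        public readonly array $query,
    ) {}
}

// Accumulated result of all rules for one request (hypothetical type).
final class Verdict
{
    public int $score = 0;
    public bool $allowlisted = false;
    /** @var string[] */
    public array $reasons = [];
}

interface Rule
{
    // A rule either raises the attack score (giving a reason) or marks the request as allowlisted.
    public function apply(RequestInfo $request, Verdict $verdict): void;
}

// Requests from trusted addresses (e.g. an internal monitoring host) skip scoring entirely.
final class TrustedIpRule implements Rule
{
    public function __construct(private readonly array $trustedIps) {}

    public function apply(RequestInfo $request, Verdict $verdict): void
    {
        if (in_array($request->clientIp, $this->trustedIps, true)) {
            $verdict->allowlisted = true;
        }
    }
}

// Directory traversal sequences in the path or in any query value, also when URL-encoded.
final class PathTraversalRule implements Rule
{
    public function apply(RequestInfo $request, Verdict $verdict): void
    {
        foreach ([$request->path, ...array_values($request->query)] as $value) {
            if (str_contains(rawurldecode((string) $value), '../')) {
                $verdict->score += 5;
                $verdict->reasons[] = 'path traversal sequence';
                return;
            }
        }
    }
}

// SQL fragments that have no business in a normal query string.
final class SqlKeywordRule implements Rule
{
    private const PATTERN = '/(union\s+select|information_schema|sleep\s*\()/i';

    public function apply(RequestInfo $request, Verdict $verdict): void
    {
        foreach ($request->query as $value) {
            if (preg_match(self::PATTERN, (string) $value) === 1) {
                $verdict->score += 5;
                $verdict->reasons[] = 'sql keyword in query parameter';
                return;
            }
        }
    }
}

final class Firewall
{
    // In-memory offence counter per client IP; a real deployment needs a shared store (cache, DB).
    private array $offences = [];

    /** @param Rule[] $rules */
    public function __construct(
        private readonly array $rules,
        private readonly int $blockScore,
        private readonly int $maxOffences,
    ) {}

    // Returns 'allow', 'block' (this request scored too high) or 'block-ip' (address already locked out).
    public function decide(RequestInfo $request): string
    {
        $ip = $request->clientIp;
        if (($this->offences[$ip] ?? 0) >= $this->maxOffences) {
            return 'block-ip';
        }
        $verdict = new Verdict();
        foreach ($this->rules as $rule) {
            $rule->apply($request, $verdict);
            if ($verdict->allowlisted) {
                return 'allow';
            }
        }
        if ($verdict->score >= $this->blockScore) {
            $this->offences[$ip] = ($this->offences[$ip] ?? 0) + 1;
            // Logging handler: record the hit so the per-IP count can be reviewed or acted on later.
            error_log(sprintf('firewall: blocked %s %s (%s)', $ip, $request->path, implode(', ', $verdict->reasons)));
            return 'block';
        }
        return 'allow';
    }
}

// Constructed sample traffic (addresses from documentation ranges).
$firewall = new Firewall([new TrustedIpRule(['10.0.0.5']), new PathTraversalRule(), new SqlKeywordRule()], 5, 10);
echo $firewall->decide(new RequestInfo('203.0.113.7', '/news', ['page' => '2'])), PHP_EOL;       // clean request
echo $firewall->decide(new RequestInfo('10.0.0.5', '/x', ['f' => '../../example.conf'])), PHP_EOL; // trusted address
for ($i = 0; $i < 11; $i++) {
    // After ten blocked requests the address itself is refused before any rule runs.
    echo $firewall->decide(new RequestInfo('203.0.113.7', '/x', ['id' => "1 UNION SELECT $i"])), PHP_EOL;
}
```

Rules are deliberately independent of each other and of TYPO3, which is what makes the "register rules as required" part of the proposal work: a site adds or removes rule objects without touching the scoring or the handlers.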

This sounds like a WAF (Web Application Firewall) integrated into TYPO3 due to the mentioned issues with hosting.

Are there plans to build upon existing libraries? I had a look into that myself some months ago and there are already some libraries out there, e.g. check: Packagist

That might reduce the amount of money or speed things up. I also don’t think this is tightly coupled to TYPO3 in specific. So it might make sense to split this up into a proper general purpose composer package for WAF and integrate via PSR-15.

A TYPO3 extension could be built in addition to provide a better integration, e.g. for specifics like fe_user, be_user, TYPO3 backend module, configuration via Sites Configuration, etc.

Also, this might allow attracting contributions from other projects and join efforts.

Furthermore, I think the TYPO3 Security Team should be involved in this topic.

3 Likes

I understand the increased concern on cybersecurity, but I know that solutions like Cloudflare offer these services. Why should we build a solution inside TYPO3?

1 Like

Not everyone has the budget to implement Cloudflare or similar solutions. So this would rather increase the basic security level of TYPO3 also for small and medium sized projects.

I understand that, however, with a free Cloudflare account you can set up multiple security layers.

However, if this extension would be something like the equivalent of WordPress Wordfence, it would be a real addition.

1 Like

Hello,
the big plan is to split this up into a generic PHP package based on PSR middleware and a TYPO3 specific implementation directly connected to e.g. form framework and a management interface for the backend.
I would not really call it a WAF as IMO a WAF should be implemented in the infrastructure before it ends up in TYPO3 at all.

2 Likes

Having publicly available rules for e.g. Cloudflare for TYPO3 would also be very helpful. I think this is also one of the pitfalls someone has to investigate before activating a WAF, except for general WAF rules.