Ninja Firewall: Free Protection for your Osclass classifieds script
(Updated – SEP 2022)
Osclass script hasn’t been updated for more than a year now. No bug fixes, no security updates. Maybe it is bug-free (not) or extremely secure (could be). Also in September of 2019, Osclass Market was shut down. Apparently Osclass script is becoming abandon-ware, if not a dead project.
So it is even more important now to use a third party security protection. With a little work on your part and a little knowledge, it is easy to do. It works with Apache, Nginx and Litespeed web servers.
Please do not hold me responsible if something goes wrong and you damage your hosting account. If you do not fully understand what you read here, then please do NOT proceed. Find someone to help you out or ask your hosting company for support. The Ninja Firewall Pro / Osclass combo is well tested and has been working in several Osclass installations for 2+ years now.
I will describe how to make the firewall work with Osclass but I won’t go into deep technical details, because there are a lot of different hosting setups and it is impossible to cover them all. If you need any kind of support, please create an account and use our Osclass Forums, so everyone can benefit from the posted topics. We will try to help.
NinjaFirewall (Pro & Pro+ Edition) is a powerful Web Application Firewall designed to protect all PHP software, from custom scripts to popular shopping cart software and CMS applications.
Start by downloading Ninja Firewall Pro edition (free) and installing it in your web hosting space, somewhere that can be fully accessed by your website. You can install the application inside your website folder or outside your website path (in your hosting space, but you must know what you are doing). As usual the permissions MUST be 644 for files and 755 for the folders.
https://nintechnet.com/ninjafirewall/pro-edition/
After the installation, the firewall script needs to be loaded by PHP via a directive added to the top of your .htaccess or to your .ini file, preferably the .htaccess located IN your website’s folder (for easier setup). The directive is “auto_prepend_file”, set in .htaccess with “php_value”; see the example below:
php_value auto_prepend_file /path/to/.../lib/firewall.php
That will load the firewall script BEFORE (in front of) your Osclass script. All incoming traffic will be checked BEFORE reaching your Osclass website, and blocked if an attack is recognized. Be warned that some (a few) web hosting companies do not allow or support the “php prepend” directive. If this is your case, there is still a workaround to load the script, but more on this at the end of this post. The only tricky part of the installation is to set the paths correctly, so be careful about it.
Here is an example using .htaccess. If your website is installed in “public_html” and Ninja Firewall is installed inside your website in “ouklwjs87_ninja-fw”, then your .htaccess should look like this:
# BEGIN NinjaFirewall
php_value auto_prepend_file /home/hostingplan_name/public_html/ouklwjs87_ninja-fw/firewall.php
# END NinjaFirewall
(Why “ouklwjs87_ninja-fw” as folder name in the example? For security reasons use a non-standard “whatever” folder name for your installation. Do not use for example “ninjafirewall” or “firewall” because it can be easily guessed. Of course even if the folder name is found, the login page is id/password protected, still better be safe than sorry.)
While Ninja Firewall Pro was not designed with the Osclass script in mind, they both work together very well. You might get a few wrong warnings or alerts but this can easily be fixed within the options and security rules. Still it is better to be fully protected and have a couple of false warnings, than be totally naked out there in the wild Internet.
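One way to check the paths and permissions before relying on the setup, as an added example that is not part of the original post and not a NinjaFirewall tool: the script reads the auto_prepend_file path from .htaccess, confirms the file exists, and verifies the 644/755 permissions. It goes slightly beyond the .htaccess example above by also accepting the .ini form (auto_prepend_file = /path). The function names prepend_path and check_install are made up for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the auto_prepend_file setup described above.
# check_install/prepend_path are hypothetical helper names, not NinjaFirewall tools.

# Print the auto_prepend_file value from an .htaccess ("php_value auto_prepend_file X")
# or an .ini file ("auto_prepend_file = X"). Comment lines (# or ;) never match.
prepend_path() {
    sed -n -E 's/^[[:space:]]*(php_value[[:space:]]+)?auto_prepend_file[[:space:]]*=?[[:space:]]*"?([^"[:space:]]+)"?[[:space:]]*$/\2/p' "$1" | tail -n 1
}

# Return 0 only if the directive exists, points at an existing file via an
# absolute path, and everything under that file's folder is 644 (files) / 755 (folders).
check_install() {
    cfg=$1
    fw=$(prepend_path "$cfg")
    if [ -z "$fw" ]; then echo "FAIL: no auto_prepend_file in $cfg"; return 1; fi
    case $fw in
        /*) ;;
        *) echo "FAIL: not an absolute path: $fw"; return 1 ;;
    esac
    if [ ! -f "$fw" ]; then echo "FAIL: file not found: $fw"; return 1; fi
    bad=$(find "$(dirname "$fw")" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \))
    if [ -n "$bad" ]; then
        echo "FAIL: permissions are not 644/755 on:"; echo "$bad"; return 1
    fi
    echo "OK: $fw"
}

# Constructed sample: a throwaway tree that mirrors the article's folder layout.
demo() {
    root=$(mktemp -d)
    fwdir=$root/public_html/ouklwjs87_ninja-fw
    mkdir -p "$fwdir" && chmod 755 "$fwdir"
    : > "$fwdir/firewall.php" && chmod 644 "$fwdir/firewall.php"
    printf '# BEGIN NinjaFirewall\nphp_value auto_prepend_file %s/firewall.php\n# END NinjaFirewall\n' \
        "$fwdir" > "$root/public_html/.htaccess"
    check_install "$root/public_html/.htaccess"
    rm -rf "$root"
}

# With an argument, check that file; without one, run the constructed demo.
if [ "$#" -gt 0 ]; then check_install "$1"; else demo; fi
```

Run it with the path to your own .htaccess as the only argument; a non-zero exit status means the firewall file would not be loaded from the path given, or the permissions differ from 644/755.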
Problems you may encounter:
1. If for some reason you can’t use auto_prepend_file, here is a workaround. Edit Osclass “oc-load.php” (located in the root of your website, along with the 3 “oc-” folders) and add the require line above the existing OSCLASS_VERSION line, like this:
require('/path-to-ninja-firewall/firewall.php');
define('OSCLASS_VERSION', '3.8.0');
There is some documentation in the developer’s site that you may read:
https://nintechnet.com/ninjafirewall/pro-edition/help/
2. You may get a 403 error (denied) when saving some settings from some 3rd party plugins. Also you may get a 403 error when trying to save code that includes any js script.
In that case disable the firewall for a while (within its dashboard) and finish your work. Do not forget to re-enable it when you are done.
3. You can test if it works by using some examples from here:
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
4. You can check your level of protection (before the firewall and after) by using this online tool:
https://webscanner.nintechnet.com/
I tried to understand the logic and also install the firewall script. 2 times.
And I failed. Not sure how to install it and configure it.
Just make an account and post some details about the problem(s) in the related forum.
https://www.valueweb.gr/forums/osclass/
Impossible to help via comments.