VELODATA


HOW TO GET THE MOST OUT OF THE VELODATA BLACKHOLE SOFTWARE

Velodata’s Blackhole Cyber Security Software –  Fine Tuning Guide

Velodata’s Blackhole software is both blazingly fast and super light.  It lives halfway between your web server and your WordPress PHP software.  It can perform the following tasks in real time.

FINE TUNING THE VELODATA CYBER SECURITY SYSTEM

Here’s how Velodata works by default…

Please Note:  The Blackhole  software can protect your WordPress website in multiple ways  –  but it does take a little bit of fine tuning.  Be patient and enjoy the process.  If you’d like to see some examples of what the configuration file looks like you can do so by clicking here.  

Unauthorised POST requests.

Nobody should be sending POST requests to your WordPress engine unless (a) it’s an official WordPress generated request or (b) they’re a legitimate visitor to your website using a web browser.  The Blackhole software has the ability to distinguish genuine POST requests from hacking attempts.  Malicious POST requests are killed off by default with a 403 HTTP response.

If you’d like to activate dynamic Firewall banning for unauthorised POST requests edit the following line in your blackhole.ini file.

				
    PARD_BAN_UNAUTHORISED_POST_REQUESTS = "YES"

To de-activate dynamic Firewall banning,  edit the following line in your blackhole.ini file.

				
    PARD_BAN_UNAUTHORISED_POST_REQUESTS = "NO"

Unauthorised Spiderbots

We hates the bad spiderbots,  we really do.  They chew up loads of CPU and data,  and worse yet,  YOU have to foot the bill!  By default bad spiderbot requests are met with a 403 HTTP response and then the inbound request is killed off with zero return data.  But if you want,  you can also ban their IP address at the Firewall and it feels so good!  Here’s the code which shows which Spiderbots get zapped.

				
    if (preg_match("/(adreview|BPImageWalker|CensysInspect|coccocbot|CrowdTanglebot)/i", $ua) == 1 ||
        preg_match("/(Dataprovider|Dispatch|DotBo|Go-http-client|ia_archiver|hypefactors|krzana-rss-bot)/i", $ua) == 1 ||
        preg_match("/(linkfluence|MJ12bot|NetSystemsResearch|Nimbostratus|petalbot|python-requests|QIHU 360SE|Ruby)/i", $ua) == 1 ||
        preg_match("/(SemrushBot|Typhoeus|ubermetrics|yandex|zgrab|ZoominfoBot)/i", $ua) == 1) {
        //
        //  Dear User:- Spiderbots are a pain in the ass,  especially the ultra hungry Facebook version called cortex.
        //              But we don't want to necessarily ban the IP addresses they belong to  -  but you can if you want!
        //              So what we do is we reply with http 403 and then we kill the process so that no further data gets sent.
        //
        //              Please note, a lot of unwanted Spiderbot problems go away if you're using a DNS Content Delivery service like Cloudflare
        //
        $GLOBALS['REASON_FOR_BAN'] = "UNAUTHORISED_SPIDERBOT_REQUEST";
        return 0;  //  0 equals deflect them and/or ban them!
    }

If you’d like to activate dynamic Firewall banning for bad SpiderBot requests  (doing this will cut out a LOT of your network traffic ) edit the following line in your blackhole.ini file.

				
    PARD_BAN_UNAUTHORISED_SPIDERBOTS = "YES"

To de-activate automatic Firewall banning,  edit the following line in your blackhole.ini file.

				
    PARD_BAN_UNAUTHORISED_SPIDERBOTS = "NO"
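
To see what the pattern list above would flag before switching PARD_BAN_UNAUTHORISED_SPIDERBOTS to "YES", the user-agent match can be replayed over an existing access log. This is an added example, not Velodata's code: a Python port of the page's four preg_match groups, run over constructed Combined Log Format lines in which 198.51.100.20 stands in for the site owner's own python-requests health check; the log format and the helper names are assumptions.

```python
import re
from collections import defaultdict

# The four pattern groups from the page's PHP, ported unchanged into one
# case-insensitive, unanchored regex (same substring semantics as preg_match /i).
BAD_BOT = re.compile(
    r"(adreview|BPImageWalker|CensysInspect|coccocbot|CrowdTanglebot"
    r"|Dataprovider|Dispatch|DotBo|Go-http-client|ia_archiver|hypefactors|krzana-rss-bot"
    r"|linkfluence|MJ12bot|NetSystemsResearch|Nimbostratus|petalbot|python-requests"
    r"|QIHU 360SE|Ruby|SemrushBot|Typhoeus|ubermetrics|yandex|zgrab|ZoominfoBot)",
    re.I)

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

# Constructed access-log lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
198.51.100.20 - - [01/Jan/2024:10:00:05 +0000] "GET /health HTTP/1.1" 200 2 "-" "python-requests/2.31.0"
198.51.100.20 - - [01/Jan/2024:10:01:05 +0000] "GET /health HTTP/1.1" 200 2 "-" "python-requests/2.31.0"
192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /blog HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
192.0.2.90 - - [01/Jan/2024:10:03:00 +0000] "GET /feed HTTP/1.1" 200 700 "-" "Ruby"
"""

def dry_run(log_text):
    """Map each client IP that would be flagged to {matched token: hit count}."""
    flagged = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        ip, ua = m.groups()
        hit = BAD_BOT.search(ua)
        if hit:
            flagged[ip][hit.group(1).lower()] += 1
    return {ip: dict(tokens) for ip, tokens in flagged.items()}

if __name__ == "__main__":
    for ip, tokens in dry_run(SAMPLE_LOG).items():
        print(ip, tokens)
```

Any address in the result that belongs to your own monitoring, deployment or integration tooling is one to sort out before firewall banning is turned on.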
				
			

Unauthorised PHP Requests

By default,  the following PHP requests are automatically killed off without proceeding to your WordPress engine.  Yes,  it’s true a lot of people perform this role using mod_rewrite in an .htaccess file,  but it costs nothing to include this bit of protection in the Blackhole Cyber Security software.  By default this particular category receives a 403 HTTP response and they get nothing back in the form of data.

As always,  fine tuning your blackhole.ini file gives you the ability to dynamically ban all of these PHP triggers at both your IPTABLES level,  and at your Cloudflare API level.  We recommend activating this option because it’s a reasonable assumption anybody who’s trying to access these PHP links is also a malicious actor  –  hence they don’t deserve access to your website.

In addition,  the following conditional PHP request is also blocked by default,  and automatically banned at the Firewall level if you configure your blackhole.ini file to do so.

The following lines should exist in your blackhole.ini file to escalate automatic Firewall banning.

If you’d like to activate dynamic Firewall banning for unauthorised PHP requests  (which we highly recommend) edit the following line in your blackhole.ini file.

				
    PARD_BAN_UNAUTHORISED_PHP_REQUESTS = "YES"

To de-activate automatic Firewall banning,  edit the following line in your blackhole.ini file.

				
    PARD_BAN_UNAUTHORISED_PHP_REQUESTS = "NO"

Unauthorised URI Requests

If any of the following text strings occur in an inbound URI request,  they are killed off without proceeding to your WordPress engine.  The remote user receives a 403 HTTP response by default.  

You can also fine tune your blackhole.ini file to automatically ban all of these triggers at both your IPTABLES level,  and at your Cloudflare API level.  However,  it’s not strictly necessary to ban these sorts of URI requests.  Some of them,  like /autodiscover for example,  get generated by noisy Microsoft machines.  They’re not truly malicious,  just noisy on the internet.

To activate automatic Firewall banning,  edit the following line in your blackhole.ini file.

				
					
    PARD_BAN_UNAUTHORISED_URI_REQUESTS = "YES"

To de-activate automatic Firewall banning,  edit the following line in your blackhole.ini file.

				
					
    PARD_BAN_UNAUTHORISED_URI_REQUESTS = "NO"

The Blackhole “Self Learning” System

This is a really powerful part of the Blackhole Cyber Security Software.  In the event of a Distributed Denial of Service attack or a Brute Force attack,  the Blackhole software will protect your website instantly.

File Not Found requests (aka 404 HTTP responses) are a common tool used by Distributed Denial of Service attacks.  DDOS attacks specifically make requests for resources which DON’T exist on your file system because 404 responses usually generate loads of outbound html data and they also chew up webserver CPU.    But not when the Blackhole “Self Learning” system comes to the rescue!  

Thankfully,  there’s a way to tell the difference between a legitimate 404 request and a cyber attack.  The Velodata Blackhole software kills DDOS attacks dead in their tracks by banning malicious DDOS attacks at your Firewall level.  And it bans IP addresses at the 0/24 net mask level too!

However,  to use the Blackhole “self learning” function you also need a highly regarded WordPress plugin called Redirection by John Godley.  As always,  consider donating a few dollars to John for providing the plugin.  Donations help all of us to keep refining our software systems.   You can read more about the Redirection plugin by clicking here.

The following steps are all you have to do.  (1) Install the Redirection plugin and activate it.  That’s it.  You don’t have to tune it or adjust it in any way.  And then (2) Edit the following line in your blackhole.ini file to activate the Self Learning logic.  The Blackhole software can distinguish between accidental 404 requests and malicious DDOS attacks.

				
    PARD_ARE_WE_USING_SELF_LEARNING = "YES"

If you’d like to activate automatic Firewall banning for DDOS requests  (which we highly recommend) include the following line in your blackhole.ini file as well.

				
    PARD_BAN_UNAUTHORISED_404_REQUESTS = "YES"

The Trusted Ring of IP Addresses.

At Velodata our policy is nobody should be trying to access your WordPress or PHPMyAdmin administration functions unless they are an authorised user (or employee) of your system.  By default,  when you first install the Velodata Blackhole software,  the login screens for both of these Admin functions are still open to the world.

However,  there are two options you can use which will make remote access to your WordPress and PHPMyAdmin login screens almost impossible for malicious actors to reach.  They are…

So,  the first thing to know is even if you DON’T activate the VIP Access System  –  if all you do is create a “Trusted Ring of IP Addresses”  –  you’re easily going to kill off 99% of all the malicious actors in the world who might be trying to hack into your system via your front door login screens.  You can also kill off Brute Force login attacks in one fell swoop too.

When you create a “Trusted Ring of IP Addresses” essentially everyone on the planet is henceforth locked out of your WordPress or PHPMyAdmin administration functions UNLESS their IP Address comes from within the “Trusted Ring”.  Malicious actors who are trying to reach your WordPress or PHPMyAdmin screens are redirected to their own 127.0.0.1 IP address.

And it gets even better.  If you combine “The Trusted Ring” system with the “VIP Access System” you get the best of both worlds.  You can (a) log in to your website from anywhere in the world (even if your IP address is NOT a trusted IP address) and (b) you can also implement automatic Firewall Banning for malicious actors.  You can read more about the Velodata VIP System in the next section. 

Please Note:  Always create a  “Trusted Ring of IP Addresses” before you move on to creating the VIP Access System.  This will ensure you never get locked out at the Firewall level!

To create a “Trusted Ring of IP Addresses” all you have to do is edit your associated blackhole.ini file.  You can enter five IP network ‘blocks’ which will cover all your needs moving forward.  After you create a “Trusted Ring”,  malicious actors who try to access your WordPress or PHPMyAdmin screens will be redirected to their own 127.0.0.1 IP address. 

Here’s an example of a blackhole.ini file which shows three IP address blocks,  followed by two ’empty’ lines for later use.  Please Note:  The addresses used in this example are NOT real.

				
    PARD_TRUSTED_RANGE_01 = "128.10.0.0/11"
    PARD_TRUSTED_RANGE_02 = "201.172.0.0/13"
    PARD_TRUSTED_RANGE_03 = "163.116.192.0/24"
    PARD_TRUSTED_RANGE_04 = ""
    PARD_TRUSTED_RANGE_05 = ""

Please Note:  We recommend using ‘network level’ address blocks instead of unique specific IP addresses.  This is so you have some breathing room to move around your given network.  This is especially true if you’re using mobile phone telephony access.  Many people are unaware their mobile phone IP address constantly changes.
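
An added audit script (not part of the Blackhole software) that reads the PARD_TRUSTED_RANGE_nn lines and reports the network each entry covers under a standard prefix match, plus how many addresses that admits to the login screens. It assumes the flat KEY = "value" layout shown above; how Blackhole itself treats an entry with host bits set is not documented on this page, and the 65,536-address review threshold and function names are arbitrary choices made for the example.

```python
import ipaddress
import re

# Constructed sample: the example (non-real) ranges from the page.
SAMPLE_INI = '''
PARD_TRUSTED_RANGE_01 = "128.10.0.0/11"
PARD_TRUSTED_RANGE_02 = "201.172.0.0/13"
PARD_TRUSTED_RANGE_03 = "163.116.192.0/24"
PARD_TRUSTED_RANGE_04 = ""
PARD_TRUSTED_RANGE_05 = ""
'''

LINE = re.compile(r'^\s*(PARD_TRUSTED_RANGE_\d+)\s*=\s*"([^"]*)"\s*$', re.M)

def audit_trusted_ring(ini_text, max_addresses=65536):
    """Return one dict per non-empty range: the network it covers,
    its size, and any warnings worth reviewing before relying on it."""
    report = []
    for key, value in LINE.findall(ini_text):
        if not value:
            continue  # empty slot kept for later use
        entry = {"key": key, "value": value, "warnings": []}
        try:
            # strict=False masks off host bits, as a prefix match would;
            # the warning below records when that changed the entry.
            net = ipaddress.ip_network(value, strict=False)
        except ValueError as exc:
            entry["warnings"].append(f"unparseable: {exc}")
            report.append(entry)
            continue
        entry["network"] = str(net)
        entry["addresses"] = net.num_addresses
        if str(net) != value:
            entry["warnings"].append(f"host bits set; effective range is {net}")
        if net.num_addresses > max_addresses:
            entry["warnings"].append(f"{net.num_addresses} addresses trusted")
        report.append(entry)
    return report

def in_trusted_ring(ip, ini_text):
    """True if ip falls inside any parseable trusted range."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(e["network"])
            for e in audit_trusted_ring(ini_text) if "network" in e]
    return any(addr in net for net in nets)
```

On the page's sample values the first two entries are reported as 128.0.0.0/11 and 201.168.0.0/13, covering 2,097,152 and 524,288 addresses respectively, which is the trade-off to weigh when choosing network-level blocks.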

The VIP Access System

This is also a really powerful part of the Blackhole system.  If you activate the VIP Access function nobody can reach your WordPress or PHPMyAdmin login screens unless they have the correct VIP Bypass Code.  Perhaps more importantly,  nobody can reach your login screens unless they ALSO know how to deploy the VIP Bypass Code correctly in a URL address line.

So why is the Velodata VIP Access System such a highly useful function?  Well,  if you activate the VIP Access system,  the Blackhole software bans malicious IP addresses which are trying to reach your login screens.  And that means the end of brute force attacks,  gone forever.

By default this function is not operational,  however it’s quite easy to activate.  Essentially,  you specify a Bypass Code which is known ONLY to you and your trusted staff.  You store that as a private key in your blackhole.ini file.  We refer to that private key as “the Velodata Bypass Code”.

If a malicious user tries to access your WordPress or PHPMyAdmin login screens AND if they fail to provide a valid Bypass Code they don’t get a second chance.  Why?  Well,  they’ve shown they’re a bad actor  –  they’re trying to reach your Admin functions but they don’t have the VIP Bypass Code.  So their IP address gets banned at the Firewall level  –  unless the remote IP address is in your trusted ring of known IP address ranges.  Under those conditions the user will be prompted to enter a Bypass Code.  

The following URI is an example of how you would log in to your WordPress engine using the Velodata VIP System.  If you bookmark it in your browser you will be able to log in from anywhere in the world.

				
    https://<your website here>/wp-admin?bypass=your_bypass_code

The following lines should exist in your blackhole.ini file to escalate automatic Firewall banning.

				
    PARD_ARE_WE_USING_VIP_ACCESS = "YES"

    PARD_BYPASS_XWORD = "your_bypass_code"

Please Note:  You can de-activate the VIP Access System at any time by making the following change to the relevant flag in your blackhole.ini file.  You do NOT have to delete your PARD_BYPASS_XWORD value.

				
    PARD_ARE_WE_USING_VIP_ACCESS = "NO"

    PARD_BYPASS_XWORD = "your_bypass_code"

Miscellaneous Flags 

There are several miscellaneous operators in the blackhole.ini file.  This list might grow in the future as the needs of our users also grow.

The following sections provide greater detail regarding the role of each of the miscellaneous flags.

PARD_ARE_WE_PROVIDING_FEEDBACK

If the Blackhole System bans a malicious request at the Firewall level  (which is usually a very good thing) you can choose if the user receives feedback which explains why they were banned.  Our personal preference is for malicious hacking attempts to get ZERO feedback,  but the option is there.

If you want ‘banned IP addresses’ to receive HTML feedback which explains WHY they were banned,  edit the following line in your blackhole.ini file.

				
    PARD_ARE_WE_PROVIDING_FEEDBACK = "YES"

To de-activate automatic Feedback when a banning happens,  edit the following line in your blackhole.ini file.

				
    PARD_ARE_WE_PROVIDING_FEEDBACK = "NO"

PARD_ARE_WE_SENDING_NOTIFICATIONS

If the Blackhole System bans a malicious request at the Firewall level, do you want to receive email notifications that this has occurred?  In our view,  this is definitely a good option in the first few months after you install the Velodata Cyber Security System for WordPress.  You can quickly get a feel for what sort of bannings are happening the most,  and how often they’re happening.  Also,  the emails provide a logging system too,  in case the wrong IP address gets banned you can analyse why.

By default,  you will receive email notifications regarding ‘banned IP addresses’ on the ‘notification’ email address specified in your blackhole.ini file.

				
    PARD_NOTIFICATION_ADDRESS = "webmaster@velodata.org"
    PARD_EMAIL_ADDRESS = "webmaster@velodata.org"
    PARD_ARE_WE_SENDING_NOTIFICATIONS  =  'YES'

VELODATA

Specialists in Wordpress Cyber Security

IVAN JULIAN  –  VELODATA

GOLD COAST,  QUEENSLAND,  4216

P.O. BOX 359 RUNAWAY BAY,  QLD,  4216
