CG Secure component

1 1 1 1 1
Rating 4.88 (8 Votes)

Compat Joomla 4joomla 5CG Secure component protect your Joomla forms and admin access by checking IPs from AbuseIPDB, giving country/spammer status.

 

Version 3.1.2 (Update : 05/10/2024)

  • # Installer : replace all getDbo()
  • # com_cgsecure : replace all getDbo()
  • + htaccess : Rogue PHP file attacks protection
  • + media : add htaccess file to disable php execution from this directory
  • + admin : add htaccess file to administrator directory
Version 3.1.1 (Update : 14/03/2024)
  • # Admin : hide recreate button if activate button is clicked
  • # Admin : checktoken
  • # Admin : block multiple updates
  • # uninstall : uninstall everything in unisntall admin
Version 3.1.0 (Update : 13/03/2024)
  • # Force recreate .htaccess
Version 3.0.13 (Update : 13/03/2024)
  • # Error 500 on checking .htaccess file
Version 3.0.12 (Update : 13/03/2024)
  • # Admin : block simultaneous updates
  • # Recreate button : check activation value
Version 3.0.11 (Update : 11/03/2024)
  • # Joomla 5.x compatibility
  • # Missing SERVER_CONFIG_FILE_NONE definition
  • # Remove unused classes
  • # EOL from LF to CRLF

....
Version 1.0.6 : first version (2019 October)

  • Joomla! 4.x/5.x
  • Joomla! 3.x
Donwload CG Secure Component For Joomla 4/5

CG_DOWNLOAD_NOT_ALLOWED

(already downloaded 405 times)

Donwload CG Secure Component For Joomla 3.x

CG_DOWNLOAD_NOT_ALLOWED

(already downloaded 914 times)

 

CG Secure component uses CG Secure and CG Country plugins, centralizing their parameters.

Important : When migrating to Joomla 4.0, CG Secure plugins are being disabled and enabled again by package update.

You may authorize one or more countries to connect to your admin/website. Any connection from another country must be a hacker trying to access unauthorized parts of your website.

For your information, even if you did not define any private access, any user may access to Joomla identification form by adding /index.php?option=com_users&layout=edit&id=0 to your website address. If you did not de-activate user registration (activated as default value in older Joomla version, prior 3.7.0), welcome to our open bar.

Note : even if you have no contact menu, it's still possible to access your contact form by adding index.php?option=com_contact&view=contact&id=<no> to your website address. If you did not disable contact form display in the configuration and have no captcha, you may receive a bunch of spams, as I experienced it today (July, 21th 2023).

Once running, CG Secure protects /administrator using a password, after  checking IP's country code, spammer status in AbuseIPDB. It also hides forms to unwanted users.

IP is checked against AbuseIPDB database which returns country code and spammer status.

In case of an unauthorized country, you may report this IP to AbuseIPDB. You must register to AbuseIPDB to report an IP (it's free).

Banned Ips may be logged in cgipcheck.trace.log file in your logs directory. I use View Logs component to check my log files.

Rejected user won't even see your forms.

Banned IPs are also stored in your database (table #__cg_rejected_ip). They remain in your database depending on your "IP life time' parameter from your CG Secure configuration menu. You may see these IPs through CG Secure Logs menu.

1 component

3 plugins

1 library

Enter your plugins parameters in CG Secure component and look at blocked IP list.
  • Plugin System CG Secure (event onAfterDispatch) : check /administrator access (hacker trying to access your adlmin via /administrator address),
  • Plugin User CG Secure (event onContentPrepareForm): check IP before displaying Joomla forms(com_users, com_admin) (hacker connecting via Joomla forms)
  • Plugin Authentication CG Secure (event onUserAuthenticate) : if authenticate is done, check if IP can really do it (hacker trying to enter without using any Joomla forms, mostly php codes).
cgsecure/ipcheck.php library centralizes IP checking and reporting to AbuseIPDB.

Note : if you are using other forms components (VisForm, RSForm,...), you may easily write your own plugin to block unauthorized countries/spammers. Visforms uses onVisformsFormPrepare($context,$form,$params) event, RSform checks rsfp_f_onBeforeFormDisplay($array) event. If you need Visforms or RSFOrm plugin, just ask me, because I already prepared them.....

CG Secure version 1.1 introduces .htaccess security.

This only works with Apache 2.4.x server.

It has been created from https://docs.joomla.org/Htaccess_examples_(security)https://perishablepress.com/category/htaccess/  and AESecure. The difference from other solutions is to block found hackers (doing XSS attacks, SQL injection,...) at .htaccess level, so it stops attacks as soon as possible, keeping them away for the time defined in your IP life time parameter.

init htaccess
  • Multiaddresses : you have multiple addresses to access your website,
  • Subdir : your site is in a sub-directory.
 
param. htaccess

When activating, if you have no .htaccess file, CG Secure copies Joomla default htaccess.txt to your site root..

After saving current htaccess file, CG Secure adds its lines in .htaccess file from administrator/components/com_cgsecure/assets/cgaccess.txt file.

If you wish to use your own .htccess file, you may create a custom.txt file in the same directory than cgaccess.txt. Then, custom.txt will be used instead of CG Secure default file.

Attention: Working with .htaccess file may breaking down your site badly. Older versions of .htaccess files are saved in administrator/components/com_cgsecure/backup directory.

Note : Communication between .htaccess file and CG secure component are secured via a random number which is calculated each time htaccess security is actived. To create a new one, de-activate htaccess security, clicking No to Activate parameter, then, click on Yes, so you'll get a new security key. 

How access to your administration once CG Secure has been actived ?

Note: if you did not enter any password, administrator access is done as usual, IP checking is performed anyway.

  • HTTP Authentication: standard Apache authentication. You'll have to enter a password in "Password" field, "Username" field may remain empty as it's not checked, 
  • Compatibility: you'll have to enter http://www.yourwebsite.com/administrator?yourpassword — "yourpassword" being the password you entered in CG Secure plugin.

 

cgsecure config

Default CG Secure component behaviour protects Joomla connection forms (com_admin, com_users). If you wish to extend this to contact forms, just add com_contact to Components List parameter.

Entering * in Countries list will authorize all countries, but still check spammer status from IP address.

cgsecure config

You may define some IP addresses in your "whitelist", there won't be any check against those IP addresses.

cgsecure config

If you are a registred AbuseIPDb user, you may see your report history, in your user account, tab "Rerports.

abuseip

Comment column shows reported hackers : 2 first letters from your website name,e = error/w = warning, followed by an error number if it's coming from .htaccess security, other errors being created by CG Secure plugins (Authentication, System, User).