Configuration
Content: configuration_en.txtThe CONFIGURATION AREA allows the individual customization of security and protection features for each protected domain.
The settings directly influence the behavior of the security engine, the analysis functions as well as various protection and filtering mechanisms. Changes should therefore be made consciously and with technical understanding.
ALLOWLIST
It may happen
that certain requests must be allowed
despite active security rules,
even though they were previously blocked by PLUS23.CYBER.SECURITY.
This depends, among other things,
on which system,
content management system,
plugin
or web application is being used
and whether the respective programming
uses clean and standards-compliant requests.
Even with our security signatures,
unwanted blocking may occur in rare cases.
We are therefore grateful for reports regarding incorrect
or overly restrictive signatures
in order to continuously improve detection quality.
The ALLOWLIST
can be fully enabled or disabled at any time,
or adjusted for individual entries.
Entries are added
within the individual subcategories of:
- Bot and Spyware Defense (Host, IP, IP Range, CIDR Block, UserAgent, Referrer)
- Hacker Defense (Injection, REGEX)
If permissions are granted within the following areas:
- IP
- HOST
- IP RANGE
- CIDR BLOCK
NOTICE: Allowed IP addresses should be monitored regularly and removed again if necessary.
EXTREME CAUTION is especially required when allowing:
- CIDR Blocks
- IP Ranges
Within the text-based areas:
- Host
- UserAgent
- Referrer
Therefore, it is recommended to enter values as precisely as possible.
Example of a complete hostname:
unn-84-17-48-205.cdn77.com
Usually, an injection release (Hacker Defense) is performed ONLY if an unwanted block occurred previously. In this case, you should determine the details of the security event, read the corresponding injection ID and then release it specifically.
Example:
In the displayed example, the injection ID is: 375
This ID can then be identified via the search function and specifically released.
As already described in the section Injection (Hacker Defense), REGEX releases work according to a similar principle. However, it should be noted that requests detected by REGEX defense are generally classified as particularly severe attacks and may automatically be stored in the BLOCKLIST.
Therefore, special caution is required for REGEX releases. These should only be used if the functionality of your system or specific applications is affected.
The injection and REGEX entries can additionally be copied to the clipboard and further processed for analysis.
BLOCKLIST
The BLOCKLIST is used for the targeted blocking
of unwanted requests,
network ranges
or suspicious behavior patterns.
The structure is based on the ALLOWLIST
and supports, among other things,
IP addresses, IP ranges, CIDR blocks, hosts, user agents, referrers
and email filters.
Examples for email filters:
%plus23.org - blocks all email addresses from plus23.org
%plus23% - blocks all email addresses containing the term plus23
support@plus23.org - blocks only this specific email address
The % character acts as a wildcard for any sequence of characters.
If blocklist heuristics are active,
IP addresses can automatically be blocked.
The triggering security CODE will be documented within the notes.
GEO-BLOCKING (BLOCK COUNTRIES)
Using GEO-BLOCKING,
requests from specific countries can be restricted
or completely blocked.
This helps reduce the attack surface
if your website, shop or application
is intended only for specific target markets.
Restricting access to selected countries
can additionally help reduce
automated traffic, TOR, VPN, proxy or relay activities.
However,
international networks, CDN systems or cloud infrastructures
may cause country identifiers
or network assignments to differ.
SETTINGS
In the SETTINGS, you can individually customize the behavior of the security engine, modules, parameters and display texts.
CUSTOM DISPLAY TEXT
The custom display text is shown
when a request has been blocked
by PLUS23.CYBER.SECURITY.
The template supports HTML
and can be adapted to your design.
The file error_template_XX.txt
from the standard template
can be downloaded
and customized within the user account.
The following placeholders are available:
-
{#DOMAIN#}
Name of the protected domain, for example plus23.org -
{#TITLE#}
Title or headline of the security event -
{#DESCRIPTION#}
Description of the detected attack or security event -
{#IP#}
Detected IP address of the visitor or attacker -
{#HOST#}
Resolved hostname of the IP address -
{#ISOCODE#}
ISO country code of the detected IP address -
{#USERAGENT#}
Browser, device or bot identifier of the visitor
If you use the default suggestion,
replace yourmail
with your own contact address.
Test Request:
https://yourdomain.com?ID=plus23_engine_test
MODULES
The security engine consists of multiple protection modules.
In general, we recommend keeping all modules enabled.
Scanner Defense
Detects automated file and directory scans,
which are often used to prepare attacks.
Bruteforce Defense
Detects repeated login or access attempts.
Timeouts and attempt limits can be customized.
We recommend using the default values.
Bot and Spyware Defense
Analyzes, among other things, host, CIDR block, IP, referrer and user agent
to detect unwanted bots, crawlers or suspicious network sources.
Hacker Defense
Detects common attack patterns such as SQL injection, XSS,
remote file inclusion and other manipulation attempts.
Country Defense
Controls country-based access restrictions.
If your target audience is international,
the GEO configuration should be adjusted carefully.
DOCUMENTATION & HEURISTICS
Document Attacks
With this setting,
the logging of security events can be disabled.
Protection remains active,
but events are no longer recorded.
Disabling this feature is not recommended.
For certain security CODES, the accessing IP address can automatically be added to the BLOCKLIST. This includes, among others, CODES such as 13-2, 13-3, 15-1, 15-2, 15-4, 16-10 and 30.
A special case is CODE 15-5 for IP Fake Defense. This behavior can be configured separately within the parameters.
AUTOMATIC UPDATES
Automatic updates help keep domain data, security information and signatures up to date. This ensures that protection rules and detection mechanisms remain current.
LANGUAGE PER DOMAIN
A separate system language can be defined for each domain. PLUS23 automatically loads system messages, information texts and security details in the selected language.
EXTERNAL API
The local signatures
of the PLUS23.CYBER.SECURITY engine
already contain many entries
for detecting unwanted requests
from TOR, VPNs, PROXIES and CLOUD/RELAY servers.
However,
since such networks constantly change,
the EXTERNAL API
can additionally be enabled.
This verification is not performed directly on your domain,
but through external centralized security and analysis servers.
If delays occur
on time-critical websites,
the EXTERNAL API can be disabled.
TOR ONLY
Checks exclusively for TOR servers.
VPNs, proxies and cloud/relay servers
are not additionally checked.
All TOR, VPN, Proxies, Cloud/Relay
Checks TOR, VPNs, proxies
as well as cloud/relay infrastructures.
For this mode,
registration at
vpnapi.io
may be required.
The free version of vpnapi.io
provides a limited quota.
Speed and availability
may vary depending on API load
and provider conditions.
For more powerful API requests,
a paid API plan at
vpnapi.io
may be required.
When using external services,
their
Terms of Use
and
Privacy Policy
also apply.
More information about TOR, VPNs, proxies and cloud/relay systems can be found at:
plus23.substack.com
PARAMETERS
Special Defense Against Extreme Attacks
These parameters belong
to the Bot and Spyware Defense
as well as the Hacker Defense.
If blocklist heuristics are enabled,
accessing IP addresses
can automatically be blocked.
IP Fake Defense
Detects suspicious
or contradictory IP information within headers.
Since some providers
do not set headers cleanly or consistently,
blocklist storage can be configured separately.
URL Bypass Defense
Detects severe bypass
or manipulation attempts.
The accessing IP
can immediately be added to the blocklist.
Regular Expression Defense
Detects particularly suspicious access patterns.
REGEX matches are often considered severe attacks
and may also result in blocking.
Detection of TOR, VPN, Proxies, Cloud/Relay Providers
These parameters are part
of the Bot and Spyware Defense.
A proxy provider may simultaneously
be detected as a source of extreme attacks.
If the EXTERNAL API is enabled,
these parameters are additionally considered.
