Under some kind of bot attack...what do I do?

Started by neilbombd, February 08, 2011, 02:50:17 PM

neilbombd

I'm on 2.0 RC4.

Some of my users have been getting logged out, so I had a look at the error log. I noticed a lot of failed password entries, and many accounts are being tried from single IPs. This makes it clear that there is some kind of distributed bot attack going on currently.

There are a bunch of IPs, trying all these different accounts. I'm going to block them, but what else can I do?

Matthew K.

I would personally try out the mod "Forum Firewall" by Butchs, and see if that works for you.

kat

It might pay you to search Google for "robots.txt" and ".htaccess", too. ;)

ACAMS

I had that problem!

http://www.simplemachines.org/community/index.php?topic=416928.0


The MAIN fix is to install the mod for your users to log in using their email instead of username

then install

httpBL mod
Stop Spammer mod
Bad Behavior mod

Then to stop human spammers

make them answer at least 4 questions to register, and in admin/Configuration/Profile fields make SURE you uncheck everything in Show on Registration.

I then make the first group they join be post count based and not let them edit their profile until they make 2 posts, then they move to the next group

You will have to rename the first post count group (think it is newbie) because it is coded different or something......anyway I named mine "New Member" and then I adjusted the rest of the post count groups to the number of posts they move up by, but the "New Member" group is 0 posts, then the next one is 2 posts, and I let them edit their profile after they move out of "New Member" group.



You will have to go to Admin/Members/Permission/Settings and check "Enable permissions for post count based groups" for that to work.

They still try to log in ALL DAY, but they don't get anywhere now......I don't even notice it now, and human spammers are gone too......no more web sites in signatures, unless they are on topic for my forum and a REAL member.

willerby

The first of those (eMail Log-in mod) will fix this issue, the second (httpbl mod) is awesome for bots / spammers in general and an excellent Mod.

Going the whole hog as ACAMS has is definitely worthwhile though.

This particular attack has been hitting my forum every 8 minutes for the last month. 
What type of washing machine is September?

An autumnatic. :)

neilbombd

Quote from: K@ on February 08, 2011, 04:06:06 PM
It might pay you to search Google for "robots.txt" and ".htaccess", too. ;)

So I can block them using "deny from", you mean, or were you hinting at something less obvious?

neilbombd

Thank you very much, ACAMS and laetabi. I've tried the forum firewall that Labradoodle suggested (thanks), but the email login looks like exactly what I needed. And if I can knock out some of those profile spammers, without blocking all of the Philippines while I'm at it, then so much the better.

I'm a bit shocked this isn't covered in SMF as default.  Of course, different users can have the same IP, but I would have expected one IP trying to access more than one account, and failing, repeatedly, to be something that would be flagged up to the users and/or admin. 

neilbombd

Quote from: laetabi on February 09, 2011, 04:25:03 AM
The first of those (eMail Log-in mod) will fix this issue, the second (httpbl mod) is awesome for bots / This particular attack has been hitting my forum every 8 minutes for the last month. 

Yikes.  Well, my next question is:  How do we know if any accounts have actually been compromised?  I want to know, so I can warn my users that their web-mail or e-commerce logins on other sites might have been broken into. 

What does a successful log-in look like, in the logs? Then I can filter those using the list of bot IPs, and see if anyone's password was forced.
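
The check asked about above, as an added example that is not part of the original post and is not SMF code: flag source IPs that failed against several different accounts, then list any successful login from those IPs. The event tuple layout, the function names and the threshold of 3 accounts are assumptions, and the sample events are constructed; real log exports would need to be mapped into this shape first.

```python
from collections import defaultdict

# Constructed sample events: (unix_time, source_ip, account, outcome).
# This layout is an assumption for the example, not SMF's log format.
EVENTS = [
    (1000, "203.0.113.7", "alice", "fail"),
    (1010, "203.0.113.7", "bob", "fail"),
    (1020, "203.0.113.7", "carol", "fail"),
    (1030, "203.0.113.7", "bob", "fail"),
    (1040, "203.0.113.7", "bob", "ok"),      # success after spraying: review this
    (1050, "198.51.100.4", "dave", "fail"),  # one user mistyping: not flagged
    (1060, "198.51.100.4", "dave", "ok"),
    (1070, "192.0.2.9", "erin", "fail"),
    (1080, "192.0.2.9", "frank", "fail"),
    (1090, "192.0.2.9", "gina", "fail"),     # sprayed, but never got in
    (1100, "192.0.2.50", "alice", "ok"),
]

def suspicious_ips(events, min_accounts=3):
    """IPs with failed logins against at least min_accounts distinct accounts."""
    targets = defaultdict(set)
    for _, ip, account, outcome in events:
        if outcome == "fail":
            targets[ip].add(account)
    return {ip for ip, accts in targets.items() if len(accts) >= min_accounts}

def possible_compromises(events, min_accounts=3):
    """Successful logins from a suspicious IP, with the number of earlier
    failures for that same account from that same IP."""
    bad = suspicious_ips(events, min_accounts)
    fails = defaultdict(int)
    hits = []
    for ts, ip, account, outcome in sorted(events):
        if ip not in bad:
            continue
        if outcome == "fail":
            fails[(ip, account)] += 1
        elif outcome == "ok":
            hits.append((ts, ip, account, fails[(ip, account)]))
    return hits

if __name__ == "__main__":
    for ts, ip, account, n in possible_compromises(EVENTS):
        print(f"{ts} {ip} logged in as {account} after {n} failed attempts")
```

Accounts returned by `possible_compromises` are the ones to prioritise for a forced password reset and a warning to the user.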

neilbombd

Quote from: ACAMS on February 08, 2011, 06:11:30 PM

The MAIN fix is to install the mod for your users to log in using their email instead of username

This one?  If so, it's not available for rc4 :-(

ACAMS

I am not positive since I have RC3, but I think there is a way to enumerate (whatev) to RC3 and make it work.....maybe somebody else can tell you.

Maybe you can ask for an update in the topic.......THAT is one of the main reasons I have not updated to RC4 yet, my mods won't work!

willerby

It works fine on RC4 even though not yet updated from RC3.

Either use the parse and make the code edits manually or (much easier) download/upload the package to your site, click the advanced link under the list of mods on your forum and change the 'Emulation' version to SMF2.0 RC3.

When you then click to install the mod from the list it will load fine. Change back to RC4 after upload.

Sweet

Astra_200

Quote from: laetabi on February 09, 2011, 12:38:55 PM
It works fine on RC4 even though not yet updated from RC3.

(much easier) download/upload the package to your site, click the advanced link under the list of mods on your forum and change the 'Emulation' version to SMF2.0 RC3.

When you then click to install the mod from the list it will load fine. Change back to RC4 after upload.

Sweet

Tried it, didn't work for me :( Install option was blank after Emulation. Shame as I am being hammered by a bot attack that is trying to brute force passwords of existing members.

Asked about RC4 version on mod thread but no reply yet.

willerby

I think it has been updated to RC5 since I posted. If running RC4 with the security patch, try emulating RC5 - I've not done that before but can't see why it won't work as all emulation appears to do is allow the installer to run for a version not specified in the mod file.

?