Spam Guests creating huge error logs

Started by Mr Edd, October 24, 2016, 10:32:33 PM

Mr Edd

Hi Guys

A couple of weeks ago I had a spam attack and received much welcome help from here in stopping it. Thank You

However, these so-called Guests still have an enormous impact on my error logs.

They still appear in the On-line list. About 18 to 20 of these so-called Guests are clogging up the on-line list and I don't know how to get rid of them.  I have deleted all those (over 800) who managed to log on and post but I am unable to stop the guests from appearing. They all have the same IP number starting with 91.etc.etc.etc. Now my error logs are growing enormously and I have to go in and delete the entries every day.

Can someone describe to me how to stop this?

Thank You

Edd
I'd be Dyslectic if I could spell ti

Sir Osis of Liver

You can use .htaccess file in your forum root to block all IPs beginning with 91. -



Order Deny,Allow
Deny from 91.*.*.*
Allow from all



If you already have an .htaccess, add the code to the existing file.  If you have legit users with IPs beginning 91., they will be screwed.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Kindred

What are they adding to your error log?

A properly running forum should not generate any errors from people just loading pages of the forum. If your site is generating errors because guests are viewing pages, then you should fix the mods that are creating the errors.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Sir Osis of Liver

I'll bet it's guest login attempts.  Saw at least one forum that was getting hosed with login errors.

Can set log pruning to one or two days until it's straightened out -  Admin -> Logs -> Log Pruning.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

aegersz

I had a similar problem but I started banning them and they eventually got culled.

I know too many bans are a bottleneck but I only created about 15 or so ban rules. Is that OK?

The configuration of my Linux VPS (SMF 2.0 with 160+ mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

Illori

Quote from: aegersz on October 25, 2016, 12:33:59 AM
I know too many bans are a bottleneck but I only created about 15 or so ban rules. Is that OK?

really depends on what they are. ideally if they are in SMF they should not exist.

Mr Edd

Quote from: Sir Osis of Liver on October 24, 2016, 11:54:50 PM
I'll bet it's guest login attempts.  Saw at least one forum that was getting hosed with login errors.

Can set log pruning to one or two days until it's straightened out -  Admin -> Logs -> Log Pruning.

This is it...  Now I am getting 4 to 5 pages of login errors from this IP address 91.*.*.* every few seconds.  I have tried pruning and adding the above IP address as a banned address but they still keep coming. I assume it is a spambot doing it.  I set the login strength to high with three questions to answer.  That seemed to stop the spambots logging in but now new legit members are unable to join.

Any help please.
Thanks
Edd
I'd be Dyslectic if I could spell ti

Mr Edd

Quote from: Kindred on October 24, 2016, 11:41:46 PM
What are they adding to your error log?

A properly running forum should not generate any errors from people just loading pages of the forum. If your site is generating errors because guests are viewing pages, then you should fix the mods that are creating the errors.

This is a print screen of the error log...  These are filling up the log by 5 to 7 pages every few minutes.  I am having trouble keeping up with deleting them now.  They seem to have stepped up their efforts to get in.

Perhaps you can tell me how to run a forum that does not attract this sort of attack?

Any help would be appreciated.

Edd
I'd be Dyslectic if I could spell ti

Kindred

ah... it's not even logging in errors, it's the ban notifications... yet another reason not to bother banning spammers, just DELETE the account and - if you must ban them by IP (sometimes a dangerous action, since it can affect real users) then use the htaccess DENY option rather than the SMF ban system
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Sir Osis of Liver

That IP is from Ukraine, you probably don't have too many legit members there.  Use the .htaccess block, it will prevent the IPs from touching the forum, so there won't be any errors.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Mr Edd

Quote from: Kindred on October 25, 2016, 01:01:43 PM
ah... it's not even logging in errors, it's the ban notifications... yet another reason not to bother banning spammers, just DELETE the account and - if you must ban them by IP (sometimes a dangerous action, since it can affect real users) then use the htaccess DENY option rather than the SMF ban system

The problem is they created over 800 accounts so banning each one would be a nightmare. I have since deleted all the accounts by bulk including their posts, but still left with these guest attempts to login. I need to stop them.

I have added the IP address (91.*.*.*) to the Htaccess file which is in the Packages folder.  I edited the file on my PC then copied and pasted it to the server. Like so...

Order Deny,Allow
Deny from 91.*.*.*
Allow from all

Is this correct?

It's still accumulating log entries by the dozens in minutes.  I had to go out for 1.5 hours today and when I got back there were over 100 pages of these entries. I deleted them all but still they accumulate.

I did get a server message that the email server was locked because of overload of emails last week. My email is still working okay but I guess this message came when the attack was at its peak.

I have no idea what to do next???

Edd

PS just added print screen of my Pruning Page



I'd be Dyslectic if I could spell ti

Sir Osis of Liver

No, it won't work in /Packages, it must be in the forum root.  It will protect the directory it's in, and all subs below that.

If you can pm admin and FTP access (server/username/password), will have a look.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Mr Edd

Thanks just moved htaccess to root.

I will pm details to you soon

Edd
I'd be Dyslectic if I could spell ti

Sir Osis of Liver

No, you don't want /Packages/.htaccess in your forum root.  It contains this -



<Files *>
Order Deny,Allow
Deny from all
Allow from localhost
</Files>



It will block all access to your forum except from localhost.  Remove that code from root .htaccess, just leave the IP blocking code.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Sir Osis of Liver

Hmm, maybe not.  The errors have stopped, but I was able to login.  I would clean up .htaccess anyway, just leave the 91.*.*.* block in root, and restore /Packages/.htaccess to what it was.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Mr Edd

I think it's stopped.  I deleted the entries a short while ago and it ran up to 35 entries and seems to have stopped at that.

Thanks.

I am not sure what you mean by the above post but copy and pasting htaccess from /packages to the root seems to have fixed it.

Fingers or hoofs crossed.    :laugh:

Edd
I'd be Dyslectic if I could spell ti

Sir Osis of Liver

Your root .htaccess must look something like this -



<Files *>
Order Deny,Allow
Deny from all
Allow from localhost
</Files>

Order Deny,Allow
Deny from 91.*.*.*
Allow from all



Should just have this -



Order Deny,Allow
Deny from 91.*.*.*
Allow from all



Doesn't seem that the code from the Packages file is causing a problem, but I would remove it.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

a10

You may not need to stop the complete 91. range as it may include legit ip's.
Check the offending bot ip's and add only the two (or three) needed number blocks, for example 91.200.
the * are not needed
Example:

order deny,allow
deny from 91.200.
deny from 91.222.
allow from all

Keep the htaccess active for a while, then after a period remove\disable entries to check if the ip's are still needed, bots usually die away after a while. To temporarily disable an entry, add # in front of the line, example #deny from 46.118.

2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.
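
Added example (not part of any post in this thread): a Python sketch of a10's advice, counting requests per two-octet block in an access log and emitting `deny from` lines only for the noisy blocks. The log lines are constructed, and `noisy_prefixes`, `deny_lines` and the `min_hits` threshold are names and values assumed for illustration.

```python
import re
from collections import Counter

# Constructed access-log lines (Apache common log format); not data from the thread.
SAMPLE_LOG = """\
91.200.12.5 - - [25/Oct/2016:13:01:02 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 512
91.200.12.9 - - [25/Oct/2016:13:01:03 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 512
91.200.14.77 - - [25/Oct/2016:13:01:03 +0000] "GET /index.php HTTP/1.1" 200 2048
91.200.12.5 - - [25/Oct/2016:13:01:05 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 512
91.222.3.40 - - [25/Oct/2016:13:01:06 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 512
91.222.3.41 - - [25/Oct/2016:13:01:06 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 512
91.222.8.2 - - [25/Oct/2016:13:01:07 +0000] "GET /index.php HTTP/1.1" 200 2048
91.5.66.10 - - [25/Oct/2016:13:02:11 +0000] "GET /index.php?board=1.0 HTTP/1.1" 200 4096
203.0.113.9 - - [25/Oct/2016:13:02:30 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Client address at the start of the line; capture the first two octets.
IP_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}\s")


def noisy_prefixes(log_text, min_hits=3):
    """Return {'A.B.': hits} for two-octet blocks with at least min_hits requests."""
    counts = Counter()
    for line in log_text.splitlines():
        m = IP_RE.match(line)
        if m:
            counts[f"{m.group(1)}.{m.group(2)}."] += 1
    return {prefix: n for prefix, n in counts.items() if n >= min_hits}


def deny_lines(prefixes):
    """Format the selected blocks as partial-IP deny lines, sorted for stable diffs."""
    return [f"deny from {p}" for p in sorted(prefixes)]


if __name__ == "__main__":
    # The single visitor from 91.5. stays unblocked; only the noisy blocks are listed.
    print("\n".join(deny_lines(noisy_prefixes(SAMPLE_LOG))))
```
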

Mr Edd

Yeepee!  It's stopped.   Thanks Guys

My htaccess file looks like this...

<Files *>
    Order Deny,Allow
    Deny from 91.*.*.*
    Allow from all
</Files>

I will keep it like this for a week and then see what happens.
I still have the 18 or 20 guests in the online list.  I am hoping they will drop off soon.

Thanks again guys.

Edd

PS  Just checked again and now the Guest queue has gone too...  Phew thanks
I'd be Dyslectic if I could spell ti

Kindred

Mr Edd...   interesting that it works... but that is wrong. That should not be the .htaccess used in the root of your forum.

As already stated, your .htaccess should read

order deny,allow
deny from 91.200.
deny from 91.222.
allow from all

it should not include the files definition lines and does not need the *
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
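
Added example, not part of any post above: a small Python model of how Apache's mod_access_compat documents `Order` evaluation, for checking a rule set before uploading it. Under `Order Deny,Allow` a client that matches both a `Deny` and an `Allow` line is allowed, so an `Allow from all` line cancels the `Deny` lines; `matches` and `evaluate` are names made up for this sketch, and only IP-style specs are modelled.

```python
import ipaddress


def matches(spec, ip):
    """True if one Allow/Deny spec matches the client IPv4 address."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # CIDR or network/netmask form, e.g. 91.200.0.0/16
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if all(o.isdigit() for o in octets):  # full or partial IP, e.g. "91.200."
        return ip.split(".")[:len(octets)] == octets
    # Wildcards such as 91.*.*.* are not among the documented IP forms;
    # this model treats them (and hostnames) as not matching an address.
    return False


def evaluate(order, allow, deny, ip):
    """Return True if the request is allowed under the given Order."""
    a = any(matches(s, ip) for s in allow)
    d = any(matches(s, ip) for s in deny)
    if order == "deny,allow":
        return a or not d   # Allow overrides Deny; no match means allowed
    if order == "allow,deny":
        return a and not d  # Deny overrides Allow; no match means denied
    raise ValueError(f"unknown order: {order}")


if __name__ == "__main__":
    deny = ["91.200.", "91.222."]
    bot, visitor = "91.200.12.5", "203.0.113.9"  # constructed addresses
    # Deny,Allow + "Allow from all": the bot matches both, so it is allowed.
    print("deny,allow + allow all :", evaluate("deny,allow", ["all"], deny, bot))
    # Allow,Deny + "Allow from all": Deny has the last word, the bot is refused.
    print("allow,deny + allow all :", evaluate("allow,deny", ["all"], deny, bot))
    # Deny,Allow with no Allow line also refuses the bot and admits everyone else.
    print("deny,allow, no allow   :", evaluate("deny,allow", [], deny, bot))
    print("other visitor          :", evaluate("allow,deny", ["all"], deny, visitor))
```
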
