Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM

lethal-danger

The firewall mod seemed to download and install, but the admin tabs aren't displaying, and the option screen seems to be incomplete.  I am using SMF 1.1.13.

Thank you for any help

Bigguy

Quote from: ljunatic on February 13, 2011, 08:32:26 PM
I see the update for 1.1.13 is out. THANKS!


Should I uninstall and reinstall to get the upgrade?

Yes I think it would be a good idea. :)

butchs

#202
Quote from: MCK on February 14, 2011, 12:55:31 AM
Seeing some new type of attacks in my logs that I didn't see before.  In case this is of interest.

Request Entity Attack: base64_decode!

Oh, that was a nasty one.  It is meant to exploit e107 contact.
???
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

Quote from: lethal-danger on February 14, 2011, 10:52:47 AM
The firewall mod seemed to download and install, but the admin tabs aren't displaying, and the option screen seems to be incomplete.  I am using SMF 1.1.13.

It works in the default theme.  Possibly you need to reinstall the mod or fix SMF.  I cannot help much with the latter.

ljunatic

Quote from: Bigguy on February 14, 2011, 03:33:38 PM
Quote from: ljunatic on February 13, 2011, 08:32:26 PM
I see the update for 1.1.13 is out. THANKS!


Should I uninstall and reinstall to get the upgrade?

Yes I think it would be a good idea. :)

Thanks

The update did ask for the old version to be uninstalled first.

lethal-danger

Well, I installed a new SMF 1.1.13 and the latest Forum Firewall.  It downloads and installs fine, but when I'm redirected to the settings page, I only see some options but no tabs...  It's almost like I don't have permissions set correctly for it to install, but the other mods worked OK...

I'm stumped!


butchs

Sounds like your browser configuration is off.

butchs

All.  There is no "ForumFirewall.english-utf8.php" file in this version of the mod.  If you require it, please copy and rename the "ForumFirewall.english.php" file.

DarkBlizz

#209
Anyone verify if 66.249.71.141 is an authentic Google bot IP and not some spoof?  It does trace back to Google's HQ though.  Also if it is authentic, would the correct user-agent for it be:
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
This IP comes through my site a lot and gets picked up as a DOS attack and is auto-banned.  Although through Google Webmaster Tools, there are no crawl errors that would suggest it gets blocked.
Wanted to make sure it was real before adding it to the whitelist.

Also a suggestion for the email notification: if it could also include in the email msg the ID/IP, so one could go back to the Visitor Log and easily look it up.

~cheers

(edit: Yep, looks like it's the correct user-agent, currently that IP is browsing forum without being banned ;) )

ExWizzard

Can you please explain "Proxy bypass protection" a bit more? I got over 35000 log entries in a few hours after enabling this :/

butchs

Quote from: ExWizzard on February 17, 2011, 12:00:00 PM
Can you please explain "Proxy bypass protection" a bit more? I got over 35000 log entries in a few hours after enabling this :/

Uncheck "Enable Bypass Protection", I bet it is set incorrectly.  Make sure "Block Violations" is not checked until you work out the bugs in your settings.

butchs

Quote from: DarkBlizz on February 17, 2011, 07:31:33 AM
Anyone verify if 66.249.71.141 is an authentic google bot IP and not some spoof...

(edit: Yep, looks like it's the correct user-agent, currently that IP is browsing forum without being banned ;) )

It is easy to spoof IP addresses and domain names.  Some bots are good at it.

There are two ways to try to protect against IP spoofing that I use:
1.  Bad Behavior reverse IP check.  This only works if both the IP and the domain are not spoofed.
2.  DOS attack - if you set Google Webmaster Tools, robots.txt and the others to require a hit rate that is less than FF, then the mod will catch the bad guys who spoof Google accounts.  So if you have everything set correctly, rest assured you blocked a spoofed bot.

Quote from: DarkBlizz on February 17, 2011, 07:31:33 AM
Also a suggestion for the email notification: if it could also include in the email msg the ID/IP, so one could go back to the Visitor Log and easily look it up.

I will add it to the list.
:P

ExWizzard

#213
Quote from: butchs on February 17, 2011, 07:11:30 PM
Quote from: ExWizzard on February 17, 2011, 12:00:00 PM
Can you please explain "Proxy bypass protection" a bit more? I got over 35000 log entries in a few hours after enabling this :/

Uncheck "Enable Bypass Protection", I bet it is set incorrectly.  Make sure "Block Violations" is not checked until you work out the bugs in your settings.

Yeah, it was in logging mode only. I disabled it because it was causing the whole server to crawl lol. So how do you set it up correctly? The only thing I did was tick the checkbox.

Also I got about 7 pages for the same user of this error

action=register2
2: htmlspecialchars() expects parameter 1 to be string, array given
File: /Sources/Subs-ForumFirewall.php
Line: 1044



owg

#214
Hi butchs, great mod!
I've been running FF for a few days in log mode, and just now turned it to block mode.  The log was full of mostly invalid IPs, and a few DOS reports (that were actually members).  Almost immediately one of my global moderators reported that he received the 403 error page - I asked his IP and it was not in the log, but there were lots of IPs in the 10.*.*.* ranges.  I assume that one of his is one of those, but if he is using a proxy, it is a legitimate corporate proxy.  I know very little about security, most of this is new to me.  Is there a way I can find the identity of the proxy, or is there a way to pass certain invalid IPs through?

One other thing - I see an invalid IP 127.0.0.1 in the log - sorry for my ignorance - do I need to worry about the localhost IP?
Thanks!

Maxtor

I can't install it, it just returns to the packages page...

DarkBlizz

Suggestion: The Visitor Log definitely needs a way to remove logs, i.e.
  Apply filter of type: All Logs (192) | IP (6) | DOS (7) | SQL (179)
  [Remove Selection] [Remove All]

butchs

Quote from: owg on February 18, 2011, 12:58:01 AM
Hi butchs, great mod!
I've been running FF for a few days in log mode, and just now turned it to block mode.  The log was full of mostly invalid IPs, and a few DOS reports (that were actually members).  Almost immediately one of my global moderators reported that he received the 403 error page - I asked his IP and it was not in the log, but there were lots of IPs in the 10.*.*.* ranges.  I assume that one of his is one of those, but if he is using a proxy, it is a legitimate corporate proxy.  I know very little about security, most of this is new to me.  Is there a way I can find the identity of the proxy, or is there a way to pass certain invalid IPs through?

One other thing - I see an invalid IP 127.0.0.1 in the log - sorry for my ignorance - do I need to worry about the localhost IP?
Thanks!

If you do not know his IP or when he was there, how could I help you?  As I stated in earlier posts, proxies can be compromised.

Well...  The mod only inspects traffic to your site so localhost should never be seen unless you have your server in your bedroom.  Traffic between SMF and the DB is not watched with this mod.

If you want invalid IPs to pass then turn off the IP check.

owg

Quote from: butchs on February 18, 2011, 08:20:10 PM
If you do not know his IP or when he was there, how could I help you?  As I stated in earlier posts, proxies can be compromised.

Well...  The mod only inspects traffic to your site so localhost should never be seen unless you have your server in your bedroom.  Traffic between SMF and the DB is not watched with this mod.

If you want invalid IPs to pass then turn off the IP check.

I apologize if you think my post is unwarranted - I was just asking an honest question.  It was not necessary to be sarcastic about the localhost part - the IP was in the log.  I did not see a solution in any post in thorough searches through the forum, and this was my last resort before uninstalling, because as you also mentioned in another post, the minimum a user should have turned on is the IP check and DOS check.

butchs

Why are you putting words in my mouth?  I never said your posts were "unwarranted".  I am trying to provide free support and I have little spare time so work with me.

I really do not know what to tell you about your moderator since you cannot identify him in your visitor log.  You did not give me enough information to answer the question.

Now, since many people are getting sucked into proxies that are bad I will be adding a check box that will prevent searching the proxy list.  However, I will note that any proxy that fails the test may or may not be compromised.
