Simple Machines Forums attacks

Started by Norv, February 19, 2011, 04:33:48 PM


Norv

What is happening
Lately, a number of forums have reported experiencing ongoing attacks by malicious users repeatedly hitting their pages, especially the login pages. There seem to be several different types of attacks ongoing, and SMF forums are not the only sites being attacked.

How to better protect your forum
If you're on SMF 2.0 RC4 or an earlier version, you might also have had reports of members being logged out when they shouldn't have been. This is a result of the bots trying a large number of random passwords for member accounts. If you have this problem, please install the SMF 2.0 RC4 Security Patch or upgrade to SMF 2.0 RC5 to fix this behavior. On a number of forums, bots attack the login pages, trying random passwords for your member accounts. If you see many more than the usual number of "invalid password" errors in your forum error log, then it seems your forum may be experiencing one of these attacks. On other forums, you may see more requests to action=login2 in your webserver error log than you see "invalid passwords" in the SMF error log. If you see this, please let us know here, or feel free to contact me at [email protected].

Set the password strength to high in your Admin panel:
Security and Moderation > Required strength for user passwords.
Use strong passwords for your accounts, and do not reuse your password at multiple sites. Advise your members to follow these rules, too. A strong password has 8 or more characters and is not a dictionary word or a common, easily guessed combination of characters.

Additional protection for your members accounts
We have verified that several forums have gotten very good protection from these attacks by using httpBL or a forum spam stop mod combined with a Tor blocker.
1. Switch to email login instead of username
cb|Emailogin
Because it requires members to use a secret value (their email address) to log in, it helps protect your member accounts from being attacked by bots. This option may not be appropriate for all forums. It can be inconvenient on big boards. You know best if it is suitable for your forum or not.

2. Add verification to the login page
Login verification
This mod enhances the login page by adding security verification, just as can be done during registration. We strongly recommend using custom questions rather than Captcha. Questions that a human would answer easily, but a bot could not guess, work well. Once you install it, the settings in your forum admin panel
Security and Moderation > Anti-Spam:
> Require verification on registration and login pages
> Visual verification image to display
> Number of verification questions user must answer
> Verification Questions
will be applied to both registration and login pages.
In addition, the mod enhances logging in your SMF error log.

3. Blacklist IPs after a configurable number of failed attempts
Login Security
Please see the mod's readme for the added features that it provides. This may cause problems for members who receive dynamic IPs from their ISPs, but it may help. You decide if this is a good choice for your forum.

Protect your forum from the attacking IPs
4. Install anti-spam mods
For example, httpBL is an implementation of the Project Honeypot API. The project gathers reports about suspicious activities of IPs and the mod uses their online database to block the blacklisted IPs before doing anything on your forum. Since the project Honeypot seems to verify the reports from more sources before blacklisting IPs, their database has a good chance to be accurate.
There are many other mods fighting spammers, please see the Customize site.

5. Temporarily block access to your forum through Tor
These mods have been tested and should work. The first has been more thoroughly tested.
Tor Blocker
Tor access
The Tor service simply provides a proxy to users all over the world, and there is nothing wrong with that. Unfortunately, these days it has been heavily used by malicious users. Evidence of this use has shown up on quite a number of forums we have checked.

Other enhancements

Targeted at login bots:
Login detector mod. It works perfectly fine on many forums, successfully preventing the invalid bot login attempts.

Helpful mods on these and related problems:
Bad Behavior mod, targeting spam and other malicious attempts against your site.
Forum Firewall, targeting a wide range of possible attempts against the security of your site.

We are monitoring a number of forums and working on enhancing the options presented above and more options. Please try what you think is appropriate for your forum.  Search this forum for problems similar to yours, to find out how other forum owners have solved them. Please let us know what works for you.

For support on any of the mods listed above, please use the appropriate mod support thread.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github
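The first post suggests spotting an attack by the volume of requests to action=login2 in the webserver log, and later replies mention blocking the offending IPs in .htaccess. As an added example (not part of the original post and not code from any SMF mod), the following Python script counts action=login2 requests per client IP over constructed Apache combined-format log lines and prints an Apache 2.2 deny block for IPs over a threshold; the sample lines and the threshold are assumptions.

```python
"""Count action=login2 requests per client IP in an Apache-style access log and
emit Apache 2.2 .htaccess deny directives for IPs above a threshold.
Added example for this thread, not SMF code; the log lines below are constructed."""
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache combined log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2011:16:01:02 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Feb/2011:16:01:03 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Feb/2011:16:01:04 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [19/Feb/2011:16:02:10 +0000] "POST /index.php?action=login2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Feb/2011:16:02:30 +0000] "GET /index.php?board=1.0 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2011:16:01:05 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# client IP, ident, user, [timestamp], "METHOD path ..." ; the rest of the line is ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def count_login2_hits(log_text):
    """Return {ip: number of requests whose query string has action=login2}."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        action = parse_qs(urlparse(m.group("path")).query).get("action", [])
        if action == ["login2"]:
            hits[m.group("ip")] += 1
    return hits

def suspicious_ips(hits, threshold):
    """IPs with at least `threshold` login2 requests, highest count first."""
    return [ip for ip, n in hits.most_common() if n >= threshold]

def htaccess_deny_block(ips):
    """Apache 2.2 mod_authz_host directives denying the given IPs (Apache 2.4 uses Require)."""
    lines = ["Order Allow,Deny", "Allow from all"] + ["Deny from %s" % ip for ip in ips]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    flagged = suspicious_ips(count_login2_hits(SAMPLE_LOG), threshold=3)  # threshold is an assumption
    print(htaccess_deny_block(flagged))
```

Pick the threshold from your own log volume; a single user who forgot a password produces a handful of login2 hits, not dozens in seconds.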

NanoSector

Nice guide, Norv! I'm sure to use it.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Arantor

Interesting choice of mods to offer up, more importantly in the order. Yes, you can force email login, but personally I'd rather stop them at the door from trying to make the fake login in the first place ;)
Holder of controversial views, all of which my own.


Kindred

I will note that, on a very large forum which I run, that was being hit constantly, items 4 and 5 were the only actions I took... which resulted in cutting the attack hits almost entirely (I believe that the current log entries are normal users who forgot their passwords).

I encourage everyone to use the honeypot mod as well as either the tor blocker or arantor's mini-mod. Although steps 1, 2 and 3 will successfully mitigate the situation, they are not valid actions on established forums of any major size.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

kat

I liked the mod that shot 25KV A/C up the Spammers arm, myself...

Cal O'Shaw

Perhaps a silly question... we have password strength at mid.  If we go to High, does that do anything about existing passwords?  I'm assuming new members and members changing their passwords would be held to new level.

Any way to see which users are below specified password strength so we can PM them to change?
Is there a maximum password length (some of my users want to go to the max)?

Grazie,

Cal

b4pjoe

I've cleared my .htaccess list of IP's and uninstalled the cb|Emailogin. As soon as I did that the attempted logins started immediately. Then I installed Arantor's mod, login_detector.zip and so far I have had no entries in the SMF error log. It's been about 2 hours now and that mod is the only thing I am using to combat the attacks at present.

Arantor

Quote from: Cal O'Shaw on February 19, 2011, 05:04:26 PM
Perhaps a silly question... we have password strength at mid.  If we go to High, does that do anything about existing passwords?  I'm assuming new members and members changing their passwords would be held to new level.

Correct.

QuoteAny way to see which users are below specified password strength so we can PM them to change?

No. The passwords are hashed and there is no way to determine whether any given password is weak or not, unless you care to brute force their accounts, one by one.

QuoteIs there a maximum password length (some of my users want to go to the max)?

I don't believe there is. If there IS, it'll be something like 50 characters.


Kindred

Changing the password strength requirement will not affect existing users... And no, there is no way to analyse the strength of existing users' passwords or force them to change passwords.

Norv

Quote from: Arantor on February 19, 2011, 04:45:05 PM
Yes, you can force email login, but personally I'd rather stop them at the door from trying to make the fake login in the first place ;)

I completely agree actually. The particularity that your last mod targets and your report are under investigation and should definitely be addressed one way or another.
Thank you very much! :)

robbie93

Thanks Norv - I have used option number two, Add verification to the login, and set it to medium as high was too hard to read - seems the best way to stop this, hopefully.

Antechinus

Cool. That will make it easier for the bots to read. ;D

(this is why I think captcha is not the best option)

Arantor

Quote from: robbie93 on February 19, 2011, 06:35:31 PM
Thanks Norv - I have used option number two, Add verification to the login, and set it to medium as high was too hard to read - seems the best way to stop this, hopefully.

I'm now hours and hours without a single bot hit... with 2 lines of code and my users noticed nothing ;) And no, the login CAPTCHA is not the answer. Mind you, I have a custom CAPTCHA anyway ;)


robbie93

Hmm, well there are still errors in the logs now and they are still hitting the site, but they don't seem to be able to read the verification letters, as I'm now getting these errors

Guest
83.142.228.14   
http://robbie93andhotchildxox.net/index.php?action=login2
This forum requires verification.

What code have you used, Arantor, and is it available to test?

Arantor

Quote: What code have you used, Arantor, and is it available to test?

See 'Login detector' mod under 'Other enhancements' in this thread.


robbie93

Quote from: Arantor on February 19, 2011, 06:51:23 PM
Quote: What code have you used, Arantor, and is it available to test?

See 'Login detector' mod under 'Other enhancements' in this thread.

Ok, thank you. I'll upload it to the site and let you know how it's going.

Norv

Quote from: robbie93 on February 19, 2011, 06:50:19 PM
Hmm, well there are still errors in the logs now and they are still hitting the site, but they don't seem to be able to read the verification letters, as I'm now getting these errors

Guest
83.142.228.14   
http://robbie93andhotchildxox.net/index.php?action=login2
This forum requires verification.

Nothing in SMF (or mods) will stop bots from hitting the site. Bots hit the site. To stop them from getting to SMF at all, you need to block the IPs in .htaccess or at server level.

That log event means that someone tried to login without passing verification. Currently, that can happen to innocent users as well, as they will leave this trace in the log when they try to login from quick login or other means.

Arantor's mod is posted here: Login detector. (linked in the first post as well). Please feel free to let us know how it goes.

ETA: ninja-ed. :)

DoctorMalboro

If there is a need for a captcha, it should be something like moving numbers to put them in order, or something like that... something where a human is needed.

catfished

Login detector mod did the job for me. Now I can go into my forum error log without having to see all those login password errors. Thanks Arantor.
You use and like this forum software? Then show your appreciation and support by becoming a Charter Member.

CatfishEd.com

robbie93

Quote from: catfished on February 19, 2011, 07:28:19 PM
Login detector mod did the job for me. Now I can go into my forum error log without having to see all those login password errors. Thanks Arantor.

Same here, thank you Arantor, I am error free :D It's been nearly an hour now since I used your mod and my error log is FREE for the first time in nearly three months!! Thanks again.
