Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM

RustyBarnacle

Don't forget to uncheck view profile!

By default this is left on for guests in permissions and so a bot can just go:

forum/index.php?action=profile;u=1
forum/index.php?action=profile;u=2
forum/index.php?action=profile;u=3
etc...
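
One way to spot the sweep described above in a web-server access log. This is an added example, not code from this thread or from SMF: the log lines are constructed, and the thresholds (four distinct profile ids inside sixty seconds) are assumptions. It separates an IP walking `u=1, 2, 3, ...` in order from one that is following profile links harvested from thread pages, which shows up as many distinct ids in no particular order.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Apache combined format), not real traffic:
# 203.0.113.5 walks action=profile;u=N in order, 198.51.100.9 follows profile
# links harvested from thread pages (ids out of order), 192.0.2.44 is an
# ordinary reader who opens one profile.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jan/2011:23:00:01 +0000] "GET /forum/index.php?action=profile;u=1 HTTP/1.1" 200 5120
203.0.113.5 - - [11/Jan/2011:23:00:02 +0000] "GET /forum/index.php?action=profile;u=2 HTTP/1.1" 200 5133
203.0.113.5 - - [11/Jan/2011:23:00:03 +0000] "GET /forum/index.php?action=profile;u=3 HTTP/1.1" 200 5102
203.0.113.5 - - [11/Jan/2011:23:00:04 +0000] "GET /forum/index.php?action=profile;u=4 HTTP/1.1" 200 5140
203.0.113.5 - - [11/Jan/2011:23:00:05 +0000] "GET /forum/index.php?action=profile;u=5 HTTP/1.1" 200 5098
203.0.113.5 - - [11/Jan/2011:23:00:06 +0000] "GET /forum/index.php?action=profile;u=6 HTTP/1.1" 200 5121
198.51.100.9 - - [11/Jan/2011:23:05:00 +0000] "GET /forum/index.php?topic=12.0 HTTP/1.1" 200 18230
198.51.100.9 - - [11/Jan/2011:23:05:03 +0000] "GET /forum/index.php?action=profile;u=17 HTTP/1.1" 200 5110
198.51.100.9 - - [11/Jan/2011:23:05:05 +0000] "GET /forum/index.php?action=profile;u=4 HTTP/1.1" 200 5140
198.51.100.9 - - [11/Jan/2011:23:05:08 +0000] "GET /forum/index.php?topic=30.0 HTTP/1.1" 200 16004
198.51.100.9 - - [11/Jan/2011:23:05:10 +0000] "GET /forum/index.php?action=profile;u=23 HTTP/1.1" 200 5127
198.51.100.9 - - [11/Jan/2011:23:05:12 +0000] "GET /forum/index.php?action=profile;u=17 HTTP/1.1" 200 5110
198.51.100.9 - - [11/Jan/2011:23:05:15 +0000] "GET /forum/index.php?action=profile;u=9 HTTP/1.1" 200 5119
192.0.2.44 - - [11/Jan/2011:23:10:00 +0000] "GET /forum/index.php?topic=12.0 HTTP/1.1" 200 18230
192.0.2.44 - - [11/Jan/2011:23:10:40 +0000] "GET /forum/index.php?action=profile;u=17 HTTP/1.1" 200 5110
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
PROFILE_RE = re.compile(r'action=profile;u=(\d+)')   # SMF's default profile URL shape
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def parse_log(text):
    """Yield (ip, timestamp, path) for every line in combined log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m['ip'], datetime.strptime(m['ts'], TS_FMT), m['path']


def profile_requests(text):
    """Group profile views by client: ip -> [(timestamp, uid), ...] in log order."""
    hits = defaultdict(list)
    for ip, ts, path in parse_log(text):
        m = PROFILE_RE.search(path)
        if m:
            hits[ip].append((ts, int(m.group(1))))
    return hits


def classify(views, min_distinct=4, window_seconds=60):
    """'sequential' for an ordered id sweep, 'scattered' for many unrelated ids, else 'normal'.

    Thresholds are assumptions; a slow scraper that spreads its requests over
    longer than window_seconds is deliberately left as 'normal' here.
    """
    uids = sorted({uid for _, uid in views})
    if len(uids) < min_distinct:
        return 'normal'
    span = (views[-1][0] - views[0][0]).total_seconds()
    if span > window_seconds:
        return 'normal'
    if uids == list(range(uids[0], uids[-1] + 1)):
        return 'sequential'
    return 'scattered'


def report(text, **thresholds):
    """ip -> (pattern, number of distinct profile ids fetched)."""
    return {ip: (classify(views, **thresholds), len({u for _, u in views}))
            for ip, views in profile_requests(text).items()}


if __name__ == '__main__':
    for ip, (pattern, distinct) in report(SAMPLE_LOG).items():
        print(f'{ip:15} {pattern:10} {distinct} profiles')
```

Run against real logs, the sequential class is the cheap enumeration bot; the scattered class with a high count over a short window is the link-harvesting bot, which a plain "block u=N+1 after u=N" rule would miss. Both are worth feeding to whatever ban list the forum already maintains.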

Arantor

Yup, that's true - but there's no evidence that's happening either. The list of accounts the bots are hitting is consistent, and it's not based on the order of users on the memberlist. I still bet it's fed the same way I'd feed it were I writing such a bot: the threads, all of which contain nice juicy links to the profile in a consistent format, just ripe for regex-ing out of a page. Crude bot, fed a forum, all it needs to do is start hitting up a board, munching its way through the links and looking for profile links.

Elysia

That's been locked down forever too. Reg Members can see other members profiles, guests can't see anything other than posts.

RustyBarnacle

I just installed a new out of the box SMF2 RC4 forum, made a couple profiles and guests could view profiles until I unchecked that.

Arantor

Yup, that's the default, but all the evidence points to not doing that.

b4pjoe

I have seen them try user names of members that have never posted also. And my member list is not visible to guests but it is to members so it would be easy enough for a human spammer to capture the lists.

busterone

It is remotely possible that a human spammer made it past registration and then harvested the names. I did notice a huge increase in attempted spammer regs for about 2 weeks, and then it went quiet. About a week after that, these attacks started getting reported.  I guess I am still lucky. My error log is still clean. They haven't hit me at all.

nend

Quote from: b4pjoe on February 16, 2011, 12:35:36 PM
There is a mod for it that I use. cb|Emailogin 0.5. Compatible With: 1.1.13, 2.0 RC5

I can't use it, I still have to design my own. It isn't the mod's fault, it is just because the forum code is so heavily modified that I can no longer use packages from SMF. Even upgrades, I have to figure out what has changed and work them into my SMF installation. No big deal, like I said just got to find the time to do it.

Quote from: Kindred on February 16, 2011, 02:53:14 PM
And personally, I would lose track if I had a different display from login.   I have used Kindred since the early 90s.

Debate going on in my head about using email addresses. It seems to be the fad though with other websites.

But I am like you, I'd rather use my old login, but in this case I would choose security over personal preference. I doubt too many users will be too upset about using their email address that they linked to the forum, unless it is one they hardly use. :D

nend

Well, I was just thinking, I can probably satisfy both ends. If they want to use their email address to login they can, or if they want to use their username they can do that too; also they can use both if they wanted to. Maybe make it optional in the user profile which login method they prefer and explanations on why one is better than the other, etc.

This will give the user options instead of saying you have to use this method.

Cal O'Shaw

And if we could hide member names from guests then they could go either way.  The reason you can use the email addresses is because they are never displayed to guests.  If membernames were the same way you could use those safely as well.

Which is why I keep pushing to have that option, why it's great Arantor wrote his (even if it's 2.0 only), and now wish we could get the same feature for 1.1.x sites.

Cal 

Arantor

To be honest, though, to a point it's now locking the door after the horse has bolted.

Methods to block the attack entirely are being investigated as we speak.

nend

We must consider whose responsibility it is to secure their account. Right now we are trying to play the role of the user but it is their responsibility to secure their account with a strong password. All that we can do is give options IMHO.

Email addresses on the other hand are displayed to members if the user wants to display them to members. Bots don't only have to be guest but can actually be registered members and view these email addresses.

Methods to block the attack entirely do not exist, you and I both know that. Best we can do IMO is to educate our users to make sure they don't leave their accounts vulnerable to these type of attacks.

I am not however saying that we can not help. We can run temp bans to reduce the impact and like I said just give the user options to protect their account.

Login by email address is a great idea, but I am not going to penalize my members who have a strong password. I just finished coding up an optional system for my site. Members can pick if they want to use their email and username, email only or username only to login.
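
An added example of the two controls nend's post combines, a per-account choice of login identifier and a temporary ban after repeated failures. This is not code from this thread, from SMF or from nend's mod; the `Account` records, the `login_with` field and the thresholds (five failures in fifteen minutes) are assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b'\x00' * 16   # used so an unknown identifier costs the same time as a wrong password


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes
    login_with: str = 'both'   # hypothetical per-user setting: 'both', 'email' or 'username'


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, PBKDF2_ROUNDS)


def make_account(username, email, password, login_with='both'):
    salt = os.urandom(16)
    return Account(username, email, salt, hash_password(password, salt), login_with)


class LoginService:
    def __init__(self, accounts, max_failures=5, ban_seconds=900, clock=time.monotonic):
        self.by_username = {a.username.lower(): a for a in accounts}
        self.by_email = {a.email.lower(): a for a in accounts}
        self.max_failures = max_failures
        self.ban_seconds = ban_seconds
        self.clock = clock                    # injectable so the ban window can be tested
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failed attempts

    def resolve(self, identifier):
        """Map what was typed to an account, honouring that account's login_with choice."""
        ident = identifier.strip().lower()
        acct = self.by_email.get(ident)
        if acct is not None and acct.login_with in ('both', 'email'):
            return acct
        acct = self.by_username.get(ident)
        if acct is not None and acct.login_with in ('both', 'username'):
            return acct
        return None

    def is_banned(self, ip):
        """True while the IP has max_failures failed logins inside the last ban_seconds."""
        now = self.clock()
        recent = self.failures[ip]
        while recent and now - recent[0] > self.ban_seconds:
            recent.popleft()
        return len(recent) >= self.max_failures

    def login(self, identifier, password, ip):
        """Return 'ok', 'failed' or 'banned'; the response never says which identifiers exist."""
        if self.is_banned(ip):
            return 'banned'
        acct = self.resolve(identifier)
        if acct is None:
            hash_password(password, DUMMY_SALT)   # equalise timing, result discarded
            ok = False
        else:
            ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
        if ok:
            self.failures.pop(ip, None)
            return 'ok'
        self.failures[ip].append(self.clock())
        return 'failed'


if __name__ == '__main__':
    svc = LoginService([
        make_account('alice', 'alice@example.org', 'correct horse battery staple', 'email'),
        make_account('bob', 'bob@example.org', 'tr0ub4dor&3', 'both'),
    ], max_failures=3)
    # A bot that harvested the display name 'alice' gets nowhere, even with the right password.
    print(svc.login('alice', 'correct horse battery staple', '203.0.113.5'))
    print(svc.login('alice@example.org', 'correct horse battery staple', '203.0.113.5'))
```

The ban is keyed on the client address rather than on the account, so a bot hammering a harvested username cannot lock the real member out; the cost is that the same bot from a fresh address starts with a clean counter, which is why this complements rather than replaces a strong password.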

Arantor

Quote: Methods to block the attack entirely do not exist, you and I both know that.

This attack, I happen to disagree, because I've been doing some research into the mechanics of this specific attack. There is one notable feature that is rather consistent in the attack pattern. I won't disclose it publicly, naturally, but I'm currently working on a way to neutralise it.

Sure, we can and should be educating users. But we can't make them do anything, and nor should we.

b4pjoe

Quote from: nend on February 16, 2011, 07:57:10 PM
We must consider whose responsibility it is to secure their account. Right now we are trying to play the role of the user but it is their responsibility to secure their account with a strong password. All that we can do is give options IMHO.

Email addresses on the other hand are displayed to members if the user wants to display them to members. Bots don't only have to be guest but can actually be registered members and view these email addresses.

Methods to block the attack entirely do not exist, you and I both know that. Best we can do IMO is to educate our users to make sure they don't leave their accounts vulnerable to these type of attacks.

I am not however saying that we can not help. We can run temp bans to reduce the impact and like I said just give the user options to protect their account.

Login by email address is a great idea, but I am not going to penalize my members who have a strong password. I just finished coding up an optional system for my site. Members can pick if they want to use their email and username, email only or username only to login.

In SMF 2.0 if you set it in the Admin panel to not allow viewable email addresses then the users cannot see the email address of other members. If a member has the option checked to "Allow users to email me" they still can't see other users email address as the email goes through the forum software. Of course if they reply you will then see their email address.

Also if they can log in with either their email address or their user name the bot can still continue to use the user name to try and guess the password so that really doesn't help.

nend

Quote from: b4pjoe on February 16, 2011, 08:23:32 PM
In SMF 2.0 if you set it in the Admin panel to not allow viewable email addresses then the users cannot see the email address of other members. If a member has the option checked to "Allow users to email me" they still can't see other users email address as the email goes through the forum software. Of course if they reply you will then see their email address.

A user still can show their email address to registered members, check it out it is in your account settings.

Quote from: b4pjoe on February 16, 2011, 08:23:32 PM
Also if they can log in with either their email address or their user name the bot can still continue to use the user name to try and guess the password so that really doesn't help.

I think you didn't get me on this one. I made it optional, the user has three options in their control panel. Well, a picture says a thousand words. Screen shot attached.

Also I would like to note, SMF default is both email and username. ;)

butchs

Humm...  I have not seen it either.  May be stopping it unknowingly.  Still, I hope it comes my way.
O:)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

Quote from: Norv on February 12, 2011, 02:45:35 AM
Mods like those listed here might help with preventing or alleviating the attempts made by particular IPs, as these mods typically use online databases of spammers IPs. I should note there is a certain possibility that those databases are not always accurate, since they contain IPs accumulated by anonymous reports (and those reports could be wrong).

Bad Behavior is all php baby!  No lookups.

Arantor

I take it you're not counting the variety of hostname queries it makes to validate that if a spider identifies itself as Google or Bing, that it comes from that hostname, as lookups (I guess they're to external DBs but not ones that are anonymous reports etc.)

And the behaviour with DNS lookups is also questionable anyway, which is why it was disabled in recent BB versions...

b4pjoe

Quote from: nend on February 16, 2011, 08:35:21 PM
Quote from: b4pjoe on February 16, 2011, 08:23:32 PM
In SMF 2.0 if you set it in the Admin panel to not allow viewable email addresses then the users cannot see the email address of other members. If a member has the option checked to "Allow users to email me" they still can't see other users email address as the email goes through the forum software. Of course if they reply you will then see their email address.

A user still can show their email address to registered members, check it out it is in your account settings.

Quote from: b4pjoe on February 16, 2011, 08:23:32 PM
Also if they can log in with either their email address or their user name the bot can still continue to use the user name to try and guess the password so that really doesn't help.

I think you didn't get me on this one. I made it optional, the user has three options in their control panel. Well, a picture says a thousand words. Screen shot attached.

Also I would like to note, SMF default is both email and username. ;)

Are you on 2.0 because I don't see those settings anywhere in SMF 2.0 unless I'm overlooking them.

Also if email addresses being viewable is disabled in the admin panel and a user checks the option to "Allow users to email me" the other users can still not see that email address. They can email them through the forum software and that will expose that person's email address but not the email address of the person they are emailing. At least that is how it is on my 2.0 forum.

butchs

Quote from: Arantor on February 16, 2011, 08:53:14 PM
I take it you're not counting the variety of hostname queries it makes to validate that if a spider identifies itself as Google or Bing, that it comes from that hostname, as lookups (I guess they're to external DBs but not ones that are anonymous reports etc.)

Not the same as searching a database such as Project Honeypot etc. Only one "gethostbynamel" per cache run, and only for the Big 3 bots, which, if set to 20+ seconds, covers most bot runs.

Quote from: Arantor on February 16, 2011, 08:53:14 PM
And the behaviour with DNS lookups is also questionable anyway, which is why it was disabled in recent BB versions...

That is only an issue with Ubuntu 10+ servers using the BB code, which is not the same as the mod. The mod's latest code, in testing now at SMF Helper, has been proven reliable as long as you use the mod's built-in disk cache.
