Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM


Joazo

Ok thanks butchs, because of you I fixed it :). What caused the problem was the "Enable Bypass Protection".

I got some questions if you got time to answer please:
1. Where can I see the logs of the forum firewall?
2. How can I test the forum firewall is really working (please, an easy & fast way)
3. I have written : "SECURITY RISK: MAGIC_QUOTES ARE ON!". what should I do?

butchs

Here you go:

1.  Admin/Forum Firewall/Visitors -  This shows the log.  Use it before turning on block.
2.  If you have data in the visitor log it is working.
3.  Ask your host if they can turn off magic quotes.  Do not tell them why because they can get weird.  But SMF does not require it.  Or if you have access, edit your php.ini.
8)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Joazo

I asked my host to turn off MAGIC_QUOTES. Let's see their answer.

Btw How can I clean the visitors logs?

Also do you have any more suggestions on how to protect my forum?


butchs

The log cleans itself every week.  If you are using RC4 you can go to Scheduled Tasks/ Auto Delete Old Firewall Visitor Log Entries to adjust it.

Give it time.  You should see less visits as time progresses and you are removed from lists.
;)

Check out the 1st post for more info about protection.

Joazo

Ok thanks a lot butchs.

Btw I looked at my visitor logs and found this: http://img600.imageshack.us/img600/7482/dosattack.jpg

What should I do?
Is it blocked automatically?
Is it a real dos attack?

butchs

January 25, 2011, 06:34:14 AM #105 Last Edit: January 25, 2011, 06:38:50 AM by butchs
Yes but it is more like a captcha brute force access attempt.  They are banned the duration you set in the "Longterm Ban".  Since their IP changes all the time it is a waste of time to ban them more than a day. 1 hr is good for most.

qtime

What is the advantage over using a system firewall like Security & Firewall - csf v5.15?

I am using Security & Firewall - csf v5.15
mod security
ossim
snort

butchs

This does not replace any other firewall software and should only be used in conjunction with other measures.  Not sure what the advantages or disadvantages are; honestly, I do not plan to research either.

This mod is designed for SMF and hopefully will catch the issues that will otherwise cause SMF not to work if tested outside of SMF.

qtime

Ok, thanks for the fast reply. I like to advise the use of Security & Firewall - csf v5.15, it's easy to configure using webmin for example, and it's blocking a lot of bad guys or maybe the girls as well.

butchs

Excellent!  I forgot, my host uses CSF Firewall as a front end to the ForumFirewall mod.  It does do a great job and reduces the work required by FF.  They swear by it.
:)

THE BRA1N

January 25, 2011, 02:54:47 PM #110 Last Edit: January 25, 2011, 02:58:40 PM by THE BRA1N
A couple of members have gotten autobanned by the DOS protection (they weren't trying to DOS). How can I adjust the settings to make it less sensitive than the default? In other words, how do I make it so that a higher threshold must be met before the DOS attack ban kicks in?

Edit - btw, both members had the Forum Firewall Whitelist Group permission enabled and they still were banned.

butchs

What version of SMF?  Were they banned when not logged in?

You can whitelist the members group. In RC4 go to:  "Admin/Members/Manage Permissions: Forum Firewall Whitelist Group" to do so.

Or
Adjust the "Trigger" by increasing it.  Less likely, the "Cache Duration" made some tuning.  Click on the help icons "?" in the mod for instructions.

Or
Shorten or set the "Longterm Ban" to "Never" until you figure out what is going on.
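
The tuning advice in the reply above, shown as an added sketch that is not part of the original posts and is not Forum Firewall's code: the setting names ("Trigger", "Cache Duration", "Longterm Ban") come from the thread, while the class `HitTrigger`, the counting logic, the numbers and the sample traffic are assumptions constructed for illustration. It shows why a burst from an ordinary member can trip a low trigger and how raising it avoids the ban.

```php
<?php
// Added illustration, not Forum Firewall's code. Setting names mirror the
// thread; the sliding-window logic and all values are assumptions.
final class HitTrigger
{
    private array $hits = [];   // ip => list of request timestamps
    private array $bans = [];   // ip => ban expiry timestamp

    public function __construct(
        private int $trigger,        // requests tolerated per window
        private int $cacheDuration,  // window length in seconds
        private int $longtermBan     // ban length in seconds, 0 = never ban
    ) {}

    /** Returns 'allow', 'whitelisted' or 'banned' for one request. */
    public function check(string $ip, int $now, bool $whitelisted = false): string
    {
        if ($whitelisted) {
            return 'whitelisted';   // caller passes true for whitelisted members
        }
        if (($this->bans[$ip] ?? 0) > $now) {
            return 'banned';        // an earlier ban has not expired yet
        }
        // Drop hits that have aged out of the window, then record this one.
        $recent = array_filter(
            $this->hits[$ip] ?? [],
            fn (int $t): bool => $t > $now - $this->cacheDuration
        );
        $recent[] = $now;
        $this->hits[$ip] = array_values($recent);

        if (count($recent) > $this->trigger && $this->longtermBan > 0) {
            $this->bans[$ip] = $now + $this->longtermBan;
            $this->hits[$ip] = [];
            return 'banned';
        }
        return 'allow';
    }
}

// Constructed traffic: one visitor makes 12 requests within 3 seconds.
foreach ([10 => 'low', 30 => 'raised'] as $trigger => $label) {
    $fw = new HitTrigger($trigger, 10, 3600);
    $last = 'allow';
    for ($i = 0; $i < 12; $i++) {
        $last = $fw->check('203.0.113.7', 1000 + intdiv($i, 4));
    }
    echo "$label trigger=$trigger: $last\n";
}
```

With the constructed burst, the low trigger ends in a ban and the raised trigger does not; a member who is not yet logged in would be counted like any other visitor in this sketch because the caller cannot mark them as whitelisted.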

JoeB

Great mod
Installed fine on SMF 2.0 RC4

How to fix this?
SECURITY RISK: MAGIC_QUOTES ARE ON!

butchs

Quote from: JoeB on January 25, 2011, 06:41:19 PM
How to fix this?
SECURITY RISK: MAGIC_QUOTES ARE ON!

See post # 112 in this thread. ;)

busterone

I just discovered that the firewall logs will not delete. I went to scheduled tasks and attempted it twice. Both times, the message was task completed, but when I looked at the log, all entries were still there.  I thought it might be something on my site since it was upgraded several times, so I tried it on my test forum, and got same result. Both are RC4. The test forum is a clean install with just Firewall mod, Stop Spammer and httpBL installed, no members, just me.  :)

No biggie, I just truncated the table in database for my main site to get same result.  I just posted it in the event anyone else has same issue. I am still unsure if it is just my forums or the mod. 

Joazo

Btw,
You wrote that there are 6 things you need:
1. Proxy Firewall.
2. Htaccess protection such as blocking nasty ip addresses, CrawlProtect and GeoIP.
3. Forum Firewall (this mod).
4. Bad Behavior mod.
5. Project Honeypot.
6. Stop Spammer.

How do I get Proxy Firewall, is this a mod?
How do I get Htaccess protection such as blocking nasty ip addresses, CrawlProtect and GeoIP?
How do I get Project Honeypot?

butchs

January 26, 2011, 06:55:44 AM #116 Last Edit: January 26, 2011, 07:08:48 AM by butchs
Quote from: busterone on January 25, 2011, 09:03:25 PM
I just discovered that the firewall logs will not delete. I went to scheduled tasks and attempted it twice. Both times, the message was task completed, but when I looked at the log, all entries were still there.  I thought it might be something on my site since it was upgraded several times, so I tried it on my test forum, and got same result. Both are RC4. The test forum is a clean install with just Firewall mod, Stop Spammer and httpBL installed, no members, just me.  :)

Yes the auto purge deletes log entries greater than 7 days old.  Maybe I will add a purge button in a future version.


EDIT:  You can always uninstall the mod and check the database items then reinstall for a complete purge?

butchs

January 26, 2011, 07:01:34 AM #117 Last Edit: January 26, 2011, 07:11:31 AM by butchs
Quote from: Joazo on January 26, 2011, 02:49:08 AM
1) How do I get Proxy Firewall, is this a mod?
2) How do I get Htaccess protection such as blocking nasty ip addresses, CrawlProtect and GeoIP?
3) How do I get Project Honeypot?

1)  See reply 129 in this thread.  Your host may have it installed already.
2)  Search this site; I posted a how-to a while back on CrawlProtect.  GeoIP may be installed by your host.
3)  That is a mod called httpbl in the mod section.  As are the others.
:D

JoeB

January 26, 2011, 07:53:53 AM #118 Last Edit: January 26, 2011, 08:12:14 AM by JoeB
As an admin, now I cannot log in to the forum:

HTTP Error 403 Forbidden You don't have permission to access
/forums/index.php?action=login on this server.
Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Invalid ip!
If you get this message in error, please contact the ADM1N and provide the date and time of this message.


Please advise. I can only use FTP to change any file.

I stopped two commands by downloading index.php by FTP:

//      'forumfirewall' => array('ForumFirewall.php', 'forumfirewall'),

   // start ForumFirewall
//   if (isset($modSettings['forumfirewall_enable']) && !empty($modSettings['forumfirewall_enable']) && $modSettings['forumfirewall_enable']) {
//      require_once($sourcedir . '/ForumFirewall.php'); }
   // end ForumFirewall

butchs

You should not turn on banned until you are sure that you are not going to ban yourself.

I will send you a pm.
