Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM

Previous topic - Next topic

butchs

Quote from: Arantor on January 20, 2011, 03:51:55 AM
The actual log excerpt that kicked this debate off showed the link where it was created. It's not common at all, though. More importantly, I have no doubt there are mods that use [] in links which could also be adversely affected here.

I know [] are RFC 3986 Reserved Characters but they are "gen-delims" that as I see may not be used by the default SMF package.  Too add them will just add one more character that can be used as a vulnerability.   ie if you look in "PersonalMessage.php" you will see that the second half of the original post is part of an array and as I see it is not part of the action script.  More or less anyone can change the second number in an attempt to remotely cause issues.  This is a potential problem so unless someone can not prove it is part of default SMF it will not make my default list.

This mod is strictly a SMF security mod made for the default module that was created with default SMF.

Quote from: Arantor on January 20, 2011, 03:51:55 AM... but one backed by plenty of years of experience. An 'extra security' package is fantastic, but if on its default settings, impairs the existing functionality adversely...

I dunno but I am a self taught programmer who has been writing code since the 70's.

My opinion is that you run this mod for a few days in logging mode and if you have an issue either ask or search the thread.  Then you have a mod that is getting flagged and it is possible then by all means change the settings.  But to make it watered down and generic because of some perceived mod is not what I want to do.

As with all new mods there will be a period of time where new things will pop up and cause changes.  I am sure there will be something I will have to change.  This thread is for a mod that is user configurable and if people find solutions or new attacks please post them up.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

Quote from: henrik1782 on January 20, 2011, 04:37:04 PM
The user has been banned from the board, do you have any suggestions on how to avoid this in the future...?


Another option would be to whitelist the members group.  I have one who has some weird security stuff that caused him to get banned all the time.  So I created this feature.  You can create a group and then assign it to the member.

In RC4 got to:  "Admin/Members/Manage Permissions: Forum Firewall Whitelist Group" to do so.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

henrik1782

Hi Butchs

Thanks for pointing this out I have totally overseen this posibility.

For the moment I have set the Enotify refresh rate from 10000 to 30000 (30sek) and this seems to work for now.
My favorite mods: Forum Firewall, httBL, MessagePreviewOnHover, BoardHover Mod, VB Style Board Index, Separate Replies and Views Column, Realtime clock by Joker, ENotify, Topic Solved.

butchs

Quote from: henrik1782 on January 20, 2011, 04:45:11 PM
Ok.. thanks.

I could se in the log that Enotify and Forum Firewall is not a perfect match. Do you know any alternatives to Enotify.

Best regards
Henrik

Not sure what the issue is but there are some mods that heavily use the "actionArray", use up loads of bandwidth and get flagged by FF.  I have a workaround for one but honestly if they were coded differently they would be faster.

If there is not a replacement I will add it to my things to look at list.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

#64
Quote from: henrik1782 on January 20, 2011, 07:18:21 PM
For the moment I have set the Enotify refresh rate from 10000 to 30000 (30sek) and this seems to work for now.

Interesting, sounds like that may do the trick since it should slow down the "actionArray" calls.  if that is the issue.

I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

Quote from: RenegadesForum on January 20, 2011, 05:42:17 PM
First, thank you for your hard work, its really appreciated  :D

I installed it and looks like it works perfectly. I have a question about, what to turn on. I am technically challenge in stuff like that  :-X 
In the pic you can see what I did so far. Can you tell me what else I can turn on or what else I can set it up?


FYI - Your admin domain will not work you need to delete the numbers in the front of it.

Please change your salt and delete the images in the post since others have seen it.
Thank you

If you do not have much traffic then I suggest you run DOS protection and the ip check.  But before you turn on banning run it for a day or so and make sure you are not banning the wrong people.

Please delete the images from your post and change your salt.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

busterone

I have another question.  :) It is more of a curiosity than an issue. The firewall log has 6 pages of invalid ip's just today. I included a screenie so you can see an example. I haven't had any users complain, so I doubt these are regular members, but I am curious how there can be so many in just one day. The ip column has none listed as you can see in the screenie.  How are they even able to attempt to access the site with some kind of IP, even if it is spoofed?

butchs

Who checks ip addresses?  The internet is the wild west and anything goes.  There are few systems or software that actually check the ip address so these script kiddies have been doing what they want for several years.

An ip can be easily spoofed and can be used to access many sites.  That is not a bad one but there are a few that are worse like the ones who pretend to be google but really try to scalp email addresses.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

busterone

True, I guess I had no idea that I had so many visit my site in one day.  ;D Like I said, just curious, no issue here. They were blocked and all is good.  :)

butchs

Oh that is ok please ask away...  People should understand that the bad bots are like natz and they will shut you down if you are not careful.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Bagheera

Thank you very much :) I did what you suggested and now I'll just hope the spammers will go away :D

THE BRA1N

Couple of questions - when it logs an "invalid IP in proxy list" and "invalid IP" - where is this 'proxy list' located and how does it determine whether an IP is valid or not? Also, how do you clear the Firewall log?


snoopy_virtual

Hi butchs

Congratulations. I see this mod got approved at last.

I have noticed anyway that you have written my name as a tester, so I suppose that means I should at least test it.  ;D

As soon as I test the mod I will add more comments if I find anything.

El verdadero sabio es aquel que lo ve todo, lo estudia todo, lo analiza todo y molesta poco.
A true wise man is he who sees everything, studies everything, analyses everything and hardly ever annoys.

impreza

Cool addition, I tested and it looks very good
Portal ToTemat.pl - treści w postaci artykułów i filmów tematycznych.

busterone

Sorry Butchs, I have another one.  ;D Not a biggie, just another observation.
Since I turned on the IP check, I get the same two errors repeatedly for guests only, no regular members.

http://www.thedemonsden.com/index.php?action=register
Undefined variable: result
File: /homepages/xx/xxxxxxxx/xxxxxx/forum/Sources/Subs-ForumFirewall.php
Line: 69

http://www.thedemonsden.com/index.php?action=register
Undefined variable: forumfirewall_data
File: /homepages/xx/xxxxxxxx/xxxxxx/forum/Sources/Subs-ForumFirewall.php
Line: 70

These same two undefined variables repeat for any action made by guests.


butchs

Quote from: THE BRA1N on January 21, 2011, 10:30:13 AM
Couple of questions - when it logs an "invalid IP in proxy list" and "invalid IP" - where is this 'proxy list' located and how does it determine whether an IP is valid or not? Also, how do you clear the Firewall log?

The first is an ip that was found within a proxy ip pool generally used by spam bots.  The second was a direct connection by a bot or a user who spoofed their ip.  Both of them failed the same test with non-conforming ip addresses.
8)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

Quote from: snoopy_virtual on January 21, 2011, 12:10:18 PM
As soon as I test the mod I will add more comments if I find anything.

Oh no...  no second passes allowed.    :P
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

Quote from: busterone on January 21, 2011, 07:17:01 PM
Sorry Butchs, I have another one.  ;D Not a biggie, just another observation.
Since I turned on the IP check, I get the same two errors repeatedly for guests only, no regular members.

Thanks, I will work on it this weekend.
:)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

busterone


snoopy_virtual

Quote from: butchs on January 21, 2011, 07:44:17 PM
Quote from: snoopy_virtual on January 21, 2011, 12:10:18 PM
As soon as I test the mod I will add more comments if I find anything.

Oh no...  no second passes allowed.    :P

What do you mean with "second passes"? I haven't done my first pass yet.  ;D

El verdadero sabio es aquel que lo ve todo, lo estudia todo, lo analiza todo y molesta poco.
A true wise man is he who sees everything, studies everything, analyses everything and hardly ever annoys.

Advertisement: