Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM

Kindred

Well, first of all, you can try using search... this issue arises fairly frequently.

Some other mod changed your modifications.english.php and then this mod added the text strings after the closing ?> statement.
You need to move the ?> from wherever it is to the very end of the file.

PLAYBOY

Ok. Since I got locked out of my forum and then slowed it down so much, I think it's best to ask a few questions here before actually starting to use this mod.
1- Does it slow down the loading of pages/forum at all if you don't check any of the boxes?
2- Which security options should I check if I don't want my forum to slow down?
3- Is there any kind of UNDO button? Or a quick way to reverse the most recent changes? Or at least go back to default settings quickly? So when you make a mistake and block yourself or mess up your forum you can just go back easily.
4- How much resource does this mod use? Like, does it use lots of memory or CPU for each inquiry of a visitor?
5- Which options should I use if I don't want it to use so much memory?
6- Does it do anything (keep you secure from anything) if I don't check any of the boxes?
7- What are the suggested settings for a forum which gets about 3000 visitors a day?
8- My forum is invitational only, so is there any way to detect multiple (not only one or two) register attempts?

Thank you very much. So far it looks like one of the best, most useful mods of SMF. Very advanced and smart.

butchs

#782
Oh gosh...  So many questions....

1.  If the mod is not enabled it does nothing.
2.  First you MUST whitelist all your members.   Second I posted minimum recommendations:  "Enable Testing", "Logging", "DOS Attack" and "Enable IP Validation".
3.  No undo button.  Follow the instructions and test the mod for a few days before enabling blocking.  See below.
4.  Utter BULL!  There are few DB queries.  I have many years developing software and always minimize the use of memory.  Unlike many php developers, I take great pains to remove all allocated memory as soon as possible! 
5.  Do you get anything in your host's error log?  Is your host an over-seller?  You are not using Aeva by any chance?
6.  Nothing.
7.  I do this stuff for free so I do not have that data.  For larger forums, I recommend that you use cache.
8.  This mod does not look at or care about register attempts.  If that is your issue, look at your settings.  Chances are a bot is hitting you hard.  Properly set this mod will block fast bots that kill processor use.  When used correctly, you will see 1-2 weeks of bots act desperate because they lost a source of information, get blocked and banned then they go elsewhere.  I created this mod to decrease my bandwidth.  This mod when used correctly will reduce bandwidth when bad bots attack.  I lost 7GB in one month!

The mod has built-in help; click the "?" next to the feature for more information.

Search for HELP in this thread for some of my tutorials.  Read them...  I have several posts in this thread with bold capital letter HELP that explain some of the more complicated features of the mod.

Run the mod for a few days and make sure you will not ban your critical members or yourself then select "Block Violations" to block access.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

PLAYBOY

#783
Thank you very much for answering all.
Again, this is one of the best mods for SMF.
I even think it could be added as a default "Security Tab" in the admin panel in all SMF installations.

Quote: 5.  Do you get anything in your host's error log?  Is your host an over-seller?  You are not using Aeva by any chance?
Where is that? Which file is it exactly?
I have a VPS so they can't oversell it.
Yes, I do have Aeva.

Quote: 1.  If the mod is not enabled it does nothing.
You mean if none of the boxes are checked, right?
Because I don't see any enable button.

Quote: First you MUST whitelist all your members.
How? I see only one whitelist option and that is for User Agent. Also, what am I going to whitelist? Their IP, hostname, member name? If IP, then it would be pretty hard because 90% of my members use dynamic IPs, as I do also.

I am thinking about translating this to Turkish. Is it only the modifications.english.com? Or is there any more to translate? Would you give me all the text to translate?

I think I had enabled only the SQL injection feature but I kept getting Google bot logs as hack attempts. See below.
IP Address66.249.73.54, Hack:  Repeated!
for /forum/index.php?topic=5607.10

IP Address66.249.73.54, Hack:  Repeated!
for /forum/index.php?action=media;sa=item;in=3340sort=2;desc

IP Address66.249.73.54, Hack:  Repeated!
for /forum/index.php?action=media;sa=item;in=3desc

IP Address66.249.73.54, Hack:  %3d!
for /forum/index.php?yshout&action=media&sa=item&in=826sort%3D4&id=826sort%3D4

IP Address66.249.73.54, Hack:  %3d!
for /forum/index.php?yshout&action=media&sa=item&in=29818sort%3D1&asc=&id=29818sort%3D1

butchs

Answers in order.  Sorry but I have to go to work...

Usually in Cpanel.
When hit fast, Aeva uses lots of bandwidth because it overuses SMF's action array.  A bad bot can hit it hard and tack on some big numbers...  DOS attack and Robots.txt are the best weapons against this type of attack.  I made HELPs for both of them.

Enable Testing has a checkbox
Block Violations has a checkbox

Search for the capital bold HELP in this thread.  If you cannot find it I can find it for you when I get back from work.

There is a translation package in the mod section where you download the mod.

Remove |%3d from SQL injection.

Consider reading the HELP on robots.txt to clean up the fake google bots...
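
Why a `%3d` token flags crawler requests like the ones logged above, as an added example that is not part of the mod: `%3d` is the URL-encoded `=`, so it turns up in any link whose query string was encoded. The pipe-separated, case-insensitive matching and every token except `%3d` are assumptions made for the demonstration.

```php
<?php
// Added illustration, not the mod's code. Assumes the filter is a
// pipe-separated token list matched case-insensitively against the raw
// request URI. Every token except %3d is constructed for the demo.

/** Return the first token found in the URI, or null when none matches. */
function first_matching_token(string $tokenList, string $requestUri): ?string
{
    // array_filter drops empty tokens left by a stray leading or trailing "|"
    foreach (array_filter(explode('|', $tokenList), 'strlen') as $token) {
        if (stripos($requestUri, $token) !== false) {
            return $token;
        }
    }
    return null;
}

$withToken    = 'union+select|information_schema|%3d';
$withoutToken = 'union+select|information_schema';

// The first two URIs are the ones quoted in the log above; the third is constructed.
$requests = [
    '/forum/index.php?yshout&action=media&sa=item&in=826sort%3D4&id=826sort%3D4',
    '/forum/index.php?yshout&action=media&sa=item&in=29818sort%3D1&asc=&id=29818sort%3D1',
    '/forum/index.php?topic=1+UNION+SELECT+1',
];

// Columns: verdict with %3d in the list, verdict without it, request URI.
foreach ($requests as $uri) {
    printf(
        "%-14s %-14s %s\n",
        first_matching_token($withToken, $uri) ?? 'pass',
        first_matching_token($withoutToken, $uri) ?? 'pass',
        $uri
    );
}
```

With `%3d` in the list both logged crawler URLs are flagged; without it they pass while the constructed probe is still caught.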

PLAYBOY

We should have an option to delete the logs anytime we want. I saw only one option to delete them and it's in the scheduled tasks for the logs older than 7 days.

butchs

I will add it to my to do list.
:)

kanaka

#787
In the country box, do the codes XX|YY indicate countries that would be excluded from the forum?
Or what should I set to exclude visitors who come from countries that I do not want in my forum?

Quote from: PLAYBOY on October 08, 2012, 06:12:16 AM
We should have an option to delete the logs anytime we want. I saw only one option to delete them and it's in the scheduled tasks for the logs older than 7 days.

I installed the 1.1.16, how can I clear the log of visitors?

butchs

Quote from: kanaka on November 19, 2012, 04:30:02 PM
In the country box, do the codes XX|YY indicate countries that would be excluded from the forum?
Or what should I set to exclude visitors who come from countries that I do not want in my forum?

The mod only blocks countries.  Assuming you are properly configured.

Quote from: kanaka on November 19, 2012, 04:30:02 PM
Quote from: PLAYBOY on October 08, 2012, 06:12:16 AM
We should have an option to delete the logs anytime we want. I saw only one option to delete them and it's in the scheduled tasks for the logs older than 7 days.

I installed the 1.1.16, how can I clear the log of visitors?

The log automatically purges every 7 days.  There is no current version that totally clears the DB.  But you can always do it manually.
:-X

huan

Good work, I have just installed this mod on my SMF 2.0.

I tried to work with Cloudflare but the bypass protection was not working well; it increased the attempts in the log for bypass attempted. I can't seem to be able to restore the member IP. I have tried a lot of ways to get Cloudflare to work on my forum but the IP still can't be reversed.

In the log, for reason invalid IP, I can't see the IP or proxy used; it is stated as "keep alive".

butchs

#791
The mod has built-in help in multiple languages.  I am surprised so many people do not understand that SMF has built-in help...  Not to be snotty but I put some effort in adding help text to the icons "?" to the mod to make it easier.  If you click on the help icons it will tell you how to configure "Visitor IP call to Proxy" and "Proxy Header ID" for Cloudflare.

As per the help icons:
Visitor IP call to Proxy   HTTP_CF_CONNECTING_IP
Proxy Header ID:         Cf-Connecting-Ip

Possibly your issue is with setting up the bypass protection?  The tutorial you seek is called "BYPASS PROTECTION HELP".

This mod requires some effort and time on your part to properly configure to protect your site.  Once done you will reap the benefits!  I suggest you search "This topic" for the BOLD help tutorials I created for detailed assistance.
:)

huan

#792
The bypass protection help you showed is for admin IP confirmation. I did not set it, as I understand the risk of it.

Visitor IP call to Proxy   HTTP_CF_CONNECTING_IP
Proxy Header ID:         Cf-Connecting-Ip

The above setting is the default and I used it, and nope, it can't change the Cloudflare IP back. Most Cloudflare is still shown as bypass attempt. I tried to test using a proxy to browse the site and it showed as "keep alive" or some strange name in the visitor log instead of showing the proxy IP I used.

Yes, I have gone through all of the ? help icons on the mod.

Under proxy information > IP address, should I whitelist the Cloudflare IP here in order for the bypass protection to work, to help reverse the Cloudflare IP to the original visitor IP?


butchs

Leave "Visitor IP call to Proxy   HTTP_CF_CONNECTING_IP" and "Proxy Header ID:         Cf-Connecting-Ip" alone and uncheck "Enable Bypass Protection" because you are not using it.  Unchecked the mod will still work with CF.  Just it will not catch the random bad guy who sneaks around it.

Today I added FAQs to the 1st post.
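
The proxy settings discussed above restore the visitor address from `HTTP_CF_CONNECTING_IP`. As an added example (not the mod's own code), this PHP shows one way to accept that header only when the connecting peer is the proxy itself, and to reject a value that is not an IP address. The function names and CIDR ranges are assumptions: the ranges are documentation placeholders standing in for the list Cloudflare publishes.

```php
<?php
// Added illustration, not the mod's code. The ranges are documentation
// placeholders (assumption); use the list your proxy provider publishes.
const TRUSTED_PROXY_RANGES = ['192.0.2.0/24', '2001:db8::/32'];

/** True when $ip lies inside $cidr; works for IPv4 and IPv6. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    if (!filter_var($ip, FILTER_VALIDATE_IP) || !filter_var($net, FILTER_VALIDATE_IP)) {
        return false;
    }
    $ipBin = inet_pton($ip);
    $netBin = inet_pton($net);
    $whole = intdiv((int) $bits, 8);   // bytes compared in full
    $rest = (int) $bits % 8;           // leftover bits in the next byte
    if (strlen($ipBin) !== strlen($netBin) || strncmp($ipBin, $netBin, $whole) !== 0) {
        return false;                  // different address family or prefix
    }
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

/** Return [address to attribute the request to, reason for the choice]. */
function resolve_visitor_ip(array $server): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $header = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
    $viaProxy = (bool) array_filter(TRUSTED_PROXY_RANGES, fn($c) => ip_in_cidr($peer, $c));
    if ($header === '') {
        return [$peer, $viaProxy ? 'proxy sent no header' : 'direct'];
    }
    if (!$viaProxy) {
        return [$peer, 'header from untrusted peer ignored'];
    }
    if (!filter_var($header, FILTER_VALIDATE_IP)) {
        return [$peer, 'malformed header ignored'];
    }
    return [$header, 'restored from proxy header'];
}

// Constructed requests: [REMOTE_ADDR, CF-Connecting-IP header or null]
foreach ([['192.0.2.10', '203.0.113.7'], ['198.51.100.5', '203.0.113.7'],
          ['192.0.2.10', 'keep-alive'], ['198.51.100.5', null]] as [$peer, $hdr]) {
    echo implode('  ', resolve_visitor_ip(
        ['REMOTE_ADDR' => $peer, 'HTTP_CF_CONNECTING_IP' => $hdr])), "\n";
}
```

Only the first sample is attributed to the header value; the other three keep the peer address, including the one whose header carries a non-address string.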

Slack

Quote: The mod will then try to read your robots.txt file and self configure.  Enable the test and say goodbye to the DDOS spoofers!

When you say the mod "self configures" - does that mean the server needs to be re-booted in order to do this?

Thanks.

stylusss

Anyone notice a significant change in "bad" traffic after installing?

winsoft

That's an awesome mod, thanks.

butchs

#797
Quote from: Slack on November 26, 2012, 10:34:36 PM
Quote: The mod will then try to read your robots.txt file and self configure.  Enable the test and say goodbye to the DDOS spoofers!

When you say the mod "self configures" - does that mean the server needs to be re-booted in order to do this?

Thanks.

No.  Assuming you never had a robots.txt file installed when you loaded the mod you do the following:
To have the mod check you will uninstall the mod in Package Manager.  Then re-install the mod.  During the re-install the self configure script will look for your robots.txt file.  If found and is properly formatted, the once empty "Robots.txt action's" field will be populated.

Please note that when the mod is un-installed it disables itself.  You will have to re-enable the mod for it to work.

Slack

Thanks butchs, appreciate the explanation.

butchs

You are welcome... To clarify, the mod will NOT do anything if there is any text in the "Robots.txt action's" field during installation.  If there is any data in the "Robots.txt action's" field, you must delete all data and save the empty field before re-installing the mod.

Any changes made to the robots.txt file after mod installation will require manually editing the "Robots.txt action's" field.

The mod does its best to guess your configuration.  I am sure there are some servers where the self configure will not work.  In those cases you will have to enter all the data manually.
:'(