Simple Machines Community Forum

Link to Mod (https://custom.simplemachines.org/mods/index.php?mod=4091)

---

---

Introduction
One day, I released yet another mod to my website and noticed that once I published the link to the new thread, I started getting views on the thread.  In just over 15 minutes, 1,100+ views were logged for JUST THAT ONE THREAD!  It took deleting that thread for the attack to pretty much stop.  So I wrote this mod to try to play interference in attempts to bring a forum down....

This mod records all non-action visits (aka board index, individual boards and topics) from an IP address for all members EXCEPT for admin and moderators within the session data.  If the visitor is recorded as having more hits than a specified number of times per minutes, this mod will automatically place a ban in the .htaccess file.  The default (and minimum) is set to 30 (one hit every 2 seconds), which I feel is more than reasonable for most users.

This mod attempts to detect whether CloudFlare servers are being used, and writes the .htaccess accordingly.

Additional Requirements
Because we really don't want to ban our "wonderful" spiders, this mod turns on Search Engine Tracking Level to Standard setting in order to properly detect spiders.  For SMF 2.0.x, the Search Engine core feature is enabled in order to properly detect spiders.

Recommended Mods To Install
o More Spiders (http://custom.simplemachines.org/mods/index.php?mod=1157) - Adds 83 more spiders/crawlers to your Spiders section in SMF!

Admin Settings
There is a new setting under Admin => Configuration => Security and Moderation called:
o Maximum number of visits allowed before automatic ban

Related Discussions
o [TIP/TRICK] How to ban users properly from .htaccess (http://www.simplemachines.org/community/index.php?topic=524146.msg3710891#msg3710891)

Compatibility Notes
This mod was tested on SMF 2.0.11 and SMF 2.1 RC2, but should work on SMF 2.0 and up.  SMF 1.x is not and will not be supported. 

Changelog
The changelog can be viewed at XPtsp.com (http://www.xptsp.com/board/free-modifications/forum-hit-hard-preventer/?tab=1).

License
Copyright (c) 2016 - 2019, Douglas Orend
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Uploaded v1.1 - March 4th, 2016
o Added support for SMF 2.1 Beta 2.  No changes for SMF 2.0.x branch.

I was sort of curious of how the mod worked so looked at the code.

By blocking all ips that hit the forum more than x many times you run the chance of blocking valid users and indexing spiders.

I myself use prefetch on mobile and RSS so I would be on that permanent ban list. Also you have attachments, avatars and Ajax calls that should be ignored but instead each tick is logged.

Just a FYI,

Quote from: nend on March 05, 2016, 08:01:11 AM
By blocking all ips that hit the forum more than x many times you run the chance of blocking valid users and indexing spiders.

I myself use prefetch on mobile and RSS so I would be on that permanent ban list. Also you have attachments, avatars and Ajax calls that should be ignored but instead each tick is logged.

First, I had forgotten about spiders.  I'll try to fix that so that our "wonderful" spiders (sarcasm intended) don't get blocked.....

Second, you obviously overlooked line 23 in the Subs-HardHit.php file.  It reads:
if ($user_info['is_admin'] || $user_info['is_mod'] || isset($_GET['action']))
This means it won't log admin or moderator requests AND any action specified.  So this URL:

Quoteindex.php?action=dlattach;attach=21;type=avatar

won't get logged.

Third, having noted the second point, (with the possible exception of prefetching), valid users won't hit the forum more than 30 times in a minute.  I obviously have to fix the prefetching situation, though....

Thank you for raising these concerns!

I did a search for the word "prefetch" in the SMF source files and found several instances of the SMF aborting a prefetch request.  I've altered the mod so that it removes the current URL from the session data upon finding a prefetch request.  This should keep the mod from banning valid users....

I also found where the forum attempts to detect whether or not the "user" is a spider/robot.  Evidentally, when the Search Engine core feature isn't enabled, SMF "guesses" at whether the "user" is a robot or spider.  Obviously, we don't want to ban spiders from the forum, as they are the ones who give us traffic!  So, I figured out how to enable the Search Engine core feature, and turn on Search Engine Tracking Level to Standard setting in order to properly detect spiders.  This step is particularly important because SMF will guess at whether a user is a robot/spider and probably won't return valid results.  Searching for known spiders will help with keeping our "wondering" spiders from getting banned, while keeping other robots out of the forum....

I am also adding a recommended mod to install:
o More Spiders (http://custom.simplemachines.org/mods/index.php?mod=1157) - Adds 83 more spiders/crawlers to your Spiders section in SMF!

Uploaded v1.2 - March 5th, 2016
o Added code to remove URL log from prefetch requests, since they are aborted anyways...
o Added code to allow Subs-HardHit.php to allow spiders to not log URLs...
o Modified installer to turn on Search Engines core feature during install.
o Modified installer to set Search Engine Tracking Level to Standard (or better).

---

@Everybody: Usually I post what changes happened when I upgrade a mod.  That didn't happen and I apologize for any confusion this may have caused....

Quick thanks for linking my old thread. :)

Quote from: Ninja ZX-10RR on March 21, 2016, 10:24:35 PM
Quick thanks for linking my old thread. :)

Sorry about the late reply!  You're welcome!  It was very helpful in building this mod.  I only hope that I got everything right with the mod.....

Uploaded v1.3 - October 30th, 2016
o Fixed multiple undefined index errors in this mod.

Uploaded v1.4 - October 16th, 2018
o No functionality change.
o Updated documentation to point to new website.

I already commented on github but left it attached here also in case someone downloads it :)


Regards!

Hello again!  8) one translate more....
See the code... i only translate...no modify anything

Uploaded v1.5 - October 17th, 2018
o Added Spanish Latin translation, courtsey of Rock Lee (https://www.simplemachines.org/community/index.php?action=profile;u=322597).
o Added Brazilian Portuguese translation, courtsey of ORIONzitos (https://www.simplemachines.org/community/index.php?action=profile;u=598068).

Uploaded v1.6 - May 22nd, 2019
o Added support for SMF 2.1 RC2.
o Removed support for SMF 2.1 Beta 2.

I cannot install with emulating 2.1RC2
Is there any way this mod to be updated for 2.1RC3?

Mod is not installed on SMF 2.1.4.
Fatal error: Uncaught Error: [] operator not supported for strings

Quote from: Marina3 on October 03, 2023, 06:29:34 AMMod is not installed on SMF 2.1.4.
Fatal error: Uncaught Error: [] operator not supported for strings

Are you on php 8.x?

Quote from: Doug Heffernan on October 03, 2023, 06:44:26 AM

Quote from: Marina3 on October 03, 2023, 06:29:34 AMMod is not installed on SMF 2.1.4.
Fatal error: Uncaught Error: [] operator not supported for strings

Are you on php 8.x?

Yes, php 8.2.

Quote from: Marina3 on October 03, 2023, 07:26:36 AMYes, php 8.2.

The mod doesn't seem to be compatible with that version.

Error causes settings_install.php file:

<?php
$SSI_INSTALL = false;
if (file_exists(dirname(__FILE__) . '/SSI.php') && !defined('SMF'))
{
   $SSI_INSTALL = true;
   require_once(dirname(__FILE__) . '/SSI.php');
}
elseif (!defined('SMF')) // If we are outside SMF and can't find SSI.php, then throw an error
   die('<b>Error:</b> Cannot install - please verify you put this file in the same place as SMF\'s SSI.php.');
require_once($sourcedir.'/Subs-Admin.php');

// In order to detect spiders correctly, we NEED the Search Engine support turned ON!!!
$arr = array(
   'admin_features' => '',
);
if (empty($modSettings['spider_mode']))
   $arr['spider_mode'] = 1;
if (!empty($modSettings['admin_features']))
{
   $arr['admin_features'] = explode(',', $modSettings['admin_features']);
   $arr['admin_features'] = array_diff($arr['admin_features'], array('sp'));
}
$arr['admin_features'][] = 'sp';
$arr['admin_features'] = implode(',', $arr['admin_features']);

// Set the maximum visits if it hasn't been set already:
if (!isset($modSettings['HHP_max_visits']))
   $arr['HHP_max_visits'] = 30;
updateSettings($arr);

// Echo that we are done if necessary:
if ($SSI_INSTALL)
   echo 'DB Changes should be made now...';
?>

Please use code tags when posting code. ~ Steve

Error causes this line:
$arr['admin_features'][] = 'sp';