

Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM


butchs

#160
I really do not care what you claim others say.  As far as "narrow field of scope" goes...  Please give your ego a rest.  As you admitted, you responded with an attitude to test me.  What do you expect? Americans like myself take offense when treated as inferior by Europeans.  That is the reason why we broke from England!   :laugh:

I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

Now please, anyone with real support questions ask away.

ljunatic

I am having trouble with a pair of top members using BlackBerrys being blocked. I have used the whitelist for all members, but the IPs rendered by the BlackBerry users appear to be failing the testing.

Forgive me for I am very new to this stuff, and learning as I can, but the only log records that I see referring to the Blackberry users are similar to ones that you thought were poorly written HTTP headers ( BISB_3.5.1.71 ) back in reply #153.

Can you tell me what to look for in the log, or how to whitelist the Blackberry phones?

Edit to add SMF 1.1.12

butchs

I do not get paid to support the mod and only have an hour a day, so please provide more information if you would like assistance.  Show me the information from the log.

FYI - The whitelist is only to prevent being banned in DOS.  If you have members that use poorly written software that does not conform to internet standards and you want them to have access, you will need to turn off those portions of the mod.

butchs

All,
Please remember not to turn on blocking until you have tested the mod for at least two days.  It is a good idea to review the "?" help icons while setting up the configuration.
:)

ljunatic

Quote from: butchs on February 01, 2011, 05:22:17 AM
I do not get paid to support the mod and only have an hour a day, so please provide more information if you would like assistance.  Show me the information from the log.

These are typical log entries that I assume are the Blackberry smartphones

1503    BISB_3.5.1.71    2011-02-01 19:33:22
GET /forum/index.php?board=2.0;wap2 HTTP/1.0    BlackBerry8530/5.0.0.459 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/104    http://www.nebraskafirepower.com/forum/index.php?;wap2
Invalid ip in Proxy list!

1502    BISB_3.5.1.71    2011-02-01 19:33:14
GET /forum/index.php?board=50.0;wap2 HTTP/1.0    BlackBerry8530/5.0.0.459 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/104    http://www.nebraskafirepower.com/forum/index.php?;wap2
Invalid ip!

butchs

WOW 1503 blocks!   :-*

That is odd because the IP is showing as a UA.  Could be so many things.  Some possibilities:

  • A misconfigured proxy that they are trying to hide their identity behind, as suggested with the first error.
  • Old browser.
  • Phones could have been compromised.  Many bots seem to be targeting phones now.
  • Who knows, we need to do some tests... do due diligence... and play detective before coming to conclusions

A BlackBerry IP uses the same format as everyone else.  If you would like them not to be blocked, you should turn off your "Enable IP Validation" option, since the whitelist only prevents DOS tests.

If you can ask one of them to try the following:
1) To find the IP address on the phone, select Options >> Advanced >> Host Routing Table
    Scroll down to the one that is bold, hit menu >> view, it is under the "IP/Ports"
    Note that this changes every time you reboot (dynamic IP) your phone. I think only Sprint (old Nextel) offers static (doesn't change) IPs.
2)  Have them browse http://www.whatismyip.com and report back the address.
3)  Bad program.
4)  Are they using a proxy or WebWorks or some special internet application?

ljunatic

Thanks for the reply.

I will be seeing a few of these users in person in about 10 days, and I will do some live testing with their phones in hand if I can.

I know that some of the log entries are legit as the user's cookie has valid information. I thought it odd that that information was viewable, but I recognized the username.

butchs

No problem.  I sure hope you are seeing member number 2, because member one is using a proxy and that is most likely a problem.
;D

fireshiro

Quote from: busterone on January 18, 2011, 07:10:20 AM
nope, it just said Hack: Disallowed characters!  without listing the offending character. And nothing in the forum error log.
I just disabled injection test for the time being so they can carry on as usual.
I will be away for most of the day, but when I return, I can re-enable it and see if I can get more info.

How can I disable this mod?
I ask this because I blocked myself from my forum... Any help?
If it's something that needs to be done manually, please do give me instructions to do so.
I appreciate it.

When i go to my forum this tells me:

Quote
HTTP Error 403 Forbidden
You don't have permission to access / on this server.

Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Invalid ip!

anything

If you get this message in error, please contact the ADM1N and provide the date and time of this message.

fireshiro

Never mind folks, false alarm xD... I see reading does help rather than posting and waiting for an answer..  O:)
It seems just editing the forumfirewall_enabled setting's variable to 0 works well  :P when you block yourself as a newb..

Ciao!!

MCK

#171
Great mod. Installed it on an SMF forum I recently took over and golly wiz... It's infested! Now running it on 2 live forums and 1 test forum. Donated $20 for the 2 live forums I'm running it on. Thanks for the hard work. Keep it up!

Follow-up : I very occasionally used to get the following SMF message on my server :

Connection Problems
Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later.

After turning the firewall on, the occurrence of this problem increased, so I stopped the Blocking but am continuing with the Logging for now. My server logs are showing an average of 4% to 5% utilization, so I don't think this is a chronic server load issue but an occasional spike that hits. Actually it feels like a DOS attack, if I know one.

Question : Is it possible for the firewall to cause excessive CPU load when Blocking is enabled and say there are numerous concurrent DOS attacks going on? I mean fighting these things must be causing some CPU load too right? Thoughts?

PS - After only a couple of hours in operation my log now has 998 entries... I am amazed and really concerned. Day in, day out. The amount of attempted abuse is just astounding.

MCK

Ideas for further development - Message shown to blocked people could be admin editable.

Additionally the email in there is something I'd like to be able to configure. After installation by default there is an email in that Blocked User message that looks like this :

donotreply~n0spam[at]n0spam~mydomainnamehere~[d0t]~com

I did not see this in the documentation. Perhaps I missed it. Point I'm trying to make is that the users of this mod need to setup a mail account on their server to match this message now as it is. Perhaps this needs to be spelled out in the documentation.

I would also like to suggest that this email address becomes user defined in future updates.

Thanks much for your continued effort. Regards


butchs

#173
Quote from: MCK on February 09, 2011, 07:52:08 AM
Question : Is it possible for the firewall to cause excessive CPU load when Blocking is enabled and say there are numerous concurrent DOS attacks going on? I mean fighting these things must be causing some CPU load too right? Thoughts?

The "Connection Problems" problems are most likely your host.  There is the chance you have an issue with your mysql connection.  The mod writes to the database every time it blocks someone.  Just to be safe, I would check the SMF settings by running "Repair Settings".

If the cache is enabled then the load on your server should be less once it blocks the bad bot.  If you have not done so, enable DOS and ban for at least 1 hour to get rid of the fast hitting bots.  After a week or two you should see a decrease in traffic.

My load went down from 8Gb/mo to <1.5GB in the first month using this mod.

Quote from: MCK on February 09, 2011, 12:53:47 PM
donotreply~n0spam[at]n0spam~mydomainnamehere~[d0t]~com

I did not see this in the documentation. Perhaps I missed it. Point I'm trying to make is that the users of this mod need to setup a mail account on their server to match this message now as it is. Perhaps this needs to be spelled out in the documentation.

True, I never mentioned it...

That is on purpose to prevent harvesting of your email address.  It is obfuscating the webmaster address you put in SMF.  The mod replaces @, - and . with text from the language file.  You can Customize it in the ForumFirewall.english.php file.

Just edit the text set by...
$txt['forumfirewall_nospam']
$txt['forumfirewall_dot']
$txt['forumfirewall_dash']


I will advise against turning this back to normal, because then the spammers will email you, while mere humans will be able to work out what to edit.  But if you insist and make it look normal, the mod still encodes the email to make it difficult to scalp.  Just not as good as it was.   8)

Quote from: MCK on February 09, 2011, 12:53:47 PM
I would also like to suggest that this email address becomes user defined in future updates.

To edit the address that is obfuscated (scrambled), go to Admin/Configuration/Server Settings/General/Webmaster Email Address.

butchs

Quote from: MCK on February 09, 2011, 07:52:08 AM
Great mod. Installed it on an SMF forum I recently took over and golly wiz... Its infested! Now running it on 2 live forums and 1 test forum. Donated $20 for the 2 live forums I'm running it on. Thanks for the hard work. Keep it up!
...

PS - After only couple hours in operation my log now has 998 entries... I am amazed and really concerned. Day in day out. The amount of attempted abuse is just astounding.

Thank you for the donation.  No more need for concern.  They no longer have access and will go elsewhere.

MCK

Hi butchs,

Thanks for your kind reply. I appreciate it. I'm working my way through SMF performance tuning guides found on this site and also working with the hosting people to tweak the server. It's a process that often reminds me of a long & painful root canal job... Anyways, will get to the bottom of it.

Appreciate your clearing up my email address confusion. I don't see a need to change anything for now due to the obvious reasons you've outlined, but it's good to know where to go when needed.

All the best.

MCK

#176
Small follow-up here. As you suggested, the firewall hits are getting fewer & fewer. I am now up to 3000+ but the rate of increase has slowed down drastically. I can also observe the positive impact of this mod through the logs of Mod httpBL on my forum. While I used to get at least 80 to 90 items in the spammer caught logs before, now I get 2-4... It's a big success! Thanks for making this happen.

New question : There are certain pre-populated fields on the settings page such as Injection List, XSS Events, Referrer Attacks etc. Would these need to be periodically updated to reflect and catch new attacks etc that get identified? Would you be kind enough to post here if you become aware of such need for updates?

Thanks much!

DarkBlizz

Hey I've been testing your mod for a few days and racked up 3600+ flagged violations.  However it seems to be flagging Google, calling it a DOS Attack.
Quote
3596    66.249.71.141    2011-02-11 01:10:23    GET /Forum2/profile/?area=statistics;u=3116 HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)    DOS Attack!
3595    66.249.71.141    2011-02-11 01:09:23    GET /Forum2/profile/?area=showposts;u=5373 HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)    DOS Attack!

Just wondering why it's getting picked up as a DOS attack when it really isn't and how to not block Google.
Also a majority of the log is filled with "Invalid IPs" called Keep-Alive. Was wondering what that is and whether they are actual invalid IPs or keep-alive packets to keep the page up on w/e those users are viewing.
Here's a few logs of those
Quote
3582    Keep-Alive    2011-02-11 00:18:59    GET /Forum2/ HTTP/1.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322) http://darkblizz.org/Forum2/    Invalid ip!
3581    Keep-Alive    2011-02-11 00:18:56    GET /Forum2/not-enough-pylons/access-violation-error/ HTTP/1.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322) http://darkblizz.org/Forum2/not-enough-pylons/access-violation-error/    Invalid ip!
3580    Keep-Alive    2011-02-11 00:13:12    GET /Forum2/ HTTP/1.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.0 Beta 1; .NET CLR 1.0.3705; .NET CLR 1.1.4322) http://darkblizz.org/Forum2/    Invalid ip!
3579    Keep-Alive    2011-02-11 00:03:38    GET /Forum2/index.php HTTP/1.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts) http://darkblizz.org/Forum2/index.php    Invalid ip!
3578    Keep-Alive    2011-02-10 23:54:46    GET /Forum2/ HTTP/1.0 Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.00 http://darkblizz.org/Forum2/    Invalid ip!
3577    Keep-Alive    2011-02-10 23:54:24    GET /Forum2/index.php HTTP/1.0 Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.00 http://darkblizz.org/Forum2/index.php    Invalid ip!

butchs

Quote from: MCK on February 10, 2011, 10:21:30 PM
New question : There are certain pre-populated fields on the settings page such as Injection List, XSS Events, Referrer Attacks etc. Would these need to be periodically updated to reflect and catch new attacks etc that get identified? Would you be kind enough to post here if you become aware of such need for updates?

Yeah.  This is why it is administrator editable; I was hoping admins would share new list items as they see them.   They can be found at sites that I prefer not to mention here.  In either event, when an update is found all you need to do is type it in the list.
:P

butchs

#179
Quote from: DarkBlizz on February 11, 2011, 01:28:14 AM
Hey I've been testing your mod for a few days and racked up 3600+ flagged violations.  However it seems to be flagging Google , calling it a DOS Attack.

The Google IP is easily spoofed.   Chances are they were not really Google to begin with. The best way to be sure is to go to the "http://www.google.com/support/webmasters/" site and adjust the hit rate, and then compare it to your robots.txt and FF trigger.
:)

The Optimus Brave mod can assist newbies?
:o

If you are still concerned, the mod offers a "User-Agent Whitelist" feature where you can simply enter the UA ie Google in it.  Just read the ?'s.

"Keep-Alive" is a spoofed IP.  :o
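To see how often a block rests on a value such as Keep-Alive or BISB_3.5.1.71 that is not an IP address at all, here is an added review script (my example, not the mod's code); the tab-separated column layout is assumed and the sample lines are constructed from the entries posted in this thread:

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (values from the posts above) in the assumed column
# layout: id, address field, timestamp, request + user-agent (+ referrer), verdict.
SAMPLE_LOG = [
    "3596\t66.249.71.141\t2011-02-11 01:10:23\tGET /Forum2/profile/?area=statistics;u=3116 HTTP/1.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\tDOS Attack!",
    "3582\tKeep-Alive\t2011-02-11 00:18:59\tGET /Forum2/ HTTP/1.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\tInvalid ip!",
    "1503\tBISB_3.5.1.71\t2011-02-01 19:33:22\tGET /forum/index.php?board=2.0;wap2 HTTP/1.0 BlackBerry8530/5.0.0.459 Profile/MIDP-2.1\tInvalid ip in Proxy list!",
    "1502\tBISB_3.5.1.71\t2011-02-01 19:33:14\tGET /forum/index.php?board=50.0;wap2 HTTP/1.0 BlackBerry8530/5.0.0.459 Profile/MIDP-2.1\tInvalid ip!",
]

HEADER_TOKEN = re.compile(r"^[A-Za-z][A-Za-z-]*$")          # e.g. Keep-Alive
VERSION_TOKEN = re.compile(r"^[A-Za-z][\w-]*\d+(\.\d+)+$")  # e.g. BISB_3.5.1.71

def classify_address(value):
    """Say what actually landed in the firewall's address column."""
    try:
        return "ipv%d" % ipaddress.ip_address(value).version
    except ValueError:
        pass
    if HEADER_TOKEN.match(value):
        return "header-token"       # a header value such as Keep-Alive, not an address
    if VERSION_TOKEN.match(value):
        return "software-version"   # a product/version string that only looks numeric
    return "unknown"

def parse_entry(line):
    """Split one log line into its columns; the verdict is always the last one."""
    fields = line.rstrip("\n").split("\t")
    address, detail = fields[1], "\t".join(fields[3:-1])
    return {"id": int(fields[0]), "address": address, "time": fields[2],
            "detail": detail, "verdict": fields[-1],
            "address_kind": classify_address(address),
            # the user-agent is client-supplied, so this is only a claim
            "claims_googlebot": "Googlebot" in detail}

def review(lines):
    """Count verdicts by address kind and list the entries whose block
    decision rests on a value that is not an IP address at all."""
    counts = Counter()
    not_addresses = []
    for entry in map(parse_entry, lines):
        counts[(entry["address_kind"], entry["verdict"])] += 1
        if not entry["address_kind"].startswith("ipv"):
            not_addresses.append(entry["id"])
    return counts, not_addresses
```

Entries listed by review() are the ones to look at before enabling blocking, since they are the clients that "Enable IP Validation" will cut off.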
