Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM

Rik©

* Rik© wonders if Arantor knows a quick fix for the 'always-unread bug' in the Hide Post Authors From Guests mod  :P

Arantor

Quote from: Rik© on February 14, 2011, 04:17:57 AM
* Rik© wonders if Arantor knows a quick fix for the 'always-unread bug' in the Hide Post Authors From Guests mod  :P

Nope, sorry. Haven't looked at it for a very long time.


Going back to the topic (:P) yes, that raises some interesting thoughts. Firstly, the convenience factor of username vs 'security' of email address, secondly it does actually make a case for removing the copyright since from what I can tell, the sites being attacked were found in Google based on searching for the footer. The sites of mine that haven't been attacked have a slightly modified wording in the footer (though, before anyone jumps on me, please note that it's done in accordance with the licence as the team have enforced it thus far: it only modifies the version number)

RVD

Quote from: Arantor on February 14, 2011, 04:22:53 AM
Quote from: Rik© on February 14, 2011, 04:17:57 AM
* Rik© wonders if Arantor knows a quick fix for the 'always-unread bug' in the Hide Post Authors From Guests mod  :P

Nope, sorry. Haven't looked at it for a very long time.


Going back to the topic (:P) yes, that raises some interesting thoughts. Firstly, the convenience factor of username vs 'security' of email address, secondly it does actually make a case for removing the copyright since from what I can tell, the sites being attacked were found in Google based on searching for the footer. The sites of mine that haven't been attacked have a slightly modified wording in the footer (though, before anyone jumps on me, please note that it's done in accordance with the licence as the team have enforced it thus far: it only modifies the version number)

Could you share your footer mod?

Thank you.

Arantor



live627


krick

Here are some more IP addresses to add to the .htaccess ban list.  Incidentally, does anyone happen to know if it makes any difference performance-wise if the "deny from" entries are at the beginning or the end of your .htaccess file?

66.90.101.7
66.230.230.230
77.109.139.87
82.64.83.83
83.142.228.14
87.118.104.203
91.121.152.114
94.75.253.73
95.143.193.145
109.123.119.163
137.56.163.46
137.56.163.64
145.97.195.40
173.13.165.123
173.164.128.121
173.193.221.28
192.251.226.205
192.251.226.206
208.66.135.190
208.110.65.123

青山 素子

It shouldn't make a difference. Adding directly to the Apache config and disabling htaccess would do more for performance.

If you have root access, adding the IPs as an iptables (or pf for BSD) deny would be the best choice.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


_Ziggy_

Quote from: laetabi on February 14, 2011, 02:23:37 AM
I posted previously in this topic having been an early target of the bot in question.

Denying IP addresses and installing anti-spam mods like httpBL are all good things to do, but a simple, secure fix for this attack is to hide all email addresses by default and force members to log in using their email address.

Part of the vulnerability of forums to this type of attack is that one part of the log-in info is public domain (e.g. usernames can be seen all over the forum and can be harvested easily).

By logging in using the email address, the bots have to find out and hit an active email address to log out a user.

There is a simple mod for this 'force email log-in' and this will stop all error log entries and make your forum much more secure to any future variants these script kiddies develop.

http://custom.simplemachines.org/mods/index.php?mod=1665


I agree.
The email login should be standard for SMF.
Bluesforum.com   2.0                     Bluesforum.nl   2.0
Rockabilly-forum.com   2.0              Bluesharp.nl   2.0
Bungalowpark-forum.nl   2.0        Eee pad forum   2.01
Cristiano Ronaldo   2.02              Lockout Tagout   2.02


Looking to buy existing forums, send pm.

Arantor

There is a simpler way to deal with it whilst keeping the convenience of a short login name: just use a different display name to username. I don't remember the last time I had to actually use a full email address anywhere.

_Ziggy_

Yes, but how do you force members to choose a different display name to username?

Arantor

Prompt them to do so, then reset their name after a period of time if they haven't complied.

fiver

I'm receiving the same attack on a few forums. Now trying Proxy Blocker mod since someone mentioned that the bots are going through tor - let's hope it works.


Will give feedback here after an hour or 2 with the result.


Note: Stand by to modify your index.php. If you get blocked by this mod, you need to hide one of the lines of the installed code that blocked you out of your forum.

Arantor

Note that using that mod will also very likely screw up any mobile users trying to get to your site.

Digharatta

Hello,

Since only a few accounts were attacked, I specified the IP addresses for each of these accounts, with the help of Login Security mod, and it helped:

http://custom.simplemachines.org/mods/index.php?mod=2181

P.S. Let me also recommend Forum Firewall mod http://custom.simplemachines.org/mods/index.php?mod=2815 - it's incredible how often the forum gets attacked in small ways.

Elysia

I've updated the htaccess file with a raft of new IPs trying the logins against our large forum. The htaccess list has reduced the attempts to a trickle now rather than the flood of a few days ago. But looking at the IPs I've added it looks like whatever is happening is spreading through more and more servers...  only one of the latest batch seems to be a Tor server connection.

Something else I've picked up is that the attempts are using usernames not displayed names, so whatever is doing this is able to read the usernames somewhere - and given that the Memberlist is not, and has never been, readable by guests, and the only other place these usernames are stored is in the database, how is this access being effected?
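As an added example (not code from this thread, from SMF or from any of the mods named here), the following script does what Elysia describes doing by hand and what krick and Motoko-chan discuss above: it reads an Apache access log, counts login-form submissions per source address, and emits the .htaccess "Deny from" block plus the iptables equivalent for servers where you have root. The log lines are constructed; the three attacker addresses are taken from krick's list earlier in the thread, 192.0.2.10 (a documentation-range address) stands in for an ordinary member, and the SMF login action name `login2` and the Apache combined log format are assumptions.

```python
"""Turn repeated login submissions in an Apache access log into block rules.

Added example for this thread, not code from SMF or any of the mods named here.
Assumptions: Apache "combined" log format, and that SMF's login form is
submitted as POST index.php?action=login2 (the action name is an assumption).
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Named groups for the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log. The first three addresses come from krick's ban list
# earlier in the thread; 192.0.2.10 (a documentation-range address) plays an
# ordinary member who logs in once. The last line is deliberately malformed.
SAMPLE_LOG = """\
66.90.101.7 - - [14/Feb/2011:04:10:01 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
66.90.101.7 - - [14/Feb/2011:04:10:02 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
66.90.101.7 - - [14/Feb/2011:04:10:03 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
77.109.139.87 - - [14/Feb/2011:04:10:05 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
77.109.139.87 - - [14/Feb/2011:04:10:06 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
77.109.139.87 - - [14/Feb/2011:04:10:07 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
208.66.135.190 - - [14/Feb/2011:04:10:09 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [14/Feb/2011:04:11:00 +0000] "GET /index.php?board=1.0 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Feb/2011:04:11:30 +0000] "POST /index.php?action=login2 HTTP/1.1" 302 - "-" "Mozilla/5.0"
garbage that is not a log line
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse
    or its client field is not a valid IP address."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    try:
        ipaddress.ip_address(entry["ip"])
    except ValueError:
        return None
    return entry


def is_login_attempt(entry, login_action="login2"):
    """A login-form submission is a POST whose query string has action=<login_action>."""
    if entry["method"] != "POST":
        return False
    query = parse_qs(urlparse(entry["path"]).query)
    return login_action in query.get("action", [])


def count_login_attempts(log_text, login_action="login2"):
    """Map each client IP to the number of login submissions it made."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_login_attempt(entry, login_action):
            counts[entry["ip"]] += 1
    return counts


def pick_offenders(counts, threshold=3):
    """Addresses with at least `threshold` submissions, in numeric order. A real
    member logs in once or twice; the bots in this thread retry accounts repeatedly."""
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=ipaddress.ip_address)


def htaccess_rules(ips):
    """Apache 2.2 access-control block of the kind posted in this thread.
    With 'Order Allow,Deny' the Deny lines win over 'Allow from all'."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in sorted(ips, key=ipaddress.ip_address)]
    return "\n".join(lines) + "\n"


def iptables_rules(ips, chain="INPUT"):
    """Host-firewall equivalent for servers where you have root; pf users
    would write the matching 'block in from <ip>' lines instead."""
    return [f"iptables -I {chain} -s {ip} -j DROP"
            for ip in sorted(ips, key=ipaddress.ip_address)]


if __name__ == "__main__":
    offenders = pick_offenders(count_login_attempts(SAMPLE_LOG))
    print(htaccess_rules(offenders))
    print("\n".join(iptables_rules(offenders)))
```

The same Deny block can be placed in a Directory section of httpd.conf with AllowOverride None, which is the faster arrangement Motoko-chan describes: Apache then no longer looks for and parses .htaccess on every request. The threshold is a judgement call; a member who mistypes a password twice should not end up on the ban list, which is why the sample only flags addresses that hit the login action three or more times.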

Arantor


szinski

A simple solution would be to create a mod that obfuscates (or simply hides) display names when a guest views the forum. Like the way eBay does it... instead of displaying "EagleMan" it'd display "E***n".

Arantor

You think it's simple to do that? If only it were, because it really isn't. You have to pretty much modify every file where usernames are loaded from the database.

szinski

I meant "simple" as in easily thwarting the bots... not "simple" in design/coding. Sorry.
