Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM

butchs

New version added "Review Proxy List" check box.
O:)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

Quote from: DarkBlizz on February 18, 2011, 06:20:50 PM
Suggestion: The Visitor Log definitely needs a way to remove logs. i.e
  Apply filter of type: All Logs (192) | IP (6) | DOS (7) | SQL (179)
  [Remove Selection] [Remove All]

Well the log deletes itself every 7 days.  Sorting etc. will follow in a future version.

busterone

The bad guys must take notice of who blocks them. The first couple of weeks I ran this, there were 50 or more logged events per day. For the last 5 days, absolutely zero.   ;D

Blade_Runner

I got the following error message. It shows that an animated GIF file is infected with XSS. Is it a bug, or has the file been infected with XSS?

HEADER
modcarclub.com/forums/avatars//!ModCarClub/poison_by_modcarclub-f.gif contains the following exploit: xml
---------------------------
REASON
FORUM INFECTED with XSS!

butchs

Quote from: Blade_Runner on February 19, 2011, 01:25:28 PM
HEADER
modcarclub.com/forums/avatars//!ModCarClub/poison_by_modcarclub-f.gif contains the following exploit: xml
---------------------------
REASON
FORUM INFECTED with XSS!


It is suspected of being infected.  The mod checks all common avatars/ smilies for code injection keywords and lists them once a week.  It is only a warning message.

The only way to determine if it is infected is to look at the code on a computer (where, if there is a program embedded in it, it will not get infected).  Not that I know anything about that...  Or delete the file.

If it is infected it could contain:
1)  Code that will try to write cookies in all those who look at it on your site in order to get some sort of information.
2)  Download an application to a specific computer OS.
3)  Send email messages...
4)  Oh the possibilities...
;)
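
Added example (not part of the thread and not Forum Firewall's code): a keyword warning like the one above says that a string such as "xml" occurs somewhere in the file, not where. This Python sketch walks the GIF block structure and reports which region each hit falls in, so text inside a comment or application extension can be told apart from bytes appended after the trailer; the keyword list, function names and sample files are constructed for illustration.

```python
import struct

KEYWORDS = (b"<script", b"<?php", b"xml", b"eval(")  # constructed list, not the mod's
EXT = {0xF9: "graphic control", 0xFE: "comment", 0x01: "plain text", 0xFF: "application"}

def color_table_len(packed):
    return 3 * (2 << (packed & 7)) if packed & 0x80 else 0

def gif_regions(data):
    """Walk the GIF block structure and return [(start, end, region_name)]."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        raise ValueError("not a GIF")
    pos = 13 + color_table_len(data[10])
    regions = [(0, pos, "header and global color table")]
    while pos < len(data):
        start, kind = pos, data[pos]
        if kind == 0x3B:  # trailer: anything past it is not part of the image
            regions += [(pos, pos + 1, "trailer"), (pos + 1, len(data), "data after trailer")]
            return regions
        if kind == 0x21:  # extension: introducer, label, then sub-blocks
            name = EXT.get(data[pos + 1], "unknown") + " extension"
            pos += 2
        elif kind == 0x2C:  # image: 10-byte descriptor, optional table, LZW size
            name = "image data"
            pos += 10 + color_table_len(data[pos + 9]) + 1
        else:
            raise ValueError("unexpected block 0x%02x at %d" % (kind, pos))
        while data[pos]:  # sub-blocks: length byte + payload, 0x00 terminates
            pos += data[pos] + 1
        pos += 1
        regions.append((start, pos, name))
    raise ValueError("GIF has no trailer")

def locate_keywords(data, keywords=KEYWORDS):
    """Return [(keyword, offset, region)] for each case-insensitive hit."""
    regions, lowered, hits = gif_regions(data), data.lower(), []
    for kw in keywords:
        off = lowered.find(kw)
        while off != -1:
            region = next(n for s, e, n in regions if s <= off < e)
            hits.append((kw.decode(), off, region))
            off = lowered.find(kw, off + 1)
    return hits

def sample_gif(comment=b"", trailing=b""):
    """Constructed 1x1 GIF with an optional comment block and appended bytes."""
    head = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00" * 3 + b"\xff" * 3
    ext = b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00" if comment else b""
    image = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x4c\x01\x00"
    return head + ext + image + b"\x3b" + trailing
```

To triage a flagged avatar, run `locate_keywords(open(path, "rb").read())` on a downloaded copy; a truncated file raises `IndexError` or `ValueError` instead of returning hits.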

Blade_Runner

Quote from: butchs on February 19, 2011, 01:32:39 PM
Quote from: Blade_Runner on February 19, 2011, 01:25:28 PM
HEADER
modcarclub.com/forums/avatars//!ModCarClub/poison_by_modcarclub-f.gif contains the following exploit: xml
---------------------------
REASON
FORUM INFECTED with XSS!


It is suspected of being infected.  The mod checks all common avatars/ smilies for code injection keywords and lists them once a week.  It is only a warning message.

The only way to determine if it is infected is to look at the code on a computer (where, if there is a program embedded in it, it will not get infected).  Not that I know anything about that...  Or delete the file.

If it is infected it could contain:
1)  Code that will try to write cookies in all those who look at it on your site in order to get some sort of information.
2)  Download an application to a specific computer OS.
3)  Send email messages...
4)  Oh the possibilities...
;)

Does an animated GIF file have an embedded program? File size is the same as the one on my computer.

butchs

Quote from: Blade_Runner on February 19, 2011, 01:37:25 PM
Does an animated GIF file have an embedded program? File size is the same as the one on my computer.

GIFs have scripts that allow them to be animated.  But that has nothing to do with what the mod is looking for.  It is safe to say code can be added to any file that is loaded on the internet, including GIFs.  A little is all most need.  No explanation will be provided on how.  Not that I know anything about that...  You can get more information on how at YouTube.

Quote from: busterone on February 19, 2011, 11:08:16 AM
The bad guys must take notice of who blocks them. The first couple of weeks I ran this, there were 50 or more logged events per day. For the last 5 days, absolutely zero.   ;D

Congratulations, the bots do not want to play with you anymore.  You will see a few stragglers testing for vulnerabilities.

There are lists out there published by the bad guys of so-called "easy targets".  Not that I know anything about it...  So when they are blocked, they take note and go elsewhere to fish for more profitable opportunities.

This is why I believe the passive approach of "SANITIZATION" does not work.  Only by being blocked will the bad bots stop visiting and remove you from the list!

:o

owg

Quote from: butchs on February 19, 2011, 08:33:38 AM
...  You did not give me enough information to answer the question.
Perhaps because I am a novice and do not know what information to supply.  I realize now that I can determine who he is by some of the information I see in the header column in the visitor log, but I did not know that until I had closely examined several pages of the log.  I guess I was trying to ask if it was possible to whitelist IPs in the IP check area - if not, all you needed to say is that it is not possible.

On an aside, I highly respect the ability of you and other mod authors who have skills that I do not possess, but sometimes the replies that one receives on public forums do not exactly encourage people to post.

butchs

That is ok.  Please be patient with us.   :-X

I hope the new option will fix your issue?

owg

I believe it will.  I installed v1.06 after uninstalling v1.04, and it went perfectly.  I noticed the proxy check box was disabled by default - good move.  As you recommended, I'll watch the logs carefully for a couple of days before I turn on blocking, but if they are like the ones I've been logging for the past few days, all should proceed well.

Many thanks for all the effort you put into the mod.

lethal-danger

butchs,

When FF is running can I have enable testing, logs and block violations checked at the same time?

When I check the SQL Injection option, I get this error in my logs,

2: strpos() [<a href='function.strpos'>function.strpos</a>]: Empty delimiter

Is that FF stopping the login attempts?

Also with that Proxy Blocker mod installed I had no incorrect login attempts and didn't notice any problems with members.

As soon as I uninstalled  Proxy Blocker I installed the Login Detector patch, and have already started getting incorrect login attempts again.

I just started using mods and looking at forum protection the last couple days, since I've installed the following mods.  Let me know if you see any redundancies or conflicts...  I haven't seen any problems in the logs atm.

Proxy Blocker
Forum Firewall
Login Security
Hide Info from other guests
Stop Spammer
Hide SMF version
Stop Forum Spam
Anti bot: Unrecognizable form
Add Honey Pot to track IP
httpbl

Thanks for all the hard work guys!

butchs

Quote from: lethal-danger on February 20, 2011, 10:33:40 AM
When FF is running can I have enable testing, logs and block violations checked at the same time?

Yes.  Please note:

  • When blocking is checked the selected tests will block the user for the duration of the cache.
  • If logging is also checked the event will be logged.
  • Cache is required for the DOS test.
  • If you are not using the DOS test you can turn off cache (set to 0) and the user will get blocked one (1) time and then can get back on the site.


Quote from: lethal-danger on February 20, 2011, 10:33:40 AM
When I check the SQL Injection option, I get this error in my logs,

2: strpos() [<a href='function.strpos'>function.strpos</a>]: Empty delimiter

If you have the latest version, I have seen it several times after turning on the option.  It usually occurs when a visitor is halfway through being tested and the initial data is not populated.  The mod will work fine so do not worry.

If you see it several times it could be a bot testing.  Still, the mod will work.

Quote from: lethal-danger on February 20, 2011, 10:33:40 AM
Is that FF stopping the login attempts?

Also with that Proxy Blocker mod installed I had no incorrect login attempts and didn't notice any problems with members.

As soon as I uninstalled  Proxy Blocker I installed the Login Detector patch, and have already started getting incorrect login attempts again.

If a visitor is on the log (blocking enabled) FF has blocked the attempt.

Proxy blocker blocks a bunch of proxies but not everything.  If you use "Enable IP Validation" & "Review Proxy List" you will block proxies that are either misconfigured or loaded to attack your site.  It will also block some supposedly good proxies that are incorrectly configured.  I will be concerned with the latter because that means to me that the proxy could be compromised.  Some people have gotten all upset about it so I made it an option.

Properly set DOS protection will stop the high speed bots attempting to get passwords.  "SQL Injection", "Cross-Site Scripting" & "HTTP Header Attacks" will stop many other attacks.

Quote from: lethal-danger on February 20, 2011, 10:33:40 AM
I just started using mods and looking at forum protection the last couple days, since I've installed the following mods.  Let me know if you see any redundancies or conflicts...  I haven't seen any problems in the logs atm.

Proxy Blocker
Forum Firewall
Login Security
Hide Info from other guests
Stop Spammer
Hide SMF version
Stop Forum Spam
Anti bot: Unrecognizable form
Add Honey Pot to track IP
httpbl

I just completed a re-write of the Bad Behavior mod.  It is an extremely fast mod that has been around for a long time.  It is the #1 means of spam prevention for many content management systems like WordPress.  It will be a nice addition to the list.  None of its tests are duplicated in FF.

Kindred

I will note... hide forum version is not actually any sort of protection and serves no actual purpose
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

MCK

butchs, thanks for your continued effort in keeping this mod up to date and meeting your user needs. In moving through a few versions I observed an ongoing need to uninstall, reinstall, re-apply a small fix for credits which gets a little tedious after a while.


  • Could you kindly make the mod update-friendly so one could install new version over old without uninstalling?

  • If possible could you include perhaps a check box to control whether or not the credits are shown? It would be up to the person to honor your licensing of course but this is not so much different than how it is now if only a little more manual & tedious.

Thanks once again for being so responsive. All the best.

MCK

Quote from: Arantor on February 20, 2011, 09:28:09 PM
Quote: Could you kindly make the mod update-friendly so one could install new version over old without uninstalling?

The only downside is that it makes maintaining the package so much more work, it might be convenient for the end user but in practice it can easily near double the development work.

Thanks for the insight. Didn't know that. Is that a one time impact or ongoing?

MCK

Quote from: Arantor on February 20, 2011, 09:33:30 PM
Quote: Thanks for the insight. Didn't know that. Is that a one time impact or ongoing?

Oh, ongoing. You have to prepare a list of the changes between versions as well as the changes from SMF base, then you get into the realms of having to have upgrades between upgrades, e.g. mod 1.0.1 to mod 1.0.2 to mod 1.0.3 - all in one package. It gets messy, and can easily break - it's just cleaner to push for an uninstall between versions in all honesty.

Thanks. I understand this better now.


Blade_Runner

Under Admin, Packages-Browse Packages, it shows that I have version 1.0.5. However, the zip file on my system is 1.0.6. I cannot uninstall it now. Each time I uninstall, I get more than 10,000 error messages like the following. How can I uninstall it?

----------------------------------------------------------------------------------------------
http://modcarclub.com/forums/index.php?action=admin;area=packages;sa=uninstall2;package=ForumFirewall_1.0.6.zip;pid=157
2: feof(): supplied argument is not a valid stream resource
File: /home/newton18/public_html/modcarclub.com/forums/Sources/Subs-Package.php
Line: 2781
----------------------------------------------------------------------------------------------

http://modcarclub.com/forums/index.php?action=admin;area=packages;sa=uninstall2;package=ForumFirewall_1.0.6.zip;pid=157
2: fread(): supplied argument is not a valid stream resource
File: /home/newton18/public_html/modcarclub.com/forums/Sources/Subs-Package.php
Line: 2782

butchs

Not sure what is going on there but try turning off the mod before you uninstall.  As far as I understand none of the errors you list have anything to do with the mod.  Maybe there is another mod that was installed afterwards that needs to be removed first?

If you still have issues you can replace the "Subs-ForumFirewall.php" and "ForumFirewall.english.php" (or -utf8 if you use them) files to get the upgrade.
;)

butchs

Quote from: MCK on February 20, 2011, 09:36:03 PM
Thanks. I understand this better now.

The last change was made just as I was getting ready to go to bed last night.  So I had no time to make a revision list, not that anyone else does anyway.  :o  Lou let me have access to his forum, I performed some tests and I think I finally found the problem with all those messed up IPs.  So I rushed out a revision...  Thank you Lou!
:)