Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM

butchs

Quote from: awolexpat on January 11, 2015, 11:16:20 PM
Logging was already enabled but I also noticed that both the Enable Testing and Block Violations boxes were ticked, so I have now unticked the latter,

Not recommended... Both should be checked for the mod to work.

Not sure about your errors after the fix, could be bots probing for weaknesses.  Could be hitting issues with other parts of SMF or whatever...  I find it hard to believe you are getting the 1 error since we removed your code.  Sounds like cache to me...  Maybe I need more info...  Maybe email or pm me logs...

You need to enable cookies, java and lower your security for the challenge to work.  Otherwise how else can I tell you are human.  Some bots turn off cookies and java!  There are just so many behind the scenes tests going on behind the challenge to confirm you have good intent...

Quote from: awolexpat on January 11, 2015, 11:16:20 PM
border: solid .1em #white;
background: #white;

Oh gosh...  Maybe removing # before the color will work for you?  Delete it, do not add a space.

Quote from: awolexpat on January 11, 2015, 11:16:20 PM
As a related issue, when I log out of the forum I am taken to the challenge page as well - is this correct behavior? I would rather the members were taken to the home page when they log out.

Sounds right when SMF is not logging your IP as Admin.

Quote from: awolexpat on January 11, 2015, 11:16:20 PM
I cleared my browser cache as well just in case

No no no...  SMF Forum cache (do a search).  If you use Cloudflare you have to reset that cache too.  Possibly your site's cache...  That is why the errors are not going away and the challenge images are not displaying...

I have limited time so if I did not answer everything at least I tried.
::)


I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

awolexpat

butchs,

You are right, the errors have stopped now, so it must have been the cache, which I have cleared anyway now.

I already tried changing #white to #ffffff which I thought should have worked but nothing changed - however at that point I hadn't cleared the cache so I tried again after clearing the cache and it was still the same. I doubt it will make any difference but I will change that to just 'white', just in case.

I have just reactivated Block Violations so we will see what happens now. Visitor logs are still filling up and I don't know if this is significant but every single one of them (2540 in 24 hours - is that a lot?) has an IP address of 0.0.0.0 and I know at least some of them were me. Still nothing in Challenges logs. Incidentally, if wanted to clear the logs how would I do it?

One other query i have is that on a failed challenge the system takes me to the Honeypot link I have filled in on the Bad Behaviour mod - is that the correct behaviour?

One final issue has cropped up, that isn't a problem for me as such, but I think will be for you, is that all the credits for your mod and others I use, as well as the SMF one have gone from my footer, but I don't know when this happened - I don't think it has anything to do with your mod but i thought I ought to mention it in case it does. I have just looked with the default theme and they do appear there so I will have to look at my theme files; when I installed your mod there was an error relating to the footer credit which required me to manually edit but I am pretty certain I made the edit correctly, but clearly this is the first place for me to check. I just wanted to assure you that I am not deliberately trying to not credit you and others for your work!

Thank you for your help.

butchs

Quote from: awolexpat on January 12, 2015, 10:30:57 PM
I have just reactivated Block Violations so we will see what happens now. Visitor logs are still filling up and I don't know if this is significant but every single one of them (2540 in 24 hours - is that a lot?) has an IP address of 0.0.0.0 and I know at least some of them were me. Still nothing in Challenges logs. Incidentally, if wanted to clear the logs how would I do it?

0.0.0.0 is default for a blank IP, possibly a sloppy proxy.  What happens when you un-check "Review Proxy List"?

Another reason would be running cloudflare without the cloudflare mod for SMF.

Quote from: awolexpat on January 12, 2015, 10:30:57 PM
One other query i have is that on a failed challenge the system takes me to the Honeypot link I have filled in on the Bad Behaviour mod - is that the correct behaviour?

Yes.

Quote from: awolexpat on January 12, 2015, 10:30:57 PM
One final issue has cropped up, that isn't a problem for me as such, but I think will be for you, is that all the credits for your mod and others I use, as well as the SMF one have gone from my footer, but I don't know when this happened

Most likely another mod.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

awolexpat

OK thanks for those answers; I have cleared up the footer issue, which while I don't know exactly why, it had something to do with me wanting to have the header remaining visible at all times on the Blackhead theme and have the rest of the page scroll beneath it, which I did with CSS; I have now had to fix the footer to the bottom of the screen and also make it bigger because I have so many mods that require a footer credit. Not your issue I know but just wanted to clear it up.

Review Proxy List was already unchecked. I will look into the Cloudflare issue - I was running it at one point but then I changed hosts, and while it is available with my new host I don't think I have set it up with them, but it may have been done automatically when my site was transferred. If it is on I will go to the mod you mention.

However I spoke too soon on the errors - the line 135 error has started again (about 80 in the last 24 hours) - any suggestions? And the challenge page is still not displaying correctly, in that the 'Enter Forum' and 'Cancel' text is not displaying and the box containing that text is invisible, while all the possible box choices become visible on hover. I made the changes in CSS discussed but no change in behaviour. This is the same with the default theme and my theme. I also tried highlighting the elements of that page to see if the text became visible but nothing is showing. I have attached a screenshot to illustrate with the default theme.

butchs

How could you possibly get errors for code that is not there?  Either the change did not take or there is a cache that you do not know about.  I have lost count for the number of people complaining that something did not work because of unknown site/ proxy settings.  I can not help you until you get my fix working.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Mastering

Hi butchs

A fanatic mod and thank you for creating it, getting it approved, and sharing it.

I am unable to find the answer via search and I am sure that this would have been answered before: 

I do not want to lock myself out before I switch on Block Violations but I am receiving: Invalid Admin IP: Repeated! and Hack: Repeated! in my visitors logs.  These are from my internet and phone connection and hence are trustworthy. 

I should not be concerned as these appear to be normal logs and I will be ok when I switch on Block Violations?


 

awolexpat

Quote from: butchs on January 14, 2015, 05:36:14 PM
How could you possibly get errors for code that is not there?  Either the change did not take or there is a cache that you do not know about.  I have lost count for the number of people complaining that something did not work because of unknown site/ proxy settings.  I can not help you until you get my fix working.

You're definitely asking the wrong person as regards how errors can appear for code that shouldn't be there! However I have now discovered something that could be the cause; when I changed hosts I (wrongly) assumed that everything would get transferred over, but I have now found out that Cloudflare was still being operated under my old host, so i have now remedied that. Following that I have cleared the cache at Cloudflare. I will report back once I see the result of doing that.

awolexpat

butchs,
Thanks for your attempts to help me but I have given up; the challenge page won't display correctly and the errors are still appearing after clearing the forum cache and the cloudflare one. I have spent too long trying to fix this and the issue with the challenge page is going to become irritating for my users who often want to browse the forum without logging in so I have uninstalled it. I will keep an eye on this topic though in case some kind of solution crops up but I am guessing there must be some sort of conflict with something else.

Mastering

Quote from: Mastering on January 14, 2015, 08:07:27 PM
I am unable to find the answer via search and I am sure that this would have been answered before:

I do not want to lock myself out before I switch on Block Violations but I am receiving: Invalid Admin IP: Repeated! and Hack: Repeated! in my visitors logs.  These are from my internet and phone connection and hence are trustworthy. 

I should not be concerned as these appear to be normal logs and I will be ok when I switch on Block Violations?


I found the answer - It locked me out  :(    I reset the phpadmin and changed "forumfirewall_enable" to zero

Therefore how do I fix the Invalid Admin IP: Repeated! and Hack: Repeated!?  The reason for the lock out was due to my external IPs connection

dougiefresh

I need to file a bug report about this mod.

I have a forum at http://www.xptsp.com, in which the webpages are run by the forum software by way of some coding I've done to convert posts to webpage material.  When I am logged out, I get this message:
Quote
Warning: file_put_contents(/ff_493c90325e88b2052b90b73489cf0d9994e241e8f34eeadc.php) [function.file-put-contents]: failed to open stream: Permission denied in /home/*******/public_html/site/board/Sources/Subs-ForumFirewall.php on line 1619
I traced this issue back to SSI.php, which my site uses to display the webpages.  It needs the following changes to SSI.php to get rid of this error message:
Code (Find)
require_once(dirname(__FILE__) . '/Settings.php');
Code (Add After)
// Make absolutely sure the ffcache directory is defined.
$ffcachedir = $boarddir . DIRECTORY_SEPARATOR . 'ffcache';


Hope this helps someone.....

Mastering

Quote from: Mastering on January 15, 2015, 08:00:52 PM
Quote from: Mastering on January 14, 2015, 08:07:27 PM
I am unable to find the answer via search and I am sure that this would have been answered before:

I do not want to lock myself out before I switch on Block Violations but I am receiving: Invalid Admin IP: Repeated! and Hack: Repeated! in my visitors logs.  These are from my internet and phone connection and hence are trustworthy. 

I should not be concerned as these appear to be normal logs and I will be ok when I switch on Block Violations?


I found the answer - It locked me out  :(    I reset the phpadmin and changed "forumfirewall_enable" to zero

Therefore how do I fix the Invalid Admin IP: Repeated! and Hack: Repeated!?  The reason for the lock out was due to my external IPs connection

I have switched off all IP Address options in the forumfirewall but am still receiving Invalid ip: Repeated! in the visitors logs; and keep getting logged out of my forum

Any advice with my misconfiguration

butchs

Quote from: awolexpat on January 15, 2015, 12:49:23 AM
butchs,
Thanks for your attempts to help me but I have given up...

I do my best to help but I am not perfect.  Just turn off "Challenge Failed IP's" and wait until I upgrade the mod. Reinstalling a mod will reset the forum cache, then you reset CF and all changes will take hold.  Until then I need some time to transfer, learn and set-up my programming tools on a new computer...   Then I will play with Chrome and determine if there is a issue.  My list of household chores is starting to get short so I should be able to get back at it in a month.

Quote from: awolexpat on January 15, 2015, 12:49:23 AM
It needs the following changes to SSI.php to get rid of this error message:
Code (Find)
require_once(dirname(__FILE__) . '/Settings.php');
Code (Add After)
// Make absolutely sure the ffcache directory is defined.
$ffcachedir = $boarddir . DIRECTORY_SEPARATOR . 'ffcache';


Hope this helps someone.....

Your version may error log issues with the directory.  For a manual install you should make the following changes to SSI.php (which are included in
Code (find)
$cachedir;
Code (replace)
$cachedir, $ffcachedir;

Code (find)
loadTheme(isset($ssi_theme) ? (int) $ssi_theme : 0);
Code (add after)
// start ForumFirewall
require_once($sourcedir . DIRECTORY_SEPARATOR . 'ForumFirewall.php');
// end ForumFirewall

So my questions are:

  • Do you have a manual install?
  • Was the code above included in SSI?
  • If yes for #2, maybe I need to change the location, what version of SMF are you using?

Quote from: Mastering on January 16, 2015, 06:23:52 PM
Any advice with my misconfiguration

Instructions state that you test the mod and ensure there are not forum members being blocked before enabling blocking.

Try to un-check "Block Violations".
Look at your visitors log and find out the hack text before repeated and remove it from your settings.
Do you have "Review Proxy List" checked?  Does un-checking remove the violation?
Un-check "Enable Admin IP Confirmation".
Test for a few days before you re-check "Block Violations".

Between changes uninstall the mod, reinstall the mod and reset cloudflare cache.

If the error continues please post the first error.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Mastering

Quote from: butchs on January 17, 2015, 08:20:09 AM
Quote from: Mastering on January 16, 2015, 06:23:52 PM
Any advice with my misconfiguration

Instructions state that you test the mod and ensure there are not forum members being blocked before enabling blocking.

Try to un-check "Block Violations".
Look at your visitors log and find out the hack text before repeated and remove it from your settings.
Do you have "Review Proxy List" checked?  Does un-checking remove the violation?
Un-check "Enable Admin IP Confirmation".
Test for a few days before you re-check "Block Violations".

Between changes uninstall the mod, reinstall the mod and reset cloudflare cache.

If the error continues please post the first error

The error is still continuing

I do not have anything ticked in 'IP address', also as I am using a hosting company - I have no proxy.

I have uninstalled several times.  The IP address is showing to be 0.0.0.0 in the logs from my desktop and mobile phone connection hence why I decided to uncheck everything from 'IP address'

Any suggestions for the above?

I have spotted a bug.  The error logs will show a mistype password.  Another Administrator could view this and be smart enough to work out my password

dougiefresh

I've gotten logged out of my own forum, too, after enabling the "Block Violators" checkbox.  Had to go into my phpMyAdmin and change the setting just so I could get back online....  My users were locked out of my forum for about 3 hours during this issue....

Anyways, I got into the Visitors logs and everybody has the 0.0.0.0 IP address and there are 10,000+ entries (no, i didn't look at every single one, but page after page of 0.0.0.0 gets annoying)....  There is something really wrong here....

Mastering

Quote from: dougiefresh on January 19, 2015, 06:26:07 PM
I've gotten logged out of my own forum, too, after enabling the "Block Violators" checkbox.  Had to go into my phpMyAdmin and change the setting just so I could get back online....  My users were locked out of my forum for about 3 hours during this issue....

Anyways, I got into the Visitors logs and everybody has the 0.0.0.0 IP address and there are 10,000+ entries (no, i didn't look at every single one, but page after page of 0.0.0.0 gets annoying)....  There is something really wrong here....

Are you using proxy?

If not then it could be a bug when not behind a proxy and using a hosting company

However the password in clear text not good! and I like the mod a lot because it is logging DOS attacks 

butchs

I have well over 50,324 visits with no 0.0.0.0 IPs using Cloudflare.    dougiefresh already admitted his host is using cloudflare.  He needs to fix the "Visitor IP call to Proxy" and "Proxy Header ID" settings.

I will say this once again:
DO NOT ENABLE BLOCKING UNTIL AFTER YOU HAVE THOROUGHLY TESTED THE MOD AND ARE 100% SURE YOU AND YOUR MEMBERS WILL NOT GET BLOCKED!

You need to look at the first issue, read the mods help, read the first page of this thread, adjust settings and remove phrases that can trigger an event.  Test first!
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.
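
The proxy settings named in the post above decide which address the firewall records for each visitor. As an added example (not Forum Firewall's code), this PHP takes the visitor address from a proxy header only when the connection really comes from a trusted proxy, and returns null instead of a shared placeholder such as 0.0.0.0. Assumptions: the header is Cloudflare's CF-Connecting-IP, the proxy ranges are documentation placeholders, and the function names are hypothetical.

```php
<?php
// Added example, not Forum Firewall's code.
// Placeholder ranges (documentation networks): replace with the ranges
// your proxy or CDN publishes.
const TRUSTED_PROXIES = ['203.0.113.0/24', '2001:db8::/32'];

// True when $ip lies inside $cidr; handles IPv4 and IPv6.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // invalid input or mixed address families
    }
    $bytes = intdiv((int) $bits, 8);
    $rem   = (int) $bits % 8;
    if (strncmp($ipBin, $netBin, $bytes) !== 0) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

// Returns the visitor address, or null when none can be trusted.
// Hypothetical helper; $header is the $_SERVER key of the proxy's header.
function resolve_client_ip(array $server, string $header = 'HTTP_CF_CONNECTING_IP'): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            // Believe the header only because the peer is a known proxy.
            $fwd = trim((string) ($server[$header] ?? ''));
            return filter_var($fwd, FILTER_VALIDATE_IP) !== false ? $fwd : null;
        }
    }
    return $peer; // direct connection: ignore client-supplied headers
}

// Constructed sample requests.
$samples = [
    'via proxy'             => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_CF_CONNECTING_IP' => '198.51.100.7'],
    'proxy, header lost'    => ['REMOTE_ADDR' => '203.0.113.10'],
    'direct, forged header' => ['REMOTE_ADDR' => '192.0.2.55', 'HTTP_CF_CONNECTING_IP' => '10.0.0.1'],
];
foreach ($samples as $label => $server) {
    printf("%-22s %s\n", $label, resolve_client_ip($server) ?? 'unknown (do not block on this)');
}
```

When the result is null, log the request but skip IP-based blocking, so that a wrong proxy setting cannot record every visitor under one address.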

butchs

Quote from: Mastering on January 19, 2015, 06:43:31 PM
However the password in clear text not good! and I like the mod a lot because it is logging DOS attacks

No I am not going to try to locate a mistyped password and scramble it.  If you mistype and have multiple admins then you should change your password.  Try saving it in a file and copy and paste it.  One more thing, the mod will not log you for a mistyped password.  Most likely there is a phrase in one of the tests that should be removed (maybe your password).  Look at the first reason.  The log is intuitive.


I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

Here is an example reason:

      Bad Cookie: /CGI-BIN/VBOX_REDIRECT: Redirect!

Bad Cookie - This is where the issue was found.
Redirect - The phrase that caused the block that is located in the "XSS Events" list.

another one...

    Request Entity Attack: %2f!

Request Entity - The test.
%2f - the phrase in the "Request Entity Attacks" list.


I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Mastering

Quote from: butchs on January 19, 2015, 06:58:07 PM
Quote from: Mastering on January 19, 2015, 06:43:31 PM
However the password in clear text not good! and I like the mod a lot because it is logging DOS attacks

No I am not going to try to locate a mistyped password and scramble it.  If you mistype and have multiple admins then you should change your password.  Try saving it in a file and copy and paste it.  One more thing, the mod will not log you for a mistyped password.  Most likely there is a phrase in one of the tests that should be removed (maybe your password).  Look at the first reason.  The log is intuitive.

Please until we get to the bottom of this there is no work around for displaying a password in clear text

This part of my log:

0.0.0.0
Yesterday at 23:58:23
POST0: [Username is displayed] [password is displayed] 1 2: on 3: /forum/index.php?action=login2 HTTP/1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/6.2.2 Safari/537.85.11 http://www.myforumwebsite.com/forum/index.php?action=login2 [nofollow]
Invalid ip: Repeated!


butchs

To do it I would have to describable the SMF password and check the text.  This could slow things down.  Best solution is to delete the log (Remove All) after logging in or keep your cookies.

You need to find the things before "Repeated!".  Since you are hanging out here try visiting the forum at the "Protected by: Forum Firewall © 2010-2014" link.  Tell me the date and time you visited.  If you do not get a 0.0.0.0 block at my site then it is on your end.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.
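
The log excerpt discussed above stores the login POST body, password included. As an added example (not Forum Firewall's code), this PHP masks credential fields by name before an entry is stored, which needs no password comparison. Assumptions: the field names in SENSITIVE_KEYS match what your forum's login and registration forms post, and the function names and JSON log layout are hypothetical.

```php
<?php
// Added example, not Forum Firewall's code.
// Assumption: these POST field names carry secrets on your forum.
const SENSITIVE_KEYS = ['passwrd', 'passwrd1', 'passwrd2', 'hash_passwrd', 'password'];

// Return a copy of $post that is safe to store: secrets masked, other values
// stripped of control characters and capped so a request cannot forge log lines.
function redact_for_log(array $post, array $sensitive = SENSITIVE_KEYS): array
{
    $safe = [];
    foreach ($post as $key => $value) {
        if (in_array(strtolower((string) $key), $sensitive, true)) {
            $safe[$key] = '[redacted]';
        } elseif (is_array($value)) {
            $safe[$key] = redact_for_log($value, $sensitive);
        } else {
            $clean = preg_replace('/[\x00-\x1F\x7F]/', ' ', (string) $value);
            $safe[$key] = substr($clean, 0, 200);
        }
    }
    return $safe;
}

// Build the stored log entry. Run the firewall's phrase tests on the raw
// request first; only what gets written to the log passes through here.
function build_log_entry(string $ip, string $uri, array $post, string $reason): string
{
    return json_encode([
        'ip'     => $ip,
        'uri'    => $uri,
        'post'   => redact_for_log($post),
        'reason' => $reason,
    ], JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
}

// Constructed sample: a login attempt like the one in the log excerpt above.
$post = [
    'user'           => 'exampleadmin',
    'passwrd'        => 'Mistyped-Secret1',
    'cookielength'   => '60',
    'cookieneverexp' => 'on',
];
echo build_log_entry('198.51.100.7', '/forum/index.php?action=login2', $post, 'Invalid ip: Repeated!'), PHP_EOL;
```

Masking by field name does not cover a password typed into the username box by mistake, so access to the visitor log should still be limited to administrators who may see such data.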
