Hacking problem...

Started by Nodial, December 01, 2004, 02:17:45 PM


Nodial

I have a problem: a hacker uses a script to crash my server by sending a command in a loop (action=login2).
Is there a way to autoban an IP that tries to log in more than 5 times per second?
My provider can't help me with the firewall; they say I have to find a PHP solution to the problem ::)
Please, someone help me. :-[


| 6695035 | gamevolu | localhost | gamevolu_game1 | Sleep | 0 |

yabbse/index.php?PHPSESSID=b722bf89ad14de4770245784ed8d54c4&action=login2

About 250 times per second


Grudge

I assume you have tried banning them?

SMF does actually have protection against this - the problem is that anyone hammering any script is impossible to stop really without your host blocking them. See, even if SMF does ban them, it still has to load up at least a table of information and a lot of files to get to that position (As is common on all software), and those loads will be enough to cause you massive server problems. If you can find out the users IP (It should be in the error log, as it will be reporting an error), then as a short term fix at the top of index.php you could write:

if ($_SERVER['REMOTE_ADDR'] == '35.36.75.23')
  die('nasty person');

Where the IP is their IP.
I'm only a half geek really...

Nodial

Thanks Grudge,
I already had this problem last month; then the nasty person left me in peace after a week of attack.
The problem is that he changes IP (proxy) when the one discovered is banned by the provider, so a good thing would be to autoban him every time he tries.
...there must be a solution  :-\

Oldiesmann

First, try banning that IP address from your control panel. In CPanel, log in and then click on "IP Deny Manager" and enter their IP address. That will ban them from accessing anything on your site.

Next, look up the IP address on dnsstuff.com ("IP Whois"), and ban that hostname (unless it's from a widely used ISP like AOL) as well.

Finally, report this idiot to that ISP...

Download your server's access log. Go through and copy all entries from that IP address and paste them into a new text file and save this file.
Go through your server's error log and your board's error log and see if there are any error messages originating from that IP address. If so, copy these into that text file as well.

Send an email to the ISP and copy all the information from the text file into this message. If you have a lot of information, then just copy a portion of it and tell them you've got the entire log details if they need more info.

You can also find out who's hosting the script and complain to them. Unless that host caters to hackers, they will probably be more than happy to shut off this guy's account. If they give you any problems, tell them you'll be more than happy to report them to the FTC, IANA (the group in charge of handing out IP addresses) and anyone else who might be interested in what they're up to...

You should also discuss this with your host - your host might be able to do more to help stop this idiot.

While it would be nice to be able to ban them if they tried to get at something more than 5 times a second, this wouldn't work very well because SMF can't instantly load the information.
Michael Eshom
Christian Metal Fans

Trekkie101

I can see their host being bothered by being reported. Why not write a script that fights back, like one that sends useless info in huge chunks? Just move your site to a different directory and update the settings, then I would like to see what they enjoy doing, with a new 5mb download every 5 seconds. Either that or get a hitman hacker that would kill their script and their computer. -LOL

no, but report it to their ISP

Christian Land

It's quite easy to get rid of those kinds of guys...

All you need is a piece of code that does the following:

1. count the number of entries in "log_errors" with the user's IP in the last 60 seconds
(at least if that guy's access to your board generates errors - otherwise you must log a timestamp + user IP in a different table)
2. if the number of hits exceeds a certain amount (for example 60), add his IP to a .htaccess file (deny from 123.123.123.123)
(3. delete all old entries in the log table if you're not using log_errors)

That way, a user is blocked permanently from accessing your site if he messes with your board... the only drawback is (besides probably blocking proxy servers ;D) that you have to clean up the .htaccess file from time to time ;D The nice thing about using .htaccess is that later requests from that user aren't even passed to your forum but are blocked as soon as the webserver sees their IP ;D

Nodial

I need a solution like Grudge's, but it should be able to spot the IP of the person and autoban him, like this:

This should be added where action login2 is called, so if it's called from the same IP more than once in a second then it should be autobanned.
Is it possible to implement a thing like this in PHP? (I can't code in PHP and I don't know where to add the code lines.)

lastIP and lastTime should be global variables.

    if (lastIP == GETpersonIP() and GETTime() < lastTime + 1sec)
         BAN lastIP;
    lastIP = GETpersonIP();
    lastTime = GETTime();


Let me know if it's possible,
thanks.

Nodial

Quote from: SnowCrash on December 01, 2004, 05:13:55 PM
It's quite easy to get rid of those kinds of guys...

All you need is a piece of code that does the following:

1. count the number of entries in "log_errors" with the user's IP in the last 60 seconds
(at least if that guy's access to your board generates errors - otherwise you must log a timestamp + user IP in a different table)
2. if the number of hits exceeds a certain amount (for example 60), add his IP to a .htaccess file (deny from 123.123.123.123)
(3. delete all old entries in the log table if you're not using log_errors)

That way, a user is blocked permanently from accessing your site if he messes with your board... the only drawback is (besides probably blocking proxy servers ;D) that you have to clean up the .htaccess file from time to time ;D The nice thing about using .htaccess is that later requests from that user aren't even passed to your forum but are blocked as soon as the webserver sees their IP ;D

That would be nice too, mate!
...But I don't know how to code those lines :-\
Can someone help me with that please? (thanks in advance)

Grudge

Here's some code I'm writing as I'm thinking, so watch for errors. Create a table called smf_login_attempts with the variables IP, varchar(22), and logTime, int(11). Then add the following code just after loadSettings in index.php.


if (isset($_GET['action']) && $_GET['action'] == 'login2')
{
  // Test if they are already banned
  if (!empty($modSettings['loginBanned']))
  {
    $modSettings['loginBanned'] = explode('#|#', $modSettings['loginBanned']);
    foreach ($modSettings['loginBanned'] as $ip)
      if ($ip == $_SERVER['REMOTE_ADDR'])
        die('Hacker!');
  }
  else
    $modSettings['loginBanned'] = array();
  // Check they shouldn't be banned (drop attempts older than 20 seconds, then count the rest for this IP)
  db_query("DELETE FROM smf_login_attempts WHERE logTime < " . (time() - 20), __FILE__, __LINE__);
  $request = db_query("SELECT COUNT(*) AS totalEntries FROM smf_login_attempts WHERE IP = '$_SERVER[REMOTE_ADDR]'", __FILE__, __LINE__);
  list ($totalTries) = mysql_fetch_row($request);
  mysql_free_result($request);
  // Trying too hard?
  if ($totalTries > 30)
  {
    $modSettings['loginBanned'][] = $_SERVER['REMOTE_ADDR'];
    $modSettings['loginBanned'] = implode('#|#', $modSettings['loginBanned']);
    updateSettings(array('loginBanned' => "'" . $modSettings['loginBanned'] . "'"));
  }
}


That was just written in about 3 minutes, so please don't hold errors against me. This could obviously be expanded to use with Snowcrash's idea, which is actually a damn good idea at that! Basically this code won't stop all the loading as it needs the settings to be loaded, hence this would be best used with the idea of editing the .htaccess file in mind. To do this you'd basically remove the $modSettings stuff, and at the end if tries > 30 edit .htaccess and stick the user's IP address at the bottom.

Nodial

Before all, thanks a lot for the help :)

Then, in index.php there is this line:

// Load the settings from the settings table, and perform operations like optimizing.
reloadSettings();

1) should i add your code after it?

2) How to create a table called smf_login_attempts with the variables IP, varchar(22), and logTime, int(11) ?

Grudge

1) Yes
2) Use phpMyAdmin, create a new table in your database, and add two columns with the names and types like I said in my post.

Nodial

Quote from: Grudge on December 01, 2004, 06:48:55 PM
1) Yes
2) Use phpMyAdmin, create a new table in your database, and add two columns with the names and types like I said in my post.

Thanks a lot mate,
I'm using your code right now, I really hope it works, I'll let you know!

THANKS AGAIN 8)

P.S.

SnowCrash, it would be nice to implement your idea too; can you code something to add in index.php too so I can live in peace with the forum? :D :D :D

Nodial

My provider just asked me if there is a primary key to define;
which is the right thing to implement?


CREATE TABLE `smf_login_attempts` (
  `IP` VARCHAR( 22 ) ,
  `logTime` INT( 11 )
) TYPE=MyISAM;

---------------------------------------------------------------------

CREATE TABLE `smf_login_attempts` (
  `IP` VARCHAR( 22 ) ,
  `logTime` INT( 11 ),
   PRIMARY KEY  (IP)
) TYPE=MyISAM;


Oldiesmann

You don't really need a primary key in this case, and making the IP address the primary key will only cause problems because each record in a primary key column must be unique.

Christian Land

Grudge's idea is nice, but there are multiple DB-queries performed before the SMF-banning actually blocks the user... so I don't think that it will help much to add a SMF-based banning if someone floods your server with requests...

Oldiesmann

The reason that code won't work is because Grudge forgot one crucial step - logging the login attempts.

Grudge

Umm.. what is wrong with that code? The whole point is it bypasses the loading of banning and theme tables. It is designed purely to stop some of the table loading and is specific to the situation the user mentioned (i.e banging on login2). It is only run on login2 calls so won't slow down normal users.

Snowcrash, as I said this could be improved vastly by making my code write the htaccess file, but I don't know enough about htaccess to be able to do that (I know nothing about htaccess!). The code would look like this:

if (isset($_GET['action']) && $_GET['action'] == 'login2')
{
  // Check they shouldn't be banned (drop attempts older than 20 seconds, then count the rest for this IP)
  db_query("DELETE FROM smf_login_attempts WHERE logTime < " . (time() - 20), __FILE__, __LINE__);
  $request = db_query("SELECT COUNT(*) AS totalEntries FROM smf_login_attempts WHERE IP = '$_SERVER[REMOTE_ADDR]'", __FILE__, __LINE__);
  list ($totalTries) = mysql_fetch_row($request);
  mysql_free_result($request);
  // Trying too hard?
  if ($totalTries > 30)
  {
    // PUT IN CODE TO APPEND A BAN TO HTACCESS HERE!
  }
}

If you put the file open and write stuff in place of the comment then you could make the table work on htaccess. The reason I'm using a table is because the script may be bypassing sessions somehow.

The table doesn't need a primary key...
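SnowCrash's three steps (log the attempt, count attempts in a window, append a deny line to .htaccess) and the branch Grudge left as a comment above, worked through as an added example that is not code from this thread or from SMF. It assumes a PDO handle in place of SMF's db_query (in-memory SQLite in the demo so it runs offline), Grudge's smf_login_attempts table, and a writable .htaccess path supplied by the caller; the IPs and timestamps are constructed.

```php
<?php
// Added example (not SMF's code, not code from this thread): per-IP login
// throttle built from SnowCrash's steps and Grudge's smf_login_attempts
// table. Uses PDO in place of SMF's db_query; the table schema matches
// Grudge's post (IP varchar(22), logTime int).

// Log this attempt, prune entries older than $window seconds, and return how
// many attempts this IP made inside the window (the attempt just logged counts).
function record_and_check_attempt(PDO $db, string $ip, int $now, int $window = 20): int
{
    $ins = $db->prepare('INSERT INTO smf_login_attempts (IP, logTime) VALUES (:ip, :t)');
    $ins->execute([':ip' => $ip, ':t' => $now]);

    $del = $db->prepare('DELETE FROM smf_login_attempts WHERE logTime < :cutoff');
    $del->execute([':cutoff' => $now - $window]);

    $cnt = $db->prepare('SELECT COUNT(*) FROM smf_login_attempts WHERE IP = :ip');
    $cnt->execute([':ip' => $ip]);
    return (int) $cnt->fetchColumn();
}

// Append "deny from <ip>" to .htaccess so Apache refuses later requests before
// PHP (and the SMF settings/ban/theme queries) ever run. Apache 2.2 syntax,
// available on 2.4 through mod_access_compat.
function ban_in_htaccess(string $htaccessPath, string $ip): bool
{
    // The address is about to be written into server config: accept only a
    // syntactically valid IP, never a raw header value.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false)
        return false;
    $existing = is_file($htaccessPath) ? file_get_contents($htaccessPath) : '';
    $line = 'deny from ' . $ip . "\n";
    if (strpos($existing, $line) !== false)
        return true;                               // already listed; keep the file tidy
    // With "order allow,deny", a matching deny overrides "allow from all"
    // wherever the deny line sits, so appending at the end is enough.
    $header = stripos($existing, 'order allow,deny') === false
        ? "order allow,deny\nallow from all\n" : '';
    // LOCK_EX: two login2 hits arriving together must not interleave their writes.
    return file_put_contents($htaccessPath, $header . $line, FILE_APPEND | LOCK_EX) !== false;
}

// Stand-alone run: in-memory SQLite stands in for MySQL and a temp file for
// .htaccess; the IPs (RFC 5737 documentation ranges) and timestamps are constructed.
function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE smf_login_attempts (IP VARCHAR(22), logTime INT)');
    $htaccess = tempnam(sys_get_temp_dir(), 'ht');
    $t0 = 1101900000;
    $banned = false;

    // 40 login2 hits from one IP within one second, like the 250/s in the first post.
    for ($i = 0; $i < 40; $i++) {
        if (record_and_check_attempt($db, '203.0.113.9', $t0) > 30)
            $banned = ban_in_htaccess($htaccess, '203.0.113.9') || $banned;
    }
    // A normal user a few seconds later is counted on its own and never reaches the limit.
    $normalTries = record_and_check_attempt($db, '198.51.100.4', $t0 + 5);
    // 25 seconds later the attacker's rows have aged out of the window, but the
    // .htaccess entry (and so the ban) persists until someone cleans the file up.
    $afterWindow = record_and_check_attempt($db, '203.0.113.9', $t0 + 25);

    $contents = file_get_contents($htaccess);
    unlink($htaccess);
    return [$banned, $normalTries, $afterWindow, $contents];
}

list($banned, $normalTries, $afterWindow, $contents) = demo();
echo 'attacker banned: ' . ($banned ? 'yes' : 'no') . "\n";
echo "normal user attempts in window: $normalTries\n";
echo "attacker attempts counted after window expired: $afterWindow\n";
echo "resulting .htaccess:\n$contents";
```

In a real deployment the web server user needs write access to .htaccess, which is itself a risk worth limiting to this one file.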

[Unknown]

Add this table in phpMyAdmin or whatever: (replace {$db_prefix} with your prefix.)

CREATE TABLE {$db_prefix}evil_bots (
  ip char(16) NOT NULL,
  logTime int(10) unsigned NOT NULL default '0'
) TYPE=MyISAM;

Or better yet:

CREATE TABLE {$db_prefix}evil_bots (
  ip char(16) NOT NULL,
  logTime int(10) unsigned NOT NULL default '0'
) TYPE=HEAP;

And then, in index.php, find this:
$context = array();

Add right after it:

$result = db_query("
   SELECT COUNT(logTime) + 1
   FROM {$db_prefix}evil_bots
   WHERE ip = '$_SERVER[REMOTE_ADDR]'
      AND logTime > " . (time() - 1), __FILE__, __LINE__);
list ($clicks) = mysql_fetch_row($result);
mysql_free_result($result);

if ($clicks > 24)
   die;

db_query("
   INSERT INTO {$db_prefix}evil_bots
      (ip, logTime)
   VALUES ('$_SERVER[REMOTE_ADDR]', " . time() . ")", __FILE__, __LINE__);
db_query("
   DELETE FROM {$db_prefix}evil_bots
   WHERE logTime < " . (time() - 1), __FILE__, __LINE__);


This may cause a little more load, but it should save a lot of bandwidth and load in cases where bad things are happening.  I wrote this initially for YaBB SE, and this is a rewrite of it for SMF.

Hope this is helpful.

-[Unknown]

Pause

I'll admit I haven't had any problems with this sort of thing, but I've added it anyway just in case... Cheers [Unknown]  ;D
"You and me, inside that box, now." - The Doctor

Bite Fusion
Fusion Web Network
VG Fusion
Wrestling Fusion + Wrestling Fusion Forums

Nodial

Hi [Unknown],
Does your solution have to work alone or together with Grudge's?

Thanks.

Oldiesmann

[Unknown]'s code will work by itself.

Grudge - I just said that your code never logs the login attempts. I didn't say anything about loading the themes or banned tables. It's a simple thing. Putting an insert query right before the delete query like [Unknown] did would make the code you posted work just fine.

Trekkie101

Should this not maybe be built into SMF, to stop things like this happening in the first place? It would just be annoying to have to see this.

Pause

Quote from: Trekkie101 on December 03, 2004, 09:19:25 AM
Should this not maybe be built into SMF, to stop things like this happening in the first place? It would just be annoying to have to see this.
You've actually got a point there, maybe it should be integrated into the normal SMF installation (ready for 1.0 Final...)
*looks towards the developers with a questioning look...*

Oldiesmann

If it can be done without compromising security or slowing SMF down in any way, I'm all for it. That will probably make SMF even more secure than it already is, which is great :)

Trekkie101

This actually proves that help from non-PHP-coding people can actually help; we come up with the requests that seem mad but help in the long run. Plus I don't think writing a BB would ever get my attention, there's too much coding; I get bored writing HTML. I love WYSIWYG editors, they are so cool, especially one I have for learning PHP, but it's not quite WYSIWYG.

Grudge

Quote from: Oldiesmann on December 03, 2004, 08:54:24 AM
[Unknown]'s code will work by itself.

Grudge - I just said that your code never logs the login attempts. I didn't say anything about loading the themes or banned tables. It's a simple thing. Putting an insert query right before the delete query like [Unknown] did would make the code you posted work just fine.
Oh my... that was gross stupidity on my part - sorry I didn't get what you meant first time! Of course the code should be:

if (isset($_GET['action']) && $_GET['action'] == 'login2')
{
  // Test if they are already banned
  if (!empty($modSettings['loginBanned']))
  {
    $modSettings['loginBanned'] = explode('#|#', $modSettings['loginBanned']);
    foreach ($modSettings['loginBanned'] as $ip)
      if ($ip == $_SERVER['REMOTE_ADDR'])
        die('Hacker!');
  }
  else
    $modSettings['loginBanned'] = array();
  // Insert their info
  db_query("INSERT INTO smf_login_attempts (IP, logTime) VALUES ('$_SERVER[REMOTE_ADDR]', " . time() . ")", __FILE__, __LINE__);
  // Check they shouldn't be banned (drop attempts older than 20 seconds, then count the rest for this IP)
  db_query("DELETE FROM smf_login_attempts WHERE logTime < " . (time() - 20), __FILE__, __LINE__);
  $request = db_query("SELECT COUNT(*) AS totalEntries FROM smf_login_attempts WHERE IP = '$_SERVER[REMOTE_ADDR]'", __FILE__, __LINE__);
  list ($totalTries) = mysql_fetch_row($request);
  mysql_free_result($request);
  // Trying too hard?
  if ($totalTries > 30)
  {
    $modSettings['loginBanned'][] = $_SERVER['REMOTE_ADDR'];
    $modSettings['loginBanned'] = implode('#|#', $modSettings['loginBanned']);
    updateSettings(array('loginBanned' => "'" . $modSettings['loginBanned'] . "'"));
  }
}

Apologies for that Oldiesmann. Of course [Unknown]'s will work just as well - my code will probably help less without htaccess built in but would have less of an effect on the general forum speed as it only looks at login2

Oldiesmann

No problem...

PS - Happy Birthday :)

[Unknown]

There are concerns with this being built in, mainly:

1. Firewall software should block such DoS attacks (that's what this is.)
2. It adds notable load and queries to every page view (personally, I would add this to the Fusebox mod and only have it happen when the load is high-ish...)
3. May cause table crashes (remember log_clicks?!) and take down forums completely if the server restarts.

-[Unknown]

Trekkie101

Oh I thought it only came on if the load was high, but if not maybe it should be included in the fusebox mod. Also the fusebox mod, if I'm not wrong, shuts down certain features if the load increases, so why not have something like that built in? Then SMF would be really host friendly, not that it's not, but then I don't think anyone would DoS attack my forums, no-one on it knows how. I think I know of a way using a PHP script that's supposed to be used to increase hit counters.

[Unknown]

Because the Fusebox mod only works on Linux or UNIX servers.  If I could get it to work on Windows I would be quite happy, but I'm afraid... I just don't know how.

-[Unknown]

Ben_S

Fusebox would be a nice addition for future versions. I imagine the vast majority of installs are on *nix and it could just be hidden on Windows, although as long as it keeps being maintained as a mod, I guess it makes no difference as it's 2 seconds to install.
Liverpool FC Forum with 14 million+ posts.

godboko

Glad you don't want to add this to the system as a whole, really, why could your provider not block the attacks? If they are on a half way ok network they should have hardware firewalls that would block the attacks. And most unix installs have firewall software.
Thank you,
Robert aka godboko

Trekkie101

Yeah most do, but it's nice to have that extra wall of defense, is it not? Just a help if you ever needed it; it's not doing any harm.

AceTW

Quote from: [Unknown] on December 03, 2004, 01:03:07 AM
Add this table in phpMyAdmin or whatever: (replace {$db_prefix} with your prefix.)

-[Unknown]


Sorry to bump this from so far back,  but I have a php-newb question about it.

In the above bolded part of this code, how exactly should that end up?

{$smf_forum}
or
{$smf_}
?

I have to ask since it's asking for the prefix, not the DB and it looks like it would need the DB name.

Kirby

"smf_"
without the quotes. just the database prefix you have installed SMF with. if you don't remember, you can check Settings.php or the admin panel.

AceTW

rgr that,  and many thanks!



<--- newb  :-\

AceTW

Well, after trying to implement this little fix, I ended up with a clean white page where the forum should be.


What could I have done wrong?  Followed directions to a tee...

kegobeer

Possibly a version conflict.  This was developed in 2004, and you are most probably using 1.0.5 or the new beta.  This may not be fully compatible, but it shouldn't output a blank page.  Have you retraced your steps and made sure you did everything?
"The truth of the matter is that you always know the right thing to do. The hard part is doing it." - Norman Schwarzkopf
Posting and you (Click "WATCH THIS MOVIE")

AceTW

Yup,  I put the original index.php back up,  and looked over the code in the modded one.  All 100% okay.




Since this is so old, could one of you code Gods see if anything needs to be updated in it?


Yes,  I'm grovelling...  :p

AceTW

Quick update...


I recopied the modded index.php into the forum directory,  and this time it worked.

Didn't change a thing,  but it worked.  ??? ??? ???


In any case,  thanks for the responses!!!

xtremecruiser

Just found this thread after a DoS search.  My site has been down 2 times this week from a DoS attack, and now for 16 straight hours :'(
I can even get a current backup to move to a new host >:(

THE BRA1N

Quote from: [Unknown] on December 03, 2004, 01:03:07 AM
Add this table in phpMyAdmin or whatever: (replace {$db_prefix} with your prefix.)

CREATE TABLE {$db_prefix}evil_bots (
  ip char(16) NOT NULL,
  logTime int(10) unsigned NOT NULL default '0'
) TYPE=MyISAM;

Or better yet:

CREATE TABLE {$db_prefix}evil_bots (
  ip char(16) NOT NULL,
  logTime int(10) unsigned NOT NULL default '0'
) TYPE=HEAP;

And then, in index.php, find this:
$context = array();

Add right after it:

$result = db_query("
   SELECT COUNT(logTime) + 1
   FROM {$db_prefix}evil_bots
   WHERE ip = '$_SERVER[REMOTE_ADDR]'
      AND logTime > " . (time() - 1), __FILE__, __LINE__);
list ($clicks) = mysql_fetch_row($result);
mysql_free_result($result);

if ($clicks > 24)
   die;

db_query("
   INSERT INTO {$db_prefix}evil_bots
      (ip, logTime)
   VALUES ('$_SERVER[REMOTE_ADDR]', " . time() . ")", __FILE__, __LINE__);
db_query("
   DELETE FROM {$db_prefix}evil_bots
   WHERE logTime < " . (time() - 1), __FILE__, __LINE__);


This may cause a little more load, but it should save a lot of bandwidth and load in cases where bad things are happening.  I wrote this initially for YaBB SE, and this is a rewrite of it for SMF.

Hope this is helpful.

-[Unknown]

Bumping this to ask if anyone knows about it being compatible with 1.0.9. I'm trying to mitigate a DoS flood attack on our forum from a few different IPs but probably the same guy using proxies. I have banned the IPs through the forum but now I have over 70000 pages in the error logs of invalid login attempts. Any other suggestions would be appreciated.

Twisted Tristen

Pardon my novice intrusion but..... Might this be a search engine bot?

We found a simple two line fix.

the file name is robot.txt and is put in the public.html folder.

the show things looks like this:

User-agent: msnbot
Disallow: /

You can add more lines to include google or yahoo or any search engine that sends out bots

They are looking for meta files, or so I'm told
If they don't find them.. they keep trying

They are instructed to not look if they see robot.txt
its an automatic... all stop.

anyway.. i'm sure something this simple does not come close to resolving your issue.
But it's worth trying.. we did it and the attempts stopped.. Immediately.

Kool

Thanks for allowing me to share
Tristen
Twisted Tristen
Je ne regrette rien

kegobeer

Tristen,

No, this is not a bot.  DDoS attacks are very easy to spot as they quickly and easily overload the server.  The average search bot only connects several times (the largest number of concurrent connections I've seen is 14), compared to hundreds, if not thousands, of connections for a DDoS attack.

Your suggestion is most welcome, and probably will help most webmasters keep the annoying bots to a minimum (for those bots that actually respect robots.txt).

THE BRA1N

Any chance of updating the codes in this thread for 2.0 or should it be compatible with it?

SneakyWho_am_i

If you can submit and use .htaccess, I suggest you bring it online bit by bit.

#an example of blocking by ip in .htaccess - add salt to taste
order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all

First, just block everyone. This will allow you to tweak things. Then slowly shrink what you're blocking - tighten the noose - watch your logs. I reckon you can cut out the network or host that's doing it fairly quickly.
I say this because more than one person has complained about DOS in this thread.

Of course, if you're suffering DDOS from home computers infected with IRC backdoor things, then there's probably nothing you can do -- EXCEPT....

Try to dissuade people from using Internet Explorer. Lol. Sorry, I'm not using it to troll. I'm being serious. The Department of Homeland Security, of all things, advises people to stop using Virus Explorer. It's not a solution but it may be a part of a solution.

steighan

Quote from: SneakyWho_am_i on May 24, 2008, 07:39:13 PM
If you can submit and use .htaccess, I suggest you bring it online bit by bit.

#an example of blocking by ip in .htaccess - add salt to taste
order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all

First, just block everyone. This will allow you to tweak things. Then slowly shrink what you're blocking - tighten the noose - watch your logs. I reckon you can cut out the network or host that's doing it fairly quickly.
I say this because more than one person has complained about DOS in this thread.

Of course, if you're suffering DDOS from home computers infected with IRC backdoor things, then there's probably nothing you can do -- EXCEPT....

Try to dissuade people from using Internet Explorer. Lol. Sorry, I'm not using it to troll. I'm being serious. The Department of Homeland Security, of all things, advises people to stop using Virus Explorer. It's not a solution but it may be a part of a solution.

??? the whole post is basically useless, but that statement was kinda special :D
"Frequently wrong, but never in doubt"
