Bad Behavior for SMF mod

Started by butchs, April 12, 2010, 05:23:56 PM


butchs

Here is what is happening.  BB is loaded after the httpbl mod, and the httpbl mod (not associated with this mod) is allowing the bad guys to pass through, only to get blocked by this mod, BB.


:o
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

Quote from: packman on February 23, 2011, 02:20:05 AM
Quote from: butchs on February 22, 2011, 07:40:39 PM
badbehavior_httpbl_key
badbehavior_httpbl_threat
badbehavior_httpbl_maxage

httpbl_key is obvious, but the other two values aren't quite so obvious? The httpBL mod has two threat values and three values that might correspond to maxage, or maybe your values mean something completely different?

BB has only one for each.  You exceed the set point(s) and the visitor will get blocked.


  • badbehavior_httpbl_key:  http:BL Access Key obtained from Project Honey Pot
  • badbehavior_httpbl_threat:   Minimum Threat Level (25 is recommended)
  • badbehavior_httpbl_maxage: Maximum Age of Data (30 is recommended)

This is the Honey Pot Configuration for literally hundreds of thousands of BB installations throughout the world.  At this time I have no intention of expanding this feature beyond its default.
::)
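For readers wondering what those three settings act on: http:BL is queried over DNS and answers with an encoded A record, and the threat and maxage knobs are thresholds applied to that answer. The following is an added worked example (mine, not the mod's or Bad Behavior's code) that builds the query name, decodes the answer and applies the two thresholds the way I read them; the access key and addresses are placeholders and DNS is stubbed out with a constructed table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

HTTPBL_ZONE = "dnsbl.httpbl.org"

def httpbl_query_name(access_key: str, ip: str) -> str:
    """Build the name http:BL is queried for: <access key>.<IPv4 octets reversed>.dnsbl.httpbl.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # http:BL lists IPv4 addresses only
    return f"{access_key}.{'.'.join(reversed(octets))}.{HTTPBL_ZONE}"

@dataclass
class HttpblResult:
    days_since_last_activity: int   # second octet of the answer
    threat_score: int               # third octet, 0-255
    visitor_type: int               # fourth octet: 0 = search engine, otherwise bitmask 1|2|4

def parse_httpbl_answer(answer: str) -> HttpblResult:
    """Decode a 127.D.T.Y answer; a first octet other than 127 means the lookup itself failed."""
    octets = [int(o) for o in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"not an http:BL listing: {answer!r}")
    return HttpblResult(*octets[1:])

def should_block(result: Optional[HttpblResult], threat: int = 25, maxage: int = 30) -> bool:
    """Apply the two knobs the way I read them: block when the address is listed, was active
    within `maxage` days, and carries a threat score of at least `threat`. Type 0 (search engine)
    is never blocked, because for that type the third octet identifies the engine, not a threat."""
    if result is None or result.visitor_type == 0:
        return False
    return result.threat_score >= threat and result.days_since_last_activity <= maxage

def check_visitor(ip: str, access_key: str, threat: int, maxage: int,
                  resolve: Callable[[str], Optional[str]]) -> bool:
    """resolve(name) returns the A record as a string, or None for NXDOMAIN (address not listed).
    It is injected so the decision logic runs offline; live code would wrap a DNS client here."""
    answer = resolve(httpbl_query_name(access_key, ip))
    return should_block(None if answer is None else parse_httpbl_answer(answer), threat, maxage)

# Constructed answers standing in for live DNS. The key is a placeholder (real keys are issued by
# Project Honey Pot) and the addresses come from the 192.0.2.0/24 documentation range.
PLACEHOLDER_KEY = "abcdefghijkl"
FAKE_DNS = {
    f"{PLACEHOLDER_KEY}.1.2.0.192.{HTTPBL_ZONE}": "127.3.40.6",    # harvester|spammer, active 3 days ago
    f"{PLACEHOLDER_KEY}.2.2.0.192.{HTTPBL_ZONE}": "127.90.80.2",   # harvester, but last seen 90 days ago
    f"{PLACEHOLDER_KEY}.3.2.0.192.{HTTPBL_ZONE}": "127.1.1.0",     # type 0: a search engine crawler
}
```

With the recommended 25/30 settings the first address is blocked, the second is not (too old), and the third is never blocked because it is a search engine.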

Glasso

Hi butchs,

Thanks for this great mod.

I have Bad Behaviour installed but most connections from phones are blocked. Here is more detail:

ID: 90
IP: <IP reported correctly>
DATE: 2011-02-25 11:59:09
METHOD: GET
URI: /forum/
PROTOCOL: HTTP/1.1
HEADERS:
GET /forum/ HTTP/1.1
Connection: Keep-Alive, keep-alive
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,image/png,*/*;q=0.5
Accept-Charset: iso-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en;q=1.0,en;q=0.5
Cookie: <removed>; <removed>; has_js=1; PHPSESSID=<removed>; OAID=<removed>
Cookie2: $Version=1
X-Nokia-MusicShop-Version: 11.1014.15
X-Nokia-MusicShop-Bearer: GPRS/3G
x-wap-profile: "http://nds1.nds.nokia.com/uaprof/NN97-4r100-3G.xml"
Referer: http://<removed>.com/forum/
Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9
Host: <removed>.com
X-Forwarded-For: 10.12.159.128
Via: 192.168.1.79:8080 (TeleDNA 2.0)
User-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-4/12.0.110; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/525 (KHTML, like Gecko) BrowserNG/7.1.4
X-Network-Info: UDP, 10.12.159.128
Called-Station-Id: <removed>
X-Mms-SgsnIp: <removed>
X-Mms-SgsnMccMnc: 40473
X-Mms-Prepaid-Flag: N
X-MSISDN: <removed>
AGENT: Mozilla%2F5.0%20%28SymbianOS%2F9.4%3B%20Series60%2F5.0%20NokiaN97-4%2F12.0.110%3B%20Profile%2FMIDP-2.1%20Configuration%2FCLDC-1.1%29%20AppleWebKit%2F525%20%28KHTML%2C%20like%20Gecko%29%20BrowserNG%2F7.1.4
ENTITY:
KEY: a52f0448
DENIED REASON: Header 'Connection' contains invalid values
EXPLANATION: An invalid request was received. This may be caused by a malfunctioning proxy server or browser privacy software. If you are using a proxy server, bypass the proxy server or contact your proxy server administrator.
ERROR: 400


Can you please help? Thanks.

Kindred

hmmm...   these errors just started showing up today:


2: in_array() [<a href='function.in-array'>function.in-array</a>]: Wrong datatype for second argument
File: /....../Sources/bad-behavior/bad-behavior/roundtripdns.inc.php
Line: 27

Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

butchs

Quote from: Glasso on February 25, 2011, 02:20:45 AM
I have Bad Behaviour installed but most connections from phones are blocked. Here is more detail:

DENIED REASON: Header 'Connection' contains invalid values
EXPLANATION: An invalid request was received. This may be caused by a malfunctioning proxy server or browser privacy software. If you are using a proxy server, bypass the proxy server or contact your proxy server administrator.
ERROR: 400


Bad Behavior itself is extremely conservative, is used by a large number of web sites, has strong support, and does everything possible to prevent blocking valid users.

In extremely rare circumstances, Bad Behavior may block actual human visitors. Bad Behavior was designed to target robots, not people. If this happens, the profile presented by your browser matched that seen from actual malicious robots. In some cases, this is caused by over-aggressive personal firewall/browser privacy software. In other cases, this is caused by improperly configured Web proxy server software.

First, make a note of the technical support key and e-mail address shown on the error page. Then click the link to "fix it yourself" for suggestions on how you may be able to resolve the problem.

If you continue to have trouble, contact the e-mail address on the error page and be sure to provide the technical support key "a52f0448". This will allow the site administrator to tell you what you need to do to resolve the problem.

If you are the site administrator receiving a trouble report from a user, contact me and provide the technical support key and a copy of the logs which Bad Behavior stores in the database showing the IP address which was blocked. The core author will provide further assistance until the trouble is resolved.

For more information on how to diagnose a Bad Behavior blocking problem, see the Bad Behavior weblog entry on the topic.

butchs

Quote from: Kindred on February 25, 2011, 11:09:02 AM
hmmm...   these errors just started showing up today:

2: in_array() [<a href='function.in-array'>function.in-array</a>]: Wrong datatype for second argument
File: /....../Sources/bad-behavior/bad-behavior/roundtripdns.inc.php
Line: 27

I need to think about this some...

butchs

Kindred.  Try the attached and let me know if it solves the issue?

Kindred

immediate errors

8: Undefined index: badbehavior_roundtripdns
File: /home/fortyk/public_html/community/Sources/bad-behavior/bad-behavior/roundtripdns.inc.php
Line: 25

butchs

That line did not change from the last version (Bad Behavior 1.4.1).  Version 1.4.1 includes the new 'badbehavior_roundtripdns' modsetting.  So if you do not have the latest version, please update.  If you upgraded, please go to the settings page and hit save so that the modsettings will get saved into the mysql database.

The attached version should eliminate that in the future.  But it will not do anything unless the modsetting exists.

You may see an error burp if someone is online during the installation.  This happens when the file changes while it is being used.

Glasso

Quote from: butchs on February 25, 2011, 08:41:41 PM
Quote from: Glasso on February 25, 2011, 02:20:45 AM
I have Bad Behaviour installed but most connections from phones are blocked. Here is more detail:

DENIED REASON: Header 'Connection' contains invalid values
EXPLANATION: An invalid request was received. This may be caused by a malfunctioning proxy server or browser privacy software. If you are using a proxy server, bypass the proxy server or contact your proxy server administrator.
ERROR: 400


Bad Behavior itself is extremely conservative, is used by a large number of web sites, has strong support, and does everything possible to prevent blocking valid users.

In extremely rare circumstances, Bad Behavior may block actual human visitors. Bad Behavior was designed to target robots, not people. If this happens, the profile presented by your browser matched that seen from actual malicious robots. In some cases, this is caused by over-aggressive personal firewall/browser privacy software. In other cases, this is caused by improperly configured Web proxy server software.

First, make a note of the technical support key and e-mail address shown on the error page. Then click the link to "fix it yourself" for suggestions on how you may be able to resolve the problem.

If you continue to have trouble, contact the e-mail address on the error page and be sure to provide the technical support key "a52f0448". This will allow the site administrator to tell you what you need to do to resolve the problem.

If you are the site administrator receiving a trouble report from a user, contact me and provide the technical support key and a copy of the logs which Bad Behavior stores in the database showing the IP address which was blocked. The core author will provide further assistance until the trouble is resolved.

For more information on how to diagnose a Bad Behavior blocking problem, see the Bad Behavior weblog entry on the topic.

Hi butchs,

I understand; I have sent you the logs by email. Appreciate your help, thanks.

butchs

No problem, but the core author is Michael Hampton.  He will investigate your request and make adjustments or suggestions as required based on your feedback and the thousands of others he gets every day.  Then I will incorporate those changes into the SMF port.
O:)

Glasso

Quote from: butchs on February 26, 2011, 01:31:08 PM
No problem, but the core author is Michael Hampton.  He will investigate your request and make adjustments or suggestions as required based on your feedback and the thousands of others he gets every day.  Then I will incorporate those changes into the SMF port.
O:)

Man, Michael is quick! He confirmed there is indeed an issue with what header the Nokia phone/service provider is sending and that BB is working as expected.

Butchs, if you don't mind taking a look at the Forum Firewall log with a bunch of 'keep-alive's in the IP field, please PM me your email id.

Many thanks.

butchs

Quote from: Glasso on February 26, 2011, 02:14:56 PM
Butchs, if you don't mind taking a look at the Forum Firewall log with a bunch of 'keep-alive's in the IP field, please PM me your email id.

What happened in BB is not the same as FF.  The tests are not the same.  BB does not look at the IP address field.  It checks the "Connection" header, where Keep-Alive is supposed to reside.  When that field is in error, the request is blocked.

Now Michael has been working on the core for over 5 years, and the core is so widely used that he actually has the oomph to have Nokia fix the header or face being blocked from many sites.

This is why BB is the choice for spambot protection by many sites.
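To make concrete what "that field is in error" can mean, here is an added example (mine, not Bad Behavior's actual rule set) that tokenises a Connection header and reports what looks wrong, run against the exact value from the Nokia request logged earlier in this thread, "Keep-Alive, keep-alive", alongside constructed normal and abnormal values.

```python
import re

# Token characters allowed in HTTP header list elements (RFC 7230 "tchar").
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def connection_header_problems(value: str) -> list[str]:
    """Return the reasons a Connection header value looks malformed; an empty list means it passes.
    Illustrative rules, not Bad Behavior's own: the header is a comma-separated list of tokens,
    a well-behaved client sends each option once, and keep-alive and close cannot both be meant."""
    problems: list[str] = []
    seen: list[str] = []
    for element in value.split(","):
        token = element.strip()
        if not token:
            problems.append("empty list element")
            continue
        if not TOKEN_RE.match(token):
            problems.append(f"not a valid token: {token!r}")
            continue
        lowered = token.lower()          # connection options are case-insensitive
        if lowered in seen:
            problems.append(f"option repeated: {lowered!r}")
        seen.append(lowered)
    if "keep-alive" in seen and "close" in seen:
        problems.append("keep-alive and close are mutually exclusive")
    return problems

def would_reject(value: str) -> bool:
    """Decision a request filter would take on the Connection header alone."""
    return bool(connection_header_problems(value))

# Constructed samples. The first is the exact value from the Nokia request logged in this thread;
# the others are normal and abnormal values made up to show the contrast.
SAMPLES = {
    "nokia_via_teledna_proxy": "Keep-Alive, keep-alive",
    "typical_browser":         "keep-alive",
    "typical_with_te":         "keep-alive, TE",
    "conflicting":             "keep-alive, close",
    "garbage":                 "keep-alive, ,close(",
}
```

The Nokia value is flagged only for sending the same option twice, which is the sort of proxy-introduced oddity a strict request filter trips over while ordinary browsers pass cleanly.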

butchs

New update posted today.  Changes are minor, only upgrade if you are experiencing errors in your log.
  :D

fiver

SMF 2 RC5
Bad Behavior 1.4.2

What should the permission be for core.inc.php? Mine is set 666. Is that correct?

2: require_once(/Sources/bad-behavior/bad-behavior/banned.inc.php) [<a href='function.require-once'>function.require-once</a>]: failed to open stream: Permission denied
File: /Sources/bad-behavior/bad-behavior/core.inc.php
Line: 19

butchs

Do not change the permission of banned.inc.php.  Ignore the change request.

The reason is the method I have to use to install the mod: first I install the BB package, then write over the banned.inc.php file.  I checked my file in cpanel and its permissions were fine, so no changes are required.

butchs

The read me has red letters that tell you that when you install the mod with 2.0x you may get a permission error.  If you listen to SMF and change the permission, you get exactly what that user has posted.  So unless his server acts differently than my test server, uninstall the mod, reinstall it, and do not change the permissions, and it should work.

Here is the readme text:
During installation of SMF 2.0x, SMF may ask to "Restore File Permissions" for "banned.inc.php".  Do not make any changes!

If you then find that you need to change the permission, do it in cpanel.  Make it the same as all the other files in the BB folder.


butchs

Duuh, if you do not follow the instructions in the read me during installation then you risk having a problem after installation.

butchs

Each server may have a different set of default permissions.  Sites such as HostGator do not allow you to use 666 or 777 because they are world writable.  If you do not know what works on your server, contact your host and ask them what permission to use.

Besides, I run a genteel Web Site and as such do not have files set with the Devil's Permissions.   O:)

butchs

The following was taken from the Forum Firewall thread:
Quote from: Glasso on March 05, 2011, 10:43:35 AM
Butchs, this is causing some genuine googlebot requests to be blocked as I see in my webmaster logs. I can send you some trail that I had with Michael where he thought roundtripdns is not fully reliable, if you believe it is worthwhile to go deeper.

A statement by Michael may not apply to the SMF version.  My version has improved DNS tests and has been running on my site for well over 6 months with ZERO issues.  Needless to say, it is not 100%; fake bots can still get past.  As per the help icon "?", and as stated before, my roundtrip works fine for some sites, but if your host is using Ubuntu 10.x it may not work.  In that case uncheck "Search Engine DNS".

The following is taken from the core website:
Quote from: bad-behavior.ioerror.us
Google operates a proxy server for "feature phones" (dumb mobile phones; perhaps should be called feature limited) with limited Web browsers which reformats web pages into a simpler format for viewing on such phones. While it is now rarely used, requests from this proxy server, known as Google Wireless Transcoder, were being treated as search engine requests (and denied for not being a search engine). This issue has been fixed.

Please note the "rarely" statement.  I personally have not seen the Google wireless bot get blocked.  So unless you have a popular website with over 400 visitors a day, there is the chance that the bot you are seeing may or may not be a fake.  This is the internet and anything can be spoofed.  Do you think the bad guys will never try to imitate Google?    ::)

I do not know what to tell you, nothing is perfect.  BB runs on many sites that get thousands of blocked visitors a day.  He uses his best judgement.  When the core author sees a major problem he will upgrade and this mod will follow.
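The "Search Engine DNS" test discussed here is, as I understand it, the usual round-trip check: reverse-resolve the visitor's IP, confirm the name belongs to Google, then forward-resolve that name and require it to point back at the same IP. The added example below is mine, not the mod's roundtripdns.inc.php; both lookups are stubbed with constructed tables, and it also shows the one decision that determines whether a resolver hiccup ends up blocking a genuine crawler.

```python
from typing import Callable, Optional

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")   # suffixes a real Google crawler's PTR ends in

def roundtrip_verify(ip: str, reverse: Callable[[str], Optional[str]],
                     forward: Callable[[str], list[str]],
                     suffixes: tuple[str, ...] = GOOGLE_SUFFIXES) -> str:
    """Round-trip check for a request claiming to be Googlebot: IP -> PTR name -> A records.
    Returns 'verified', 'fake' or 'unknown'. reverse(ip) yields the PTR hostname or None; forward(host)
    yields its A records. Both are injected so this runs offline (live code would wrap
    socket.gethostbyaddr / socket.gethostbyname_ex); an OSError from either is a resolver failure."""
    try:
        host = reverse(ip)
    except OSError:
        return "unknown"                    # resolver trouble is not evidence of spoofing
    if host is None:
        return "fake"                       # no PTR at all: Google publishes one for every crawler
    host = host.rstrip(".").lower()
    if not host.endswith(suffixes):
        return "fake"                       # User-Agent says Googlebot, PTR says someone else
    try:
        addrs = forward(host)
    except OSError:
        return "unknown"
    return "verified" if ip in addrs else "fake"   # the name must resolve back to the same address

def should_block_claimed_googlebot(ip: str, reverse, forward, fail_open: bool = True) -> bool:
    """fail_open=True lets 'unknown' through (some spoofed bots slip in, no genuine crawl is lost);
    fail_open=False blocks on resolver trouble, which is how a genuine Googlebot ends up denied."""
    verdict = roundtrip_verify(ip, reverse, forward)
    return verdict == "fake" or (verdict == "unknown" and not fail_open)

# Constructed resolver tables: 192.0.2.0/24 documentation addresses and made-up hostnames.
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",   # genuine: PTR and A agree
    "192.0.2.11": "crawl-192-0-2-10.googlebot.com.",   # spoofed PTR: the name resolves elsewhere
    "192.0.2.12": "static.example.net.",               # PTR belongs to another operator
}
A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"], "static.example.net": ["192.0.2.12"]}

def reverse_lookup(ip: str) -> Optional[str]:
    if ip == "192.0.2.13":
        raise OSError("resolver timed out")            # simulates the flaky-resolver case
    return PTR.get(ip)

def forward_lookup(host: str) -> list[str]:
    return A.get(host, [])
```

A host whose resolver fails or is slow turns every claimed Googlebot into "unknown", so whether such a site sees lost crawls or lets spoofed bots through depends entirely on the fail_open choice, not on the round-trip logic itself.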
