Bad Behavior for SMF mod

Started by butchs, April 12, 2010, 05:23:56 PM


djkimmel

Quote from: butchs on September 02, 2012, 04:14:31 PM
New version.  Upgraded to 2.2.9.

  • Corrected error where the malicious activity address variable was incorrect in the core 2.2.9 release (SMF ONLY).

So basically, your SMF Bad Behavior 2.2.9 core = his 2.2.10, correct? Thanks for fixing that.

butchs

Quote from: djkimmel on September 03, 2012, 02:52:26 AM
So basically, your SMF Bad Behavior 2.2.9 core = his 2.2.10, correct? Thanks for fixing that.

Yes, I am used to fixing bugs in BB core. The core's reverse proxy still does not work where the SMF version does.  This is why I test the code thoroughly before releasing it.

Quote from: djkimmel on September 03, 2012, 02:13:29 AM
I don't use the Search Engine DNS checked option but I'm curious to see if he changed his Yahoo round trip check from crawl.yahoo.net to what they appear to use now - yst.yahoo.net. Not a big deal for me either way though it will add a little to my understanding of how your mod and his core works.

Everything listed under SMF only options is my code.  The integration with SMF, including the changes to make it compatible is my code.  As far as I can tell I am the first to migrate the whitelist to a forum DB, google safe honeyposts, cache and a BBC where suspicious visitors can not view portions of posts and etc.

The reverse DNS is my area.  I looked into it and here is what I found:

I do not catch all the changes so please let me know.  I am sure I will eventually miss something.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.
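
The "round trip" search-engine DNS check discussed above, as an added example that is not part of the original posts and is not code from Bad Behavior or the SMF mod. The two suffixes are the ones named in the quoted post and are passed in as configuration; the function name, the injectable resolver parameters and the sample records are assumptions made for illustration.

```php
<?php
// Added example: not code from Bad Behavior or the SMF mod.
// $ptr and $fwd are hypothetical injectable resolvers so the logic runs offline;
// they default to PHP's own DNS functions (gethostbynamel is IPv4 only).
function is_verified_crawler(string $ip, array $suffixes,
                             ?callable $ptr = null, ?callable $fwd = null): bool
{
    $ptr = $ptr ?? 'gethostbyaddr';
    $fwd = $fwd ?? 'gethostbynamel';

    $host = $ptr($ip);                          // step 1: IP -> name (PTR)
    if (!is_string($host) || $host === $ip) {
        return false;                           // no PTR record at all
    }
    $host = strtolower(rtrim($host, '.'));

    $matched = false;
    foreach ($suffixes as $suffix) {
        // step 2: compare at the END of the name, with a leading dot, so
        // "crawl.yahoo.net.example.org" and "xcrawl.yahoo.net" do not pass.
        $needle = '.' . strtolower(trim($suffix, '.'));
        if (substr($host, -strlen($needle)) === $needle) {
            $matched = true;
            break;
        }
    }
    if (!$matched) {
        return false;
    }
    // step 3: name -> IP. Whoever owns the address block controls the PTR
    // text, so the name only counts if it resolves back to the same address.
    $addrs = $fwd($host);
    return is_array($addrs) && in_array($ip, $addrs, true);
}

// Constructed records on documentation address ranges, not real crawler data.
$ptrTable = ['192.0.2.10'   => 'b1.crawl.yahoo.net', '192.0.2.20'  => 'b2.yst.yahoo.net',
             '198.51.100.7' => 'crawl.yahoo.net.example.org',
             '203.0.113.9'  => 'b3.crawl.yahoo.net'];
$aTable   = ['b1.crawl.yahoo.net' => ['192.0.2.10'], 'b2.yst.yahoo.net' => ['192.0.2.20'],
             'b3.crawl.yahoo.net' => ['192.0.2.99']];   // forward lookup disagrees
$ptr = fn($ip) => $ptrTable[$ip] ?? $ip;     // mimics gethostbyaddr on failure
$fwd = fn($h) => $aTable[$h] ?? false;       // mimics gethostbynamel on failure

foreach (['192.0.2.10', '192.0.2.20', '198.51.100.7', '203.0.113.9', '203.0.113.50'] as $ip) {
    $ok = is_verified_crawler($ip, ['crawl.yahoo.net', 'yst.yahoo.net'], $ptr, $fwd);
    printf("%-13s %s\n", $ip, $ok ? 'verified' : 'rejected');
}
```

Only the first two addresses are verified; the others fail on the suffix test, the forward lookup and the missing PTR record respectively.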

djkimmel

More helpful information. Fishing yesterday was a lot easier than figuring out all this stuff and deciding what to do about it. Not sure I like 'unofficial' bots? Seems like the search engines would be aware of the hacker challenges and make our lives easier by being cleaner and more clear on their IP ranges, user agents and RDNS.

Guess I will have to put some thought this week into image scraping and which bots I like and don't like (Baidu and Yandex went bye bye for me a while ago - ignoring my robots.txt and not my market, plus they hang out with more bad characters). Thanks.

butchs

Thank you...  So much for a relaxing programming weekend...  Time to go back to the drudgery of my real job to pay the bills...  Check out SMFHelper for some cool additions to BB.  ;)

Another option:  Some say that if a bot obeys "robots.txt" it is a good bot.  If the bot ignores "robots.txt" it is a bad bot.  This is the basis for my Forum Firewall "Robots.txt Validation".   Though not a newbie toy, when implemented correctly, it stops them cold!
:o

djkimmel

I signed up on SMFHelper. I've been reading on there a number of times but never signed up apparently.

I've also been looking at your Forum Firewall mod. I have no idea why I could not get Baidu to follow my robots.txt but I made changes for a couple months, waiting 5 days or so between each change. I even sent an email and filled out their form. No response. They just kept pounding away at a ridiculous rate so I blocked them. Considering all the other 'spiders' out there hitting my site and the less than savory traffic they seem to send me, I will need a better method than I have now of trying robots.txt, waiting a few days, looking at logs and then firewalling the ones who keep coming in plus all the 'spiders' who completely ignore robots.txt.

djkimmel

Quote from: butchs on September 01, 2012, 12:17:47 PM
Quote from: djkimmel on September 01, 2012, 04:47:06 AM
I usually have 12 to 18 pages of my old "Database Error: No database selected
File: /home/djkimmel/public_html/forum/Sources/bad-behavior/BadBehavior-SMF.php
Line: 74" per day (never did get that issue figured out) not ~800 pages in one day! Something changed.

I reviewed the mod and as far as I know there was no change there.  This could be an error in your settings or a bot.  The mod uses $db_prefix.  I am interested in eliminating this error. Start by looking at your "Settings.php" in your root directory and ensure that $db_prefix is correctly defined.  You may want to try repair settings.


I do use a different $db_prefix than the SMF default but it is set correctly. I ran repair settings again. The only thing missing was a setting for queryless url's. When I first installed SMF it said I couldn't use them. I didn't want to turn them on later. I will look at some previews I found online about how the bad behavior page looks to those who get it on my site using my customized theme. I changed some paths too since I have the default files in Themes/default and just images and the bare necessities in my custom theme folder.

djkimmel

I did sign up on smfhelper.info but I'm unable to post or send a private message. I just keep getting the "The following error or errors occurred while posting this message:
The message body was left empty.
" message though I've logged in and logged out, cleared browsing data, tried different browsers. I can read stuff and look for additional information and additions anyway.

butchs

Well...  I do not know what to do since this is outside my mod.  But I gave Bigguy your message.  He thinks he fixed it.  If not please PM Bigguy here.
O:)

djkimmel

That was all I could hope for. I could have sent him a PM on here I guess but I try to avoid that since many are PM-averse (for good reasons often, I'm sure). I will check it out. Thanks. SMF Bad Behavior 1.5.12 is working great on my forum. Hackers will have to try a little harder.

tMicky

For some reason, this Firewall Mod and the Bad Behavior Mod - have an issue with:
./Themes/Glacier/index.template.php - for both mods, I got Test Failed.

I haven't had issues with other mods and this Theme.

Kindred

glacier themes suck...  **NO** mods will install correctly into them.

So, as has been said several thousand times... you will have to manually edit those files.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

tMicky

Quote from: Kindred on September 07, 2012, 05:52:08 PM
glacier themes suck...  **NO** mods will install correctly into them.

So, as has been said several thousand times... you will have to manually edit those files.

thanks

tMicky

(Find)

// Show the load time?


(Add Before)

if ($modSettings['badbehavior_display_stats']) {
    if (!function_exists('bb2_insert_stats')) {
        global $sourcedir;
        require_once($sourcedir . '/bad-behavior/BadBehavior-SMF.php');
    }

    bb2_insert_stats();
}


However, I can't find the // Show the load time? code in index.php. I have searched each word, but it's not there. The test failed said - Add Before    ./Themes/Glacier/index.template.php    Test failed

butchs

I can not help you with individual themes.  Supporting them will simply take way too much time...  :-[

Good news though...  Here is a link to a mod parser:  SMFHelper
:-*

djkimmel

Find where it should be in the default or core SMF theme and then find the corresponding place in the Glacier theme. If you can. That is what I would do.

domscatterbrain

Can I whitelist an IP range with this mod?
This mod is awesome, but since I installed this mod many of my forum members complained that they receive a 403 error.
For a while, I put an announcement to mail me their IPs in our forum Facebook group so I can put them into Bad Behavior's whitelist.
And there is another problem, most of my members' IPs are dynamic so the best thing I can think of is whitelisting a certain IP range from their ISP.

butchs

WHITELIST MEMBERS HELP

Yes.  First off I recommend that you whitelist ALL your regular members.

In SMF you can whitelist member groups only.  Unlike other security mods, this mod will use the last known ip address of a whitelisted member and not block them if they are logged in or not logged in and their ip address has not changed.  I highly recommend this procedure for all FORUMS!  Here is the procedure:

  • In SMF 2.0 GOTO "Admin Center/Members/Permissions/" (slightly different for SMF 1.1.X)
  • modify "Regular Members"
  • Under "Use basic forum functionality" select "Bad Behavior Whitelist Group" to make a member group exempt from all Bad Behavior tests.
  • Repeat for all forum member groups (do not whitelist guests)

There is an image of the permission location on the mod page.

If they are among the RARE users who logout every time and when they return their IP address changed, follow this procedure AS A LAST RESORT:

  • goto Bad Behavior Admin.
  • Select "Settings/ IP Address"
  • Enter their host range in CIDR format.

The above is not required for static addresses and 99.9% of users.  I have over 250 members and only one (1) member who services a hospital with crazy security.  He is my only member who requires a CIDR whitelist.
:D

Omebolle

Sorry to budge in, but I have a question

Some time ago I installed Bad Behavior on my forum running on SMF 2.0 RC5.

Stopped all the spam I wanted to get rid of, great!!!. But now all of a sudden I get messages of blocked spam which are in fact legal and admitted posts on the forum. In one case a long time member, the other one a new member.

I'm not really an expert on this, anyone got an idea?

butchs

First off, if you have not done so, whitelist your members as explained in the first half of my last post.

Second I have no idea what the problem is without more details.  I know there was some anti-hacking stuff added to the core...  Please provide the Event details by clicking on the visitor in the denied entries log.

Omebolle

Thanks, did the whitelist change, let's see what happens.

Here are the event logs for the two members, they CAN post on the forum though

The new member and I see something about blackberry??
ID: 65
IP: 74.82.64.160
74-82-64-160.rdns.blackberry.net
DATE: 2012-09-09 22:34:11
METHOD: GET
URI: /test/index.php?topic=246.new;topicseen
PROTOCOL: HTTP/1.1
HEADERS: GET /test/index.php?topic=246.new;topicseen HTTP/1.1 Host: dutchy.info User-Agent: Mozilla/5.0 (BlackBerry; U; BlackBerry 9810; en-US) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.583 Mobile Safari/534.11+ Accept: text/html,application/xhtml+xml,application/xml,*/*;q=0.5 Referer: Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate Cookie: PHPSESSID=8o13i7ah30vlif9krpsu39ncc0 X-Wap-Profile: "http://www.blackberry.net/go/mobile/profiles/uaprof/9810_umts/7.0.0.rdf" Cache-Control: max-age=0 Connection: close
AGENT: Mozilla%2F5.0%20%28BlackBerry%3B%20U%3B%20BlackBerry%209810%3B%20en-US%29%20AppleWebKit%2F534.11%2B%20%28KHTML%2C%20like%20Gecko%29%20Version%2F7.0.0.583%20Mobile%20Safari%2F534.11%2B
ENTITY:
KEY: 69920ee5
DENIED REASON: Header 'Referer' present but blank
EXPLANATION: An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.
ERROR: 400


This is the Old member
ID: 54
IP: 195.241.190.199
195-241-190-199.ip.telfort.nl
DATE: 2012-09-03 11:57:43
METHOD: GET
URI: /test/index.php?action=dlattach;topic=193.0;attach=3951;image
PROTOCOL: HTTP/1.1
HEADERS: GET /test/index.php?action=dlattach;topic=193.0;attach=3951;image HTTP/1.1 Host: dutchy.info Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bb2_screener_=1346666252+195.241.190.199; SMFCookie759=a%3A4%3A%7Bi%3A0%3Bs%3A2%3A%2223%22%3Bi%3A1%3Bs%3A40%3A%222d6d2405e2962083fea946cd1d37923b91d05c76%22%3Bi%3A2%3Bi%3A1532780001%3Bi%3A3%3Bi%3A0%3B%7D; PHPSESSID=evqolvstcos57dhufm313k8220
AGENT: Mozilla%2F5.0%20%28Windows%20NT%206.0%29%20AppleWebKit%2F537.1%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F21.0.1180.83%20Safari%2F537.1
ENTITY:
KEY: 17566707
DENIED REASON: Required header 'Accept' missing
EXPLANATION: An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.
ERROR: 403
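
The two denial reasons in the event logs above, reproduced as an added example that is not part of the original posts and is not Bad Behavior's own code. The function names and the sample requests are constructed for illustration; the reason strings and status codes are copied from the two log entries.

```php
<?php
// Added example: not Bad Behavior's code. It reproduces the two denial
// reasons from the event logs above on constructed requests.

/** Parse a raw HTTP request head into [lower-cased name => trimmed value]. */
function parse_request_headers(string $raw): array
{
    $lines = preg_split('/\r\n|\n/', $raw);
    array_shift($lines);                        // drop the request line
    $headers = [];
    foreach ($lines as $line) {
        if ($line === '') {
            break;                              // blank line ends the head
        }
        if (strpos($line, ':') === false) {
            continue;                           // not a header line
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return $headers;
}

/** Return [status, reason] for a denied request, or null if both checks pass. */
function screen_request(array $h): ?array
{
    // "Present but blank" is not the same as "absent": a client with no
    // referrer normally omits the header, so only the empty value is flagged.
    if (array_key_exists('referer', $h) && $h['referer'] === '') {
        return [400, "Header 'Referer' present but blank"];
    }
    if (!array_key_exists('accept', $h)) {
        return [403, "Required header 'Accept' missing"];
    }
    return null;
}

// Constructed requests modelled on the two log entries (host is a placeholder).
$samples = [
    'blank Referer' => "GET /test/index.php?topic=246.new HTTP/1.1\r\nHost: forum.example\r\n"
                     . "Accept: text/html\r\nReferer: \r\nConnection: close\r\n\r\n",
    'no Accept'     => "GET /test/index.php?action=dlattach HTTP/1.1\r\nHost: forum.example\r\n"
                     . "Accept-Encoding: gzip,deflate\r\nConnection: close\r\n\r\n",
    'no Referer'    => "GET /test/index.php HTTP/1.1\r\nHost: forum.example\r\nAccept: */*\r\n\r\n",
];
foreach ($samples as $label => $raw) {
    $verdict = screen_request(parse_request_headers($raw));
    echo $label, ': ', $verdict ? "{$verdict[0]} {$verdict[1]}" : 'allowed', "\n";
}
```

The third sample shows that a request with no Referer header at all passes; only the empty value seen in the BlackBerry entry is flagged.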
