Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM


ACAMS

There seems to be IS a problem with being logged out by bots trying to log in with various user names.
This seems to be a unique SMF problem......any plans on blocking them as I have SEVERAL IP's blocked, and new ones try every day!

What is going to be done about it?


I have these blocked so far with .htaccess, but getting tired of adding IP's every day!!!!!!



deny from 109.169.29.56
deny from 137.56.163
deny from 144.85.24.218
deny from 150.70
deny from 155.239.155.200
deny from 173.193.221
deny from 173.193.221.27
deny from 173.193.221.28
deny from 173.48.174.212
deny from 174.138.169.218
deny from 174.36.199
deny from 174.36.199.200
deny from 174.36.199.201
deny from 174.36.199.202
deny from 174.36.199.203
deny from 178.63.246.164
deny from 178.78.255.254
deny from 18.246.0.69
deny from 188.124.19.114
deny from 188.40.51.2
deny from 192.251.226
deny from 192.251.226.205
deny from 192.251.226.206
deny from 193.198.207
deny from 193.198.207.8
deny from 194.154.227
deny from 195.71.226.87
deny from 199.48.147
deny from 199.48.147.35
deny from 199.48.147.35
deny from 199.48.147.36
deny from 199.48.147.37
deny from 199.48.147.38
deny from 199.48.147.39
deny from 199.48.147.40
deny from 199.48.147.41
deny from 199.48.147.42
deny from 199.48.147.43
deny from 199.48.147.45
deny from 203.174.87.18
deny from 204.152.222
deny from 204.152.222.140
deny from 204.8.156.142
deny from 208.66.135
deny from 208.66.135.190
deny from 208.66.135.190
deny from 209.159.142.164
deny from 212.42.236.140
deny from 213.112.111.205
deny from 213.239.192.229
deny from 217.19.50.77
deny from 24.106.191.235
deny from 24.247.220.16
deny from 50.22.180.2
deny from 62.141.53.224
deny from 66.230.230.230
deny from 66.96.16
deny from 66.96.16.32
deny from 68.71.46.138
deny from 71.198.26.88
deny from 71.244.55
deny from 71.244.55.170
deny from 74.106.17.110
deny from 77.54.97.144
deny from 78.107.237.16
deny from 78.42.9.166
deny from 78.47.251
deny from 79.120.86.20
deny from 79.136.50.205
deny from 80.62.217.18
deny from 80.81.183.178
deny from 81.169.155.246
deny from 81.218.219
deny from 81.218.219.122
deny from 82.228.252.20
deny from 83.80.129.253
deny from 83.142.228
deny from 83.142.228.14
deny from 83.168.210
deny from 83.168.210.55
deny from 83.170.92
deny from 83.170.92.9
deny from 83.220.133.86
deny from 83.226.245.207
deny from 84.75.174
deny from 85.235.31.248
deny from 87.126.133.230
deny from 87.236.194
deny from 87.236.199
deny from 87.236.199.73
deny from 88.189.58
deny from 89.208.237.70
deny from 89.253.105.39
deny from 89.253.97.235
deny from 89.77.213.43
deny from 91.213.50
deny from 91.213.50.235
deny from 92.241.184
deny from 92.241.184.106
deny from 92.241.190.168
deny from 92.9.221.213
deny from 93.104.215.8
deny from 93.115.241
deny from 94.251.75.55
deny from 94.75.253.73
deny from 95.143.193.145
deny from 98.113.149.36
deny from 80.237.226.75
deny from 98.113.149.36
deny from 67.207.136.44
deny from 98.113.149.36
deny from 91.214.30.60
deny from 188.72.225.172
deny from 208.115.203.16
deny from 62.24.181.134
deny from 62.24.181.135
deny from 111.1.32.23
deny from 111.1.32.24
deny from 111.1.32.25
deny from 111.1.32.26
deny from 62.75.139.221
deny from 85.114.141.18
deny from 85.114.135.224
deny from 46.4.237.146
deny from 86.101.114.199



ACAMS

Just that quick I had to add this IP  88.80.29.99

This mod did not work for me

http://custom.simplemachines.org/mods/index.php?mod=2728

Kindred

how are spambots and spamtards a unique smf problem?
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

青山 素子

Quote from: Kindred on January 12, 2011, 12:32:22 AM
how are spambots and spamtards a unique smf problem?

I think their specific problem is that login attempts against existing usernames are somehow causing existing user sessions to expire.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Aleksi "Lex" Kilpinen

I believe this happens at the point where a bot reaches the limit for failed logins - I've seen this issue raised a couple of times now, never seen it myself though.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

ACAMS

I just raised the Failed login threshold so maybe we won't be logged out before I can IP block the bots, BUT I wish something can be done to stop this.

b4pjoe

I'm seeing it every day but it only happens to each user for about 24 hours. If it's happening to a user that doesn't log in much you don't hear about it, but if it's a regular user it's annoying as heck.

ACAMS

I went into Configuration/Security and Moderation and raised the Failed login threshold to 99 so members won't be logged out, and I go to maintenance and check the error log (filter user) and ban all bots that don't have a regular member IP.

I add them to a .htaccess in the root of my domain....they never make it to the forum after that.........BUT I should not have to, they should not be able to get to the member list!

Here is my Current .htaccess......I add about 20 IP's a day!


#--- DH-PHP handlers ---
AddHandler fastcgi-script fcg fcgi fpl
AddHandler php-fastcgi .php
Action php-fastcgi /cgi-bin/dispatch.fcgi
Options -Indexes
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html
<Limit GET HEAD POST>
order allow,deny
# ACAMS Pissed off
deny from 109.169.29.56
deny from 137.56.163
deny from 144.85.24.218
deny from 150.70
deny from 155.239.155.200
deny from 173.193.221
deny from 173.193.221.27
deny from 173.193.221.28
deny from 173.48.174.212
deny from 174.138.169.218
deny from 174.36.199
deny from 174.36.199.200
deny from 174.36.199.201
deny from 174.36.199.202
deny from 174.36.199.203
deny from 178.63.246.164
deny from 178.78.255.254
deny from 18.246.0.69
deny from 188.124.19.114
deny from 188.40.51.2
deny from 192.251.226
deny from 192.251.226.205
deny from 192.251.226.206
deny from 193.198.207
deny from 193.198.207.8
deny from 194.154.227
deny from 195.71.226.87
deny from 199.48.147
deny from 199.48.147.35
deny from 199.48.147.35
deny from 199.48.147.36
deny from 199.48.147.37
deny from 199.48.147.38
deny from 199.48.147.39
deny from 199.48.147.40
deny from 199.48.147.41
deny from 199.48.147.42
deny from 199.48.147.43
deny from 199.48.147.45
deny from 203.174.87.18
deny from 204.152.222
deny from 204.152.222.140
deny from 204.8.156.142
deny from 208.66.135
deny from 208.66.135.190
deny from 208.66.135.190
deny from 209.159.142.164
deny from 212.42.236.140
deny from 213.112.111.205
deny from 213.239.192.229
deny from 217.19.50.77
deny from 24.106.191.235
deny from 24.247.220.16
deny from 50.22.180.2
deny from 62.141.53.224
deny from 66.230.230.230
deny from 66.96.16
deny from 66.96.16.32
deny from 68.71.46.138
deny from 71.198.26.88
deny from 71.244.55
deny from 71.244.55.170
deny from 74.106.17.110
deny from 77.54.97.144
deny from 78.107.237.16
deny from 78.42.9.166
deny from 78.47.251
deny from 79.120.86.20
deny from 79.136.50.205
deny from 80.62.217.18
deny from 80.81.183.178
deny from 81.169.155.246
deny from 81.218.219
deny from 81.218.219.122
deny from 82.228.252.20
deny from 83.80.129.253
deny from 83.142.228
deny from 83.142.228.14
deny from 83.168.210
deny from 83.168.210.55
deny from 83.170.92
deny from 83.170.92.9
deny from 83.220.133.86
deny from 83.226.245.207
deny from 84.75.174
deny from 85.235.31.248
deny from 87.126.133.230
deny from 87.236.194
deny from 87.236.199
deny from 87.236.199.73
deny from 88.189.58
deny from 89.208.237.70
deny from 89.253.105.39
deny from 89.253.97.235
deny from 89.77.213.43
deny from 91.213.50
deny from 91.213.50.235
deny from 92.241.184
deny from 92.241.184.106
deny from 92.241.190.168
deny from 92.9.221.213
deny from 93.104.215.8
deny from 93.115.241
deny from 94.251.75.55
deny from 94.75.253.73
deny from 95.143.193.145
deny from 98.113.149.36
deny from 80.237.226.75
deny from 98.113.149.36
deny from 67.207.136.44
deny from 98.113.149.36
deny from 91.214.30.60
deny from 188.72.225.172
deny from 208.115.203.16
deny from 62.24.181.134
deny from 62.24.181.135
deny from 111.1.32.23
deny from 111.1.32.24
deny from 111.1.32.25
deny from 111.1.32.26
deny from 62.75.139.221
deny from 85.114.141.18
deny from 85.114.135.224
deny from 46.4.237.146
deny from 86.101.114.199
deny from 88.80.29.99
deny from 217.20.114.254
deny from 80.237.226.76
deny from 109.169.41.48
deny from 86.205.122.125
deny from 91.216.191.11
deny from 62.212.67.209
deny from 184.99.175.66
deny from 188.72.241.209
deny from 74.208.243.167
deny from 85.25.144.101
deny from 212.13.195.235
deny from 92.241.190.188
deny from 142.68.83.148
deny from 193.138.216.157
deny from 94.249.153.47
deny from 85.214.73.63
deny from 94.132.72.2
deny from 92.241.190.129
deny from 144.92.92.15
deny from 89.208.236.35
deny from 206.221.217.246
deny from 216.24.174.245
deny from 58.247.181.212
deny from 87.118.104.203
deny from 83.169.9.70
deny from 68.126.24.162
deny from 94.19.12.244
deny from 86.201.237.21
deny from 216.243.32.170
deny from 64.34.162.160
deny from 78.48.204.3
deny from 93.167.245.178
deny from 62.141.58.13
deny from 92.241.168.146
deny from 76.253.141.244
deny from 194.145.200.128
deny from 91.121.175.151
deny from 95.142.174.176
deny from 92.241.174.9
deny from 38.102.94.125
deny from 50.15.57.221
deny from 62.75.159.139
deny from 216.86.61.205
deny from 76.10.214.89
deny from 72.47.252.215
deny from 173.54.2.197
deny from 213.46.138.76
deny from 108.41.42.137
deny from 97.107.142.93
deny from 74.208.246.213
# bots be gone
allow from all
</Limit>

青山 素子

Quote from: ACAMS on January 13, 2011, 12:39:47 PM
Here is my Current .htaccess......I add about 20 IP's a day!

You should consolidate and use subnets where possible. The WHOIS command is great for looking up allocations for blocks.

If you have server access, use iptables (Linux) or pf (BSD) to block the IPs at the system level.

Unless you need to, disable memberlist access for guests. You can't block member names in posts without blocking all guests, however.

You could see if you can add a referrer check to the login process to avoid direct submissions. Note that this will break logins for a very small percentage of users that block sending referrers or who use networks that do so.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


ACAMS

Quote from: 青山 素子 on January 13, 2011, 12:50:59 PM
You should consolidate and use subnets where possible. The WHOIS command is great for looking up allocations for blocks.

I have 2.0 RC3.....How would I do that?


Quote from: 青山 素子 on January 13, 2011, 12:50:59 PM
If you have server access, use iptables (Linux) or pf (BSD) to block the IPs at the system level.

I do have server access, but you lost me....what do I need to do?


Quote from: 青山 素子 on January 13, 2011, 12:50:59 PM
Unless you need to, disable memberlist access for guests.

I would love to, I have 2.0 RC3.....How would I do that?


Quote from: 青山 素子 on January 13, 2011, 12:50:59 PM
You could see if you can add a referrer check to the login process to avoid direct submissions. Note that this will break logins for a very small percentage of users that block sending referrers or who use networks that do so.

I have 2.0 RC3.....How would I do that?




青山 素子

Quote from: ACAMS on January 13, 2011, 06:17:12 PM
Quote from: 青山 素子 on January 13, 2011, 12:50:59 PM
You should consolidate and use subnets where possible. The WHOIS command is great for looking up allocations for blocks.

I have 2.0 RC3.....How would I do that?

If you are using Linux or OS X as your desktop system, open up a terminal and simply run "whois ip address". If you're on Windows, you will probably want to download JWhois from GNUWin32, then run that from the command prompt.

Reading WHOIS info on IPs takes some learning, and is a bit more involved than I will get into here. However, I will give an example from one of your above listed IPs.


$ whois 174.36.199.200
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 174.36.199.200"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=174.36.199.200?showDetails=true&showARIN=false
#

torservers.net NET-174-36-199-200 (NET-174-36-199-200-1) 174.36.199.200 - 174.36.199.207
SoftLayer Technologies Inc. SOFTLAYER-4-7 (NET-174-36-0-0-1) 174.36.0.0 - 174.37.255.255


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


From the above search, we see that the range that IP falls in is specifically "174.36.199.200 - 174.36.199.207". In SMF, you can add the IP ban as "174.36.199.200-207". Checking with an online subnet calculator, they are likely a /29. (In some notation it would be: 174.36.199.200/29). Some WHOIS servers will kindly provide the subnet mask bits (the number after the /).

Further, the range that service is in is owned by SoftLayer, a server provider. No humans should normally be browsing from their range, so you can block 174.36.0.0 - 174.37.255.255. That's two /16 blocks, by the way (I am a sysadmin by trade, so I know the basic subnet masks).



Quote from: ACAMS on January 13, 2011, 06:17:12 PM
Quote from: 青山 素子 on January 13, 2011, 12:50:59 PM
If you have server access, use iptables (Linux) or pf (BSD) to block the IPs at the system level.

I do have server access, but you lost me....what do I need to do?

Using the IP ranges I looked up above, you can do the following using iptables.

For the most restrictive set (the /29 network), the following command will work.


iptables -I INPUT -s 174.36.199.200/29 -j DROP


For that whole block for SoftLayer, you'd use:


iptables -I INPUT -s 174.36.0.0/16 -j DROP
iptables -I INPUT -s 174.37.0.0/16 -j DROP


As a bonus with iptables, httpd doesn't even see the requests as they are being blocked before they ever go to it. If you don't want to figure out the mask bits (the number after the /) you can also use full ranges like shown in the WHOIS output, just don't use spaces around the hyphen.

You'll need to look up the rules for pf if you're on BSD.

Also note that these will only stay applied until the firewall service is restarted, or a reboot. Different distributions store iptables information in different ways. Check documentation on how to save the rules so they persist.



Quote from: ACAMS on January 13, 2011, 06:17:12 PM
Quote from: 青山 素子 on January 13, 2011, 12:50:59 PM
Unless you need to, disable memberlist access for guests.

I would love to, I have 2.0 RC3.....How would I do that?

Admin -> Members -> Permissions

Modify the permissions for Guests. Uncheck "View profile summary and stats" and save.



Quote from: ACAMS on January 13, 2011, 06:17:12 PM
Quote from: 青山 素子 on January 13, 2011, 12:50:59 PM
You could see if you can add a referrer check to the login process to avoid direct submissions. Note that this will break logins for a very small percentage of users that block sending referrers or who use networks that do so.

I have 2.0 RC3.....How would I do that?

That would require code changes and I honestly don't have the time to dig into the code and find the best way to handle it. Honestly, it's a last-choice option, something that you should only do if all other efforts fail as it has the most chance of causing issues for real users.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.

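The procedure described in this thread (pull the failed-login sources out of the SMF error log, drop the ones that belong to real members, look the rest up with WHOIS, consolidate them into subnets, and write deny rules for .htaccess or iptables) scripted with Python's standard-library ipaddress module. This is an added example, not SMF code or anything posted above: the failed-login records and the member address 192.0.2.10 are constructed, the WHOIS lookup itself is still done by hand with the whois command, and only its "first - last" output is converted here. It also shows what the replies work out by hand: 174.36.199.200 - 174.36.199.207 is a /29, and the two SoftLayer /16 blocks collapse into one /15.

```python
"""Consolidate bot login sources into CIDR blocks and emit deny rules.

Added example, not SMF's code.  Sample data is constructed; the WHOIS
lookup is done separately with the whois command and only its output is
converted here.
"""
import ipaddress
from collections import Counter

# Constructed sample of (source IP, username tried) pairs, standing in for
# the "failed login" entries an admin reads in the SMF error log.  192.0.2.10
# is a constructed member address (TEST-NET-1); the others are quoted above.
FAILED_LOGINS = [
    ("174.36.199.200", "admin"), ("174.36.199.200", "ACAMS"), ("174.36.199.200", "b4pjoe"),
    ("174.36.199.201", "admin"), ("174.36.199.201", "ACAMS"), ("174.36.199.201", "Kindred"),
    ("174.36.199.202", "admin"), ("174.36.199.202", "ACAMS"), ("174.36.199.202", "b4pjoe"),
    ("174.36.199.203", "admin"), ("174.36.199.203", "ACAMS"), ("174.36.199.203", "Kindred"),
    ("192.0.2.10", "b4pjoe"), ("192.0.2.10", "b4pjoe"), ("192.0.2.10", "b4pjoe"),  # member mistyping
    ("199.48.147.35", "admin"), ("199.48.147.35", "ACAMS"),  # two tries, under threshold
]

# Constructed: addresses known to belong to real members.
MEMBER_IPS = {"192.0.2.10"}


def suspicious_sources(failed_logins, member_ips, min_attempts=3):
    """Return {ip: attempts} for non-member sources with >= min_attempts failures."""
    counts = Counter(ip for ip, _ in failed_logins)
    return {ip: n for ip, n in counts.items()
            if n >= min_attempts and ip not in member_ips}


def range_to_cidrs(first, last):
    """Convert a WHOIS-style 'first - last' range into CIDR blocks.

    '174.36.199.200 - 174.36.199.207' -> ['174.36.199.200/29'].
    """
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                             ipaddress.ip_address(last))
    return [str(n) for n in nets]


def collapse(addresses):
    """Merge single IPs and CIDR blocks into the fewest covering networks."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_blocked(ip, cidrs):
    """True if ip falls inside any of the CIDR blocks (what the rules would match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def htaccess_deny(cidrs):
    """'deny from' lines for an Apache 2.2 <Limit> block like the one posted above."""
    return ["deny from %s" % c for c in cidrs]


def iptables_drop(cidrs):
    """iptables commands of the form suggested above (not persistent across reboots)."""
    return ["iptables -I INPUT -s %s -j DROP" % c for c in cidrs]


def ban_rules(failed_logins, member_ips, min_attempts=3):
    """Full pipeline: log records -> collapsed CIDRs -> rule lines."""
    cidrs = collapse(suspicious_sources(failed_logins, member_ips, min_attempts))
    return {"cidrs": cidrs,
            "htaccess": htaccess_deny(cidrs),
            "iptables": iptables_drop(cidrs)}


if __name__ == "__main__":
    rules = ban_rules(FAILED_LOGINS, MEMBER_IPS)
    print("\n".join(rules["htaccess"]))
    print("\n".join(rules["iptables"]))
    # The SoftLayer allocation from the WHOIS output above, as CIDR:
    print(range_to_cidrs("174.36.0.0", "174.37.255.255"))
```

The member check matters: a regular user mistyping a password several times looks identical to a bot in the error log, so filter on the addresses the thread says to compare against before writing any rule. The iptables lines, as noted above, only live until the next firewall restart unless saved with the distribution's own mechanism.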

ACAMS

Thanks, I modified the permissions for Guests and hope that will stop them.

THE BRA1N

I'm having the exact same problem with many of those same IPs. Many are TOR proxy IP's so I used a TOR bulk list exporter to block them on .htaccess - https://check.torproject.org/cgi-bin/TorBulkExitList.py

The number of invalid logins has dropped significantly since I did that (as well as members getting logged out), but I am still getting a few attempts every day. I will also try the suggestion here to increase the invalid login threshold to see if that helps. The main problem I was having is that most members online were getting logged out every 3-5 mins.


willerby

This issue was really annoying my users - reported in 2.0 Support board.

Best solution for me, to stop them dead, was to switch log-ins to email address rather than userID - there is a mod for this called 'force email registration' I think.

I also installed Snoopy's httpBL Project Honeypot mod - follow his excellent instructions, a very worthwhile spambot blocker.

It'll scare you how many of these things are visiting your site every hour!

W
What type of washing machine is September?

An autumnatic. :)

bluecar1

Quote from: ACAMS on January 11, 2011, 11:11:02 PM
There seems to be IS a problem with being logged out by bots trying to log in with various user names.
This seems to be a unique SMF problem......any plans on blocking them as I have SEVERAL IP's blocked, and new ones try every day!

What is going to be done about it?


I have these blocked so far with .htaccess, but getting tired of adding IP's every day!!!!!!



deny from 62.24.181.134
deny from 62.24.181.135


those IPs are related to a stalker bot from Talk Talk, there is a bit of controversy over it following TT users around the net, supposedly for an antimalware product TT are supposed to be trialing

it has been breaking a few thing all over the web,

have a look at www. the-phoenix-broadband-advice-community .co. uk/index.php/topic,1828.0. html and https :// nodpi. org/forum/index.php/topic,2991.0. html

sorry both are long threads but have a lot of information in them

the owner of phoenix is taking legal action against talk talk over it


bluecar1

acams,

could you clarify which ip's are the main causes of the logging out issues?

is it all in your HTACCESS list or just some?

thanks

BC1

b4pjoe

Since about 2:00 pm today USA time I've had to block these IP addresses for failed logins that do not match the IP's of any of my members.

18.246.0.69

46.4.237.146

66.230.230.230

74.3.165.39

78.46.39.228

78.47.251.152

80.81.183.178

80.237.226.76

81.169.155.246

82.243.137.200

83.170.92.9

85.235.31.248

89.13.19.86

92.241.190.168

92.241.190.188

95.143.193.145

96.57.72.219

96.226.189.3

109.169.29.56

137.56.163.46

140.180.130.93

142.68.83.148

173.54.2.133

174.36.199.200

174.36.199.201

178.33.149.173

188.72.225.172

188.120.245.249

192.251.226.205

192.251.226.206

209.44.114.178

213.46.88.109

ACAMS

Quote from: bluecar1 on January 14, 2011, 05:48:10 PM
acams,

could you clarify which ip's are the main causes of the logging out issues?

is it all in your HTACCESS list or just some?

thanks

BC1

Most of the ones in the bottom half of my list, I got the top half from Dermot


Here is my list now

青山 素子

I just installed the httpBL modification recently on two of the boards I manage. It seems to work very well. You might want to try it out.

* 青山 素子 is an active contributor to Project Honeypot with 6 HoneyPots and 5 MX records donated.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.

