Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM


xrunner

I wonder if a better system of account access could be made. Like banks, where you have a "known" computer, like in your house. It has a fingerprint stored (don't know what they store though). You can even have 2 or 3 known computers stored. If you are not at a known computer, you have to answer a personal security question before you can even enter a password. Since all these bots are not at the known computer, that would stop them from even getting to the password screen.

Aleksi "Lex" Kilpinen

Something like that could be made I think, but then again I don't know if that would work with forums as well as it does with banks, people may use forums from countless computers, whereas they might still avoid doing banking from outside home.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

szinski

Quote from: xrunner on February 15, 2011, 01:16:00 PM
I wonder if a better system of account access could be made. Like banks, where you have a "known" computer, like in your house. It has a fingerprint stored (don't know what they store though). You can even have 2 or 3 known computers stored. If you are not at a known computer, you have to answer a personal security question before you can even enter a password. Since all these bots are not at the known computer, that would stop them from even getting to the password screen.

Instead of that, just count the number of failed login attempts. If more than 5 failures, then the next time you attempt to login you're presented with your security question.

Arantor

I think you'd have to combine that with preventing login until security phrase is given, and/or preventing login until entering a code from email, much like the account activation deal.
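The two suggestions above (challenge after more than 5 failed attempts, and no login until the security answer is given) can be sketched as follows. This is an added example, not SMF code and not part of the original posts; `LoginGate`, `kdf`, the 15-minute window and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib, hmac, os, time
from collections import defaultdict

THRESHOLD = 5        # "more than 5 failures" triggers the challenge (figure from the thread)
WINDOW = 15 * 60     # assumption: failures older than 15 minutes are forgotten

def kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class LoginGate:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}                 # name -> (salt, password hash, answer hash)
        # Keyed by the submitted name, existing or not; a real store would be bounded.
        self.failures = defaultdict(list)  # name -> timestamps of failed attempts

    def register(self, name, password, answer):
        salt = os.urandom(16)
        self.accounts[name] = (salt, kdf(password, salt), kdf(answer.lower(), salt))

    def challenge_required(self, name):
        cutoff = self.clock() - WINDOW
        self.failures[name] = [t for t in self.failures[name] if t > cutoff]
        return len(self.failures[name]) > THRESHOLD

    def login(self, name, password, answer=None):
        # Unknown names get a throwaway record so they answer like real accounts.
        salt, pw_hash, ans_hash = self.accounts.get(name, (b"\0" * 16, b"", b""))
        if self.challenge_required(name):
            # The password is not evaluated until the security answer is right.
            given = kdf((answer or "").lower(), salt)
            if not hmac.compare_digest(given, ans_hash):
                self.failures[name].append(self.clock())
                return "challenge"
        if hmac.compare_digest(kdf(password, salt), pw_hash):
            self.failures.pop(name, None)
            return "ok"
        self.failures[name].append(self.clock())
        return "denied"
```

Because the counter is kept per submitted name rather than per existing account, the switch from "denied" to "challenge" does not reveal whether a username exists.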

xrunner

Quote from: szinski on February 15, 2011, 01:22:13 PM
Instead of that, just count the number of failed login attempts. If more than 5 failures, then the next time you attempt to login you're presented with your security question.

Yes, very much simpler. If you are having so much trouble entering your password, you are either very drunk or you are up to no good. Either way, it's probably a good idea to challenge the person with a few security questions.

Arantor

Or, you have a different password for every site but can't remember which one it was...

Aleksi "Lex" Kilpinen

That's me! :D My passwords are mostly different to each site, and I tend to forget which is which :P

Astra_200

A couple more bots have just popped in to say hello :( but a long .htaccess IP ban list combined with Arantor's mod has got the errors down to a trickle now.

These are the banned IPs I've used. Copy and paste them into your htaccess if you like.


order allow,deny
allow from all




edit - please learn to use code tags?

Ok, looks like I've worked it. Sorry about that




Tanks

The bots are saving the names that they already found.

After installing Arantor's mod I tried clearing my htaccess file and within minutes the bots were back trying out the names that they already grabbed before the mod.

Putting my htaccess file back in place stopped it instantly.

So they are NOT getting the names on the fly. These Bots have cache.

青山 素子

You know, instead of individual IPs, you should ban using masks. You'll have a lot fewer lines and it'll be more efficient.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Tanks

So having around 2000 "deny from" in htaccess is bad for performance?

I'm not sure about masks - I'm afraid to block out normal human beings.

青山 素子

Quote from: Tanks on February 15, 2011, 02:01:16 PM
So having around 2000 "deny from" in htaccess is bad for performance?

Yes.


Quote from: Tanks on February 15, 2011, 02:01:16 PM
I'm not sure about masks - I'm afraid to block out normal human beings.

Like you might not be already? It's obviously infected computers of end-users.

Looking at the above IPs, for example, the 111.1.32.* addresses could be replaced by a ban on 111.0.0.0/10 (111.0.0.0 - 111.63.0.0), which blocks the entire range those IPs are in. Unless you expect visitors who are customers of China Mobile, that should be safe.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
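Banning by mask instead of by individual IP, and the collateral that Tanks is worried about, can be measured before a rule goes live. The following is an added example, not part of the original posts: the sample addresses are constructed from documentation ranges, the function names are hypothetical, and only the 111.0.0.0/10 mask is taken from the post above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample offenders from RFC 5737 documentation ranges (not the thread's list).
SAMPLE = [
    "192.0.2.35", "192.0.2.36", "192.0.2.37", "192.0.2.38",
    "192.0.2.36",                      # duplicate, as hand-kept lists tend to have
    "198.51.100.7",
    "203.0.113.200", "203.0.113.201",
]

def exact_masks(ips):
    """Fewest CIDR blocks that cover exactly the listed addresses and nothing else."""
    return list(ipaddress.collapse_addresses({ipaddress.ip_network(ip) for ip in ips}))

def widen(ips, prefix=24, min_hits=3):
    """Ban a whole /prefix once min_hits distinct offenders sit in it.
    Returns (masks, number of never-seen addresses that get blocked too)."""
    groups = defaultdict(set)
    for ip in ips:
        block = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[block].add(ipaddress.ip_address(ip))
    masks, collateral = [], 0
    for block, seen in groups.items():
        if len(seen) >= min_hits:
            masks.append(block)
            collateral += block.num_addresses - len(seen)
        else:
            masks.extend(ipaddress.ip_network(f"{a}/32") for a in seen)
    return list(ipaddress.collapse_addresses(masks)), collateral

def span(mask):
    """First address, last address and size of a mask."""
    net = ipaddress.ip_network(mask)
    return str(net[0]), str(net[-1]), net.num_addresses

def deny_lines(masks):
    """Render masks in the 'deny from' form used in the thread's .htaccess."""
    return [f"deny from {m}" for m in masks]

if __name__ == "__main__":
    print("\n".join(deny_lines(exact_masks(SAMPLE))))
    masks, extra = widen(SAMPLE)
    print("\n".join(deny_lines(masks)), f"# also blocks {extra} unseen addresses")
    print(span("111.0.0.0/10"))
```

`exact_masks` shortens the list without blocking anyone new, while `widen` trades a shorter list for a counted number of bystander addresses.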


Tanks

That makes no sense for me, sorry.

I just copied the IPs that other members posted here on SMF and also the list generated by that TOR generator thingy based on your server's IP.

And that stopped all attacks, but yes, I feel performance has dropped a lot.

iLCapo

Quote from: 青山 素子 on February 14, 2011, 11:55:03 PM
It shouldn't make a difference. Adding directly to the Apache config and disabling htaccess would have more improvement on performance.

If you have root access, adding the IPs as an iptables (or pf for BSD) deny would be the best choice.

Adding the list of IPs posted earlier to my .htaccess, along with the email login mod, has stopped the attempts cold, but if an iptable is the best way to go about this how would I add one?  I'm using 1.1.13 and do have root access.

Arantor

iptables is part of your server's configuration. If you're on shared hosting, you won't have access to it.

willerby

Install http://custom.simplemachines.org/mods/index.php?mod=1665 and stop trying to block something that is growing - it will drive you and your users mad trying to stop it by IP address blocking. It did me.

All that mod does is require your users to use an email address to log-in, and the bot can't. It just seems such a simple option compared with everything else proposed.
What type of washing machine is September?

An autumnatic. :)

szinski

Quote from: laetabi on February 15, 2011, 04:44:53 PM
Install http://custom.simplemachines.org/mods/index.php?mod=1665 and stop trying to block something that is growing - it will drive you and your users mad trying to stop it by IP address blocking. It did me.

All that mod does is require your users to use an email address to log-in, and the bot can't. It just seems such a simple option compared with everything else proposed.

I have 13,000 members. I can't do a knee-jerk reaction like that... half of my members probably don't even remember the e-mail address that they used to sign up with!

iLCapo

Oh, I thought we were talking about the website root file.  I don't have access to my server's root.  Sorry for my ignorance. 

I have already installed the email login mod and it stopped the password errors but the bots were still trying.  I'm a very small forum for a local club so I don't have any concern with accidentally blocking potential users.  I just want to try to lock the forum down against spammers/bots/etc. as much as possible.

xrunner

Quote from: szinski on February 15, 2011, 04:48:06 PM
I have 13,000 members. I can't do a knee-jerk reaction like that... half of my members probably don't even remember the e-mail address that they used to sign up with!

I agree with this, it's unfortunate, but true. If I did that they'd run me out of town on a rail (if they managed to log in, that is).

Astra_200

Quote from: laetabi on February 15, 2011, 04:44:53 PM
Install http://custom.simplemachines.org/mods/index.php?mod=1665 and stop trying to block something that is growing - it will drive you and your users mad trying to stop it by IP address blocking. It did me.

All that mod does is require your users to use an email address to log-in, and the bot can't. It just seems such a simple option compared with everything else proposed.

Agreed, it was doing my head in for a while and I don't think for a minute other PCs won't become infected and the attack will continue >:(

What I don't really get is the bots are not actually logging in so they must be finding an open door in SMF that is allowing them to access usernames??

How does the email login mod actually stop this, as the bots are not logging on as such?
