Topic: Being logged out by bots trying to log in

[laetabi]

I have 13,000 members. I can't do a knee-jerk reaction like that... half of my members probably don't even remember the e-mail address that they used to sign up with!

 
 Apologies, my post sounded rather direct and I didn't mean it too.
 
 I'm concerned that some of the solutions proposed so far are only partial and continue to present a risk to the security of members personal data. In particular, they don't address the vulnerability in forum software that half the log-in security is public domain and can be easily harvested, leaving only the password to be cracked.
 
 When this hit my forum I had similar reactions to many who have posted - I posted over 100 IP addresses for others to block but still they came and now we are talking thousands. So I set about this logically and realised that there are two main threats here:
 
 1) User experience - getting logged out
 2) A potential security threat to members if the bots are successful and can access an account
 
 The SMF upgrade/patch fixes the logout issue but not the security vulnerability if indeed that is what is being targeted by the bots. Personally, I don't want to ignore this aspect as it could have serious implications for my members even if the chances of success do seem remote.
 
 Arantors mod is the first to try and hide the log-in userID from guests throughout the forum and is the right approach as long as the spam bot hasn't already harvested any usernames. I think there is some evidence that it is not harvesting on the fly.
 
 Another alternative would be to insist all members change their displaynames to something different to their userID but for a X,000 existing member forum that would be nigh on impossible to manage. Doing this for all members via MySQL is a possibility and I considered doing this but again it doesn't fix the issue if the bot has already harvested some forum userIDs.
 
 The email login is in my view a more secure approach as even a non-guest can't easily access this info. Indeed sites like facebook, paypal, amazon etc all use email log-in and don't display email addresses to the world. It is not ideal for large forums and I did worry about members not remembering what they registered with but in practice this is a minor issue to overcome compared to the alternatives.
 
 I'd also recommend stopspammer or httpBL mods (or both) as a failsafe to deny access to your site from suspect IP addresses. They are both good mods but they haven't proven completely successful in stopping attempts althoghn they reduce the risk considerably. In my experience they can also block genuine users so need to be managed sensitively.

[Arantor]

Indeed sites like facebook, paypal, amazon etc all use email log-in and don't display email addresses to the world.

I guess I need to bash this again. I log into Facebook daily without using my email address. I use my username which is considerably shorter, and public, but I don't use it publicly, so you wouldn't notice, really.

Not all forums are vulnerable, four of the six forums I currently admin, all SMF, have not been targetted with this, and nor do I think they will be.


This same problem affects all forum software, really, it only became noticeable due to the logout aspect.

[laetabi]

Apologies again, Arantor.

Facebook is email log-in by default but user name does work as you say. UserID is however different from display name and not easily harvested. 

I don't use it... 

[Arantor]

UserID is however different from display name

Not exactly, no. I don't know if you can log in with your display name, doubt it, but if you have a personalised URL, that's visible AND your login.

But you're right, it's not so easily harvested.

[青山 素子]

What I dont really get is the bots are not actually logging in so they must be finding an open door in smf that is allowing them to access usernames??

By default, the display name is the same as the username. There is no door, it's public information.

How does the email login mod actually stop this, as the bots are not logging on as such?

It requires the login ID to be the user's account e-mail address. It's not so much a stop as a way to make it much harder to get the credentials needed to login.

I'm concerned that some of the solutions proposed so far are only partial and continue to present a risk to the security of members personal data. In particular, they don't address the vulnerability in forum software that half the log-in security is public domain and can be easily harvested, leaving only the password to be cracked.

This affects other forum software as well, especially those that don't allow a different display name from the account username.

 

Arantors mod is the first to try and hide the log-in userID from guests throughout the forum and is the right approach as long as the spam bot hasn't already harvested any usernames. I think there is some evidence that it is not harvesting on the fly.

It's more than possible that many of the usernames are dictionary-generated as well.

This same problem affects all forum software, really, it only became noticeable due to the logout aspect.

Agreed on that. It probably wouldn't have been all that noticeable except for the side effect that the bruteforcing created.


I will note that bruteforcing attacks against SSH (a remote login for *NIX systems, such as Linux and the various BSDs) have been ongoing for years. There isn't really a good stop for this kind of stuff other than to try and break up the botnets doing the work.


I've thought about working on a mod that acts like a "fail2ban" for SMF. Basically, long temp-bans for too many login failures within a period. Unfortunately, I'm not sure when I could work on such a thing, especially as it could get somewhat complex and resource-hungry.

Potentially, it would be easier (for those on VPS or dedicated) to use the actual fail2ban application and have SMF write failure logs to a location it can scan.

Hmmmmm.

[szinski]

I've been thinking about this and I feel that the "HIDDEN" mod is only a temporary solution.

What's eventually going to happen is that the harvester will simply apply for an account, then use that account to login and then harvest all the now-visible usernames... then we're back to square one.

I like the e-mail login option. It's hidden (or can be hidden) and there won't be a way for bots to know how you're logging in.

What I'll probably have to do is notify my members, give them a few weeks to get their e-mail addresses updated, then turn on that mod. That is, unless a better solution is found.

[青山 素子]

What I'll probably have to do is notify my members, give them a few weeks to get their e-mail addresses updated, then turn on that mod. That is, unless a better solution is found.

The best workable fix, really, is to implement an automatic IP ban solution where too many attempts to login in a time period result in a ban. It's a little tricky, however, as members can easily lock themselves out of the forum if they fail login multiple times too quickly.

I mentioned such a solution above, but it is a bit complex and I don't have too much time to work on it.

[iLCapo]

I've thought about working on a mod that acts like a "fail2ban" for SMF. Basically, long temp-bans for too many login failures within a period.

Wouldn't this type of approach hose the actual user if they should try to log in during the lock-out period?  Based on what I was seeing in my error logs, the bots were hitting the same accounts so frequently that those users may never have been able to get back in. 

The best workable fix, really, is to implement an automatic IP ban solution where too many attempts to login in a time period result in a ban.

Ideally it would be an auto ban on IPs that try unsuccessfully to login to multiple accounts.  My error logs were showing individual IPs attempting to crack as many as 6-7 different accounts.  It would be highly unlikely to have that many failed attempts across multiple accounts from one IP in real life.

[Astra_200]

The best workable fix, really, is to implement an automatic IP ban solution where too many attempts to login in a time period result in a ban. It's a little tricky, however, as members can easily lock themselves out of the forum if they fail login multiple times too quickly.

I mentioned such a solution above, but it is a bit complex and I don't have too much time to work on it.

I'd rather have a couple of unhappy members (because they couldent remember their login details) than this ongoing threat.

A mod like you suggest would be great, just call it a hobby Go for it 青山 素子.. you know you want to

Wouldn't this type of approach hose the actual user if they should try to log in during the lock-out period?  Based on what I was seeing in my error logs, the bots were hitting the same accounts so frequently that those users may never have been able to get back in.

Intersting point.

[busterone]

I am curious if this attack has been hitting this forum here at SM.org too. Can anyone with access to the error logs confirm or deny that this one is being hit as well?

[iLCapo]

I just noticed something puzzling.  I've blocked all the IP ranges assigned to RIPE in .htaccess and at least one is still getting through and trying to log in.  I originally added this range to .htaccess with this notation:

deny from 46.*.*.*

but they got through.  So I thought maybe .htaccess doesn't like this notation so I switched it to:

deny from 46.0.0.0-46.255.255.255

and they're still getting through.  Am I doing something wrong?  They shouldn't even be able to get to the forum to try to login if they're blocked in .htaccess right?

[busterone]

deny from 46

no dot or asterisk afterward

examples-
deny from 77.92.88.25
deny from 77.92.88
deny from 77.92
deny from 46

[iLCapo]

So if I wanted to do a larger range such as:

109.0.0.0 - 126.255.255.255

would I simply type:

deny from 109-126

or would I need to do each range individually like:

deny from 109
deny from 110
deny from 111

etc.?

[RustyBarnacle]

The best workable fix, really, is to implement an automatic IP ban solution where too many attempts to login in a time period result in a ban. It's a little tricky, however, as members can easily lock themselves out of the forum if they fail login multiple times too quickly.

I mentioned such a solution above, but it is a bit complex and I don't have too much time to work on it.

I like this idea coupled with a safe IP range(s).  That way if they login from work, home, friends etc they can set a safe DHCP set(s).  They would also be able to login from other places as long as they don't flub the password too many times.

[szinski]

Even better would be to get Project Honey Pot to add a trap for failed login attempts (single IP address trying multiple user names). Then the bot would get blocked automatically using MOD httpBL.

[b4pjoe]

The best workable fix, really, is to implement an automatic IP ban solution where too many attempts to login in a time period result in a ban. It's a little tricky, however, as members can easily lock themselves out of the forum if they fail login multiple times too quickly.

I mentioned such a solution above, but it is a bit complex and I don't have too much time to work on it.

The thing is though, I've seen as many as 24 hours between attempts on a single user name. At first I thought users were getting logged out after the bot reached the threshold of failed log in attempts but it seems that is not the case. Until the RC4 security fix and RC5 release, just one failed log in attempt would log off the user that was logged in so there was never a problem with multiple attempts within a certain time period.

The SMF fix is kind of misleading in that it didn't really fix anything (not that it could stop it). It's just hiding the fact that attempts are being made to crack user passwords. Unless an admin is diligently checking the error log no one will even know the attempts are being made after the security fix.

Users be damned. I have put the force email log in in place and posted a news item in big red letters as a link to a thread explaining the situation so everyone will know they have to log in using their email address and that it is for their own security. I haven't had any complaints yet. In fact most have thanked me for stopping the auto log outs they were experiencing.

[青山 素子]

I've thought about working on a mod that acts like a "fail2ban" for SMF. Basically, long temp-bans for too many login failures within a period.

Wouldn't this type of approach hose the actual user if they should try to log in during the lock-out period?  Based on what I was seeing in my error logs, the bots were hitting the same accounts so frequently that those users may never have been able to get back in. 

No, unless those users are trying to connect from the IPs being banned. It wouldn't be an account lock-out, but an IP one.

The thing is though, I've seen as many as 24 hours between attempts on a single user name.

That wouldn't be blocked. It's not abusive enough to be an immediate concern.

[Cal O'Shaw]

Hello,

Been busy with this problem in a similar topic (http://www.simplemachines.org/community/index.php?topic=419916.new;topicseen#new).  Reading this page I thought I'd clarify a bit of misunderstanding of what is happening, based on the attack on our site (started 8 Feb 2011, still running on 15 Feb 2011):

- names were harvested, appearing to be looking for 'last post' string on main index and topic indexes.
- set of names harvested are cycled, in order.
- attacker is persistent: our attacks occur about every 6 minutes on average, has been running for 7 days.
- attacker does not re-harvest, as the list has not changed.
- Hiding names from guests will do NOTHING for current attack, but will render harvesting impossible for future attack
- the only way to render attack impotent is to change the login ID, either by Admin changing target names or implementing the email login MOD.

We're a 1.1.13 site, fairly small, which made determining this possible.

Oh, need to use Depreciated's Hide Info Center MOD as unchecking "Show Info Center" permission is ignored.  We also hide most boards, and those visible only show the first post in the topic to guests.

Hope this helps.

Cal

[b4pjoe]

The thing is though, I've seen as many as 24 hours between attempts on a single user name.

That wouldn't be blocked. It's not abusive enough to be an immediate concern.

Well, I don't know. It's still a hacking attempt and I think that is why they programmed it so it wouldn't trip any security features like too many attempts in a certain time period. When it first started on my forums it never tried the same user name for at least 9 minutes. I don't think that was an accident.

[Cal O'Shaw]

I think it's great that Arantor was able to create the Anti-Abuse MOD for 2.x sites.  Not going to ask him (I understand his POV, I think) for 1.1.x version, but is it possible for someone to pursue a 1.1.x version?  Even if 2.0 went gold in the morning a lot of us small sites wouldn't be able to convert for months (lot of reasons, no need to go OT listing them).

I'm thinking we need a number of tools to fight this kind of attack, now and in the future.  The Anti-Abuse (HIDDEN name) MOD, email address login MOD, various firewall and IP MODs. 

It just seems the easiest way to block future attacks is hiding names from guests.

Cal