Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM

Previous topic - Next topic

Kindred

I disagree, actually...   At this point, the attacks are distributed and I rarely see concurrent attempts on a single account from any individual IP, or even the same IP hitting multiple accounts.

I've added the .htaccess denies (will eventually convert this to the server side IP list) and the attempts have dropped off precipitously. RThe ones that are still coming through (about 95 in the last 2 days) use one IP to hit one account, a minute or two later, there is another hit on a different account from a new IP.

They cycle... I can usually find 1-2 attempts from a single IP over a 2 day period, but they appear to have a LARGE block of IPs to work from.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

StarWars Fan

Quote from: Arantor on February 16, 2011, 10:48:45 AM
But they use different IP addresses, that's part of the problem. Some of the lists of IP addresses are huge.

Not always - in the Error Log, if you click the IP, you will often see they have attempt to break into multiple accounts...

If SMF would simply check the Error Log, admins won't have to play with IP denying, htaccess, etc...

Quote
And what happens if a genuine user fails to type their password correctly? By that logic, they're booted straight off.

I'm not suggesting booting the IP, merely deny another login attempt especially to another account... And/or SimpleMachines could add the time limit thing (ala Cpanel, etc)

Kindred

Quote from: StarWars Fan on February 16, 2011, 10:58:39 AM
Quote from: Arantor on February 16, 2011, 10:48:45 AM
But they use different IP addresses, that's part of the problem. Some of the lists of IP addresses are huge.

Not always - in the Error Log, if you click the IP, you will often see they have attempt to break into multiple accounts...

If SMF would simply check the Error Log, admins won't have to play with IP denying, htaccess, etc...


Quote from: Kindred on February 16, 2011, 10:56:45 AM
I disagree, actually...   At this point, the attacks are distributed and I rarely see concurrent attempts on a single account from any individual IP, or even the same IP hitting multiple accounts.

...

They cycle... I can usually find 1-2 attempts from a single IP over a 2 day period, but they appear to have a LARGE block of IPs to work from.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

QuoteNot always - in the Error Log, if you click the IP, you will often see they have attempt to break into multiple accounts...

Not always. On my own sites, the list is a rather large list of IPs being hit, and it's often more than a day between two occurances of a single IP being used in this way. And see Kindred's comment.

QuoteI'm not suggesting booting the IP, merely deny another login attempt especially to another account...

Still affects legitimate users though - if a user typos their password, their IP is now restricted from another login attempt. What happens if, say, the user is in somewhere like a university with a smallish pool of IP addresses, just for example?

The time limit thing would help, provided that it's not going to interfere with legitimate users - but even then, all that happens is the bots will adapt their pattern.


This type of attack has been happening for decades across so many other systems and environments, and there isn't a single way of dealing with it.
Holder of controversial views, all of which my own.

Kindred

for the love of gods...   don't you read?   This is not actually an SMF issue.   You could see the same behavior on Facebook, Hotmail, google, etc.

it's the nature of the internet... as long as people use stupid, insecure passwords, other (bad) people will try to break them.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

StarWars Fan

Quote from: Kindred on February 16, 2011, 11:06:00 AM
for the love of gods...   don't you read?   This is not actually an SMF issue.

Well, sorry guys, I tried - they don't want to do anything about it... I'm out...

nend

My watchdog script I like to call it that I use on SI Community is handling these attacks pretty good IMHO. It tracks errors, logs them in a separate database to be compared to its definitions.

My dictionary bot definition checks to see if a ip address has tried to log in with at least three different usernames with incorrect passwords.

I can't say it is blocking them entirely because there are quite a bit of ips, but I have notice most ip ranges are real close together.

Norv

There seems to be a misunderstanding here. That bots are trying, is not a SMF issue. Bots are trying. Everywhere and anywhere, at various times.
However, whether we can do something to alleviate the problems the attacks might bring, is something we see about, with YOUR help.  All of you. Any information, logs, observations, solutions tried and their result on your particular situation, anything you wish to share can be useful and are under analysis.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

Arantor

Btw, this particular set of bots is finding forums based on searching for the copyright string. They're not finding certain forums that have customised SMF versions, e.g. one of mine that has 'Powered by a modified SMF' (where $forum_version = 'a modified SMF'), and naturally forums that aren't browsable by guest aren't hit.
Holder of controversial views, all of which my own.

spottedhog

#209
Going back to Arantor's mod...

Instead of having each user name displayed as "HIDDEN", couldn't they be obfuscated something like this?

$obfuscatedName = "";
     for ($i=0; $i<strlen($memberContext[$id_member]['name']); $i++){
         $obfuscatedName .= "&#" . ord($memberContext[$id_member]['name'][$i]) . ";";
     }
   echo $obfuscatedName;


... so Character Entities still show the user name to real humans?

Just thinking out loud...

Edit: I realize this would not stop already harvested user names...

Edit2: It doesn't work with "linked" user names... sooo, may not be good for SMF, but could be used for external pages to still display a user name for whatever reason.

squad

Quote from: Arantor on February 16, 2011, 08:36:45 AM
Quote from: squad on February 16, 2011, 05:16:21 AM


I'd love to use the 'hide authors' but it returns a corrupt reply. I am using
1.1.13. So now will have to wait for either an update or other such mod.
I have and will be using the email log-in, hopefully that will cut back the attacks
in the future.

I am so tired of this and I am only a very small forum,  I wish these bots would
just move on and get well & truly lost :)


If you're referring to my mod, it won't work on 1.1.x, it was written for 2.0 only.



This was what I was referring too, sorry. My head is spinning, I don't think I have
read so much in the past twenty years as I have read in the last week  :o I think
I have finally lost the plot  :P

http://custom.simplemachines.org/mods/index.php?mod=1892

Hide Post Authors From Guests

Written by: Labradoodle-360

nend

Quote from: Arantor on February 16, 2011, 11:30:05 AM
Btw, this particular set of bots is finding forums based on searching for the copyright string. They're not finding certain forums that have customised SMF versions, e.g. one of mine that has 'Powered by a modified SMF' (where $forum_version = 'a modified SMF'), and naturally forums that aren't browsable by guest aren't hit.

Be nice if that where true, but not true. My SMF copyright is not the original either and the site is still getting hit.

Quote from: Norv on February 16, 2011, 11:27:27 AM
There seems to be a misunderstanding here. That bots are trying, is not a SMF issue. Bots are trying. Everywhere and anywhere, at various times.
However, whether we can do something to alleviate the problems the attacks might bring, is something we see about, with YOUR help.  All of you. Any information, logs, observations, solutions tried and their result on your particular situation, anything you wish to share can be useful and are under analysis.

The 3 hits your out method I defined works pretty good, but it takes a while before the bot hits 3 times with different usernames. This still gives the bot 3 chances and you times that by the amount of IPs they have, will they still get allot of tries and can possibly IMHO get through a weak password.

But Arantors method sparked a idea, what if we seed a fake username for the bot and have them try to log in with that. At least we will know they are a bot right off the back.  ;D

Here are my ips being banned and watched at this moment. The ones that say Reason:password are the ones in this case. If you see any other ones ignore them as they pertain to other security code bits I have installed elsewhere in the forum. ;)

http://www.sicomm.us/siforum/watchdog/watchdog.php

b4pjoe

Since installing the email login mod on Sunday I have not had any errors in my log for failed logins for an IP address that was not that users...until this morning. But that user is using his email address as his user name. sigh

青山 素子

Quote from: StarWars Fan on February 16, 2011, 10:58:39 AM
I'm not suggesting booting the IP, merely deny another login attempt especially to another account... And/or SimpleMachines could add the time limit thing (ala Cpanel, etc)

Oops, I mis-typed my account name, now I can't login to my correct account for two hours! Real user friendly, there. (I have about three different user names across six forums, so the chances are medium I'd get denied based on your description.)


Quote from: StarWars Fan on February 16, 2011, 11:04:08 AM
I'm also concerned that if SMF does not do something to thwart this, that regular, non-hacker people will just start trying to log into accounts (maybe at a rival forum, or enemies, etc) knowing full well that SMF is unable to stop this...

Look, fake login attempts are going to happen. It's an internet-wide issue. It pre-dates the Internet, even. Way back when, you'd get people doing war dialing, the phone equivalent of finding a way into the system.

Your situation is rather silly. If someone starts trying to make some login attempts at a rival forum, it would be noticed by the admins if they checked their logs and that user would be banned fairly quickly. Direct attempts by a single person are easy to stop if you notice they are happening.

The situation here is much like the wide-spread SSH and FTP login attempts that have been going on for several years. You have a wide spread of IPs from infected end-user machines attempting logins. You can't easily ban all the IPs because of the collateral damage if you are not careful. You also can't do something like lock accounts after failed attempts because then you turn the attempts into a nice denial of service as your forum members find their accounts locked.

The only real solution that can be handled on the server's end is detecting and temporarily blocking the attempts. Tools like fail2ban were built for this exact scenario. Having a modification for SMF that behaves in a similar way would be worthwhile. Potentially, if these attacks turn into long-term things, integrating such functionality would be a good thing. However, it's not going to happen for 1.1, and 2.0 is too far along for such a large feature addition.

As for slow attacks, they aren't dangerous enough to concern oneself over unless you are allowing simple password complexity and users are using dictionary passwords.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


willerby

Quote from: b4pjoe on February 16, 2011, 12:13:57 PM
Since installing the email login mod on Sunday I have not had any errors in my log for failed logins for an IP address that was not that users...until this morning. But that user is using his email address as his user name. sigh

Change his display name and it will eventually leave him alone...

RustyBarnacle

Currently my error log is clean as my host had issues last night but if more get past the defenses I put in I'll leave them and let you know.

trebul

I haven't read this whole thread but I want to say that my site has been hit with these bots too. I cleared my error log last night and I'm already up to 96 login errors. It picked 12 members and just keeps cycling through trying to log in from different ips. It tries to login with each individual every 1hr 45mins.

      Love talking about pets?
      Visit a friendly pet forum!

      Looking for tips to running a forum?
      Trebul's community guide


         

b4pjoe

Quote from: laetabi on February 16, 2011, 12:18:43 PM
Quote from: b4pjoe on February 16, 2011, 12:13:57 PM
Since installing the email login mod on Sunday I have not had any errors in my log for failed logins for an IP address that was not that users...until this morning. But that user is using his email address as his user name. sigh

Change his display name and it will eventually leave him alone...

Yes, I've let him know he needs a new display name and a new email address since the bots already have his current email address.

nend

Quote from: b4pjoe on February 16, 2011, 12:13:57 PM
Since installing the email login mod on Sunday I have not had any errors in my log for failed logins for an IP address that was not that users...until this morning. But that user is using his email address as his user name. sigh
I have been thinking about changing the log in to email also, just haven't got around into coding it.  :-\

b4pjoe

There is a mod for it that I use. cb|Emailogin 0.5. Compatible With: 1.1.13, 2.0 RC5

Advertisement: