Author Topic: Being logged out by bots trying to log in  (Read 143361 times)

Offline RustyBarnacle

  • Sr. Member
  • Posts: 722
    • Saving Tallingroth
Re: Being logged out by bots trying to log in
« Reply #240 on: February 16, 2011, 05:38:59 PM »
Don't forget to uncheck view profile!

By default this is left on for guests in permissions and so a bot can just go:

forum/index.php?action=profile;u=1
forum/index.php?action=profile;u=2
forum/index.php?action=profile;u=3
etc...

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: Being logged out by bots trying to log in
« Reply #241 on: February 16, 2011, 05:47:04 PM »
Yup, that's true - but there's no evidence that's happening either. The list of accounts the bots are hitting is consistent, and it's not based on the order of users on the memberlist. I still bet it's fed the same way I'd feed it were I writing such a bot: the threads, all of which contain nice juicy links to the profile in a consistent format, just ripe for regex-ing out of a page. Crude bot, fed a forum, all it needs to do is start hitting up a board, munching its way through the links and looking for profile links.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.
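The two harvesting routes discussed in the last two posts (walking action=profile;u=N in numeric order, versus regex-ing profile links out of thread pages) leave different footprints in the web server log. The following script is an added example, not code from this thread, from SMF or from any mod: it parses constructed Apache combined-format lines, groups profile views and login POSTs by client IP, and labels each IP by whether its profile IDs form a contiguous run (enumeration) or arrive scattered in thread order (scraped links). The IPs and requests are invented, the assumption that SMF's login form posts to action=login2 is mine, and the threshold of four distinct profiles is arbitrary.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache "combined" format). The addresses
# are documentation ranges and every request below is invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Feb/2011:17:38:01 +0000] "GET /forum/index.php?action=profile;u=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2011:17:38:02 +0000] "GET /forum/index.php?action=profile;u=2 HTTP/1.1" 200 5118 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2011:17:38:03 +0000] "GET /forum/index.php?action=profile;u=3 HTTP/1.1" 200 5122 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2011:17:38:04 +0000] "GET /forum/index.php?action=profile;u=4 HTTP/1.1" 200 5119 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2011:17:38:05 +0000] "GET /forum/index.php?action=profile;u=5 HTTP/1.1" 200 5121 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Feb/2011:17:40:10 +0000] "GET /forum/index.php?topic=1234.0 HTTP/1.1" 200 30210 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Feb/2011:17:40:11 +0000] "GET /forum/index.php?action=profile;u=17 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Feb/2011:17:40:12 +0000] "GET /forum/index.php?action=profile;u=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Feb/2011:17:40:13 +0000] "GET /forum/index.php?action=profile;u=9 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Feb/2011:17:40:14 +0000] "GET /forum/index.php?action=profile;u=88 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Feb/2011:17:40:20 +0000] "POST /forum/index.php?action=login2 HTTP/1.1" 200 4100 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Feb/2011:17:40:21 +0000] "POST /forum/index.php?action=login2 HTTP/1.1" 200 4100 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Feb/2011:17:40:22 +0000] "POST /forum/index.php?action=login2 HTTP/1.1" 200 4100 "-" "Mozilla/4.0"
192.0.2.9 - - [16/Feb/2011:17:45:00 +0000] "GET /forum/index.php?action=profile;u=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Feb/2011:17:46:30 +0000] "GET /forum/index.php?topic=1234.0 HTTP/1.1" 200 30210 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def smf_params(target):
    """Split an SMF request target into its parameters. SMF separates
    parameters with ';' as well as '&' (e.g. action=profile;u=1)."""
    query = target.partition("?")[2]
    params = {}
    for part in re.split(r"[;&]", query):
        if "=" in part:
            key, _, value = part.partition("=")
            params[key] = value
    return params


def parse_log(text):
    """Yield (ip, method, params) for each well-formed log line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["method"], smf_params(m["target"])


def classify_clients(log_text, min_profiles=4):
    """Per client IP: number of distinct profiles viewed, number of login POSTs,
    and the harvesting pattern. action=login2 as the login target and the
    min_profiles threshold are assumptions made for this example."""
    profiles = defaultdict(list)
    logins = defaultdict(int)
    for ip, method, p in parse_log(log_text):
        if p.get("action") == "profile" and p.get("u", "").isdigit():
            profiles[ip].append(int(p["u"]))
        elif method == "POST" and p.get("action") == "login2":
            logins[ip] += 1

    findings = {}
    for ip in set(profiles) | set(logins):
        ids = sorted(set(profiles[ip]))
        if len(ids) >= min_profiles and ids == list(range(ids[0], ids[-1] + 1)):
            pattern = "sequential_enumeration"   # u=1,2,3,... walked in order
        elif len(ids) >= min_profiles:
            pattern = "scattered_harvesting"      # IDs in the order threads link them
        else:
            pattern = "normal"
        findings[ip] = {"profiles": len(ids), "login_posts": logins[ip], "pattern": pattern}
    return findings


if __name__ == "__main__":
    for ip, f in sorted(classify_clients(SAMPLE_LOG).items()):
        print(ip, f)
```

Run against a real access log the contiguous-run test is what distinguishes the guest-permission problem RustyBarnacle describes from the thread-scraping Arantor describes; the scattered pattern followed by a burst of login POSTs from the same address is the one worth feeding into a temporary ban.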

Offline Elysia

  • Semi-Newbie
  • Posts: 52
Re: Being logged out by bots trying to log in
« Reply #242 on: February 16, 2011, 05:47:39 PM »
That's been locked down forever too. Reg Members can see other members' profiles, guests can't see anything other than posts.

Offline RustyBarnacle

  • Sr. Member
  • Posts: 722
    • Saving Tallingroth
Re: Being logged out by bots trying to log in
« Reply #243 on: February 16, 2011, 05:49:49 PM »
I just installed a new out of the box SMF2 RC4 forum, made a couple profiles and guests could view profiles until I unchecked that.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: Being logged out by bots trying to log in
« Reply #244 on: February 16, 2011, 05:52:48 PM »
Yup, that's the default, but all the evidence points to not doing that.

Offline b4pjoe

  • Jr. Member
  • Posts: 395
  • Gender: Male
    • B4print.com
Re: Being logged out by bots trying to log in
« Reply #245 on: February 16, 2011, 06:11:20 PM »
I have seen them try user names of members that have never posted also. And my member list is not visible to guests but it is to members so it would be easy enough for a human spammer to capture the lists.

Offline busterone

  • SMF Hero
  • Posts: 2,150
  • Gender: Male
  • Devil Dog
    • The Demon's Den
Re: Being logged out by bots trying to log in
« Reply #246 on: February 16, 2011, 06:15:22 PM »
It is remotely possible that a human spammer made it past registration and then harvested the names. I did notice a huge increase in attempted spammer regs for about 2 weeks, and then it went quiet. About a week after that, these attacks started getting reported.  I guess I am still lucky. My error log is still clean. They haven't hit me at all.

Offline nend

  • SMF Friend
  • SMF Hero
  • Posts: 1,755
  • 2 deep n2 the code
    • sicommnend on GitHub
    • SIComm.us
Re: Being logged out by bots trying to log in
« Reply #247 on: February 16, 2011, 07:13:33 PM »
There is a mod for it that I use. cb|Emailogin 0.5. Compatible With: 1.1.13, 2.0 RC5

I can't use it, I still have to design my own. It isn't the mod's fault, it is just because the forum code is so heavily modified that I can no longer use packages from SMF. Even upgrades, I have to figure out what has changed and work them into my SMF installation. No big deal, like I said I just have to find the time to do it.

And personally, I would lose track if I had a different display from login.   I have used Kindred since the early 90s.

Debate going on in my head about using email addresses. It seems to be the fad though with other websites.

But I am like you, I'd rather use my old login, but in this case I would choose security over personal preference. I doubt too many users will be too upset about using the email address that they linked to the forum, unless it is one they hardly use. :D

Offline nend

  • SMF Friend
  • SMF Hero
  • Posts: 1,755
  • 2 deep n2 the code
    • sicommnend on GitHub
    • SIComm.us
Re: Being logged out by bots trying to log in
« Reply #248 on: February 16, 2011, 07:21:15 PM »
Well, I was just thinking, I can probably satisfy both ends. If they want to use their email address to login they can, or if they want to use their username they can do that too; also they can use both if they wanted to. Maybe make it optional in the user profile which login method they prefer, with explanations on why one is better than the other, etc.

This will give the user options instead of saying you have to use this method.

Offline Cal O'Shaw

  • Full Member
  • Posts: 444
  • SMF 1.1.14 & 2.0 Sites
Re: Being logged out by bots trying to log in
« Reply #249 on: February 16, 2011, 07:27:46 PM »
And if we could hide member names from guests then they could go either way.  The reason you can use the email addresses is because they are never displayed to guests.  If membernames were the same way you could use those safely as well.

Which is why I keep pushing to have that option, why it's great Arantor wrote his (even if it's 2.0 only), and now wish we could get the same feature for 1.1.x sites.

Cal 

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: Being logged out by bots trying to log in
« Reply #250 on: February 16, 2011, 07:31:31 PM »
To be honest, though, to a point it's now locking the door after the horse has bolted.

Methods to block the attack entirely are being investigated as we speak.

Offline nend

  • SMF Friend
  • SMF Hero
  • Posts: 1,755
  • 2 deep n2 the code
    • sicommnend on GitHub
    • SIComm.us
Re: Being logged out by bots trying to log in
« Reply #251 on: February 16, 2011, 07:57:10 PM »
We must consider whose responsibility it is to secure their account. Right now we are trying to play the role of the user, but it is their responsibility to secure their account with a strong password. All that we can do is give options IMHO.

Email addresses on the other hand are displayed to members if the user wants to display them to members. Bots don't only have to be guests but can actually be registered members and view these email addresses.

Methods to block the attack entirely do not exist, you and I both know that. Best we can do IMO is to educate our users to make sure they don't leave their accounts vulnerable to these types of attacks.

I am not however saying that we can not help. We can run temp bans to reduce the impact and like I said just give the user options to protect their account.

Login by email address is a great idea, but I am not going to penalize my members who have a strong password. I just finished coding up an optional system for my site. Members can pick if they want to use their email and username, email only or username only to login.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: Being logged out by bots trying to log in
« Reply #252 on: February 16, 2011, 08:01:13 PM »
Quote
Methods to block the attack entirely do not exist, you and I both know that.

This attack, I happen to disagree, because I've been doing some research into the mechanics of this specific attack. There is one notable feature that is rather consistent in the attack pattern. I won't disclose it publicly, naturally, but I'm currently working on a way to neutralise it.

Sure, we can and should be educating users. But we can't make them do anything, and nor should we.

Offline b4pjoe

  • Jr. Member
  • Posts: 395
  • Gender: Male
    • B4print.com
Re: Being logged out by bots trying to log in
« Reply #253 on: February 16, 2011, 08:23:32 PM »
Quote
We must consider whose responsibility it is to secure their account. Right now we are trying to play the role of the user, but it is their responsibility to secure their account with a strong password. All that we can do is give options IMHO.

Email addresses on the other hand are displayed to members if the user wants to display them to members. Bots don't only have to be guests but can actually be registered members and view these email addresses.

Methods to block the attack entirely do not exist, you and I both know that. Best we can do IMO is to educate our users to make sure they don't leave their accounts vulnerable to these types of attacks.

I am not however saying that we can not help. We can run temp bans to reduce the impact and like I said just give the user options to protect their account.

Login by email address is a great idea, but I am not going to penalize my members who have a strong password. I just finished coding up an optional system for my site. Members can pick if they want to use their email and username, email only or username only to login.

In SMF 2.0 if you set it in the Admin panel to not allow viewable email addresses then the users cannot see the email address of other members. If a member has the option checked to "Allow users to email me" they still can't see other users email address as the email goes through the forum software. Of course if they reply you will then see their email address.

Also if they can log in with either their email address or their user name the bot can still continue to use the user name to try and guess the password so that really doesn't help.

Offline nend

  • SMF Friend
  • SMF Hero
  • Posts: 1,755
  • 2 deep n2 the code
    • sicommnend on GitHub
    • SIComm.us
Re: Being logged out by bots trying to log in
« Reply #254 on: February 16, 2011, 08:35:21 PM »
Quote
In SMF 2.0 if you set it in the Admin panel to not allow viewable email addresses then the users cannot see the email address of other members. If a member has the option checked to "Allow users to email me" they still can't see other users' email addresses as the email goes through the forum software. Of course if they reply you will then see their email address.

A user still can show their email address to registered members, check it out it is in your account settings.

Quote
Also if they can log in with either their email address or their user name the bot can still continue to use the user name to try and guess the password so that really doesn't help.

I think you didn't get me on this one. I made it optional, the user has three options in their control panel. Well, a picture says a thousand words. Screen shot attached.

Also I would like to note, SMF default is both email and username. ;)
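The three-way choice nend describes (username and email, email only, username only), together with the temporary bans mentioned a few posts up and b4pjoe's point that a member who keeps "both" is still exposed to username-based guessing, can be put into one small login gate. The code below is an added example written for this page; it is not nend's mod, not SMF's login code and not any published package. Its PBKDF2 parameters, the per-IP failure window and the "banned" verdict are choices made for the example, and the member records in the test are invented.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a per-member salt; returns (salt, digest).
    The iteration count is an example value, not SMF's scheme."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginGate:
    """Each member chooses which identifiers may be used to log in: "both"
    (described in the thread as SMF's default), "username" or "email".
    Failed attempts are counted per client IP and the IP is refused for
    ban_seconds once ban_after failures have accumulated inside that window."""

    def __init__(self, ban_after=5, ban_seconds=900):
        self.members = {}                    # lowercase username -> record
        self.failures = defaultdict(list)    # ip -> timestamps of failed attempts
        self.ban_after = ban_after
        self.ban_seconds = ban_seconds

    def add_member(self, username, email, password, login_method="both"):
        assert login_method in ("both", "username", "email")
        salt, digest = hash_password(password)
        self.members[username.lower()] = {
            "username": username, "email": email.lower(),
            "salt": salt, "hash": digest, "login_method": login_method,
        }

    def _lookup(self, identifier):
        """Resolve a submitted identifier, honouring the member's chosen method:
        a scraped username is simply not a valid identifier for an email-only member."""
        ident = identifier.strip().lower()
        for m in self.members.values():
            if ident == m["username"].lower() and m["login_method"] in ("both", "username"):
                return m
            if ident == m["email"] and m["login_method"] in ("both", "email"):
                return m
        return None

    def _is_banned(self, ip, now):
        recent = [t for t in self.failures[ip] if now - t < self.ban_seconds]
        self.failures[ip] = recent           # drop failures outside the window
        return len(recent) >= self.ban_after

    def login(self, identifier, password, ip, now=None):
        """Returns "ok", "failed" or "banned"."""
        now = time.time() if now is None else now
        if self._is_banned(ip, now):
            return "banned"
        member = self._lookup(identifier)
        # Hash even when nothing matched, so an unknown identifier does not
        # answer measurably faster than a wrong password for a known one.
        salt = member["salt"] if member else bytes(16)
        _, candidate = hash_password(password, salt)
        if member is not None and hmac.compare_digest(candidate, member["hash"]):
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip].append(now)
        return "failed"
```

The ban is keyed on the attacker's address rather than on the target account, so a bot hammering a scraped username cannot lock the real member out from elsewhere; the trade-off is that a member sharing the bot's address (NAT, proxy) is refused for the window as well.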

Offline butchs

  • SMF Hero
  • Posts: 1,730
  • Lost 7GB bandwidth!
    • EastCoastRollingThunder
Re: Being logged out by bots trying to log in
« Reply #255 on: February 16, 2011, 08:42:41 PM »
Humm...  I have not seen it either.  May be stopping it unknowingly.  Still, I hope it comes my way.
 O:)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Offline butchs

  • SMF Hero
  • Posts: 1,730
  • Lost 7GB bandwidth!
    • EastCoastRollingThunder
Re: Being logged out by bots trying to log in
« Reply #256 on: February 16, 2011, 08:48:53 PM »
Mods like those listed here might help with preventing or alleviating the attempts made by particular IPs, as these mods typically use online databases of spammers IPs. I should note there is a certain possibility that those databases are not always accurate, since they contain IPs accumulated by anonymous reports (and those reports could be wrong).

Bad Behavior is all PHP baby!  No lookups.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: Being logged out by bots trying to log in
« Reply #257 on: February 16, 2011, 08:53:14 PM »
I take it you're not counting the variety of hostname queries it makes to validate that if a spider identifies itself as Google or Bing, that it comes from that hostname, as lookups (I guess they're to external DBs but not ones that are anonymous reports etc.)

And the behaviour with DNS lookups is also questionable anyway, which is why it was disabled in recent BB versions...

Offline b4pjoe

  • Jr. Member
  • Posts: 395
  • Gender: Male
    • B4print.com
Re: Being logged out by bots trying to log in
« Reply #258 on: February 16, 2011, 08:55:37 PM »
Quote
In SMF 2.0 if you set it in the Admin panel to not allow viewable email addresses then the users cannot see the email address of other members. If a member has the option checked to "Allow users to email me" they still can't see other users' email addresses as the email goes through the forum software. Of course if they reply you will then see their email address.

A user still can show their email address to registered members, check it out it is in your account settings.

Also if they can log in with either their email address or their user name the bot can still continue to use the user name to try and guess the password so that really doesn't help.

I think you didn't get me on this one. I made it optional, the user has three options in their control panel. Well, a picture says a thousand words. Screen shot attached.

Also I would like to note, SMF default is both email and username. ;)

Are you on 2.0 because I don't see those settings anywhere in SMF 2.0 unless I'm overlooking them.

Also if email addresses being viewable is disabled in the admin panel and a user checks the option to "Allow users to email me", the other users still can not see that email address. They can email them through the forum software and that will expose the sender's email address but not the email address of the person they are emailing. At least that is how it is on my 2.0 forum.

Offline butchs

  • SMF Hero
  • Posts: 1,730
  • Lost 7GB bandwidth!
    • EastCoastRollingThunder
Re: Being logged out by bots trying to log in
« Reply #259 on: February 16, 2011, 09:32:42 PM »
Quote
I take it you're not counting the variety of hostname queries it makes to validate that if a spider identifies itself as Google or Bing, that it comes from that hostname, as lookups (I guess they're to external DBs but not ones that are anonymous reports etc.)

Not the same as searching a database such as Project Honeypot etc.  Only one "gethostbynamel" per cache run, for only the Big 3 bots, which if set to 20+ seconds covers most bot runs.

Quote
And the behaviour with DNS lookups is also questionable anyway, which is why it was disabled in recent BB versions...

That is only an issue with Ubuntu 10+ servers using the BB code, which is not the same as the mod.  The mod's latest code, in testing now at SMF Helper, has been proven reliable as long as you use the mod's built-in disk cache.
« Last Edit: February 16, 2011, 09:35:49 PM by butchs »
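What Arantor and butchs are arguing about is a forward-confirmed reverse DNS check: a visitor whose User-Agent claims to be Googlebot or Bingbot is looked up in reverse, the resulting hostname must sit under a domain the engine publishes for its crawlers, and that hostname must then resolve forward to the same address (a PTR record alone proves nothing, since the owner of an IP block can point it anywhere). The example below is added here and is not Bad Behavior's code nor the SMF mod's; it shows the check with a cache so that, as butchs describes, a given address costs one lookup pair per cache period. The crawler domain suffixes are my assumptions (verify them against each engine's current documentation), the DNS tables are constructed so the example runs offline, and the SystemResolver class is the only part that touches the network.

```python
import ipaddress
import socket
import time

# Hostname suffixes under which the big search engines say their crawlers
# reverse-resolve. Assumed for this example; confirm before relying on them.
CRAWLER_DOMAINS = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}

# Constructed DNS data so the example runs offline. 66.249.66.1 verifies;
# 203.0.113.9 carries a forged PTR that does not resolve forward to itself;
# 198.51.100.4 has an honest PTR outside any crawler domain.
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "203.0.113.9": "crawl-66-249-66-1.googlebot.com",
    "198.51.100.4": "host4.example.net",
}
FAKE_A = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "host4.example.net": ["198.51.100.4"],
}


class FakeResolver:
    """Answers from the constructed tables above and counts the lookups made."""
    def __init__(self):
        self.queries = 0

    def reverse(self, ip):
        self.queries += 1
        if ip not in FAKE_PTR:
            raise socket.herror("no PTR record")
        return FAKE_PTR[ip]

    def forward(self, hostname):
        self.queries += 1
        return FAKE_A.get(hostname, [])


class SystemResolver:
    """Real lookups (Python's equivalents of PHP's gethostbyaddr / gethostbynamel)."""
    def reverse(self, ip):
        return socket.gethostbyaddr(ip)[0]

    def forward(self, hostname):
        return socket.gethostbyname_ex(hostname)[2]


class CrawlerVerifier:
    def __init__(self, resolver, cache_ttl=3600, now=time.time):
        self.resolver = resolver
        self.cache_ttl = cache_ttl
        self.now = now
        self.cache = {}   # ip -> (verdict, expiry): one lookup pair per IP per TTL

    @staticmethod
    def claimed_crawler(user_agent):
        ua = user_agent.lower()
        return next((name for name in CRAWLER_DOMAINS if name in ua), None)

    def check(self, ip, user_agent):
        """"not_a_crawler" if the UA claims no known crawler; otherwise "verified"
        when the IP's PTR name is under the crawler's domain AND resolves forward
        to the same IP (forward-confirmed reverse DNS), else "forged"."""
        crawler = self.claimed_crawler(user_agent)
        if crawler is None:
            return "not_a_crawler"
        cached = self.cache.get(ip)
        if cached is not None and cached[1] > self.now():
            return cached[0]
        verdict = "verified" if self._fcrdns(ip, CRAWLER_DOMAINS[crawler]) else "forged"
        self.cache[ip] = (verdict, self.now() + self.cache_ttl)
        return verdict

    def _fcrdns(self, ip, suffixes):
        ipaddress.ip_address(ip)   # reject malformed input before any DNS traffic
        try:
            hostname = self.resolver.reverse(ip).rstrip(".").lower()
            if not hostname.endswith(suffixes):
                return False       # the IP's owner can set its PTR to anything
            return ip in self.resolver.forward(hostname)
        except OSError:            # socket.herror / gaierror are OSError subclasses
            return False
```

A resolver that hangs is the failure mode behind the "questionable" remark above: the check sits on the request path, so a slow or broken DNS server slows every page view from a self-declared crawler until the cache entry exists. The TTL keeps that cost to one lookup pair per address per period, and treating any resolver error as "forged" fails closed rather than letting an unverified visitor through.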