Topic: Forum Firewall

[butchs]

Mods are not written to be compatible with other mods.  They are written for a specific purpose.

With that said there are several people who use them together with no issues.

[digit]

Hey Butchs...  I just manually installed the mod and am running in test mode.... (also just tossed you a few coins ;-))  After 1 hour - I have 15 pages of logs under the Visitors tab.

I am waiting for my ISP to turn off Magic Quotes.... thanks for the heads up!

In my visitor log - under the IP column, I see a bunch of....

Keep-Alive

and...

[uScM]

What are those?

Thanks again, for what looks like an awesome mod!

digit

[butchs]

Thank you.

Keep-alive is a bot trying to stay connected.

Not sure what [uScM] is?  It does not look like something good...

If you have a lot of mobile users you may not be able to use the "Review Proxy List" option.
 

[digit]

Sorry - but I failed to add my attachment (now it's there)

Please take a look.

Thanks again

[SugarD-x]

Apologies, when I mentioned that, I just meant it in terms of there being no known issues. For example, I know Bad Behavior isn't compatible with Mod httpBL because of the similar methods they use which conflict and could cause errors.

[digit]

Please take a look at the attachment - now I am seeing the word "close" under IP's as well as other non IP looking strings.

Any ideas?  SIGH.

[butchs]

Bad Behavior isn't compatible with Mod httpBL because of the similar methods they use which conflict and could cause errors.

That is not true!  There is not a compatibility issue.  In fact, Bad Behavior is simply doings it's job.  The code for project honey pot in Bad Behavior is the same code successfully utilized by Bad Behavior in countless other platforms.  The project honey pot code in Mod httpBL is not the same as other platforms.  I tried to explain this to the mod Author several times but he prefers to spread a rumor.  This error is the reason I activated Bad Behavior's httpBL portion.

Unlike other ports of project honey pot, such as Dupal, Mod httpBL lacks either a "die()" or "exit()" in the warning page.  Mod httpBL loads before Bad Behavior in SMF source code and performs it's tests before Bad Behavior.   Some bots take advantage of the php script not being terminated by Mod httpBL and slip past the Mod httpBL warning page to get caught by Bad Behavior's warning page which resides later in SMF source code.  Bad Behavior then terminates the execution of php and further advancement in the code, because it's warning page contains "termination".

This is a serious omission in Mod httpBL which can allow your site to be vulnerable to hacking attempts.
 

[SugarD-x]

Bad Behavior isn't compatible with Mod httpBL because of the similar methods they use which conflict and could cause errors.

That is not true!  There is not a compatibility issue.  In fact, Bad Behavior is simply doings it's job.  The code for project honey pot in Bad Behavior is the same code successfully utilized by Bad Behavior in countless other platforms.  The project honey pot code in Mod httpBL is not the same as other platforms.  I tried to explain this to the mod Author several times but he prefers to spread a rumor.  This error is the reason I activated Bad Behavior's httpBL portion.

Unlike other ports of project honey pot, such as Dupal, Mod httpBL lacks either a "die()" or "exit()" in the warning page.  Mod httpBL loads before Bad Behavior in SMF source code and performs it's tests before Bad Behavior.   Some bots take advantage of the php script not being terminated by Mod httpBL and slip past the Mod httpBL warning page to get caught by Bad Behavior's warning page which resides later in SMF source code.  Bad Behavior then terminates the execution of php and further advancement in the code, because it's warning page contains "termination".

This is a serious omission in Mod httpBL which can allow your site to be vulnerable to hacking attempts.
 

Why not contact the author and discuss fixing the issues so the mods can peacefully co-exist without risk or issue? (And I know you said you tried to tell him. What I'm suggesting is discussing it rather than pointing fingers. See if you both can come to a resolution happily. )

[butchs]

Please take a look at the attachment - now I am seeing the word "close" under IP's as well as other non IP looking strings.

Sorry I went back to sleep then my internet went down.

The invalid ip's you show are in fact ip spoof attempts and should be blocked.

The only concern I see in your log are the DOS attempts.

• If you have not done so you should update your robots.txt file to be similar to [nofollow] http://www.veign.com/blog/2007/10/06/robots-txt-file-for-an-smf-forum/ [/nofollow].
• Make sure you add a Crawl-delay to the end of robots.txt for all the bots that use it (except Google).
• You should also visit [nofollow] http://www.google.com/support/webmasters/ [/nofollow] and set up the crawl rate.
• Then adjust your trigger.

If all the above is well then you have a spoofed Google.  Bad behavior will catch the poor spoof attempts but there are some evil bots out there who spoof Google un-detected.  Usually for DDOS attacks.  They do this because google is white listed by many sites.  I have been working on a new test that so far seems to stop this attack cold.  This will take me a little while to work out all the bugs though...

[butchs]

Why not contact the author and discuss fixing the issues so the mods can peacefully co-exist without risk or issue? (And I know you said you tried to tell him. What I'm suggesting is discussing it rather than pointing fingers. See if you both can come to a resolution happily. )

Please do not reprimand me when you do not have the history.  There is a discussion thread on his homepage that he will gladly point out to you.  I wasted enough time trying to explain things to him.

[SugarD-x]

Why not contact the author and discuss fixing the issues so the mods can peacefully co-exist without risk or issue? (And I know you said you tried to tell him. What I'm suggesting is discussing it rather than pointing fingers. See if you both can come to a resolution happily. )

Please do not reprimand me when you do not have the history.  There is a discussion thread on his homepage that he will gladly point out to you.  I wasted enough time trying to explain things to him.

I'm just trying to help man. No worries. I want to see you both succeed. Modders need to unite against these evil spammers!

[butchs]

We try...  It is an easy fix.  just add exit(); to the end of his warning page.  The line before ?>.

The invalid ip's you show are in fact ip spoof attempts and should be blocked.

More information.  These invalid ip's are from poorly written bots or poorly written/ malicious proxies.

[SugarD-x]

We try...  It is an easy fix.  just add exit(); to the end of his warning page.  The line before ?>.

Thank you!

[digit]

We try...  It is an easy fix.  just add exit(); to the end of his warning page.  The line before ?>.

The invalid ip's you show are in fact ip spoof attempts and should be blocked.

More information.  These invalid ip's are from poorly written bots or poorly written/ malicious proxies.

Thanks - one last post - for awhile - I hope 

See this attachment....

Are the 127.0.0.1 IP's anything to be concerned with?

Thanks again...  can't wait to start blocking!

[SugarD-x]

We try...  It is an easy fix.  just add exit(); to the end of his warning page.  The line before ?>.

The invalid ip's you show are in fact ip spoof attempts and should be blocked.

More information.  These invalid ip's are from poorly written bots or poorly written/ malicious proxies.

Thanks - one last post - for awhile - I hope 

See this attachment....

Are the 127.0.0.1 IP's anything to be concerned with?

Thanks again...  can't wait to start blocking!

I get those in httpBL too. I think they are just bots using very sneaky methods to connect to the forum.

[digit]

YOH NO!

What is THIS entry?

(see attachment)

[SugarD-x]

YOH NO!

What is THIS entry?

(see attachment)

Wow, that almost looks like the output of a page put into a URL. I can't confirm this, but I'm guessing a bot tried way too hard to bypass your anti-spam software and failed horribly.

[butchs]

Are the 127.0.0.1 IP's anything to be concerned with?

Oh yea.  It is something you want to block.  That trick will not work with FF!  Just check out who posted the 1st post ever in your forum.  [nofollow] http://www.tech-faq.com/127-0-0-1.html [/nofollow]

[butchs]

YOH NO!

What is THIS entry?

(see attachment)

A hack attempt.  The bot is using a dictionary "old school crack" type of program to try to get your members passwords.

You should enable blocking.

Please copy and paste the code and PM it to me.

[butchs]

WRT Google bot spoofing.  Here is a snippet of the next revision, in a month or so...

Can't tell you how I did it...  But...  The first post is my bandwidth showing the DDOS attack.  The second post is my test FF log blocking the attack.  Look at all those good bots being spoofed!  As you can see the attacker gave up last night!