Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM

butchs

Mods are not written to be compatible with other mods.  They are written for a specific purpose.

With that said there are several people who use them together with no issues.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

digit

#441
Hey Butchs...  I just manually installed the mod and am running in test mode.... (also just tossed you a few coins ;-))  After 1 hour - I have 15 pages of logs under the Visitors tab.

I am waiting for my ISP to turn off Magic Quotes.... thanks for the heads up!

In my visitor log - under the IP column, I see a bunch of....

Keep-Alive

and...

[uScM]

What are those?

Thanks again, for what looks like an awesome mod!

digit
Happily using a heavily modified 1.1.16 version of SMF!

2748011 Posts in 320998 Topics by 50986 Members


SOLD my website - thanks it was a good run - they converted to vbadvanced. (and screwed it up good!)

butchs

Thank you.

Keep-alive is a bot trying to stay connected.

Not sure what [uScM] is?  It does not look like something good...

If you have a lot of mobile users you may not be able to use the "Review Proxy List" option.
:-X

digit

Sorry - but I failed to add my attachment (now it's there)

Please take a look.

Thanks again

SD-X

Apologies, when I mentioned that, I just meant it in terms of there being no known issues. For example, I know Bad Behavior isn't compatible with Mod httpBL because of the similar methods they use which conflict and could cause errors. :)

digit

Please take a look at the attachment - now I am seeing the word "close" under IPs as well as other non-IP-looking strings.

Any ideas?  SIGH.

butchs

Quote from: SugarD-x on July 04, 2011, 06:01:29 AM
Bad Behavior isn't compatible with Mod httpBL because of the similar methods they use which conflict and could cause errors. :)

That is not true!  There is not a compatibility issue.  In fact, Bad Behavior is simply doing its job.  The code for Project Honey Pot in Bad Behavior is the same code successfully utilized by Bad Behavior in countless other platforms.  The Project Honey Pot code in Mod httpBL is not the same as other platforms.  I tried to explain this to the mod author several times but he prefers to spread a rumor.  This error is the reason I activated Bad Behavior's httpBL portion.

Unlike other ports of Project Honey Pot, such as Drupal, Mod httpBL lacks either a "die()" or "exit()" in the warning page.  Mod httpBL loads before Bad Behavior in SMF source code and performs its tests before Bad Behavior.  Some bots take advantage of the PHP script not being terminated by Mod httpBL and slip past the Mod httpBL warning page to get caught by Bad Behavior's warning page, which resides later in SMF source code.  Bad Behavior then terminates the execution of PHP and further advancement in the code, because its warning page contains "termination".

This is a serious omission in Mod httpBL which can allow your site to be vulnerable to hacking attempts.
:-X

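
The missing-termination problem described in the post above, as an added example that is not part of the thread and is not Mod httpBL, Bad Behavior or SMF code. All function names, the in-memory "database" and the listed address are hypothetical stand-ins.

```php
<?php
// Added illustration with hypothetical names; run from the PHP CLI.
// Constructed sample data: 203.0.113.7 stands in for an address the blocklist flags.
const LISTED = ['203.0.113.7'];

$stored_posts = [];   // stands in for the forum's database

// Blocklist check without termination: it prints the warning page and then
// returns, so whatever the forum does next still runs for the blocked client.
function check_without_exit(string $ip): void
{
    if (in_array($ip, LISTED, true)) {
        echo "[warning page] access denied for $ip\n";
        // no exit() here: control goes back to the caller
    }
}

// The same check with termination added after the warning page.
function check_with_exit(string $ip): void
{
    if (in_array($ip, LISTED, true)) {
        echo "[warning page] access denied for $ip\n";
        exit(1);   // nothing after the warning page runs
    }
}

// Stands in for everything the forum does later in the same request.
function forum_code(string $ip, array &$stored_posts): void
{
    $stored_posts[] = "post from $ip";
    echo "[forum] stored post from $ip\n";
}

// Shutdown functions still run after exit(), so the final state is visible.
register_shutdown_function(function () use (&$stored_posts) {
    echo 'posts stored at shutdown: ' . count($stored_posts) . "\n";
});

// Simulated request 1: the warning is shown AND the post is stored.
check_without_exit('203.0.113.7');
forum_code('203.0.113.7', $stored_posts);

// Simulated request 2: the script stops at the warning page.
check_with_exit('203.0.113.7');
forum_code('203.0.113.7', $stored_posts);   // never reached
```

Only the first simulated request stores a post; a warning page that is printed without terminating the script is cosmetic, because the blocked client's request is still processed.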

SD-X

Quote from: butchs on July 04, 2011, 09:54:38 AM
Quote from: SugarD-x on July 04, 2011, 06:01:29 AM
Bad Behavior isn't compatible with Mod httpBL because of the similar methods they use which conflict and could cause errors. :)

That is not true!  There is not a compatibility issue.  In fact, Bad Behavior is simply doing its job.  The code for Project Honey Pot in Bad Behavior is the same code successfully utilized by Bad Behavior in countless other platforms.  The Project Honey Pot code in Mod httpBL is not the same as other platforms.  I tried to explain this to the mod author several times but he prefers to spread a rumor.  This error is the reason I activated Bad Behavior's httpBL portion.

Unlike other ports of Project Honey Pot, such as Drupal, Mod httpBL lacks either a "die()" or "exit()" in the warning page.  Mod httpBL loads before Bad Behavior in SMF source code and performs its tests before Bad Behavior.  Some bots take advantage of the PHP script not being terminated by Mod httpBL and slip past the Mod httpBL warning page to get caught by Bad Behavior's warning page, which resides later in SMF source code.  Bad Behavior then terminates the execution of PHP and further advancement in the code, because its warning page contains "termination".

This is a serious omission in Mod httpBL which can allow your site to be vulnerable to hacking attempts.
:-X
Why not contact the author and discuss fixing the issues so the mods can peacefully co-exist without risk or issue? (And I know you said you tried to tell him. What I'm suggesting is discussing it rather than pointing fingers. See if you both can come to a resolution happily. :) )

butchs

Quote from: digit on July 04, 2011, 06:42:55 AM
Please take a look at the attachment - now I am seeing the word "close" under IPs as well as other non-IP-looking strings.

Sorry I went back to sleep then my internet went down.

The invalid IPs you show are in fact IP spoof attempts and should be blocked.

The only concern I see in your log are the DOS attempts.

If all the above is well then you have a spoofed Google.  Bad Behavior will catch the poor spoof attempts but there are some evil bots out there who spoof Google undetected.  Usually for DDOS attacks.  They do this because Google is whitelisted by many sites.  I have been working on a new test that so far seems to stop this attack cold.  This will take me a little while to work out all the bugs though...
8)

butchs

Quote from: SugarD-x on July 04, 2011, 10:09:17 AM
Why not contact the author and discuss fixing the issues so the mods can peacefully co-exist without risk or issue? (And I know you said you tried to tell him. What I'm suggesting is discussing it rather than pointing fingers. See if you both can come to a resolution happily. :) )

Please do not reprimand me when you do not have the history.  There is a discussion thread on his homepage that he will gladly point out to you.  I wasted enough time trying to explain things to him.

SD-X

Quote from: butchs on July 04, 2011, 10:18:11 AM
Quote from: SugarD-x on July 04, 2011, 10:09:17 AM
Why not contact the author and discuss fixing the issues so the mods can peacefully co-exist without risk or issue? (And I know you said you tried to tell him. What I'm suggesting is discussing it rather than pointing fingers. See if you both can come to a resolution happily. :) )

Please do not reprimand me when you do not have the history.  There is a discussion thread on his homepage that he will gladly point out to you.  I wasted enough time trying to explain things to him.
I'm just trying to help man. No worries. I want to see you both succeed. Modders need to unite against these evil spammers! :)

butchs

We try...  It is an easy fix.  Just add exit(); to the end of his warning page.  The line before ?>.

Quote from: butchs on July 04, 2011, 10:12:05 AM
The invalid IPs you show are in fact IP spoof attempts and should be blocked.

More information.  These invalid IPs are from poorly written bots or poorly written/malicious proxies.

SD-X

Quote from: butchs on July 04, 2011, 10:27:03 AM
We try...  It is an easy fix.  Just add exit(); to the end of his warning page.  The line before ?>.
Thank you! :)

digit

Quote from: butchs on July 04, 2011, 10:27:03 AM
We try...  It is an easy fix.  Just add exit(); to the end of his warning page.  The line before ?>.

Quote from: butchs on July 04, 2011, 10:12:05 AM
The invalid IPs you show are in fact IP spoof attempts and should be blocked.

More information.  These invalid IPs are from poorly written bots or poorly written/malicious proxies.

Thanks - one last post - for a while - I hope  8)

See this attachment....

Are the 127.0.0.1 IPs anything to be concerned with?

Thanks again...  can't wait to start blocking!

SD-X

Quote from: digit on July 04, 2011, 10:41:44 AM
Quote from: butchs on July 04, 2011, 10:27:03 AM
We try...  It is an easy fix.  Just add exit(); to the end of his warning page.  The line before ?>.

Quote from: butchs on July 04, 2011, 10:12:05 AM
The invalid IPs you show are in fact IP spoof attempts and should be blocked.

More information.  These invalid IPs are from poorly written bots or poorly written/malicious proxies.

Thanks - one last post - for a while - I hope  8)

See this attachment....

Are the 127.0.0.1 IPs anything to be concerned with?

Thanks again...  can't wait to start blocking!
I get those in httpBL too. I think they are just bots using very sneaky methods to connect to the forum. ;)

digit

YOH NO!

What is THIS entry?

(see attachment)

SD-X

Quote from: digit on July 04, 2011, 11:32:29 AM
YOH NO!

What is THIS entry?

(see attachment)
Wow, that almost looks like the output of a page put into a URL. I can't confirm this, but I'm guessing a bot tried way too hard to bypass your anti-spam software and failed horribly. :D

butchs

#457
Quote from: digit on July 04, 2011, 10:41:44 AM
Are the 127.0.0.1 IPs anything to be concerned with?

Oh yeah.  It is something you want to block.  That trick will not work with FF!  Just check out who posted the 1st post ever in your forum.  http://www.tech-faq.com/127-0-0-1.html
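
A check for the kind of values digit reports in the IP column ("Keep-Alive", "close", "[uScM]", 127.0.0.1), as an added example that is not part of the thread and is not Forum Firewall's code. The helper names are hypothetical; "Keep-Alive" and "close" are values of the HTTP Connection header, and the sketch assumes the logged value can come from client-supplied request data.

```php
<?php
// Added illustration; classify_logged_ip() and audit_ip_column() are
// hypothetical helpers, not Forum Firewall code.

// Sort one logged "IP" value into a class a blocking rule can act on.
function classify_logged_ip(string $value): string
{
    $value = trim($value);

    // Anything that does not parse as IPv4/IPv6 is not an address at all.
    if (filter_var($value, FILTER_VALIDATE_IP) === false) {
        return 'not-an-ip';
    }

    // Loopback, private and reserved ranges are not valid sources for a
    // request that reached the site over the public internet.
    $public = filter_var(
        $value,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    return $public === false ? 'non-routable' : 'ok';
}

// Group a whole column of logged values by class.
function audit_ip_column(array $values): array
{
    $report = ['ok' => [], 'non-routable' => [], 'not-an-ip' => []];
    foreach ($values as $v) {
        $report[classify_logged_ip($v)][] = $v;
    }
    return $report;
}

// Constructed sample: the strings and the loopback address reported in the
// thread, plus one ordinary public address for contrast.
$column = ['Keep-Alive', 'close', '[uScM]', '127.0.0.1', '8.8.8.8'];

foreach (audit_ip_column($column) as $class => $values) {
    printf("%-13s %s\n", $class, implode(', ', $values));
}
```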

butchs

#458
Quote from: digit on July 04, 2011, 11:32:29 AM
YOH NO!

What is THIS entry?

(see attachment)

A hack attempt.  The bot is using a dictionary "old school crack" type of program to try to get your members' passwords.

You should enable blocking.

Please copy and paste the code and PM it to me.

butchs

WRT Google bot spoofing.  Here is a snippet of the next revision, in a month or so...

Can't tell you how I did it...  But...  The first post is my bandwidth showing the DDOS attack.  The second post is my test FF log blocking the attack.  Look at all those good bots being spoofed!  As you can see the attacker gave up last night!

O:)