Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM

Storman™

Butch - you need to update the pack-info.xml file for version 1.1.4 as it still shows (in package manager) when installed as 1.1.3

The "About" page shows as 1.1.4 though so that's ok.

Cheers  ;)

butchs

Great.  ;)

Quote from: aerolite on September 02, 2011, 11:55:28 AM
Where can I see the firewall option? I'm using Rc2 4,

When I click direct to setting something after the installation, I just get directed to Administration Center.


Confirm that "ForumFirewall.english.php" is in your themes language directory.   
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

butchs

Quote from: Storman on September 02, 2011, 01:47:19 PM
Butch - you need to update the pack-info.xml file for version 1.1.4 as it still shows (in package manager) when installed as 1.1.3

Package manager is now corrected. 

chris @ Alpine

Thank you so very much for your mod!  It helps a lot!

One question, I don't seem to be able to search for the answer...

Can you send an example of the "User-Agent Whitelist" ?  I don't understand the instruction of "XX|YY".

Thank you again!

MiY4Gi

I think an example would be

Googlebot|Slurp|Bingbot
Check out my new website, MyAnimeClub.net. I plan to create the largest anime community, and most fun and user-friendly anime forum in the world. It's still in the development stage though.

butchs

Be forewarned, some bad people spoof Google et al for that very reason.

Attached is a blocked google ip spoof to my site via an ip array.

chris @ Alpine

Yes, I have been getting a lot of those lately also.

So are you suggesting to leave the "User-Agent Whitelist" field blank and let Bad Behavior do its job, while ENABLING the Firewall's "User-Agent Inspection" and "DOS Attack" options?

Thanks.


MiY4Gi

Quote from: chris @ Alpine on September 22, 2011, 08:24:37 PM
Yes, I have been getting a lot of those lately also.

So are you suggesting to leave the "User-Agent Whitelist" field blank and let Bad Behavior do its job, while ENABLING the Firewall's "User-Agent Inspection" and "DOS Attack" options?

Thanks.



Yep. Leave the UserAgent whitelist blank. Also, make sure you have the DOS Protection settings configured correctly. I'm using SEF urls, so my DOS settings had to be changed accordingly. You must set up your robots.txt file properly.

chris @ Alpine

Ok, thanks to both.  I will try it out.

By the way, love the Country block.  It works perfectly.

rebekahc

Hi!  I have this mod installed but have only enabled testing so far because my site just went live a few days ago.  I seem to be having a problem with legit Blackberry users getting caught by the program.  I have pages of hits for IP: BISB_3.5.1.84 with Invalid ip! and Invalid ip in proxy list! alerts.  I'm sure that's one of my members on her Blackberry - the hits exactly mirror her navigation through my site.  When I research that "IP", I think it's the Blackberry proxy from Research In Motion.  The IP shown in my Blackberry user's posts is her actual IP - the BISB_3.5.1.84 seems to be some kind of additional tag (layer? not sure what the correct term would be) added to her IP.

So, two questions: 

If this is a legit Blackberry proxy, how do I get it to stop triggering Forum Firewall so I can turn on blocking?

If this member who uses a Blackberry is in a membergroup on the Whitelist, will she still be blocked since my forum associates her with her actual IP and Forum Firewall seems to be picking up this extra tag and therefore wouldn't recognize her as the same person/IP from the whitelist or does FF use the actual membergroup designation to determine the block?

Another similar issue.  I have a member whose work uses a private IP address.  Forum Firewall picks it up as an Invalid ip.  Her posts reflect the IP of her actual computer at work, so SMF is somehow able to look past the Private IP and get her real IP.  Which I think is probably the same thing happening with my Blackberry user.  It seems they both have an extra layer before their actual IPs that's getting caught by Forum Firewall.  So, I have the same question about my private IP person - will she be blocked even if she's in a whitelist membergroup since FF "sees" her IP as one thing and the forum "sees" her actual IP? 

How can I configure FF to look past these items and get to the users' actual IPs?  Obviously it's possible because the forum is able to do it.

Thanks for any insight!

butchs

I will give you a quick reply now since I have to leave soon.  Some of those phone proxies are badly configured.  Some have security issues. Multiple ip addresses can be used, spoofed, and etc (there were several posts about this before).

I for one would not adjust my security because a member spoofs a private IP.

If it annoys you, turn off "Review Proxy List".  This will stop the proxy list! alerts.

Whitelist only prevents the member from being tested for DOS attack.

butchs

Quote from: chris @ Alpine on September 22, 2011, 08:24:37 PM
Yes, I have been getting a lot of those lately also.

This is an easy one to spot.  Search the 1st ip and you will note it is not from google.  It is most likely the script kiddie's ip address.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.
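
The lookup butchs describes (check whether an IP that claims to be Google really belongs to Google) can be automated with a reverse DNS lookup followed by a confirming forward lookup. This is an added example, not code from the thread or from the Forum Firewall mod; the function names and the DNS sample data are constructed for illustration, and the domain suffixes are the ones the crawler operators publish for their crawl hosts.

```python
import re
import socket

# Whitelist tokens from the thread mapped to the DNS suffixes each operator
# documents for its crawler hosts.
CRAWLER_DOMAINS = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
    "slurp": (".crawl.yahoo.net",),
}
UA_PATTERN = re.compile("|".join(CRAWLER_DOMAINS), re.I)

def system_ptr(ip):
    """Reverse lookup via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    """Forward (IPv4) lookup via the system resolver; [] on failure."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def classify(ip, user_agent, ptr=system_ptr, forward=system_forward):
    """Return 'not-a-crawler', 'verified' or 'spoofed' for one request."""
    match = UA_PATTERN.search(user_agent)
    if not match:
        return "not-a-crawler"
    host = (ptr(ip) or "").rstrip(".").lower()
    # Step 1: the PTR name must sit under the operator's own domain.
    if not host.endswith(CRAWLER_DOMAINS[match.group().lower()]):
        return "spoofed"
    # Step 2: the name must resolve back to the same IP, since whoever runs
    # the reverse zone for an address can put any name in its PTR record.
    return "verified" if ip in forward(host) else "spoofed"

# Constructed DNS data on documentation addresses so the demo runs offline.
FAKE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
            "198.51.100.7": "crawl-1.googlebot.com",  # forged PTR
            "203.0.113.5": "host5.isp.example"}
FAKE_A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
          "crawl-1.googlebot.com": ["192.0.2.99"]}
GOOGLE_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def demo():
    return {ip: classify(ip, GOOGLE_UA, FAKE_PTR.get, lambda h: FAKE_A.get(h, []))
            for ip in FAKE_PTR}
```

Called without the last two arguments, `classify` uses the system resolver, so results for hot paths should be cached per IP.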

rebekahc

Quote from: butchs on September 23, 2011, 04:56:26 AM
I will give you a quick reply now since I have to leave soon.  Some of those phone proxies are badly configured.  Some have security issues. Multiple ip addresses can be used, spoofed, and etc (there were several posts about this before).

I for one would not adjust my security because a member spoofs a private IP.

If it annoys you, turn off "Review Proxy List".  This will stop the proxy list! alerts.

Whitelist only prevents the member from being tested for DOS attack.

Thanks for your quick reply.  The two members mentioned before are extremely reliable, long-term members - one is staff.  I don't want to risk them being blocked - which would happen even if I disable "Review Proxy List" because they both hit as invalid ip.  The Blackberry user alternates between invalid ip and invalid ip in proxy list.  Plus, there are banned users who keep trying to access with proxies; I want them blocked.

I had read through the other posts, but didn't see any solutions other than disabling some of the security features.  I'd really like a way to keep legit members from being blocked while retaining as much security as possible.  :-\

MiY4Gi

Banned users aren't that much of an issue. Also, there's no way to entirely block banned users unless you block ALL proxies. I'm having a similar problem where a friend of mine can't get access to my website from his work, since his work's router alters the packet headers IP structure. At the moment he's visiting the site from home.

For now, to allow Blackberry users access, un-tick "Enable IP Validation" and "Review Proxy List", until an alternate solution is found.

Butchs, perhaps you could incorporate a General IP White List, similar to the User Agent White List, where users bypass the firewall entirely. Of course, it's possible to spoof IPs, but normal users won't know which IPs are white listed, so they won't know which IPs to spoof.

@rebekahc, if you really want to allow those users access without heavily compromising your site's security, then make sure those users have fixed IPs on their PCs/Phones. If their IPs constantly change, then whitelisting individual IPs won't work, and so an entire IP range would need to be whitelisted, which isn't really safe. Ask your site's blocked users to check whether proxies have been configured on their phones/PCs.

T3CHN0

Quote from: JoeB on January 26, 2011, 07:53:53 AM
As an admin, Now I can not log in the forum :
HTTP Error 403 Forbidden You don't have permission to access
Please advise. Only can use FTP to change any file

I stopped two commands by downloading index.php by ftp

in your /index.php find
//      'forumfirewall' => array('ForumFirewall.php', 'forumfirewall'),
// start ForumFirewall
//   if (isset($modSettings['forumfirewall_enable']) && !empty($modSettings['forumfirewall_enable']) && $modSettings['forumfirewall_enable']) {
//      require_once($sourcedir . '/ForumFirewall.php'); }
// end ForumFirewall

I had this same problem. Thanks JoeB for this post.
by doing this in ftp I got access to my forum again.
before clicking on forum firewall>settings reverse those edits and untick Block Violations

My own fault for turning Block Violations ON, I did read
Quote: WARNING: It is recommended that you do not enable this feature until after you operated the mod for several days
but thought "I should be OK" :D

great mod... so far my forum has not been hacked/hijacked again.. after this month if still blocking the threat
I will donate..

cheers

butchs

Quote from: MiY4Gi on September 23, 2011, 03:32:21 PM
For now, to allow Blackberry users access, un-tick "Enable IP Validation" and "Review Proxy List", until an alternate solution is found.

Butchs, perhaps you could incorporate a General IP White List, similar to the User Agent White List, where users bypass the firewall entirely. Of course, it's possible to spoof IPs, but normal users won't know which IPs are white listed, so they won't know which IPs to spoof.

Why can't the users simply change to a more solidly programmed proxy?  Come on, if the ip address is wrong then the proxy code is poor.

If there is no other option a preferred solution would be to research the Blackberry proxy and see if there is some logic behind it and investigate a method to determine that specific proxy is being used.  An alternative would be to contact them and ask them to fix their code.  In either event, I will need to figure out where to start.

butchs

Many mobile phone proxies are badly written.  As per this security research page, random tales by a mobile hacker:

Mobile Phone Web Proxies -  It seems like some operators have different proxies for different kinds of customers:
● Proxies are also operated by 3rd parties
● Companies that build these "mini-browsers"
● Mobile web optimizers

Data leakage from mobile proxies is a security risk and totally not necessary
● Operators Need to fix their proxies
● Make their contractors fix their proxies

My opinion: If a proxy is so poorly written that it does not generate a proper ip address it is a security risk and you need to find another proxy.
:)

MiY4Gi

Quote from: butchs on September 24, 2011, 09:45:42 AM
Many mobile phone proxies are badly written.  As per this security research page, random tales by a mobile hacker:

Mobile Phone Web Proxies -  It seems like some operators have different proxies for different kinds of customers:
● Proxies are also operated by 3rd parties
● Companies that build these "mini-browsers"
● Mobile web optimizers

Data leakage from mobile proxies is a security risk and totally not necessary
● Operators Need to fix their proxies
● Make their contractors fix their proxies

My opinion: If a proxy is so poorly written that it does not generate a proper ip address it is a security risk and you need to find another proxy.
:)

Well, no objections there, however it might not be possible to simply change proxies. And if one can't change proxies, one has to ask his mobile operator to change the proxy, and I doubt they'll listen.

Like you said, a preferred solution would be to figure out how their proxy works. Then the Firewall could be adjusted to cater for those proxies as well, rather than just letting the proxies bypass the Firewall.

rebekahc

Quote from: MiY4Gi on September 24, 2011, 10:49:41 AM
Quote from: butchs on September 24, 2011, 09:45:42 AM
Many mobile phone proxies are badly written.  As per this security research page, random tales by a mobile hacker:

Mobile Phone Web Proxies -  It seems like some operators have different proxies for different kinds of customers:
● Proxies are also operated by 3rd parties
● Companies that build these "mini-browsers"
● Mobile web optimizers

Data leakage from mobile proxies is a security risk and totally not necessary
● Operators Need to fix their proxies
● Make their contractors fix their proxies

My opinion: If a proxy is so poorly written that it does not generate a proper ip address it is a security risk and you need to find another proxy.
:)

Well, no objections there, however it might not be possible to simply change proxies. And if one can't change proxies, one has to ask his mobile operator to change the proxy, and I doubt they'll listen.

Like you said, a preferred solution would be to figure out how their proxy works. Then the Firewall could be adjusted to cater for those proxies as well, rather than just letting the proxies bypass the Firewall.

Yes, I'm quite sure my Blackberry using member has no way to control the proxy Blackberry uses.  The same for my user whose work uses a private IP.  But, there must be some way to filter those out since SMF gives me their actual IPs rather than that proxy/private layer FF is catching.  Maybe have a whitelist of members for whom FF looks past that layer before blocking?

butchs

Whenever I make a major change I end up fixing minor bugs from obscure servers.  Right now, I am swamped (working long hours) with the job that pays my bills.  When I get some time I will look into it.
:)
