Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM

huan

Thanks, your mod helped me a lot. Now I am starting to like it, and I managed to solve my Cloudflare problem, so combining it together with Cloudflare is equal to getting a $20 Cloudflare plan for free :). One question on the DDoS attack ban trigger: besides whitelisting IPs (it seems most people have a dynamic IP), what is the recommended trigger #/sec? Today one of my members was accidentally blocked, maybe because he kept refreshing the page to check a PM that I sent to him, so he was blocked. Luckily I noticed it very soon and removed the ban trigger. I used the default 0.65, cache duration 20, so in my case what is the recommended trigger timing?

butchs

For some it is a PITA to set up this mod but if you follow the instructions it works.  Not recommended but for my site, I have been deleting the wasted SMF anti-hacking code that slows down the software.

I only whitelist regular members.  But there is a FAQ for whitelists.

I made the mod while using CF.  My goal was to get what it did not get when CF was in beta and the bots were still bugging me...  Now the mod does low level country blocks and an attack every other day.

Basically you need to set robots.txt Crawl-delay (I use 5), Google Webmasters (if they let you) and etc...  After they are all settled you can enable your ban trigger.  I use .7.

I do not ban anyone more than 1 hour with the mod.  Longer bans are done with htaccess.

Detailed info in the FAQ's on the first post.

I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

huan

From what I read in the old posts of this thread, whitelisting can be done by permission user group, so I whitelisted the Forum Firewall group for the most important user groups, but I still see the user was banned for DDoS. It was a fake response, as he was replying to a few threads in a short period of time and got auto-banned. So far this happens about once every one or two days.

butchs

#803
Was his member group white-listed?

The IP may have changed and the member was not logged in.  You can always adjust the trigger.

huan

Yup, his user group was whitelisted. That post I already read; I read most of the posts that contain "whitelist". Another question: can we whitelist a member so that they will not be flagged as a hack attempt by the SQL injection character trigger?

On a side note, how do we whitelist by IP instead of user group? It seems that out of a few thousand, fewer than 100 are important contributors.

Quote: The IP may have changed and the member was not logged in.  You can always adjust the trigger.
What do you recommend? Currently it is cache duration 20, trigger 0.65.

butchs

The SMF system assumes the user is logged in.  The whitelist uses the SMF system plus I added the last used IP address(es).  If the member hits the site hard, keeps logging out, doesn't use cookies and his IP address changes daily there is nothing I or anyone can do.

Quote from: huan on December 02, 2012, 09:53:37 AM
Another question: can we whitelist a member so that they will not be flagged as a hack attempt by the SQL injection character trigger..

No, that is why I recommend running the mod for a few days in logging not banning mode.  Then you can delete the hack/ injections that are common for your site.

Quote from: huan on December 02, 2012, 09:53:37 AM
What do you recommend? Currently it is cache duration 20, trigger 0.65.

Each site is different.  If you look a few posts up you see I use a trigger of .7.  You will have to adjust it based on the procedure.  There are a whole bunch of factors that contribute to the duration.  Server speed and forum content also play a factor.  I would try to slowly adjust it up so as not to ban regular members while still in logging only.

Access to your phpMyAdmin last 100 visitors can assist if you look at it after a bad bot hits you.  You can then see how fast they hit and adjust your duration to make their count fast.  Think of it this way.  A bot will hit the site faster than a human.  So if your members are getting blocked you need to make adjustments.
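
The tuning advice in the post above (stay in logging mode and adjust the trigger until regular members stop tripping it) can be rehearsed offline. This is an added example, not part of the thread and not Forum Firewall's code; the rate model, the function names and the hit timestamps are assumptions constructed for illustration.

```php
<?php
// Assumed model (not taken from the mod): a visitor trips the trigger when the
// hits inside one cache-duration window, divided by the window length in
// seconds, exceed the trigger value (hits per second).

// Highest hits-per-second rate seen in any window of $window seconds.
function ff_peak_rate(array $times, int $window): float
{
    sort($times);                       // also reindexes keys to 0..n-1
    $peak = 0;
    $start = 0;
    foreach ($times as $end => $t) {
        // Slide the window start forward until it spans less than $window seconds.
        while ($t - $times[$start] >= $window) {
            $start++;
        }
        $peak = max($peak, $end - $start + 1);
    }
    return $peak / $window;
}

// Log-only pass: report who would have been banned, ban nobody.
function ff_dry_run(array $hitsByIp, int $window, float $trigger): array
{
    $wouldBan = [];
    foreach ($hitsByIp as $ip => $times) {
        $rate = ff_peak_rate($times, $window);
        if ($rate > $trigger) {
            $wouldBan[$ip] = $rate;
        }
    }
    return $wouldBan;
}

// Constructed hit times in seconds; IPs are from the documentation ranges.
$hits = [
    '192.0.2.10'   => range(0, 57, 3),         // member reading threads
    '198.51.100.7' => range(0, 19.5, 1.5),     // member refreshing for a PM
    '203.0.113.99' => range(0, 19.75, 0.25),   // fast bot
];

// With a 20-second window, 0.65 is crossed at 14 hits and 0.7 at 15 hits.
foreach ([0.65, 0.7] as $trigger) {
    $ips = array_keys(ff_dry_run($hits, 20, $trigger));
    printf("trigger %.2f would ban: %s\n", $trigger, implode(', ', $ips));
}
```

Under this model the refreshing member is caught at 0.65 but not at 0.7, while the bot is caught at both, which is the kind of gap the logging-only period is meant to reveal.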

Howard43Willard

#806
The above protection will not stop a determined attacker but it just may send them looking for easier targets.




butchs

True.  Forum Firewall is written as a supplement to existing site protection methods and should not be the only line of protection.

Sending them elsewhere for easier targets is what it is about.

huan

#808
2: strpos() [<a href='function.strpos'>function.strpos</a>]: Empty delimiter

I am getting a lot of these errors in the error log. Is there a solution for these? Thanks.

waris

Hi,

Default Curve Theme.

I just installed the forum firewall MOD which went on smoothly without a hitch.
After saving the settings the following appeared in the top bar under Forum Firewall.

Quote: SECURITY RISK: MAGIC_QUOTES ARE ON!

What do I have to uncheck to remove the above security risk?


butchs

Quote from: huan on December 30, 2012, 11:48:44 AM
2: strpos() [<a href='function.strpos'>function.strpos</a>]: Empty delimiter

I am getting a lot of these errors in the error log. Is there a solution for these? Thanks.

Will look into it and I did.  There are two "||" in a list.  Search the lists for "||" and replace with "|".

butchs

#811
Quote from: waris on December 30, 2012, 01:54:38 PM
Hi,

Default Curve Theme.
I just installed the forum firewall MOD which went on smoothly without a hitch.
After saving the settings the following appeared in the top bar under Forum Firewall.
Quote: SECURITY RISK: MAGIC_QUOTES ARE ON!
What do I have to uncheck to remove the above security risk?

Search this thread.  Your host is the only one that can adjust the settings.

huan

Quote:
if (($forumfirewall_edited <= edited) || ($forumfirewall_edited > edited) {
if((!forumfirewall_checkdns($forumfirewall_ip, $modSettings['forumfirewall_domain'])) ||
   if ((empty($modSettings['aeva_enable'])) || (!$modSettings['aeva_enable']) || (($modSettings['aeva_enable'])
if (($forumfirewall_ip == '') || (empty($forumfirewall_ip))) {
if (($forumfirewall_ip == '') || (empty($forumfirewall_ip)))
if (!isset($modSettings['forumfirewall_enable']) || !$modSettings['forumfirewall_enable']) return;


The error is from:
2: strpos() [<a href='function.strpos'>function.strpos</a>]: Empty delimiter
Apply Filter: Only show the errors from this file
File: /home//Sources/ForumFirewall.php
So I searched. These are the || that I found in Sources/ForumFirewall.php. Which one should I replace with |?

butchs

#813
No no no...   :o  Wrong spot to search...  Do not search the source code for "||"!

Go to the "Forum Firewall Admin" page in SMF and search the text in the "Robots to be tested", "Robots.txt action's", "Injection List", "XSS Events" and etc input strings.

Data entered must be in the format of "XX|YY" where XX and YY are the Entity.  Having "||" or a single "|" in the beginning or end is the reason for empty delimiter since there is nothing between the "||".  SEE ATTACHED.

huan

Empty Delimiter error fixed

Thanks. I noticed that I had ended the line with | and removed that, and now it works.
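
The empty-delimiter failure worked through in the posts above, as an added example that is not part of the thread and not Forum Firewall's code: a check that finds the empty entries a leading "|", a trailing "|" or a "||" produce in a "XX|YY" list, and a matcher that never passes an empty string to the substring search. The function names, the sample lists and the request string are hypothetical and constructed for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Split a "XX|YY" list into entries and record where the empty ones are.
function ff_parse_list(string $raw): array
{
    $entries = [];
    $emptyAt = [];
    foreach (explode('|', $raw) as $i => $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            $emptyAt[] = $i;        // index of the empty entry in the list
            continue;
        }
        $entries[] = $entry;
    }
    return ['entries' => $entries, 'empty_at' => $emptyAt];
}

// Case-insensitive substring match that skips empty needles entirely.
function ff_first_match(string $haystack, array $entries): ?string
{
    foreach ($entries as $needle) {
        if ($needle !== '' && stripos($haystack, $needle) !== false) {
            return $needle;
        }
    }
    return null;
}

// Constructed sample lists (not the mod's defaults).
$samples = [
    'clean'       => 'union select|<script|base64_decode',
    'double pipe' => 'union select||<script',
    'trailing'    => 'union select|<script|',
    'leading'     => '|union select|<script',
];
$request = 'index.php?topic=1 UNION SELECT pass';   // constructed request string

foreach ($samples as $label => $raw) {
    $parsed = ff_parse_list($raw);
    printf("%-12s empty entries at: [%s]  match: %s\n",
        $label,
        implode(',', $parsed['empty_at']),
        ff_first_match($request, $parsed['entries']) ?? 'none');
}
```

Skipping empty entries matters beyond silencing the warning: from PHP 8.0 an empty needle is accepted by strpos() and matches at offset 0, so an unfiltered empty entry would match every request.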

Greenest

If I want to install Enable admin IP confirmation, what should I write at
Admin IP low
Admin IP high
Admin Domain name

butchs

Read "BYPASS PROTECTION HELP" in the 1st post in this thread under "Frequently Asked Questions (FAQs)".

butchs

After over a year of trying to figure out how to do it I succeeded in making the next generation challenge page.  Sorry it is only available for SMF 2.0X and is used to challenge IP addresses that fail, i.e. mobile users.  The list of security features and checks to the challenge include all those recommended by OWASP, others and my own tricks.

I was not able to find the Portuguese translator so bear with my lousy Portuguese translation.

Changes as follows:

  • Robot UAs updated.
  • Added easter egg to ban bots scans.
  • Updated SQL injection list.
  • Un-idefined proxy error fixed - thanks societyofrobots.
  • Added allow_url_fopen & allow_url_include test.
  • Fixed Strict Standards - thanks baldur2630.
  • Added "Challenge Failed IP's " to Admin options in 2.0x ONLY.  PHP 5.2.0 or greater and GD is required.   Useful to those who have a bunch of cell phone visitors whose proxy is questionable.  Users can log in or try to pass the challenge.  Passing will give them guest access until midnight as long as they do not violate the dos test.  Failing will get them blocked until the cache expires.  If you are using a honey pot in the Bad Behavior mod for SMF the challenge page will transfer the visitor to the honey-pot if they click the wrong choice.  See attached picture.

pedropais

Hi.

Thanks for making this mod available. It's been very useful, but ever since I installed/enabled it, my Apache gets filled with the following errors:
[Fri Feb 01 15:50:08 2013] [notice] child pid 14130 exit signal Bus error (7)
[Fri Feb 01 17:10:49 2013] [notice] child pid 16329 exit signal Bus error (7)
[Fri Feb 01 18:47:41 2013] [notice] child pid 18495 exit signal Bus error (7)


Is there something I can do about that?

Regards

butchs

Could just be bad timing...  The only part of the mod that may use Apache is the country id and the mod checks to see that "apache_note" exists.  PHP mods rarely cause that type of error.  Seems to be a PHP or Apache issue with the host.

Try stopping and restarting Apache.  Next try upgrading PHP and/or Apache.  Or ask your host to.  Third see if geoIP is fully enabled...  But do not mention the mod.  An overseller may point fingers just to do nothing.
