SMF Security Concerns - Ask Security Questions when Multiple Failed logins Occur

Started by xrunner, February 16, 2011, 08:49:57 AM

Previous topic - Next topic

xrunner

Referencing this current bot attack -

http://www.simplemachines.org/community/index.php?topic=416928.0

I humbly suggest and ask that more security features be added to SMF2.0, as soon as possible. I would start by suggesting that a member have several personal security questions in their profile that they can make themselves, such as "What street did you grow up on?". These security question would have to be answered if a given scenario was met, such as exceeding x number of failed login attempts over x minutes or hours (not necessarily x number in a row). The member account should be locked down until the questions are answered, or an Admin can contact the user and determine why they had so many failed login attempts.

If there are better ideas, then implement those ideas - SOON!

It has come to many of our attentions that this problem is not going to go away, and will only get worse as time goes on. More and better attacks will be orchestrated, and now is the time to add more security to SMF - Built-In security.

Thank you for your attention.

Illori

1.1.1* branch as well as 2.0* branch are feature locked, even if smf were to work on such a feature it would not be part of the core due to that feature lock. this could though be requested as a mod and then you could install it as you wish.

xrunner

Quote from: Illori on February 16, 2011, 08:54:44 AM
1.1.1* branch as well as 2.0* branch are feature locked, even if smf were to work on such a feature it would not be part of the core due to that feature lock. this could though be requested as a mod and then you could install it as you wish.

They need to make an exception then, this is too important to overlook. An exception for security is reasonable and prudent. Times are changing faster than SMF can react, unfortunately.

Illori

this is a feature request not a security fix. a security fix will fix a possible known security breach in the software. http://www.simplemachines.org/community/index.php?topic=322506.0

Aleksi "Lex" Kilpinen

Any way to Block TOR networks, even a full out Proxy Blocker, combined with HttpBL Mod (and Project Honeypot) will deter most of these attackers.

That said, I do believe this issue will be further discussed in team.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

xrunner


Arantor

Firstly, more than one of the forums I run has not been affected AT ALL. Admittedly, one is private and so usernames aren't visible to guess, and the others don't match the terms being used by the attack to find sites...

Secondly, I disagree that it should be added by default. As evidenced above, I don't have the issues others are having, but that's because I know my way around various coding techniques to convince them to go away/remain hidden in the first place. I would anticipate the coding techniques will become more relevant after 2.0 final anyway, but that's another story.

The fact remains that there is no technical measure that can stop this. Sure, you can have security questions for users, but some forums allow guest posting, which leads towards making it as painless to post as possible. You're potentially talking about making it easier to register for online banking (which doesn't have as many things to fill in as you're talking about!) than a humble community.

Additionally, I'll echo what the above have said: if you add new features to 2.0 now, they have to be tested etc. which means 2.0 final probably won't happen this year. After 5 years, it would be nice to get it finished. Additionally, as said, 1.1 is in security-only mode, this is NOT a security issue. It's not a vulnerability that didn't exist before, it's not a vulnerability unique to SMF... it's a vulnerability of sorts that affects most types of software out there.

xrunner

I'm going to keep pressing this issue for a bit ...

Quote from: Arantor on February 16, 2011, 09:16:40 AM
Firstly, more than one of the forums I run has not been affected AT ALL. Admittedly, one is private and so usernames aren't visible to guess, and the others don't match the terms being used by the attack to find sites...

All forums don't have to be affected for it to be a concern.

Quote
Secondly, I disagree that it should be added by default. As evidenced above, I don't have the issues others are having, but that's because I know my way around various coding techniques to convince them to go away/remain hidden in the first place. I would anticipate the coding techniques will become more relevant after 2.0 final anyway, but that's another story.

I'm very glad you can code your way around it - but most others can't, so that doesn't help them.

Quote
The fact remains that there is no technical measure that can stop this. Sure, you can have security questions for users, but some forums allow guest posting, which leads towards making it as painless to post as possible. You're potentially talking about making it easier to register for online banking (which doesn't have as many things to fill in as you're talking about!) than a humble community.

It's not about stopping it, it's about putting in security measures that can make SMF more secure. No attack can ever be stopped 100%. But we have to move with the times, and the times they are a changin (fast).

Quote
Additionally, I'll echo what the above have said: if you add new features to 2.0 now, they have to be tested etc. which means 2.0 final probably won't happen this year. After 5 years, it would be nice to get it finished. Additionally, as said, 1.1 is in security-only mode, this is NOT a security issue. It's not a vulnerability that didn't exist before, it's not a vulnerability unique to SMF... it's a vulnerability of sorts that affects most types of software out there.

OK, so it takes another year. If it's more secure then so be it. Why sacrifice security for a final release if the final release has security issues that are KNOWN. What's more important? To me it's security, but if a final release is more important to the powers that be, then I can't do anything about it except what I'm doing here. If they ignore these concerns then I've done what I could do.

These attacks will only get more sophisticated as time goes on. What is SMF going to do about it - stand still as the hackers grow better and better? I surely hope that isn't the case!

Norv

Strengthening security is a security fix IMO.

Unfortunately, for the main problem here - the attacks themselves - SMF itself cannot help, but there are third party mods that can help.

Thank you, xrunner. We're keeping an eye on all this, and looking for solutions applicable if possible, to a wide range of forums. Please however, do consider to use one or more of these mods like httpBL, to block a range of them, that's the best thing you can do for this exact moment IMHO.
More ideas and information are appreciated, anywhere - be it the other relevant threads on the support boards or here.
If the affected forum admins agree to provide us your server access and error logs, it would be very (very!) useful, too.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

xrunner

Quote from: Norv on February 16, 2011, 09:57:05 AM

Thank you, xrunner. We're keeping an eye on all this, and looking for solutions applicable if possible, to a wide range of forums.

Thank you for listening.


IchBin™

Your idea in the first post xrunner would drive a lot of people crazy. If a bot starts hitting all these user accounts on forums and forces people to answer their own security questions every time they come to the forum, people will probably stop visiting forums. lol But I do see your point. One thing that's been suggested before, but not in this topic is to change the login to require the email login instead of username.

http://custom.simplemachines.org/mods/index.php?mod=1665
IchBin™        TinyPortal

xrunner

Quote from: IchBin™ on February 18, 2011, 12:38:58 PM
Your idea in the first post xrunner would drive a lot of people crazy. If a bot starts hitting all these user accounts on forums and forces people to answer their own security questions every time they come to the forum, people will probably stop visiting forums.

No, not every time they visit the forum.

Example: My "known" computer is in my house. It has a technical footprint of IP, and other things that are collected. If some hacker tries to log in from India, the footprint of the machine doesn't match my "known" computer, so they have to answer security questions. If they can't answer the questions, they don't get a chance to even submit a password. It doesn't affect me logging in from the same home computer. I can also have footprints of several other computers, such as work or a friend's house.

IchBin™

IchBin™        TinyPortal

Norv

Please see also, for further information and options,
Simple Machines Forums attacks

Any further ideas and information as to what works for your forum will be appreciated.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

Advertisement: