What is happening
Lately, a number of forums have reported ongoing attacks by malicious users repeatedly hitting their pages, especially the login pages. There appear to be several different types of attack in progress, and SMF forums are not the only sites being targeted.
How to better protect your forum
If you are on SMF 2.0 RC4 or an earlier version, you may also have had reports of members being logged out when they should not have been. This is a side effect of bots trying a large number of random passwords against member accounts. If you have this problem, please install the
SMF 2.0 RC4 Security Patch or upgrade to
SMF 2.0 RC5 to fix this behavior.
On a number of forums, bots attack the login pages, trying random passwords for your member accounts. If you see many more "invalid password" errors in your forum error log than usual, your forum may be experiencing one of these attacks. On other forums, you may see more requests to action=login2 in your webserver logs than you see "invalid password" entries in the SMF error log. If you see this, please let us know here, or feel free to contact me at norv@simplemachines.org.
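The second symptom above (a flood of action=login2 requests) can be measured directly from the webserver access log. The script below is an added example, not part of this announcement or of SMF itself: it parses combined-format log lines, counts POST requests to action=login2 per client IP, and flags sources above a threshold. The log lines and the threshold of 5 are constructed for the demonstration; tune the threshold to your own traffic.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not from a real forum).
# 203.0.113.5 hammers the login handler; 198.51.100.7 logs in once; 192.0.2.9 just browses.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Feb/2011:10:01:01 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2011:10:01:02 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2011:10:01:03 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2011:10:01:04 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2011:10:01:05 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2011:10:01:06 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2011:10:02:10 +0000] "GET /index.php?action=login HTTP/1.1" 200 3901 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2011:10:02:25 +0000] "POST /index.php?action=login2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2011:10:03:00 +0000] "GET /index.php?board=1.0 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

# Fields of the combined format we care about: client IP, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def login2_attempts(log_text):
    """Count POST requests to the SMF login handler (action=login2) per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed or unrelated line
        if m["method"] == "POST" and "action=login2" in m["path"]:
            counts[m["ip"]] += 1
    return counts


def suspicious_ips(counts, threshold):
    """IPs that submitted the login form at least `threshold` times in the log window."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = login2_attempts(SAMPLE_ACCESS_LOG)
    print("login2 POSTs per IP:", dict(counts))
    print("total login2 POSTs:", sum(counts.values()))
    print("suspicious (>= 5):", suspicious_ips(counts, 5))
```

Compare the total it reports with the number of "invalid password" entries in the SMF error log for the same period; a large gap between the two is the second pattern described above.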
Set the password strength to high in your Admin panel: Security and Moderation > Required strength for user passwords.
Use strong passwords for your own accounts, and do not reuse your password at multiple sites. Advise your members to follow these rules, too. A strong password has 8 or more characters and is not a dictionary word or a common, easily guessed combination of characters.
Additional protection for your members' accounts
We have verified that several forums have gotten very good protection from these attacks by using httpBL or a forum spam stop mod combined with a Tor blocker.
1. Switch to email login instead of username (cb|Emailogin)
Because it requires members to log in with a value that is not displayed publicly (their email address) instead of a username that is visible in posts and member lists, it makes member accounts harder for bots to target. Note that an email address is not truly secret, so this raises the cost of an attack rather than preventing it. This option may not be appropriate for all forums. It can be inconvenient on big boards. You know best whether it is suitable for your forum.
2. Add verification to the login page (Login verification)
This mod enhances the login page by adding security verification, just as can be done during registration. We strongly recommend using custom questions rather than a Captcha: questions that a human would answer easily but a bot could not guess work well. Once you install it, the settings in your forum admin panel under
Security and Moderation > Anti-Spam:
> Require verification on registration and login pages
> Visual verification image to display
> Number of verification questions user must answer
> Verification Questions
will be applied to both registration and login pages.
In addition, the mod enhances logging in your SMF error log.
3. Blacklist IPs after a configurable number of failed login attempts (Login Security)
Please see the mod's readme for the added features it provides. This may cause problems for members who receive dynamic IPs from their ISPs (a legitimate member can inherit an address that was blacklisted while an attacker held it), but it may help. You decide whether this is a good choice for your forum.
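To make the trade-off in item 3 concrete, here is an added example (not the Login Security mod's code, whose behaviour is described in its readme) of a failed-login tracker that blocks a source IP after too many failures inside a sliding window and lets the block expire. The expiry is what limits the damage to members on dynamic IPs: a blacklist with no expiry keeps punishing whoever inherits the address. Thresholds, window and block duration below are illustrative values.

```python
from collections import defaultdict, deque


class FailedLoginTracker:
    """Per-IP failed-login counter with a sliding window and a time-limited block.

    Hypothetical illustration of "blacklist IPs after N failures"; timestamps are
    plain unix seconds passed in by the caller so the logic is deterministic.
    """

    def __init__(self, max_failures=5, window_seconds=600, block_seconds=3600):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> unix time when the block expires

    def _prune(self, ip, now):
        """Drop failures older than the window so slow, spread-out failures do not accumulate."""
        q = self._failures[ip]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def is_blocked(self, ip, now):
        """True while a block is in force; an expired block is cleared on the way out."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Block expired: forget the history too, so a member who has just been
            # assigned this dynamic IP starts with a clean slate.
            del self._blocked_until[ip]
            self._failures[ip].clear()
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login. Returns True if the IP is (now) blocked."""
        if self.is_blocked(ip, now):
            return True
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_seconds
            return True
        return False

    def record_success(self, ip, now):
        """A successful login resets the failure history for that IP."""
        self._failures[ip].clear()


if __name__ == "__main__":
    t = FailedLoginTracker(max_failures=3, window_seconds=60, block_seconds=300)
    for ts in (0, 10, 20):
        print("bot failure at", ts, "-> blocked:", t.record_failure("203.0.113.5", ts))
    print("still blocked at t=100:", t.is_blocked("203.0.113.5", 100))
    print("block expired at t=320:", not t.is_blocked("203.0.113.5", 320))
```

In a real deployment the counters live in a shared store (the forum database or a cache) rather than in memory, and keying on the target account as well as the source IP catches attackers who rotate addresses while guessing one member's password.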
Protect your forum from the attacking IPs
4. Install anti-spam mods
For example,
httpBL is an implementation of the
Project Honeypot API. The project gathers reports of suspicious activity by IP address, and the mod uses their online database to block blacklisted IPs before they can do anything on your forum. Since Project Honeypot appears to verify reports from more than one source before blacklisting an IP, their database has a good chance of being accurate.
There are many other mods for fighting spammers; please see the
Customize site.
5. Temporarily block access to your forum through Tor
These mods have been tested and should work. The first has been more thoroughly tested.
Tor Blocker
Tor access
The Tor service simply provides an anonymizing proxy to users all over the world, and there is nothing wrong with that. Unfortunately, these days it has been heavily used by malicious users. Evidence of this use has shown up on quite a number of forums we have checked. Be aware that blocking Tor also blocks legitimate members who rely on it, which is why this is suggested as a temporary measure.
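The http:BL lookup behind item 4 is a DNS query, which is why the check can run before the forum does any work. The code below is an added example, not the httpBL mod's code: it builds the query name (access key, then the IP with its octets reversed, under dnsbl.httpbl.org), decodes the 127.<days>.<threat>.<type> answer, and applies a blocking policy. The access key "abcdefghijkl", the answers in FAKE_ZONE and the thresholds are constructed for the demonstration; a real key is issued by Project Honeypot, and passing no resolver performs a live lookup.

```python
import ipaddress
import socket

HTTPBL_ZONE = "dnsbl.httpbl.org"

# Visitor-type bits carried in the last octet of an http:BL answer.
TYPE_BITS = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def httpbl_query_name(access_key, ip):
    """<access key>.<reversed IPv4 octets>.dnsbl.httpbl.org"""
    addr = ipaddress.IPv4Address(ip)  # raises on anything that is not an IPv4 address
    reversed_ip = ".".join(reversed(str(addr).split(".")))
    return f"{access_key}.{reversed_ip}.{HTTPBL_ZONE}"


def decode_httpbl_answer(answer):
    """Decode a 127.<days>.<threat>.<type> answer into a dict."""
    octets = [int(o) for o in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"unexpected http:BL answer {answer!r}")
    _, days, threat, type_bits = octets
    if type_bits == 0:
        # Type 0 is a known search engine; the third octet then identifies the
        # engine rather than carrying a threat score, so it is not used here.
        return {"listed": True, "search_engine": True,
                "days_since_last_activity": days, "threat_score": 0, "types": []}
    return {"listed": True, "search_engine": False,
            "days_since_last_activity": days, "threat_score": threat,
            "types": [name for bit, name in TYPE_BITS.items() if type_bits & bit]}


def lookup(access_key, ip, resolver=None):
    """Return the decoded listing for `ip`, or None if it is not listed (NXDOMAIN)."""
    resolve = resolver or socket.gethostbyname
    try:
        answer = resolve(httpbl_query_name(access_key, ip))
    except socket.gaierror:
        return None
    return decode_httpbl_answer(answer)


def should_block(info, max_threat=25, max_days=30):
    """Block only recent, high-scoring listings; never block search engines."""
    if info is None or info["search_engine"]:
        return False
    return info["threat_score"] >= max_threat and info["days_since_last_activity"] <= max_days


# Constructed offline stand-in for the DNS zone so the example runs without network access.
FAKE_ZONE = {
    httpbl_query_name("abcdefghijkl", "203.0.113.5"): "127.3.40.6",    # harvester + comment spammer
    httpbl_query_name("abcdefghijkl", "198.51.100.7"): "127.0.1.0",    # search engine crawler
    httpbl_query_name("abcdefghijkl", "192.0.2.10"): "127.120.60.1",   # high score but stale
}


def fake_resolver(name):
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror(f"{name}: not listed")


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.10", "192.0.2.9"):
        info = lookup("abcdefghijkl", ip, fake_resolver)
        print(ip, "->", info, "block:", should_block(info))
```

The "days since last activity" field matters for the same reason as in item 3: an address that was a spam source months ago may belong to someone else now, so a threat score alone is a poor blocking criterion.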
Other enhancements
Targeted at login bots: the Login detector mod. It works perfectly fine on many forums, successfully preventing invalid bot login attempts.
Helpful mods for these and related problems:
Bad Behavior mod, targeting spam and other malicious attempts against your site.
Forum Firewall, targeting a wide range of possible attacks on the security of your site.
We are monitoring a number of forums and working on enhancing the options presented above and adding more. Please try what you think is appropriate for your forum. Search this forum for problems similar to yours to find out how other forum owners have solved them. Please let us know what works for you.
For support on any of the mods listed above, please use the appropriate mod support thread.