Simple Machines Forums attacks

Started by Norv, February 19, 2011, 04:33:48 PM


b4pjoe

Quote from: aoife on February 20, 2011, 09:49:39 AM
Quote from: LexArma on February 20, 2011, 12:45:56 AM
Disabling Tor access, setting up a honeypot and installing httpBL worked very well for me, and I've also been able to keep other bots like spammers at bay with this setup very well.

I'd love to be able to use httpBL but don't run my own server.  I've installed Arantor's patch and it's cut down the number of login attempts significantly but my main forums are still getting hit with registration attempts by bots that are blacklisted in the Project Honey Pot database. I closed registration several days ago so they can't get in, just fill up my error log.

Thanks to all who have been and are still working on these issues! I appreciate everyone's efforts!

Check out QuickLinks at the HoneyPot site. It's for people that don't have server access.

robbie93

I woke up to nine pages of errors today guys. It seems one set of errors has been replaced by another; I'm now getting nine pages of these.

Guest
195.191.54.64   
Type of error: User 
http://robbie93andhotchildxox.net/index.php?action=login2
The letters you typed don't match the letters that were shown in the picture

busterone

Quote from: aoife on February 20, 2011, 09:49:39 AM
I'd love to be able to use httpBL but don't run my own server.  I've installed Arantor's patch and it's cut down the number of login attempts significantly but my main forums are still getting hit with registration attempts by bots that are blacklisted in the Project Honey Pot database. I closed registration several days ago so they can't get in, just fill up my error log.

Thanks to all who have been and are still working on these issues! I appreciate everyone's efforts!
You don't need to have server level access to use the httpBL mod or install a honeypot. As long as you have FTP access and cPanel (or whatever control panel your host uses), the mod works. See the documentation at http://www.projecthoneypot.org. In short, install the honeypot within your webspace directory structure somewhere, get an API key, install httpBL, and enter the honeypot's URL and your API key in the admin section of the mod. Hide your links in your forum and any other site you may have running and you are done.

Aoife

Quote from: busterone on February 20, 2011, 11:20:21 AM
Quote from: aoife on February 20, 2011, 09:49:39 AM
I'd love to be able to use httpBL but don't run my own server.  I've installed Arantor's patch and it's cut down the number of login attempts significantly but my main forums are still getting hit with registration attempts by bots that are blacklisted in the Project Honey Pot database. I closed registration several days ago so they can't get in, just fill up my error log.

Thanks to all who have been and are still working on these issues! I appreciate everyone's efforts!
You don't need to have server level access to use the httpBL mod or install a honeypot. As long as you have FTP access and cPanel (or whatever control panel your host uses), the mod works. See the documentation at http://www.projecthoneypot.org. In short, install the honeypot within your webspace directory structure somewhere, get an API key, install httpBL, and enter the honeypot's URL and your API key in the admin section of the mod. Hide your links in your forum and any other site you may have running and you are done.

oh ok, kewl! I'll do that!  I do have a QuickLink installed too, btw - on all my sites and forums.  Thank you for the info!


busterone


Norv

February 20, 2011, 11:50:48 AM #45 Last Edit: February 20, 2011, 11:57:05 AM by Norv
Quote from: robbie93 on February 20, 2011, 11:10:29 AM
I woke up to nine pages of errors today guys. It seems one set of errors has been replaced by another; I'm now getting nine pages of these.

Guest
195.191.54.64   
Type of error: User 
http://robbie93andhotchildxox.net/index.php?action=login2
The letters you typed don't match the letters that were shown in the picture


None of these mods can STOP the bots from trying. Bots are trying. It's a fact of the internet.
Some of the mods log the attempts in SMF's error log (which IMHO it's useful for the admin to know that the attempts are happening on their forum), some don't, but they enhance protection nonetheless.
If you installed a mod that doesn't log anything, I would recommend taking a look in your web server access log, to see if there are many requests to login2 or register2. You might find there are, meaning bots are still trying.

So what you see means probably that bots are trying, but they're stopped by Captcha on the login page. I strongly recommend activating a custom question too. Even a simple question like "3 + 2 = ?" would be useful.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github
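
The access-log check Norv suggests above, as an added example (not part of the original thread or SMF's own code): it counts requests to `action=login2` and `action=register2` per client IP in combined-format log lines. The sample lines, the IP addresses and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [20/Feb/2011:03:10:01 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 5120 "-" "bot"
198.51.100.7 - - [20/Feb/2011:03:10:02 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 5120 "-" "bot"
198.51.100.7 - - [20/Feb/2011:03:10:03 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 5120 "-" "bot"
198.51.100.7 - - [20/Feb/2011:03:10:04 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 5120 "-" "bot"
203.0.113.20 - - [20/Feb/2011:03:11:00 +0000] "POST /index.php?action=register2 HTTP/1.1" 200 4096 "-" "bot"
203.0.113.20 - - [20/Feb/2011:03:11:05 +0000] "POST /index.php?action=register2 HTTP/1.1" 200 4096 "-" "bot"
203.0.113.20 - - [20/Feb/2011:03:11:09 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 5120 "-" "bot"
192.0.2.15 - - [20/Feb/2011:08:00:00 +0000] "GET /index.php?action=login HTTP/1.1" 200 3000 "-" "Firefox"
192.0.2.15 - - [20/Feb/2011:08:00:09 +0000] "POST /index.php?action=login2 HTTP/1.1" 302 0 "-" "Firefox"
192.0.2.15 - - [20/Feb/2011:08:00:10 +0000] "GET /index.php?topic=12.0 HTTP/1.1" 200 9000 "-" "Firefox"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)
# SMF separates query parameters with ';' as well as '&', so accept both.
ACTION_RE = re.compile(r'[?&;]action=(login2|register2)(?:[&;#]|$)')

def count_attempts(log_text):
    """Return {ip: Counter({'login2': n, 'register2': m})} for matching requests."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        action = ACTION_RE.search(m.group("url"))
        if action:
            hits[m.group("ip")][action.group(1)] += 1
    return dict(hits)

def noisy_clients(hits, threshold=3):
    """IPs whose login2 + register2 request count reaches threshold, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in hits.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: (-totals[ip], ip))

if __name__ == "__main__":
    hits = count_attempts(SAMPLE_LOG)
    for ip in noisy_clients(hits):
        print(ip, dict(hits[ip]))
```

A member logging in normally produces a single `login2` request, so the per-IP total is what separates the bots from ordinary traffic in this sample.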

codenaught

I assume that this is going to be addressed in the final release of 2.0. :)

Good luck continuing to handle all this nonsense. It's a shame how bad people force us to spend time on malicious prevention instead of on innovation at times.
Dev Consultant
Former SMF Doc Coordinator

robbie93

Quote from: Norv on February 20, 2011, 11:50:48 AM


None of these mods can STOP the bots from trying. Bots are trying. It's a fact of the internet.
Some of the mods log the attempts in SMF's error log (which IMHO it's useful for the admin to know that the attempts are happening on their forum), some don't, but they enhance protection nonetheless.
If you installed a mod that doesn't log anything, I would recommend taking a look in your web server access log, to see if there are many requests to login2 or register2. You might find there are, meaning bots are still trying.

So what you see means probably that bots are trying, but they're stopped by Captcha on the login page. I strongly recommend activating a custom question too. Even a simple question like "3 + 2 = ?" would be useful.

Ok, I added the question to the login page also, I'm not very good at mathematics so I used your example.  :D

Arantor

Quote: I assume that this is going to be addressed in the final release of 2.0.

This specific bot with this specific hack, I doubt it. It's not elegant enough nor broad enough to catch the entire set of bad behaviours. It just targets the MO of this specific bot.

I should note that there is discussion underway about nailing down the entire subsystem that the bot uses to try getting in, which would make it a general strengthening rather than something specific.
No good deed goes unpunished
All helpful urges should be circumvented

Norv

February 20, 2011, 01:44:23 PM #49 Last Edit: February 20, 2011, 01:50:10 PM by Norv
Quote from: akabugeyes on February 20, 2011, 01:25:34 PM
I assume that this is going to be addressed in the final release of 2.0. :)

Good luck continuing to handle all this nonsense. It's a shame how bad people force us to spend time on malicious prevention instead of on innovation at times.

There will be improvements allowing to strengthen security. Thank you. :)

butchs

As far as bots go, I have been battling them over a year with Bad Behavior (recently re-written) and Forum Firewall and quite frankly they are no longer an issue for me.  The American way:  Block first, ask questions later works great.  Every now and then I will see a straggler.   That is it!

I believe SMF should concentrate on the things that cause the errors in the error logs.  Because bugs are a favorite target of bots.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Arantor

The matter I refer to is something I consider a bug ;)

Masterd


SomaliDoc

Login detector worked for me as well, but there is still a problem: members can't log in to the forums on the first try; they have to enter the password again to log in.

When they first log in, the login2 page shows up with the message "Password Incorrect", but when they put the same correct password again they are in.

Is this problem related to the bot issue, and how can I solve it?

Thanks

Aoife

Quote from: SomaliDoc on February 21, 2011, 11:51:21 AM
Login detector worked for me as well, but there is still a problem: members can't log in to the forums on the first try; they have to enter the password again to log in.

When they first log in, the login2 page shows up with the message "Password Incorrect", but when they put the same correct password again they are in.

Is this problem related to the bot issue, and how can I solve it?

Thanks

I've had issues with this as well, without having any of the mods listed in this thread installed. It seems to happen after the members have requested a password reminder and changed their passwords.



b4pjoe

I have the login detector and httpBL installed and have not seen this issue on RC5.

SomaliDoc

Quote from: aoife on February 21, 2011, 12:02:21 PM
Quote from: SomaliDoc on February 21, 2011, 11:51:21 AM
Login detector worked for me as well, but there is still a problem: members can't log in to the forums on the first try; they have to enter the password again to log in.

When they first log in, the login2 page shows up with the message "Password Incorrect", but when they put the same correct password again they are in.

Is this problem related to the bot issue, and how can I solve it?

Thanks

I've had issues with this as well, without having any of the mods listed in this thread installed. It seems to happen after the members have requested a password reminder and changed their passwords.




This is happening all the time even without requesting a password reminder?
Does anyone know what's going on in my forum?

ethankcvds

Quote from: Arantor on February 19, 2011, 05:08:22 PM
Quote: Is there a maximum password length (some of my users want to go to the max)?

I don't believe there is. If there IS, it'll be something like 50 characters.

You'll laugh but it is true (On SMF 2.0 at least) that you can use a 99 + character password.
No PMs for support please!


Joshua Dickerson

Looks like your theme or a mod is broken.
Come work with me at Promenade Group


