
Bots, Hacking and Other Mischief

Started by BillLeeDee, April 20, 2013, 09:17:47 AM


BillLeeDee

I've been running SMF for years and love it (kudos to the team) and have been here on occasion for support (thanks to all the contributors here) and would like some opinions / guidance on something regarding my forums.

The oddity occurs more than 95% of the time. When I see a guest IP on my forum I immediately add it to my ban list as a "can't login" block. Anywhere from seconds to about two days later I see these IPs trying to log in with unknown credentials. I've had people email me via my blind contact form but I am suspicious, especially when they use one of the freebie web email addresses. FYI: I've disabled the quick log-in to see if that does any good, but I'm convinced that it has to be bots when looking at my server's visitor logs.

I wonder if this is really happening or is some sort of abnormality. I pretty much have a decent handle on spam thanks to a large list of challenge questions, httpBL, StopForumSpam, StopSpammer, and Bad Behavior. I block all the free email addresses with Restrict Email Providers on Registration, but I wonder if I am doing a disservice by doing so. I have actual members who have used these email addresses, but it seems those addresses are quite common. I had seen sign-ups with a web address in the past, and other than a log-in I see an abandoned account, which I delete after a period of time to eliminate a possible security hole.

I've entered a variety of IP addresses and ranges in my forum and site htaccess files but the problem is the file becomes so large that the server bogs to unacceptable performance.

Is there a built-in method to restrict the number of posts a particular member group can make, or is this only available as a mod? I make all my registrations admin-approval only, and their membership is assigned manually and not by post count, to restrict viewing until proven meaningful participation.

Also, I'd be interested in the experiences any long-term forum admins and mods have as far as dealing with these situations.

Sorry for being so wordy but I wanted to convey my observations and remedies for clear understanding. I thank everyone in advance for their considered opinions and offerings of advice.

Kindred

no I don't believe that there is any way to do what you are asking....

I will say something about your comments though...
1- Stop Forum Spam and Stop Spammer do the same thing - why do you have both of them?
2- adding IP bans to your SMF ban list will indeed bog down your system. Why do you bother?
3- some of those may be spiders... why do you immediately ban IPs like that?
4- just because someone is "hitting" an action in your list does not mean that they are completing it.

I have Questions, Stop Spammer and Bad Behavior + httpBL - I don't bother with bans at all... and I have not had a spammer successfully register in over a year.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

BillLeeDee

Quote from: Kindred on April 20, 2013, 11:23:02 AM
1- stop forum spam and stop spammer do the same thing - why do you have both of them?

I was unaware they serve the exact same function. Reading each mod's description makes it appear they were different in some aspect.

Quote from: Kindred on April 20, 2013, 11:23:02 AM
2- adding IP bans to your SMF ban list will indeed bog down your system. Why do you bother?
3- some of those may be spiders... why do you immediately ban IPs like that?

Why would a spider or bot attempt to force a login to any forum? I only check the log-in box when adding bans and I get a slew of hits. Are you telling me the SMF software is faulty and that any visitor will trigger false log-in attempts? I've gone to several free wifi spots and browsed my forums as a guest and never get false log-ins for those IPs.

Quote from: Kindred on April 20, 2013, 11:23:02 AM
4- just because someone is "hitting" an action in your list does no mean that they are completing it.

So, are you telling me SMF will think anybody browsing is triggering a log-in attempt? If so, it sounds like a fatal flaw in the software if you ask me.

In a day when you find people trying SQL injections and other hacking activities, you don't sound all that concerned. That's one reason I decided to block the disposable email addresses from registering.

Kindred

what are you talking about?

When you view the "who's online" it takes a snapshot of the ACTION that is being performed. (you know, the one in the url)

So yes... bots will hit the action=login frequently because the login button is visible on every page and the bots try every link out of every page.

This is not an "attempted login" or a "force" - it just means that someone who is on your site is on the page which is reached by action=login.

There is no security issue or flaw... if they don't complete the login form, nothing happens. If they do complete the form, but do not have valid credentials, then they are bounced out.

I think you have a serious misunderstanding of actual security practices versus supposed or perceived flaws.
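As an added illustration of the distinction Kindred draws (a hit on action=login is just a page view; only a submitted form is a login attempt), here is example code that is not from the thread or from SMF. It assumes Apache combined-log format and that the SMF 2.0 login form submits to action=login2; the log lines below are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log format (not real traffic).
# Documentation/example addresses only: 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Apr/2013:09:17:47 -0400] "GET /forum/index.php?action=login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
203.0.113.10 - - [20/Apr/2013:09:17:48 -0400] "GET /forum/index.php?action=register HTTP/1.1" 200 6001 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
198.51.100.7 - - [20/Apr/2013:09:20:01 -0400] "GET /forum/index.php?action=login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2013:09:20:09 -0400] "POST /forum/index.php?action=login2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.200 - - [20/Apr/2013:09:21:00 -0400] "POST /forum/index.php?action=login2 HTTP/1.1" 200 5300 "-" "python-requests/1.2"
192.0.2.200 - - [20/Apr/2013:09:21:01 -0400] "POST /forum/index.php?action=login2 HTTP/1.1" 200 5300 "-" "python-requests/1.2"
192.0.2.200 - - [20/Apr/2013:09:21:02 -0400] "POST /forum/index.php?action=login2 HTTP/1.1" 200 5300 "-" "python-requests/1.2"
"""

# Client IP, request method, request path and status code from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def classify(line):
    """Return (ip, kind): kind is 'login_page' for a GET of the login form,
    'login_submit' for a POST of credentials, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    action = parse_qs(urlsplit(m['path']).query).get('action', [''])[0]
    if m['method'] == 'GET' and action == 'login':
        return m['ip'], 'login_page'          # link follow: what "who's online" shows
    if m['method'] == 'POST' and action == 'login2':  # assumed SMF form target
        return m['ip'], 'login_submit'        # an actual credential submission
    return m['ip'], None


def summarize(log_text, submit_threshold=3):
    """Per-IP counts of form views vs. submissions, plus IPs at or above the
    submission threshold (repeated POSTs are what merit a closer look)."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[1]:
            counts[hit[0]][hit[1]] += 1
    flagged = sorted(ip for ip, c in counts.items() if c['login_submit'] >= submit_threshold)
    return {ip: dict(c) for ip, c in counts.items()}, flagged


if __name__ == '__main__':
    per_ip, suspicious = summarize(SAMPLE_LOG)
    for ip, c in per_ip.items():
        print(ip, c)
    print('repeated submitters:', suspicious)
```

Run against a real access log, this separates the bot that merely fetched the login page from the client that repeatedly posted credentials, which is the only one worth a ban.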

BillLeeDee

Quote from: Kindred on April 20, 2013, 11:39:07 AM
When you view the "who's online" it takes a snap shot of the ACTION that is being performed. (you know, the one in the url)

So yes... bots will hit the action=login frequently because the login button is visible on every page and the bots try every link out of every page.

So, if I understand your thinking, when I see hundreds per day and thousands of total log-in attempts emanating from IP addresses that resolve to web hosts in China, Germany, Malaysia, Brazil and elsewhere I'm just supposed to ignore these? Sounds like flawed thinking, especially when I see my Apache logs full of other nonsense (hacking attempts unrelated to my SMF installation) coming from these same IP addresses.

Quote from: Kindred on April 20, 2013, 11:39:07 AM
I think you have a serious misunderstanding of actual security practices versus supposed or perceived flaws.

I don't think so. I believe you're under some delusion that people shouldn't be worried about all the bot activity emanating online.

TheListener

Quote
I don't think so. I believe you're under some delusion that people shouldn't be worried about all the bot activity emanating online.

The only spiders worth worrying about are the ones with eight legs.

Arantor

I think you're both partly right and both partly wrong.

If you are concerned at bot activity from countries like China, by all means block them. But do so at the webserver level, not the SMF level. That of course assumes that you won't ever have legitimate traffic from those places, and without knowing what your forum is about it's impossible to judge whether that is a valid assertion or not.

This forum, for example, cannot legitimately block any country because there are people from all kinds of countries that use the software.

On the other hand, your forum might be a local-based forum for local people, so it would be legitimate to block IP addresses from other countries without affecting legitimate users. Sites need to figure out where on the spectrum they are between the two.

A fair number of them will be harmless bots that just follow every link. It does happen (because there are a surprising number of vertical search engines).

Just as a thought, users who are just logging into the forum (because not every one stays logged in all the time) will be caught by your same approach.

xrunner

Quote from: radiocitybill on April 20, 2013, 12:24:25 PM
So, if I understand your thinking, when I see hundreds per day and thousands of total log-in attempts emanating from IP addresses that resolve to web hosts in China, Germany, Malaysia, Brazil and elsewhere I'm just supposed to ignore these?

I've seen them for years. I don't even look at them much, but I just checked and yeah - they are still there -

Guest whatever-IP-xxx Logging into the forum.

All day all night all the time.

winniethepooh

Quote from: radiocitybill on April 20, 2013, 12:24:25 PM
Quote from: Kindred on April 20, 2013, 11:39:07 AM
When you view the "who's online" it takes a snap shot of the ACTION that is being performed. (you know, the one in the url)

So yes... bots will hit the action=login frequently because the login button is visible on every page and the bots try every link out of every page.

So, if I understand your thinking, when I see hundreds per day and thousands of total log-in attempts emanating from IP addresses that resolve to web hosts in China, Germany, Malaysia, Brazil and elsewhere I'm just supposed to ignore these? Sounds like flawed thinking, especially when I see my Apache logs full of other nonsense (hacking attempts unrelated to my SMF installation) coming from these same IP addresses.

Quote from: Kindred on April 20, 2013, 11:39:07 AM
I think you have a serious misunderstanding of actual security practices versus supposed or perceived flaws.

I don't think so. I believe you're under some delusion that people shouldn't be worried about all the bot activity emanating online.

Have you tried checking all IPs against your host's whitelist before blocking? My log files are filled with errors from foreign IP addresses; most of these are whitelisted with my IP as foreign search engines and third-party ad-checking bots. The ads themselves can cause error logs to be generated when clicked by a bot, because it's calling a function from an external address. K-I-S-S
"But I'm tryin' Ringo. I'm tryin' real hard to be the Shepherd."

MrPhil

If bots following the login links concern you, use robots.txt to tell them to stay away from such pages and actions. Well-behaved bots like Google will obey robots.txt. Ill-mannered bots like Baidu (and, from what I've heard, bad bots masquerading as Baidu) that persist in ignoring robots.txt can be banned in .htaccess.

BillLeeDee

Quote from: Arantor on April 20, 2013, 12:29:39 PM
On the other hand, your forum might be a local-based forum for local people, so it would be legitimate to block IP addresses from other countries without affecting legitimate users. Sites need to figure out where on the spectrum they are between the two.

That's not a problem for me to do since the forum I'm concerned with has an audience of US and Canada.

Quote from: Arantor on April 20, 2013, 12:29:39 PM
A fair number of them will be harmless bots that just follow every link. It does happen (because there are a surprising number of vertical search engines).

Just as a thought, users who are just logging into the forum (because not every one stays logged in all the time) will be caught by your same approach.

I understand that search engines may inadvertently trigger this, and I have used robots.txt to attempt to stop them, but this only works when a search engine honors the file. And yes, I've occasionally snagged a legit user, but 96% of the time it's not one of my users.

It's just frustrating since I see these things both chewing up my bandwidth and what I consider suspicious activity on my forums.

Aside from blocking via IP with htaccess, am I overdoing it by blocking the free web email addresses like Yahoo and Hotmail from registering? What about limiting new users with a post limit, if there's such a capacity via normal settings or a mod?

Arantor

In that case, I'd argue it's fine to block them but block at the webserver level, because it would be much more efficient. Then it won't even chew up bandwidth.

Blocking free web email is not a huge preventative measure but it's probably not over the top either.

BillLeeDee

My only thing about blocking at the webserver level was that at one point it was tanking my SEO, as it looks like if certain search companies get bad responses on their foreign searches they start to lower your rank.

Thanks for the comment regarding email limiting. I know I always seem to get queries from people via my blind contact form about it and they give a free email address when their connection is from a provider that supplies their own real email address. That always strikes me as a red flag.

MrPhil

Well, if you're blocking legitimate search engine spiders, that's gonna hurt your ranking if they can't see your site. The major search engines obey robots.txt; blocking any bot who doesn't obey it shouldn't hurt you on the majors. Blocking at the "webserver level" means "deny from" entries in /.htaccess, right? Or are you asking your host to block even higher in the chain?

Kindred

and if they are trying hack attempts for other software, then they are doing something other than hitting your login form, aren't they?

However, even blocking those IPs is basically useless because hackers don't use their own IP most of the time; hackers can switch IPs in a picosecond if they are blocked, and many of those IPs are in rotation and will block valid users (and my forums are international, so I cannot afford to stop entire country blocks).

and no... for the most part, people running SMF do not need to be worried about the bot activity.
SMF has one of the best security records of all forum software out there - and we patch any discovered holes quickly.

winniethepooh

Quote from: Kindred on April 20, 2013, 02:50:38 PM
and if they are trying hack attempts for other software, then they are doing something other than hitting your login form, aren't they?

However, even blocking those IPs is basically useless because hackers don't use their own IP most of the time; hackers can switch IPs in a picosecond if they are blocked, and many of those IPs are in rotation and will block valid users (and my forums are international, so I cannot afford to stop entire country blocks).

and no... for the most part, people running SMF do not need to be worried about the bot activity.
SMF has one of the best security records of all forum software out there - and we patch any discovered holes quickly.

I have to agree here, and a lot of it is due to the fact there are so many die functions. An experienced hacker could still perform an SQL injection... through methods I will not discuss, haha, but the bots are relatively harmless, especially if you enable the extensive security checks for the attachment directory and sanitization. Which reminds me, a mod that would be useful is the one you can get for software like YOURLS, a link sanitizer. It checks the link for malicious content, loop redirects, etc. That would be just one more useful tool for SMF.

Kindred

Pig, you are quite full of yourself.
However, if you do know of a valid security hole in SMF that would allow sql injection, then please make a security report, immediately.

Otherwise, I call your bluff and say you're full of it.

BillLeeDee

@MrPhil: Yes, using "deny from" statements in htaccess. In fact I was recently forced to change hosts, as once my htaccess file got so full my server instance was blocking access even when all deny from statements were removed from htaccess.

@Kindred: Thanks for the info. I guess I'll just pull all the ban entries out if the general consensus is the security is good in SMF.

Arantor

There is nowhere to my knowledge where an SQL injection can be performed in SMF 2.0, and I've looked.

winniethepooh

Quote from: Kindred on April 20, 2013, 03:02:13 PM
Pig, you are quite full of yourself.
However, if you do know of a valid security hole in SMF that would allow sql injection, then please make a security report, immediately.

Otherwise, I call your bluff and say you're full of it.
Apparently they patched it in 2.0.3. It's not working on my forum. There's a white hat hacker I follow on Twitter, @c0derman or something like that. He's always posting links to articles he writes on security holes in various software and writing patches. I've asked him to test it on my site and he informed me that it's indeed been fixed with a 'die' action.
