News:

Wondering if this will always be free?  See why free is better.

Main Menu

Forum Hard Hit Preventer

Started by dougiefresh, March 04, 2016, 07:57:17 PM

Previous topic - Next topic

dougiefresh

Link to Mod



FORUM HIT HARD PREVENTER v1.6
By Dougiefresh -> Link to Mod



Introduction
One day, I released yet another mod to my website and noticed that once I published the link to the new thread, I started getting views on the thread.  In just over 15 minutes, 1,100+ views were logged for JUST THAT ONE THREAD!  It took deleting that thread for the attack to pretty much stop.  So I wrote this mod to try to play interference in attempts to bring a forum down....

This mod records all non-action visits (aka board index, individual boards and topics) from an IP address for all members EXCEPT for admin and moderators within the session data.  If the visitor is recorded as having more hits than a specified number of times per minutes, this mod will automatically place a ban in the .htaccess file.  The default (and minimum) is set to 30 (one hit every 2 seconds), which I feel is more than reasonable for most users.

This mod attempts to detect whether CloudFlare servers are being used, and writes the .htaccess accordingly.

Additional Requirements
Because we really don't want to ban our "wonderful" spiders, this mod turns on Search Engine Tracking Level to Standard setting in order to properly detect spiders.  For SMF 2.0.x, the Search Engine core feature is enabled in order to properly detect spiders.

Recommended Mods To Install
o More Spiders - Adds 83 more spiders/crawlers to your Spiders section in SMF!

Admin Settings
There is a new setting under Admin => Configuration => Security and Moderation called:
o Maximum number of visits allowed before automatic ban

Related Discussions
o [TIP/TRICK] How to ban users properly from .htaccess

Compatibility Notes
This mod was tested on SMF 2.0.11 and SMF 2.1 RC2, but should work on SMF 2.0 and up.  SMF 1.x is not and will not be supported. 

Changelog
The changelog can be viewed at XPtsp.com.

License
Copyright (c) 2016 - 2019, Douglas Orend
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

dougiefresh

Uploaded v1.1 - March 4th, 2016
o Added support for SMF 2.1 Beta 2.  No changes for SMF 2.0.x branch.

nend

I was sort of curious of how the mod worked so looked at the code.

By blocking all ips that hit the forum more than x many times you run the chance of blocking valid users and indexing spiders.

I myself use prefetch on mobile and RSS so I would be on that permanent ban list. Also you have attachments, avatars and Ajax calls that should be ignored but instead each tick is logged.

Just a FYI,

dougiefresh

Quote from: nend on March 05, 2016, 08:01:11 AM
By blocking all ips that hit the forum more than x many times you run the chance of blocking valid users and indexing spiders.

I myself use prefetch on mobile and RSS so I would be on that permanent ban list. Also you have attachments, avatars and Ajax calls that should be ignored but instead each tick is logged.
First, I had forgotten about spiders.  I'll try to fix that so that our "wonderful" spiders (sarcasm intended) don't get blocked.....

Second, you obviously overlooked line 23 in the Subs-HardHit.php file.  It reads:
if ($user_info['is_admin'] || $user_info['is_mod'] || isset($_GET['action']))
This means it won't log admin or moderator requests AND any action specified.  So this URL:
Quoteindex.php?action=dlattach;attach=21;type=avatar
won't get logged.

Third, having noted the second point, (with the possible exception of prefetching), valid users won't hit the forum more than 30 times in a minute.  I obviously have to fix the prefetching situation, though....

Thank you for raising these concerns!

dougiefresh

I did a search for the word "prefetch" in the SMF source files and found several instances of the SMF aborting a prefetch request.  I've altered the mod so that it removes the current URL from the session data upon finding a prefetch request.  This should keep the mod from banning valid users....

I also found where the forum attempts to detect whether or not the "user" is a spider/robot.  Evidentally, when the Search Engine core feature isn't enabled, SMF "guesses" at whether the "user" is a robot or spider.  Obviously, we don't want to ban spiders from the forum, as they are the ones who give us traffic!  So, I figured out how to enable the Search Engine core feature, and turn on Search Engine Tracking Level to Standard setting in order to properly detect spiders.  This step is particularly important because SMF will guess at whether a user is a robot/spider and probably won't return valid results.  Searching for known spiders will help with keeping our "wondering" spiders from getting banned, while keeping other robots out of the forum....

I am also adding a recommended mod to install:
o More Spiders - Adds 83 more spiders/crawlers to your Spiders section in SMF!

dougiefresh

Uploaded v1.2 - March 5th, 2016
o Added code to remove URL log from prefetch requests, since they are aborted anyways...
o Added code to allow Subs-HardHit.php to allow spiders to not log URLs...
o Modified installer to turn on Search Engines core feature during install.
o Modified installer to set Search Engine Tracking Level to Standard (or better).




@Everybody: Usually I post what changes happened when I upgrade a mod.  That didn't happen and I apologize for any confusion this may have caused....

Ninja ZX-10RR

Quick thanks for linking my old thread. :)
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

dougiefresh

Quote from: Ninja ZX-10RR on March 21, 2016, 10:24:35 PM
Quick thanks for linking my old thread. :)
Sorry about the late reply!  You're welcome!  It was very helpful in building this mod.  I only hope that I got everything right with the mod.....

dougiefresh

Uploaded v1.3 - October 30th, 2016
o Fixed multiple undefined index errors in this mod.

dougiefresh

Uploaded v1.4 - October 16th, 2018
o No functionality change.
o Updated documentation to point to new website.

-Rock Lee-

I already commented on github but left it attached here also in case someone downloads it :)


Regards!
¡Regresando como cual Fenix! ~ Bomber Code
Ayudas - Aportes - Tutoriales - Y mucho mas!!!

ORIONzitos

#11
Hello again!  8) one translate more....
See the code... i only translate...no modify anything
Total of translations: 10

dougiefresh

Uploaded v1.5 - October 17th, 2018
o Added Spanish Latin translation, courtsey of Rock Lee.
o Added Brazilian Portuguese translation, courtsey of ORIONzitos.

dougiefresh

Uploaded v1.6 - May 22nd, 2019
o Added support for SMF 2.1 RC2.
o Removed support for SMF 2.1 Beta 2.

pocttopus

I cannot install with emulating 2.1RC2
Is there any way this mod to be updated for 2.1RC3?

Marina3

Mod is not installed on SMF 2.1.4.
Fatal error: Uncaught Error: [] operator not supported for strings

Doug Heffernan

Quote from: Marina3 on October 03, 2023, 06:29:34 AMMod is not installed on SMF 2.1.4.
Fatal error: Uncaught Error: [] operator not supported for strings

Are you on php 8.x?

Marina3

Quote from: Doug Heffernan on October 03, 2023, 06:44:26 AM
Quote from: Marina3 on October 03, 2023, 06:29:34 AMMod is not installed on SMF 2.1.4.
Fatal error: Uncaught Error: [] operator not supported for strings

Are you on php 8.x?
Yes, php 8.2.

Doug Heffernan

Quote from: Marina3 on October 03, 2023, 07:26:36 AMYes, php 8.2.

The mod doesn't seem to be compatible with that version.

Marina3

#19
Error causes settings_install.php file:

<?php
$SSI_INSTALL 
false;
if (
file_exists(dirname(__FILE__) . '/SSI.php') && !defined('SMF'))
{
    
$SSI_INSTALL true;
    require_once(
dirname(__FILE__) . '/SSI.php');
}
elseif (!
defined('SMF')) // If we are outside SMF and can't find SSI.php, then throw an error
    
die('<b>Error:</b> Cannot install - please verify you put this file in the same place as SMF\'s SSI.php.');
require_once(
$sourcedir.'/Subs-Admin.php');

// In order to detect spiders correctly, we NEED the Search Engine support turned ON!!!
$arr = array(
    
'admin_features' => '',
);
if (empty(
$modSettings['spider_mode']))
    
$arr['spider_mode'] = 1;
if (!empty(
$modSettings['admin_features']))
{
    
$arr['admin_features'] = explode(','$modSettings['admin_features']);
    
$arr['admin_features'] = array_diff($arr['admin_features'], array('sp'));
}
$arr['admin_features'][] = 'sp';
$arr['admin_features'] = implode(','$arr['admin_features']);

// Set the maximum visits if it hasn't been set already:
if (!isset($modSettings['HHP_max_visits']))
    
$arr['HHP_max_visits'] = 30;
updateSettings($arr);

// Echo that we are done if necessary:
if ($SSI_INSTALL)
    echo 
'DB Changes should be made now...';
?>


Please use code tags when posting code. ~ Steve

Advertisement: