Topic: Firewall monitor for SMF code itself – Restricting Mod modules talking to WEB

Kiriakos GR:
It is admirable that some SMF developers do work on solving security bugs, but the fix never arrives at the time that new security threats appear.

I have partial proof that one mod module that I am using is now manipulated due to a hacking attempt.
Every time I post a message on my forum, in less than two minutes a specific hosting provider bot visits the specific thread and message to copy it.

I am unaware of which mod (module) is now partially hacked, or whether the SMF database itself sends such invitations to a foreign IP every time its size changes.

Therefore I am here to suggest this mod request: a Firewall monitor for SMF code itself.
This will restrict any communication of installed mods without the awareness of the forum administrator.
Allowed communication: newsletter and board notifications.
Anything else will require administrator approval.
All outbound communication of the SMF forum engine will now be logged, so any administrator is able to evaluate the quality and behaviour of a new mod regarding security threats due to foreign IP communication.

I am not aiming to hire a developer; I am offering my own inspiration free of charge, so anyone interested can use it in a productive way.

I am the founder of the ITTSB.eu blog; if a software developer requires detailed information, I will answer any questions, but only through direct email communication.
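A host-level sketch of the "log every outbound connection and compare it with an allowlist" idea above, added here as an example and not code from the thread or from SMF: it reads `ss -tnp`-style socket lines (a constructed sample, not a real capture) and reports connections that the forum's PHP or web-server processes opened to destinations other than the approved mail relay. The addresses and process names are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the thread or SMF): report outbound connections made
# by the web stack that are not on an administrator-approved allowlist.

# Constructed sample of `ss -tnp` output: an SMTP notification to the mail
# relay, an unexplained HTTPS connection from PHP, and an ordinary visitor
# connecting to our port 80 (inbound, so it must not be flagged).
SAMPLE_SS='ESTAB 0 0 203.0.113.10:44321 198.51.100.25:587 users:(("php-fpm",pid=2211,fd=12))
ESTAB 0 0 203.0.113.10:50120 192.0.2.77:443 users:(("php-fpm",pid=2215,fd=9))
ESTAB 0 0 203.0.113.10:80 198.51.100.200:51234 users:(("apache2",pid=1800,fd=7))'

# Peers the administrator has approved (newsletter and board notifications go
# through this mail relay). One host:port per line; constructed value.
ALLOWLIST='198.51.100.25:587'

# Reads ss lines on stdin and prints "pid peer" for every connection owned by a
# web process whose local port is ephemeral (i.e. we initiated it, it is not a
# visitor talking to our service port) and whose peer is not in allowlist $1.
flag_outbound() {
    allow=$1
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "ESTAB" && $6 ~ /"(php-fpm|apache2|httpd|php)"/ {
            m = split($4, l, ":"); lport = l[m] + 0
            if (lport < 1024) next      # local side is a service port: inbound
            if ($5 in ok) next          # approved destination
            match($6, /pid=[0-9]+/); pid = substr($6, RSTART + 4, RLENGTH - 4)
            print pid, $5
        }'
}

# Runs the check over the constructed sample; returns the flagged lines as text.
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | flag_outbound "$ALLOWLIST"
}

# On a real host the same function would be fed by: ss -tnp | flag_outbound "$ALLOWLIST"
check_sample
```

Logging the flagged lines from cron gives the per-mod audit trail the proposal asks for, without changing any SMF code.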


Kindred:
There is no hack involved.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Arantor:
You mean you have a search engine visiting your site, like Google (that is what you describe).
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Kiriakos GR:
Quote from: Kindred
There is no hack involved.

You had better check the entire Info Center code, to see whether it has security holes too.
The hackers will not ask your permission to hack open source software.


« Last Edit: March 19, 2019, 03:06:48 PM by Kiriakos GR »

Arantor:
It's not a hack!!!!!! How is it a hack when it is working as designed and you can turn it off whenever you like?

Kindred:
There are no known security holes in SMF 2.0.15.

Additionally, as you have been told, what you describe IS NOT A HACK. It is behaving EXACTLY AS DESIGNED.

Arantor:
I guess this site is hacked, if I go to the front page of the forum, scroll down and see all those latest posts! (That was sarcasm.)

Kiriakos GR:
Quote from: Kindred
There are no known security holes in SMF 2.0.15.

Additionally, as you have been told, what you describe IS NOT A HACK. It is behaving EXACTLY AS DESIGNED.

According to my book, anything BADLY DESIGNED must GET CORRECTED, so that it meets USERS' EXPECTATIONS.

Therefore a Firewall monitor for SMF code itself is needed, and if such a mod comes out free or low-priced at €20, it will become more popular than hamburgers.
 

Arantor:
Your book is wrong.

SMF isn't sending anything out - bots come to visit and can see the topics on the front page!

doug_ips:
I am a little surprised that you guys are still answering Kiriakos GR's topics after all the insults that he threw your way when you were trying to help him in his other topics.

Not to mention he is completely and totally ignorant, but acts like he knows everything with an arrogance and attitude that is laughable. You cannot talk sense to a guy like that. It is like trying to get through a brick wall, for crying out loud. Why bother?



Study Force:
This is not a hack. My website is hammered by Google the second a topic is generated. Forums are designed like maps, hence why bots find topics so easily.

Sesquipedalian:
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.

Kiriakos GR:
Quote from: Study Force
This is not a hack. My website is hammered by Google the second a topic is generated. Forums are designed like maps, hence why bots find topics so easily.

I do not have a problem with Google; it does partially advertise my website through web search, when it does not receive advertising revenue from my competitors.

At this period of time, there is no search engine which will promote a single SMF forum if it does not pay the price.
They do collect info, but this is for their own statistics only.

Kiriakos GR:
Quote from: doug_ips
I am a little surprised that you guys are still answering Kiriakos GR's topics after all the insults that he threw your way when you were trying to help him in his other topics.

Not to mention he is completely and totally ignorant, but acts like he knows everything with an arrogance and attitude that is laughable. You cannot talk sense to a guy like that. It is like trying to get through a brick wall, for crying out loud. Why bother?

I told you before: get a dog and find the love and respect you imagine.
This is a topic regarding Internet security; you fall short, therefore leave and make space for the specialists.
It is interesting that you do not feel equally passionate about finding the truth about security threats. What is the key topic in your forum? How to plant coconuts?

Kiriakos GR:
I am totally aware that this specific request requires a truly qualified software developer, who is also an expert in IT networking.

I will return a few months later to check for any progress; currently I am not receiving email notifications due to a bug in my member profile, which no one cares to solve.
 

Arantor:
Tell you what. I'll build it for you - if you pay my consulting fees. I am a 16 year veteran of PHP, Zend certified, I'm also formerly a member of the SMF dev team, and if you took out a consulting contract with my firm you'd also be getting some input from sysadmins who manage very large websites (like those that cost literally thousands of dollars a month to run because they're not just a little site on a server somewhere; they require a small fleet of servers to cope).

I'd get this done for you in 40 hours; which would be £3400 (around €4200) including VAT, with full warranty for two months. Naturally terms & conditions would apply but if you were interested I could get our accounts team to write you up the formal statement of work with our terms and conditions in it.

I'd still write a caveat in it that it won't solve your problem, but it would deliver what you asked for.

If you don't want bots visiting like you're getting, disable guest access - it's literally the only way.

njtweb:
I'm confused, why would anybody NOT want bots visiting their site? It's how they get indexed?

Aleksi "Lex" Kilpinen:
SMF has a built-in RSS feed, which any and all users/bots/search engines can follow freely.
SMF also has a list of recent posts on the index, to make new content readily available and accessible to users/bots/search engines.
Almost all social media sharing/liking addons (mods or otherwise) will also ping back to their publisher on first load of any url, for them to scrape the basics of the page and make sure they follow their respective TOSs.
Search engines and web scrapers are plenty, and some of those just hammer you at times, and immediately follow any new links they find. That is how they work.

In all that - nothing is actually inherently dangerous, or in any way harmful to your forum. Some specific bots do however scrape forums exactly for the purpose of stealing contents - and that is a problem with those bots, not SMF.
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.
  Fooling around with an i7 990X @ 3,47Ghz / 12Gb / Win 10 x64 / 3840x2160


How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Sesquipedalian:
Quote from: njtweb
I'm confused, why would anybody NOT want bots visiting their site? It's how they get indexed?

You feel confused because, although Kiriakos GR believes his request makes sense, in fact it is nonsensical. He is fundamentally asking for public data to somehow not be public and yet still be public.

GigaWatt:
Quote from: njtweb
I'm confused, why would anybody NOT want bots visiting their site? It's how they get indexed?

Certain parties would like to keep their site a secret (I know a few), in which case they can just use htaccess to block anyone without an adequate username and password from accessing their site.
"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."

Sesquipedalian:
Quote from: GigaWatt
Certain parties would like to keep their site a secret (I know a few), in which case they can just use htaccess to block anyone without an adequate username and password from accessing their site.

Or more simply...

disable guest access

njtweb:
Quote from: njtweb
I'm confused, why would anybody NOT want bots visiting their site? It's how they get indexed?

Quote from: Sesquipedalian
You feel confused because, although Kiriakos GR believes his request makes sense, in fact it is nonsensical. He is fundamentally asking for public data to somehow not be public and yet still be public.

LOL, that was great!



doug_ips:
Nothing Kiriakos GR has said so far makes any sense lol :D

Arantor:
He just doesn’t want it hard enough, otherwise he could pay a professional services company to implement it.

doug_ips:
Quote from: Arantor
He just doesn't want it hard enough, otherwise he could pay a professional services company to implement it.

I have a hunch that he needs it, but wants it for free.

GigaWatt:
Quote from: Sesquipedalian
Or more simply...

disable guest access

Most of the parties I mentioned in my previous post wouldn't like anyone to know that that site exists. Only people with the link and credentials can access the site. And they also don't like the site/sites showing up on search engines. That is why using htaccess in those cases is actually a better solution ;).

Arantor:
If you’re going down that road, don’t use a domain name and just make everyone use IP addresses.

njtweb:
Sounds more like an intranet kind of interest. I wonder, what is the point of running a website if you don't want anybody knowing about it?

doug_ips:
Quote from: njtweb
Sounds more like an intranet kind of interest. I wonder, what is the point of running a website if you don't want anybody knowing about it?

This is a very good question. The only thing that comes to my mind is a website that is up to no good...

Kindred:
Sounds like the sort of website that wants to be on the "dark web" but does not have anyone in charge of it who has any actual knowledge (and therefore does not belong on the dark web to begin with)

Arantor:
Nah, I don’t think it’s that creative, just someone who assumes that bots come to steal content without realising that the content is otherwise publicly visible because if it wasn’t, bots wouldn’t know about it or get it from the board index or RSS feeds.

doug_ips:
Quote from: Arantor
Nah, I don't think it's that creative, just someone who assumes that bots come to steal content without realising that the content is otherwise publicly visible, because if it wasn't, bots wouldn't know about it or get it from the board index or RSS feeds.

In other words a moron then :D

That is the only other possible explanation that makes sense.

Arantor:
See Hanlon’s Razor.

Also note that this was initially pitched as an idea that can be used for free. Problem is, ideas are bountiful, finding the good ones is hard, making them real harder still.

GigaWatt:
Quote from: Arantor
If you're going down that road, don't use a domain name and just make everyone use IP addresses.

But... you can't do that on a shared hosting account.

In any case, that is an option if the site was hosted at home, but I don't think most of those sites are... or even if they are, maybe they've got other sites hosted on the same IP, so... once again, a problem.

Quote from: njtweb
Sounds more like an intranet kind of interest. I wonder, what is the point of running a website if you don't want anybody knowing about it?

Doing something you wouldn't want anyone, except a certain handpicked crowd, knowing about. There are certain types of info and/or data that is considered precious... not to mention that gaining that info or data involves certain activities that are, at the very least, frowned upon.

And yes... basically these are kind of like intranet sites... except they're available worldwide and are accessible with the right credentials.

Quote from: doug_ips
This is a very good question. The only thing that comes to my mind is a website that is up to no good...

I believe I answered that in the previous part of this post ;).

Quote from: Arantor
Nah, I don't think it's that creative, just someone who assumes that bots come to steal content without realising that the content is otherwise publicly visible, because if it wasn't, bots wouldn't know about it or get it from the board index or RSS feeds.

Well, I could name a few things that, as far as I know of and as far as I've searched online, aren't available anywhere else on the web... but I'd rather I didn't, at least not in public.

And no, it's not about bots stealing content, it's about anyone without the address knowing about the site, including bots and search engines. And if somehow someone found out about it, they'll need htaccess credentials to access the site. And if they somehow found those out, guess what, there's another login screen after that... no signup, no background image, nothing, just a plain login screen saying "Username and Password".

Kindred:
In other words, it's a bunch of people who want to think they have something worth protecting but don't actually have any knowledge...

Seriously -- if you're hosting that sort of thing on a shared server, then you're not doing it right to begin with... :P

But fine.... add an htpasswd, protect the directory level from the server. Then turn off the forum for guests.
Done.
Nothing else needed.

Still a complete waste, IMO.
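The directory-level protection that GigaWatt and Kindred describe, as an added example (not the thread's own code and not SMF's): a small POSIX shell helper that writes an Apache 2.4 `.htaccess` for the forum root and adds users to a password file kept outside the web root. The path `/etc/forum.htpasswd` and the realm name are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or SMF): put the whole forum directory
# behind HTTP Basic auth so crawlers, RSS readers and anyone without
# credentials get a 401 from Apache before index.php ever runs.
# Assumes Apache 2.4 with AllowOverride AuthConfig for the forum directory.

# Write $1/.htaccess, protecting everything under directory $1 with the
# password file $2 (which must live OUTSIDE the web root).
write_htaccess() {
    dir=$1
    passfile=$2
    cat > "$dir/.htaccess" <<EOF
# Apache 2.4 syntax. Covers the board index, every topic and the RSS feed
# (index.php?action=.xml) alike, because the check is on the directory.
AuthType Basic
AuthName "Private forum"
AuthUserFile $passfile
Require valid-user

# Well-behaved crawlers that still hit the 401 page are told not to index it.
<IfModule mod_headers.c>
    Header always set X-Robots-Tag "noindex, nofollow, noarchive"
</IfModule>
EOF
}

# Add one user (creating the file on first use). Uses htpasswd with bcrypt
# when the Apache tools are installed, otherwise openssl's apr1 format, which
# Apache also accepts. The file is left readable by its owner only.
add_user() {
    passfile=$1
    user=$2
    pass=$3
    if command -v htpasswd >/dev/null 2>&1; then
        if [ -f "$passfile" ]; then
            htpasswd -bB "$passfile" "$user" "$pass"
        else
            htpasswd -cbB "$passfile" "$user" "$pass"
        fi
    else
        printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")" >> "$passfile"
    fi
    chmod 600 "$passfile"
}

# Self-check: does the generated .htaccess carry the three directives Apache
# needs to refuse unauthenticated requests? Returns 0 when all are present.
htaccess_ok() {
    f=$1/.htaccess
    grep -q '^AuthType Basic$' "$f" &&
    grep -q "^AuthUserFile $2\$" "$f" &&
    grep -q '^Require valid-user$' "$f"
}
```

After writing the files, also disable guest access in SMF as Arantor suggests, so a leaked HTTP credential still only reaches the forum login screen.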

GigaWatt:
Quote from: Kindred
In other words, it's a bunch of people who want to think they have something worth protecting but don't actually have any knowledge...

Ummm... depends how you look at things... and for the record, I wouldn't call the people running these sites "having no knowledge". Most of them are well established in certain circles... and as I said, I have no idea if they're doing this from their home, a paid server, a shared hosting account, cloud hosting, etc. It was just a guess; I haven't actually tried to find this info out.

Quote from: Kindred
Seriously -- if you're hosting that sort of thing on a shared server, then you're not doing it right to begin with... :P

Well, maybe they just like to hide in the forest, who knows :).

As I said, I have no idea where they're hosted, and even if I did, I wouldn't share that here.

Quote from: Kindred
Still a complete waste, IMO.

Each with his own opinion ;).

doug_ips:
Quote from: Kindred
In other words, it's a bunch of people who want to think they have something worth protecting but don't actually have any knowledge...

Quote from: GigaWatt
Ummm... depends how you look at things... and for the record, I wouldn't call the people running these sites "having no knowledge".

While that may be true in theory, based on the posts of the OP in this topic, and elsewhere in this forum for that matter, "having no knowledge" can be safely said, and it is nicely put imo.

GigaWatt:
The last posts in this thread are completely unrelated to what the OP asked for. They're related to "why would anyone have a website and not want it indexed or accessible for everyone".

doug_ips:
Quote from: GigaWatt
The last posts in this thread are completely unrelated to what the OP asked for. They're related to "why would anyone have a website and not want it indexed or accessible for everyone".

It is kind of related imho. The thing is that the last posts are a result of the OP's strange/weird request.

Sesquipedalian:
One can imagine almost any scenario, and some human out there will have tried it. Either way, I don't see anything else constructive happening in this topic at this point.