Fake guests, bots and login attempts

Started by dekatria, November 06, 2019, 05:53:57 PM


dekatria

I'm having a problem.
For reasons that are outside of the topic, someone is trying to overload my forum.
I'm not having problems with spam as I have enabled admin approval and I don't get many registrations anyway.
But I'm getting MANY bot visits.
Where I had less than a hundred guests per hour, I'm now having thousands. And thousands of login attempts.
I installed bad behavior and HttpBL, but I'm still having problems.
I even installed LoginVerification and LoginSecurity mods.
But the bots continue to use my server resources.

Any help is welcome. My host suggested to me to... "use CAPTCHA" (LOL, where? how?)

I'm thinking that I could deter those login attempts if the login fields were not visible and one had to login or register via the menu links.
How can I safely disable the:
"Welcome, Guest. Please login or register...." form?

dekatria

Btw, most of those fake guests are coming from China and using Linux.
Would it be possible to block those who meet both these conditions? Maybe with some htaccess code?

Sir Osis of Liver

Mods will not stop bots from hosing your forum, they'll just block them from registering.  If you block ips in .htaccess, they won't touch the forum.

https://htaccessbook.com/block-ip-address/
"The best laid schemes o' mice an' men / Gang aft a-gley." - Robert Burns

Biology Forums

Quote from: Sir Osis of Liver on November 06, 2019, 08:21:41 PM
Mods will not stop bots from hosing your forum, they'll just block them from registering.  If you block ips in .htaccess, they won't touch the forum.

https://htaccessbook.com/block-ip-address/


Bad idea, this is good for 1 or 2 ips, but overloading htaccess will bring down the server.

Sir Osis of Liver

Never seen that happen.  Blocking ip range is sometimes ineffective, but doesn't usually affect server load adversely.

dekatria

November 06, 2019, 09:55:23 PM #5 Last Edit: November 06, 2019, 10:50:11 PM by dekatria
My host is Siteground and they usually have good support. In this issue their technical team was useless. They did point me to my server stats though.
There I saw that the vast majority of traffic was from China and using Linux.

All the mods I mentioned in op didn't make a difference, completely ineffective in my case. As ineffective were .htaccess codes like 6g firewall and others. I was receiving thousands of guest visitors per hour.

What made a difference was using Cloudflare, which fortunately was offered seamlessly by my host (free version).
I added some firewall rules, like country and threat score and linux and it seems my guests have come down to realistic levels again.

a10

^^^ As a coincidence, the last few days a large bunch of china ip's have appeared. Nearly all from Chinanet, and Unknown Action.
2.0.18, php 7.4.25, MariaDB 10.3.30. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Kindred

Mods won't help....    You need to block them at the HTAccess level, as suggested...

Quote from: Biology Forums on November 06, 2019, 09:03:10 PM
Bad idea, this is good for 1 or 2 ips, but overloading htaccess will bring down the server.


this is untrue.  A well formed DENY set in HTACCESS works just fine and has never crashed my server, in 5 years of using htaccess deny to prevent china and russia IPs
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.
"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

If you put too many individual IPs into an htaccess, on an already overloaded server, yes, you can break it. But that's usually a symptom of a site outgrowing overly stingy hosting.
No good deed goes unpunished
All helpful urges should be circumvented

Kindred

ok, that's true...

if you have a bad host, then there are all sorts of things that will go wrong. :)

Biology Forums

Quote
Bad idea, this is good for 1 or 2 ips, but overloading htaccess will bring down the server.

Speaking from EXPERIENCE

Quote
this is untrue.  A well formed DENY set in HTACCESS works just fine and has never crashed my server, in 5 years of using htaccess deny to prevent china and russia IPs

Do not take advice from this man. Clearly you've never operated a server

Arantor

He operates a server just fine, as do I. The difference is we don't run sites too large for the resources available to save money, and don't add vast swathes of individual IP addresses when we could use blocks.

Or better, iptables if your resources are really that constrained.

Kindred

In short, Mr Biology Forums....     you have commented on something that other people know more about than you and those people have told you that you are wrong... but then you attempted to double down on being wrong by being insulting....

Using .htaccess to deny blocks from china, russia or any other collected set is demonstrably the correct way to do things as I have a decent host and I have been using such deny blocks for years now without affecting my server performance at all.

dekatria

FYI,

This is the result of Cloudflare firewall rules I set:
https://prnt.sc/ptxyi3

The China bots, when they realized they couldn't get thru, stopped the attack.
The majority of bots are "on paper" legitimate bots like msn, semrush, opensiteexplorer etc.

delta5

If you happen to have the Sucuri firewall, it has geo blocking. Just click the countries that you want to block. Default settings are Russia, China, and Turkey. I block N. Korea and France too.

Kiriakos GR

I did an IP ban in my forum on 3000 IPs, all of them get the famous nag message SORRY you cannot register ... YOU ARE BANNED for EVER.

SMF is strong enough to handle several thousand members; by the same engine YOU can push away several thousand unwanted IPs too.

Cpanel IP Block is a known problematic app for handling large htaccess files.
The Cpanel team does not do anything to improve the IP Block module; I personally reported the issue on their forum.

Cpanel these days tripled their pricing per month; I am now switching hosting server and the new one will not be using Cpanel.

Some people keep spreading misinformation that an htaccess file can crash a server; these are worthless, trash comments.
When and if the Cpanel -> IP Block module starts malfunctioning, it will start blocking non-listed IPs too.

A regional firewall block is also a stupid idea; several thousand Europeans and Americans are now located and working in China.

Kindred

Once again, you give some not so good recommendations...

Although SMF *CAN* handle that size of ban list, it's not recommended at all...

Every BAN that you add inside of SMF takes resources on EVERY PAGE LOAD...  because SMF has to load itself on the connection attempt, then process (and trigger if needed) the various bans...  If you have 3000 bans in your list, then your system is making a query and processing 3000 potential matches every page load.

the .htaccess route is the correct way to implement bans on IPs (which are mostly useless anyway, when targeted to a specific IP, because it is so simple to get a proxy set up and use a different IP ---even htaccess IP Bans should be by block)

As for banning blocks of IP by country...    depends on your forum and your target audience.
I run several forums which are local.   I block all IPs from outside the US - because no one outside of our area in the US belongs in the forum.
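
The "ban by block, not by individual IP" advice given in the replies above, as an added example that is not part of the thread or of SMF: it counts login POSTs per client in an access log, promotes clusters of offenders to their /24, merges adjacent ranges, and renders the result as Apache 2.4 `Require not ip` lines. The log format (combined), the `action=login2` login URL, the thresholds, IPv4-only input and the sample addresses (reserved test ranges) are all assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')
LOGIN_MARKER = "action=login2"  # assumed login-submit URL; adjust to your forum

def _line(ip, method="POST", path="/index.php?action=login2"):
    return f'{ip} - - [06/Nov/2019:17:50:01 +0000] "{method} {path} HTTP/1.1" 200 512'

# Constructed sample log; reserved/documentation IPv4 addresses only.
SAMPLE_LOG = "\n".join(
    [_line(f"198.18.0.{h}") for h in (5, 77, 200) for _ in range(40)]
    + [_line(f"198.18.1.{h}") for h in (9, 10, 11) for _ in range(30)]
    + [_line("198.51.100.23")] * 45   # lone offender
    + [_line("192.0.2.10")] * 2       # ordinary member logging in
    + [_line("192.0.2.44", "GET", "/index.php?board=1.0")] * 60  # reader
)

def login_hits(log_text):
    # Count login POSTs per client IP; page views are ignored.
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "POST" and LOGIN_MARKER in m.group(3):
            hits[m.group(1)] += 1
    return hits

def deny_blocks(hits, min_hits=20, min_hosts=3, prefix=24):
    # Group offenders by /prefix network so a busy range becomes one rule.
    by_net = defaultdict(set)
    for ip, n in hits.items():
        if n >= min_hits:
            addr = ipaddress.ip_address(ip)
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            by_net[net].add(addr)
    nets = []
    for net, hosts in by_net.items():
        # Several offenders in one range: block the range, else only the host.
        nets += [net] if len(hosts) >= min_hosts else [
            ipaddress.ip_network(h) for h in hosts]
    return list(ipaddress.collapse_addresses(nets))  # merges adjacent ranges

def htaccess_rules(blocks):
    # Apache 2.4 (mod_authz_core) syntax: allow everyone except the blocks.
    body = "".join(f"    Require not ip {b}\n" for b in blocks)
    return f"<RequireAll>\n    Require all granted\n{body}</RequireAll>\n"
```

On the sample log, seven offending addresses reduce to two rules, which is the difference between a short deny list and the thousands of per-IP lines the thread argues about.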
