News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

Tracking failed sign-ups?

Started by MarcoSkoll, February 16, 2020, 10:16:58 PM

Previous topic - Next topic

MarcoSkoll

Hello - I run hxxp:the-conclave.co.uk [nonactive] which uses SMF for our forums. We're currently on 2.0.15, but I'll be updating that shortly (the problem with the 2.0.16 patcher made me put it off and I forgot to get back to it).

We've been having problems with resource limits on our server over the last couple of weeks, which carries with it the potential implication that the server is being targeted.

We're not showing an unusual number of failed log-in attempts, but I'd also like to check the number of failed sign-ups to see if there's a concern there, and I couldn't immediately find a way to do so that didn't involve just turning off our anti-spam measures, turning on admin approval and seeing what happens (which I'd prefer not to do, for a couple of reasons).

(Part of the problem here is that our current set of anti-spam questions has yet to be defeated; they're easy for any actual enthusiast, but it's still specialist knowledge*, so it stops spammers dead. If we had a few spammers getting through before, then twice as many would have warned me that twice as many spammers were trying, but no spammers were getting through before, so I have no idea if more people are trying).

*But we do have a contact e-mail in case someone legitimately can't answer them.


Marco

a10

Just search\count in the server logs.
Visited the site, 114 guests, if it was 114.000 I'd really see a problem :O)
"resource limits on our server", running own setup, or a (bad) host issuing warnings?
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

MarcoSkoll

A good host issuing warnings. Yes, we're on a modest hosting package, but the limits have always previously been sufficient, and they've provided us with excellent service for the money. I'm actually currently trying to work this through with the hosts, and their response hasn't been "screw you, buy more services from us", but trying to help us work out what's eating up the resources.

In this case, the site's resource usage has spiked since the 26th January, and we're trying to track down why.

Nothing currently seems to be out of place. While we had a large increase in guests around the 22nd (up to 1400 from an average of 100-200) that we can't currently explain (and which the server seems to have handled fine, as we didn't even notice until later), it since dropped back down to the normal levels and the problems have started since.

And we're not showing an unusual number of failed log-ins (just a few in the last month, all of which were from the correct IP addresses for those users). That's why I'd like to know if we're getting a particularly huge number of sign-up attempts - I'm not seeing a particularly ridiculous number of guests on the log showing as signing up, but an actual figure on it would be useful.

Sir Osis of Liver

If you're running on cpanel server you should be able to get detailed activity stats in Metrics (try Awstats).  Will show you breakdown of page hits.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Illori

but that will not show attempts at registering. just number of people that may end up on that page.

Sir Osis of Liver

You have to use what you can get.  Host support should be able to determine where traffic is coming from.  Been seeing this a lot lately, huge spikes in traffic.  Some hosts will limit or suspend account when this happens.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

MarcoSkoll

Unfortunately, the metrics only show it as our index.php page, it doesn't seem to track the specific sign-up page.

However, going through the metrics, it does seem that some of it may be msnbot, which has already this month done more trawling than it did in the whole of last month, so I'm going to try banning it via robots.txt and see if that improves things at all.

I don't really want to go banning search engine crawlers, and I may take less drastic measures if it seems to ease the problem, but might as well be sure.

a10

Sudden & very unwanted influx of visitors do happen, example > https://www.simplemachines.org/community/index.php?topic=570548.0

If really bad, stop them using htaccess (for as long as the 'attack' lasts).
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

MarcoSkoll

Although it would still be nice to be able to track the number of failed sign-up attempts, I think I've mostly resolved the problem.

It seems that msnbot was being particularly aggressive about indexing the site, frequently making several requests at the same time; it probably didn't help that another admin had managed to put a formatting error in our robots.txt file so the crawl-delay parameter wasn't valid.

I've updated the robots.txt file, and as msnbot doesn't seem to be checking the file regularly, I've barred its IP ranges until it resets, checks for the file again, and starts playing nice.
I've also banned a few IP ranges that were generating unreasonable levels of traffic (but no actual registered users) in the hope that this will also free up resources. (And, certainly, our number of online guests has considerably plummeted. Most of the traffic that wasn't msnbot was mainly from three fairly narrow ranges).

a10

Just a comment, today got flooded with continuous hits from 114.119.131>166 (huawei, again).
.htaccess to stop the rats.
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Antechinus

<IfModule mod_rewrite.c>
RewriteCond %{REMOTE_HOST} All\.of\.bloody\.China
RewriteRule https://www.youtube.com/watch?v=wZZ7oFKsKzY [R=301,L]
</IfModule>

a10

^^^ great. lol. & an alternative https://www.youtube.com/watch?v=eBPfnj8_4W4

For forum ban list, security.php

      // You banned, sucka!
      redirectexit('https://www.youtube.com/watch?v=eBPfnj8_4W4';, false);
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

YogiBear

SMF v2.1.3  Mods : Snow & Garland v1.4,  PHP  v.7.4.33

SpacePhoenix


Antechinus

If you have to ban people, you might as well have fun with it. :)

Advertisement: