Web Hosting Forum | Lunarpages


Author Topic: SMF hackers - Should I use APF?  (Read 8431 times)
nutn2lewz
« on: February 17, 2011, 08:20:13 PM »

Hello,

Many SMF forum sites are presently being attacked from about 1,500-2,000 different ip's (TOR server?). A SMF Forums link here explains the problem (logon attempts trying to harvest passwords from SMF user accounts). My SMF forum is getting one attempt every 6 minutes so it is not a big problem at the moment but I want to secure my server as much as possible and I imagine that the problem is only going to get worse.

I have a list of the offending ip's that I want to block. I can block the ip's within SMF but this is very tedious and blocking 2,000 ip's will greatly slow down the SMF php software. I can "deny from" using my .htaccess file but adding 2,000 "deny from"'s will slow down my server.

I have a managed dedicated server here at LP. Would using the APF firewall be the best solution to this problem? Add the ip's to iptables? Will blocking 2,000 ip's in APF slow down my server? Is there a simpler or more effective solution? Can I email dedicated support and ask them to add the ip's or is this something I have to do myself? I can ssh into my server and do basic things on my own but I am kinda new at this.

Looking for advice on the best (most efficient) way to tackle this problem.

Thanks, nutN2Lewz
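
Added example, not part of nutn2lewz's post: one way to block a list of roughly 2,000 addresses at the firewall without one rule per address is an ipset hash set matched by a single iptables rule. It assumes ipset is available on the server, which the thread does not say; the set name, the protected admin address and the sample list are constructed for illustration.

```python
import ipaddress

SET_NAME = "smf_blocklist"            # hypothetical set name
NEVER_BLOCK = ["203.0.113.10/32"]     # hypothetical admin address to protect

# Constructed sample list (documentation address ranges, not real offenders).
SAMPLE = """\
192.0.2.15
198.51.100.7
192.0.2.15
  203.0.113.200   # trailing comment
not-an-ip
203.0.113.10
""".splitlines()


def build_ipset_restore(lines, set_name=SET_NAME, never_block=NEVER_BLOCK):
    """Return (restore_text, rejected) for a raw list of IPv4 addresses.

    Comments and blanks are skipped, duplicates collapse, and invalid or
    protected addresses are reported instead of reaching the firewall.
    """
    protected = [ipaddress.ip_network(n) for n in never_block]
    keep, rejected = set(), []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            addr = ipaddress.IPv4Address(entry)
        except ValueError:
            rejected.append(entry)
            continue
        if any(addr in net for net in protected):
            rejected.append(entry)
            continue
        keep.add(addr)
    out = [f"create {set_name} hash:ip family inet maxelem 65536 -exist"]
    out += [f"add {set_name} {a} -exist" for a in sorted(keep)]
    return "\n".join(out) + "\n", rejected


if __name__ == "__main__":
    text, rejected = build_ipset_restore(SAMPLE)
    print(text, end="")   # load with: ipset restore < blocklist.ipset
    print("rejected:", rejected)
    # One rule then covers the whole set, however many entries it holds:
    #   iptables -I INPUT -m set --match-set smf_blocklist src -j DROP
```

A hash set lookup costs about the same for 2,000 entries as for 20, whereas 2,000 separate iptables rules or "deny from" lines are checked one after another.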
KJones
« Reply #1 on: February 28, 2011, 12:57:53 PM »

Hi,

I've been having the exact same problem for the last week or so. Be prepared to hear people defend the use of TOR servers... but as far as I'm concerned they are used mostly by hackers and child pornographers.

I complained to a very large hosting company who shall remain nameless (it's not Lunar Pages) about the attacks coming from their servers. At first they were supportive and promised to look into it, but yesterday they sent me a message quoting the owner of the offending website:

Quote
... I run an anonymous relay service called Tor (http://www.torproject.org/). With how Tor operates it is certainly possible that a legitimate user was attempting to login via Tor and forgot their password.

As the reporter doesn't seem to have provided their IP, host or any other information there is nothing I can do about this. If provided with either I'd gladly put in a block rule in my exit list.

The host then closed my complaint report. End of story.

My website was inundated by failed login attempts this week. The number would be unusual for a year, never mind a week. And since the person responsible for these attacks attempted to log into multiple accounts using the same IP address, that alone tells me it wasn't a legitimate user.

Also, many of these attempts were against my own admin account, and I know I haven't been using a TOR server and I haven't forgotten my password. And on top of that, one of the accounts that these hackers were trying to get into belonged to someone who died seven years ago... something tells me it wasn't really him.

So needless to say, I didn't buy the excuse that all of these failed logins were by legitimate users of my forum.

Anyhow, I have put a huge dent in the number of these attempts to hack my forum by adding just a few bans in my forum software. Add the following in the hostname field of the ban form:

*privacyfoundation*
*tor-exit*
*tor-node*
*tor-proxy*
*torproject*
*torserver*

Don't ban just the word TOR because that appears in a lot of hostnames of people from Toronto, Canada. Ban the full hostname (not using *wildcards*) if you want to be extra careful.

Of course it's only a matter of time before the operators of these TOR servers realize that using terms like the ones I listed above in their hostname kind of makes it easy to block them. So this might not work forever.

"I believe that this nation should commit itself to achieving the goal, before this decade is out, of landing a man on the moon and returning him safely to the earth." - John F. Kennedy
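
Added example, not part of KJones's post: a small check of the two observations in the reply above, namely that the listed hostname patterns avoid the Toronto false positive a bare `*tor*` ban would cause, and that one IP failing logins against several different accounts is distinguishable from a user who forgot a password. The fnmatch-style matching is an assumption standing in for the forum's ban form, and all hostnames, addresses and account names are constructed.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Hostname ban patterns exactly as listed in the post above.
BAN_PATTERNS = ["*privacyfoundation*", "*tor-exit*", "*tor-node*",
                "*tor-proxy*", "*torproject*", "*torserver*"]

# Constructed sample data: reverse-DNS names and (ip, account) failed logins.
SAMPLE_HOSTS = ["tor-exit-01.example.net", "exit3.torserver.example.org",
                "dsl-4-12.toronto.example.ca", "mail.example.com"]
SAMPLE_FAILURES = [("192.0.2.15", "admin"), ("192.0.2.15", "alice"),
                   ("198.51.100.7", "carol"), ("192.0.2.15", "bob"),
                   ("198.51.100.7", "carol"), ("192.0.2.15", "admin")]


def banned(hostname, patterns=BAN_PATTERNS):
    """Case-insensitive wildcard match (assumed to approximate the ban form)."""
    host = hostname.lower().rstrip(".")
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def multi_account_ips(failures, threshold=3):
    """Map each IP that failed against >= threshold distinct accounts to them.

    Repeated failures on a single account (a forgotten password) do not count.
    """
    accounts = defaultdict(set)
    for ip, user in failures:
        accounts[ip].add(user.lower())
    return {ip: sorted(users) for ip, users in accounts.items()
            if len(users) >= threshold}


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:32} listed={banned(host)!s:5} "
              f"bare-tor={banned(host, ['*tor*'])}")
    print(multi_account_ips(SAMPLE_FAILURES))
```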

nutn2lewz
« Reply #2 on: March 03, 2011, 12:00:59 PM »

Thanks KJones. There is a partial solution in an SMF Forums thread here. The patch will ban the TOR servers without having to add multiple ip's to the SMF ban system. It is working for me - all the TOR servers are now banned from my forum using this simple patch. The good news is that the bots can no longer access my forums and guess at passwords ... the bad news is that my SMF error log now gets filled up with multiple "ban" errors instead of the previous "incorrect password" errors. But at least now the bots are prevented from accessing my forum and guessing at user passwords.

I gotta say that I am disappointed in the lack of response from any LunarPages personnel to my question. All I really wanted to know was if APF would be the best solution to this hacker/bot problem. I would prefer to stop the hackers at the server level, rather than at the SMF software level, so I will call LunarPages dedicated support and ask them the exact same questions that I asked here.

nutN2Lewz
katrina1
Guest
« Reply #3 on: March 03, 2011, 02:28:31 PM »

Please be aware that these forums are not for official support. They are for users to help other users and yes, sometimes our staff may be in here when they are not too busy providing official support on the desk.

Glad to see you found a solution and thank you very much for helping others by posting it here. That is what forums are all about, helping each other.
KJones
« Reply #4 on: March 03, 2011, 08:34:52 PM »

Quote
Thanks KJones. There is a partial solution in an SMF Forums thread here.

Thanks, I found that thanks to the links in your original post. The problem with the TOR servers and people trying to hack into member accounts has died down quite a bit, but I'm still getting a lot of spammers registering. But I've installed the httpBl mod and another one that checks new members against the Stop Forum Spam list (which I was doing manually before). So although there is still a spammer problem it is easier to deal with.