Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM

Previous topic - Next topic

SergeantAsh

I've implemented the login_detector mod but I'm still getting password login hacks  :(
Quote"Moderation has been called a virtue to limit the ambition of great men, and to console undistinguished people for their want of fortune and their lack of merit."

Arantor

Different bot - the bot I wrote the mod for has slowed down, and I'm now seeing random brute force attacks on my site - for which none of the users even exist.
Holder of controversial views, all of which my own.


SergeantAsh

Quote from: Arantor on February 22, 2011, 05:15:15 PM
Different bot - the bot I wrote the mod for has slowed down, and I'm now seeing random brute force attacks on my site - for which none of the users even exist.

Ahh ok - I've implemented the new Login Security mod so hopefully that'll slow down the attacks...b*stards!
Quote"Moderation has been called a virtue to limit the ambition of great men, and to console undistinguished people for their want of fortune and their lack of merit."

searchgr

<install for="1.1.*, 2.0 RC3, 2.0 RC4, 2.0 RC5">
<modification type="file">install.xml</modification>
</install>

<uninstall for="1.1.*, 2.0 RC3, 2.0 RC4, 2.0 RC5">
<modification type="file" reverse="true">install.xml</modification>
</uninstall>


Login Detector
Is it compatible to 2.0 RC2? Can i add 2.0 RC2 to the above code?

Arantor

It is not supported, nor recommended for RC2. the code is only tested for RC3 and up. But if you're still using RC2, you have bigger problems to worry about than this bot.
Holder of controversial views, all of which my own.


searchgr

I'm waiting for the final. I have many custom mods that i cannot update them for every RC version .....

Kindred

 and yet.... RC2 is distinctly UNSAFE with some fairly major known issues and bugs. If you have security issues with RC2, the ONLY thing we can say, at this point, is UPGRADE.


At the very least, you should be running RC3, although even that is not really a good choice.
If you upgrade to RC5, mods which install on RC3 should install on RC4, 5 and final... and mods for RC5 will almost definitely install in final with minimal, if any edits.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Storman™

QuoteI'm waiting for the final. I have many custom mods that i cannot update them for every RC version .....

I was like you, but there comes a time when you have to bite the bullet, take the pain, and upgrade  ;)

Danny S.

I use to have about 12 mods installed when I ran RC2, but when I upgraded, I realized alot of them were frivolous and rarely used.

After upgrading to RC3, I only had 7 left.

Now after the recent update to RC5, I only have 4 that are used on a regular basis (and I could probably do without 2 of them).


Moral of the story: upgrading is a good time to check to see if the mod is even being put to good use...

stog

thx everyone -- 1.1.13 heavily modded forums with TP, many forums were troubled. applied Arantor's code and installed suggested mods (httpBL,Bad behaviour, forum firewall and -notified membership to improve their passwords and keep them unique to differring sites etc -- all much better...cheers all

Rob Lightbody

Just to say thank you very much indeed.  My forum was being hammered with failed logins, and now there are only real ones.  Absolutely brilliant.  I think you are right and that this could should be built into the next versions of SMF.

I couldn't get the package to install though (1.1.13) - in fact it got stuck and put thousands of entries in my error log! - so I added the code manually, and all was well.


nutn2lewz

I installed Arantor's mod on 1.1.12 without installing any other mods and it really helped. It's a simple method to deny access without having to add hundreds of ip's to my htaccess file. Thank you! The bots still make their attempts, and the errors still appear in my error log, but at least I know that the bots are not gaining access to my forum and making guessing attempts at passwords.

On a side note, the bot activity has really slowed down in the past two or three days. I expect round two any day now ...

nutN2Lewz

xrunner

I uninstalled the Mod just to see what would happen and the attacks have ceased (for the time being).

Arantor

They appear to have slowed done/stopped against forums that saw them coming, but oddly I know a few forums that didn't bother - and are still being hit.
Holder of controversial views, all of which my own.


Vincent Volmer

Quote from: butchs on February 21, 2011, 09:56:16 PM
Both mods are totally different in what they do and how they load.  Neither will cause a crash if you follow instructions.  Nevertheless, if you want support and/ or come up with more info I can chew on, by all means please come to the support boards, ask away and I will gladly try to solve your problems.


I edited my previous message. FF and BB are not the reason of the problems I had 2 weeks ago because yesterday I had the same issue without FF and BB. A very high Disk I/O (7200 blocks) and about 700 ~ 800 processes.  See attachment.

It could be a sort of attack but I can't find anything in the log. For my webhost is was also not possible to see what or who is causing this traffic.

And yes.... I'm running RC3  :-[ but will update asap. I need to do a lot of translations.... :( Could this be related to RC3?

Thanks for any help on this...

Digiscrap.nl
Vincent

Arantor

And when did the optimize tables scheduled task run, out of interest?
Holder of controversial views, all of which my own.


Vincent Volmer

It runs every week (7 day's interval) starting at 1:00 AM.

I did this manually now without any problem...

If this is what you mean  ;)

Arantor

Well, that particular task is one that will create a LOT of I/O which is why I asked about when it was last run...
Holder of controversial views, all of which my own.


Vincent Volmer

Ah, okay. I checked the VPS and there's only a small peak around 1:00 but not alarming.

butchs

My guess is a bot or several are hitting you hard and fast.  Checking the latest visitor log in cpanel at that time range should confirm it is a bot.  If so FF with just DOS protection, 1 hr ban and cache will stop it in a few weeks.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Advertisement: