SMF Security

[iago]

Not really, not in any way that would justify the work of getting bots. 

[Newby]

That is true. Especially since anybody who is out to get bots is more than likely going to have more than three...

[iago]

That too. 

And like I said, it's getting more and more rare to see people using bots for attacks, they tend to be focussed on what's profitable, ie, spam.

[Chavo]

Why would he have bots? 

Anyways, the only thing you can do is require admin approval for new members, and to require an account to view anything.  But that's not practical on most boards, so just back up your DB every night (to either a write-once media or to a remote server) or deal with it. 

Here's my current backup script that runs via cron every night:

Code Select Expand

#!/bin/sh
DATESTAMP=`date +%m-%d-%Y-%H%M`
cd /home/check6ga/public_html/chavo/backup
rm *.gz
mysqldump --opt -p******** -u******** check6ga_tdtboards | gzip >$DATESTAMP.gz
cd /home/check6ga/public_html/chavo/
echo $DATESTAMP >> msg.txt
cat msg.txt | /usr/lib/sendmail -t

Is there an easy way to modify that to store it to a remote server instead?

[iago]

I use scp to copy it to another Linux server.  Set up your public keys and it doesn't prompt for a password.

[nslay]

In order to defeat ssh bruteforce bots, I made a firewall rule that blocks for an hour anyone who connects more than 3 times within 30 seconds.  It's amusing to look at the auth log:

Code Select Expand

Jan 25 01:50:41 BOTTLE sshd[58117]: Invalid user staff from 211.239.154.81
Jan 25 01:50:44 BOTTLE sshd[58119]: Invalid user sales from 211.239.154.81
Jan 25 01:50:46 BOTTLE sshd[58121]: Invalid user recruit from 211.239.154.81
Jan 25 13:09:43 BOTTLE sshd[60605]: Did not receive identification string from 159.226.234.16
Jan 25 13:11:04 BOTTLE sshd[60625]: Invalid user webmaster from 159.226.234.16
Jan 25 13:11:07 BOTTLE sshd[60627]: Invalid user admin from 159.226.234.16
Jan 25 17:24:40 BOTTLE sshd[61268]: Did not receive identification string from 219.127.251.175
Jan 25 17:26:31 BOTTLE sshd[61275]: Invalid user staff from 219.127.251.175
Jan 25 17:26:33 BOTTLE sshd[61277]: Invalid user sales from 219.127.251.175
Jan 25 17:26:35 BOTTLE sshd[61279]: Invalid user recruit from 219.127.251.175

Additionally, I use a "badguys" list to permanently block network blocks that are from say China or Korea...most bruters on BLENDER oddly had Chinese and Korean IPs.  Now that those have all been blocked, BLENDER hasn't been bruted in months.

Maybe you can do something similar to prevent bruteforcing on the forum?

[Chavo]

Sounds like an interesting idea, but I don't have shell access on this host so I don't know if I can do that.  Our sponsor said they want to switch to a dedicated host soon, so hopefully when that happens I can implement something like that.  scp sounds promissing too.

[iago]

In order to defeat ssh bruteforce bots, I made a firewall rule that blocks for an hour anyone who connects more than 3 times within 30 seconds.

Personally, I'd block somebody permanently after 50 attempts.  But I like being a jerk :)

If you had the ability to use snort-inline (which I know you don't) (not you, nslay), you could automatically block anybody with 3 failed logins to SMF.  That'd be a pretty cool rule :)

[AntiVirus]

... you could automatically block anybody with 3 failed logins to SMF.  That'd be a pretty cool rule :)

What would happen to those that forgot their password and they tried more than three times?

Why would he have bots? 

Anyways, the only thing you can do is require admin approval for new members, and to require an account to view anything.  But that's not practical on most boards, so just back up your DB every night (to either a write-once media or to a remote server) or deal with it. 

I would agree that you should try and do an admin approval for new members.  I also agree that having an account to view anything isn't practical, but can't you set the permisisons of a guest to have "View Only" on specific (of all) boards, so that they can only view certain boards of the forum and not actually post? 


P.S.
Sorry for a late reply. :P

[Joe]

... you could automatically block anybody with 3 failed logins to SMF.  That'd be a pretty cool rule :)

What would happen to those that forgot their password and they tried more than three times?

Contact an administrator.

[Ersan]

http://cbl.abuseat.org/
http://www.njabl.org/

open relays/proxies, exploited computers, computers infected with viruses, known botnets, spammers, etc.

http://tor.noreply.org:9030/ (http://www.noreply.org/tor-running-routers/)

open tor exit nodes.

Trying to ban anyone using a proxy is impossible, it's the inherent nature of the concept of proxies...

[iago]

Trying to ban anyone using a proxy is impossible, it's the inherent nature of the concept of proxies...

It's inherent? Last time I checked, proxies are for relaying traffic, not for anonymization. That just happens to be a side effect, not its inherent nature.

[Ersan]

Ok, side effect, who gives a fuck?  Stop trolling and learn something about network security.

[Sidoh]

Ok, side effect, who gives a fuck?  Stop trolling and learn something about network security.

Why use words when you clearly don't know what they mean?

[iago]

Ok, side effect, who gives a fuck?  Stop trolling and learn something about network security.

Ok, one of us is being paid for being a security analyst with over a year of professional experience. Which is it? I'll give you a hint: not you.