Automatic hacker IP filter to the Forum [message #163619]
Fri, 19 November 2010 21:55
I have included a simple IP blocker in my forum. I would like to give it to you!
IP filters alone really don't work, as you can simply connect and hack using another connection, or use any of the "anonymous" servers to get a new/different IP address to hack from. The following modified method has indeed stopped hackers, both first-time and come-back hackers.
I use only PHP scripts and a text log file. It is simple, and in addition you can check for a hacker before the forum connects to the database or starts other complex stuff. The complex stuff is what the hacker tries to exploit; it is also what the forum code needs to work properly.
The log file contains a timestamp, the hacker's IP, and the original URL that the hacker submitted.
1282823954; 220.127.116.11; /forum/index.php??t=post
1282823964; 18.104.22.168; /forum/index.php//*.php?option=
1282823990; 22.214.171.124; /forum/index.php??t=post
When a hack attempt is detected, the time, IP, and URL go to the log file. The hacker is prevented from reaching the forum PHP code. Shortly, and possibly aggressively, the hacker will try again with a new IP. To prevent the hack, the entire forum is then closed down by having the PHP script compare the current time with the last logged hack in the log file. You can use any time-out, and on my low-volume forums not much is lost with a few minutes' downtime. Your forum might be different!
The log file is checked on every access, and if the first three numbers of the IP address match (126.96.36.199 is treated as equal to 188.8.131.52) we simply add the access attempt to the log file. The script does this every time on every access that matches the IP list, so the log file will contain a list/log of all the hacker's accesses.
If you have a restricted/locked/secret part of your forum, any access to it by URL manipulation should go to the log file. This is when someone manually changes the URL from Category=3 to Category=12 and tries to access the category in this manner. (I don't have this implemented.)
If the forum code detects some other problem, you can also write to the log file (I don't have it!).
Typically the hacker will try to get access to some install script or system resource. The URL typically includes two ".php" specifications. I have no idea why they try this, but scanning for '.php' is not hard. The string '../../../' is also forbidden. We send them to the log file!
File access is easy to install, and works every time. A modified version of the log file software is used, with the difference that it simply writes the access to the log file. We now copy, rename, and install this PHP script in a number of places:
We include some directories; this has to be adapted to your local install and forum type. "restricted" "admin" "secret" "system" "new_products" etc.!!
What I don't have, and would like to implement, is to change the name of the /forum/adm/ dir to /forum/star_42517 and then install on /forum/adm/! I don't have this; how do I change the name of the admin-console dir??
ALWAYS password-protect these directories using some easy-to-guess ID and password: Login: admin PASS: microsoft (password, Password, admin, forum).
You can direct, or inform, the hacker using a robots.txt file in the root directory.
The final step is to run the PHP IP blocker script also on ordinary HTML pages, in case he tries to "check" things before he launches the hack URL. Include the script in an image tag, a one-pixel image that is left blank.
The message sent to the hacker has to be psychological. No use of "ban", "hack", "detect" or "go away". Try to make the message look like some usual automatic system maintenance; some small glitch has occurred. Another option is to enable (!!!) the Apache directory listing (temporarily!), and then save the listing (HTML page) in an HTML file. Remove the real directories from the file, but it still looks real. Use this as the hacker message.
A second IP list, that is a whitelist, where the IP numbers don't get registered on the hack list, is used for Google and other search engines that occasionally come to your site. Not implemented is a function where logged-in and OK forum users pass by the PHP script when it is in block-all mode.
A final part is an automatic clean-up of the hacker IP list. When an OK access is made, the list is checked for time, and the hacker's IP numbers get cleaned after some time longer than he thinks; I have used a week, and have trapped the same hacker 10+ times on this. He never gets it. When the block has started, so no IP at all goes through, he tries an anonymous server.
I don't have a hack-test site set up, sorry!
$teststr = strtolower( $_SERVER["REQUEST_URI"]);
if ( substr_count( $teststr, '.php') > 1 ) {
    // two or more ".php" in the requested URL: log the attempt and stop here
}
[Updated on: Fri, 19 November 2010 22:15]
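The procedure the post describes, as one added example script (this is not the poster's own code, which is not published here). It assumes a log file at /tmp/hacklog.txt, a ten-minute block-all window, a one-week clean-up, a whitelist given as one example CIDR block (the range is an assumption, check your own crawler logs), and constructed sample requests; it needs PHP 7.4 or newer.

```php
<?php
// Added example: URI pattern check, "timestamp; ip; uri" text log,
// forum-wide block window after the last logged attempt, /24 prefix
// matching of repeat visitors, whitelist, and weekly clean-up.
// Log path, time windows, whitelist and sample data are assumptions.

const HACK_LOG      = '/tmp/hacklog.txt';   // assumed location
const BLOCK_SECONDS = 10 * 60;              // forum closed 10 min after the last hit
const KEEP_SECONDS  = 7 * 24 * 3600;        // forget a hacker IP after a week
const WHITELIST     = ['66.249.64.0/19'];   // assumed crawler range, adapt to your logs

// The URI patterns the post flags: two ".php" in one URL, or directory traversal.
function looksLikeAttack(string $uri): bool {
    $u = strtolower($uri);
    return substr_count($u, '.php') > 1 || strpos($u, '../') !== false;
}

// First three octets, so 192.0.2.5 and 192.0.2.77 count as the same visitor.
function prefix24(string $ip): string {
    return implode('.', array_slice(explode('.', $ip), 0, 3));
}

function inWhitelist(string $ip): bool {
    foreach (WHITELIST as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $mask = (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
        if ((ip2long($ip) & $mask) === (ip2long($net) & $mask)) return true;
    }
    return false;
}

// Read the log: one "timestamp; ip; uri" line per entry, oldest first.
function readLog(string $file): array {
    if (!is_file($file)) return [];
    $rows = [];
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$ts, $ip, $uri] = array_map('trim', explode(';', $line, 3));
        $rows[] = ['ts' => (int)$ts, 'ip' => $ip, 'uri' => $uri];
    }
    return $rows;
}

function appendLog(string $file, int $ts, string $ip, string $uri): void {
    file_put_contents($file, "$ts; $ip; $uri\n", FILE_APPEND | LOCK_EX);
}

// Drop entries older than KEEP_SECONDS; called only on an ordinary (OK) access.
function cleanLog(string $file, int $now): void {
    $keep  = array_filter(readLog($file), fn($r) => $now - $r['ts'] <= KEEP_SECONDS);
    $lines = array_map(fn($r) => "{$r['ts']}; {$r['ip']}; {$r['uri']}\n", $keep);
    file_put_contents($file, implode('', $lines), LOCK_EX);
}

// Decide what to do with one request before the forum touches the database.
// Returns 'allow' or 'block'.
function checkRequest(string $ip, string $uri, int $now, string $file = HACK_LOG): string {
    if (inWhitelist($ip)) return 'allow';          // search engines never get logged
    $log  = readLog($file);
    $last = $log ? end($log)['ts'] : 0;

    // 1. Obvious attack URL: log it and block.
    if (looksLikeAttack($uri)) { appendLog($file, $now, $ip, $uri); return 'block'; }

    // 2. A /24 already in the log is coming back: log this access too, and block.
    foreach ($log as $r) {
        if (prefix24($r['ip']) === prefix24($ip)) { appendLog($file, $now, $ip, $uri); return 'block'; }
    }

    // 3. Block-all window after the last logged attempt (new IP, anonymiser, ...).
    if ($now - $last < BLOCK_SECONDS) return 'block';

    cleanLog($file, $now);                         // OK access: age out old hacker IPs
    return 'allow';
}

// Constructed demo traffic (not real log data), run in order on an empty log.
@unlink(HACK_LOG);
$t = 1282823954;
$cases = [
    ['203.0.113.10', '/forum/index.php?t=post',         $t],        // ordinary request
    ['203.0.113.10', '/forum/index.php//*.php?option=', $t + 10],   // two ".php" in one URL
    ['203.0.113.77', '/forum/index.php?t=post',         $t + 30],   // same /24 as the logged hacker
    ['198.51.100.5', '/forum/index.php?t=post',         $t + 60],   // unrelated visitor inside the window
    ['66.249.66.1',  '/forum/index.php?t=post',         $t + 60],   // whitelisted crawler
    ['198.51.100.5', '/forum/index.php?t=post',         $t + 900],  // same visitor after the window
];
foreach ($cases as [$ip, $uri, $when]) {
    printf("%-14s %-36s %s\n", $ip, $uri, checkRequest($ip, $uri, $when));
}
```

To use it the way the post describes, call checkRequest() at the top of the forum's entry script with $_SERVER['REMOTE_ADDR'] and $_SERVER['REQUEST_URI'], and on 'block' emit the "maintenance glitch" page and exit before any database code runs; the same include behind a one-pixel image tag covers the plain HTML pages. Note that REMOTE_ADDR is the proxy's address if you sit behind one, in which case every visitor shares a /24 and the prefix match would block everyone.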