FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum » FUDforum Suggestions » Automatic hacker IP filter to the Forum (Detect and stop hacker by IP number)
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
Automatic hacker IP filter to the Forum [message #163619] Sat, 20 November 2010 02:55 Go to next message
Atomicrun is currently offline  Atomicrun   Sweden
Messages: 54
Registered: November 2010
Location: Lund
Karma: 0
Member
I have included a simple IP blocker to my forum. I would like to give it to you!
The IP filters; it really don't work, as you can simply connect and hack using another connection, or use any of the "anonymous" servers, to provide a new/different IP address to hack from. The following modified method have indeed stopped hackers, both first-time and come-back-hackers.

INSTALL
I use only php scripts and a text log-file. It is simple, and in addition you can check for hacker before the forum connect to the database, or start other complex stuff. The complex stuff is what the hacker try to exploit; it is also what the forum code needs to work properly.

The log file contain a time-stamp, the hacker IP, and the original URL that the hacker have submitted.


1282823954;  72.51.39.230; /forum/index.php??t=post
1282823964;  72.51.39.230; /forum/index.php//*.php?option=
1282823990;  72.51.39.230; /forum/index.php??t=post



ACTION
When a hack attempt is detected, the hacker time, IP, and URL go to the log file. The hacker is prevented to reach the forum php code. Shortly, and possibly aggressively, the hacker will try again with a new IP. To prevent the hack, the entire forum is now closed down by having the php script compare the current time with the last installed hack, in the log file. You can have any time-out, and on my low-volume forums not much is lost with a few minutes downtime. Your forum might be different!

The log file is checked on every access, and if the first three numbers of the IP address match (82.101.101.12 is equal to 82.101.101.201) we simply add in the access attempt to the log file. The script do this every time on every access that match the IP list, so the log file will contain a list/log of all the hacker's accesses.

DETECTION
If you have a restricted/locked/secret part of your forum, any access to this by URL manipulation should go to the log file. This is if you change manually the URL from the Category=3 to Category=12, and try to access the category in this manner. (I don't have this implemented).

If the forum code detect some other problem, you can also write to the log file (I don't have it!).

Typically the hacker will try to get access to some install script or system resource. The URL typically include two ".php" specifications. I have no idea why they try this, but scanning for '.php' is not hard. The string '../../../' is also forbidden. We send them to the log file!

File access is easy to install, and works every time. A modified version of the log file software is used, with the difference that it simply write the access to the log file. We now copy, rename, and install this php in a number of places:
/forum/install.php
/forum/administrator_login.php
/forum/update.php

We include some directories; this has to be adopted to your local install and forum type. "restricted" "admin" "secret" "system" "new_products" etc. !!

/forum/admin/login.php
/forum/admin/index.php

/forum/restricted/login.php
/forum/restricted/index.php

What I don't have, and would like to implement, is to change name of the /forum/adm/ dir to /forum/star_42517 and
then install on /forum/adm/ ! I don't have this; how do I change the name of the admin-console-dir ??

ALWAYS password-protect these directories using some easy-guess ID and password: Login: admin PASS; microsoft (password, Password, admin, forum).

You can direct, or inform, the hacker using a robots.txt file in the root directory
User-agent: *
Disallow: /cgi-bin/
Disallow: /admin/
Disallow: /administrator_login.php

The final step is to process the php IP blocker script also on ordinary HTML pages, if he try to "check" things before he launch the hack-URL. Include the script in an image tag, one-pixel image, that is left blank.

MESSAGE
The message sent to the hacker has to be psychological. No use of "ban" "hack" "detect" or "go away". Try to make the message look like some usual automatic system maintenance; some small glitch has occurred. Another option is to enable (!!!) the apache directory listing (temporarily !), and then save the listing (HTML page) in a HTML file. Remove the real directories for the file, but it still looks real. Use this as the hacker message.

WHITE-LIST
A second IP list, that is a white-list, where the IP numbers don't get registered on the hack list is used for the google+ other search engines, that occasionally come to your site. Not implemented, is a function where log-in and OK forum users pass by the php script when it is in Block-all mode.

CLEAN-UP
A final part is an automatic clean up of the hacker-IP-list. When an OK access is made, the list is checked for time, and the hacker's IP numbers get cleaned after some time longer than He Thinks; I have used a week, and have trapped the same hacker 10+ times on this. He never get it. When the block have started, so no IP at all go through, he try an anonymous server.

Right!
I don't have a hack-test site set up, sorry!
Best regards!

/forum/index.php//*.php?option=com_product&controller=../../../../../../../../../../../../../../../../../../../proc/self/environ

$teststr = strtolower( $_SERVER["REQUEST_URI"]);
if ( substr_count( $teststr, '.php') > 1 )
{
   return false;
}

[Updated on: Sat, 20 November 2010 03:15]

Report message to a moderator

Re: Automatic hacker IP filter to the Forum [message #163623 is a reply to message #163619] Sat, 20 November 2010 04:06 Go to previous messageGo to next message
naudefj is currently offline  naudefj   South Africa
Messages: 3772
Registered: December 2004
Karma: 28
Senior Member
Administrator
Core Developer
Sounds interesting.
Can you please also make the code available?
Maybe mail it to me if you don't want to post it here.
Re: Automatic hacker IP filter to the Forum [message #163624 is a reply to message #163623] Sat, 20 November 2010 04:17 Go to previous messageGo to next message
Atomicrun is currently offline  Atomicrun   Sweden
Messages: 54
Registered: November 2010
Location: Lund
Karma: 0
Member
OK; If you help with MY install first, we post the code here later ?
I want to check that the install go away with the "theme" update.
[edit] the install don't go away with the "theme" update!

[Updated on: Sat, 20 November 2010 06:31]

Report message to a moderator

Aw: Re: Automatic hacker IP filter to the Forum [message #163672 is a reply to message #163624] Tue, 23 November 2010 05:34 Go to previous messageGo to next message
Martin_E is currently offline  Martin_E
Messages: 16
Registered: November 2010
Karma: 0
Junior Member
I think this is a operation system stuff. If someone tries to hack the server the server should deny access. Some scrips like http://www.fail2ban.org do that.
Re: Automatic hacker IP filter to the Forum [message #163737 is a reply to message #163672] Mon, 29 November 2010 07:40 Go to previous message
Atomicrun is currently offline  Atomicrun   Sweden
Messages: 54
Registered: November 2010
Location: Lund
Karma: 0
Member
It clearly is. As far as I know, this style of attacks only works on IIS servers.

Oh. I found that the Administrator panel, the "Files", when you click on a php-file, function is to view the file, then the URL actually contain two ".php" strings.

[Updated on: Mon, 29 November 2010 07:45]

Report message to a moderator

  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Multi-Quote
Next Topic: Websites Using Fudforum
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Dec 26 13:02:43 GMT 2024

Total time taken to generate the page: 0.03612 seconds