Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ Enhancement Requests
Duke
Regular
Joined: Jan 09, 2006
Posts: 56
Location: Under your bed

Posted: Tue Mar 07, 2006 2:20 pm

Prolly a stupid idea but that's never stopped me before because I either have no pride and/or lack intelligence.

Anyway, I thought it would be great if somehow Sentinel could have incorporated into it remote access to a central Sentinel database that stores all IPs based off of attack variables and then signals all Sentinel users that there are category-specific IP bans available.

I guess it would work the same as the forums admin, which tells you if your version of phpBB is up to date. Sentinel would do the same and possibly give you a choice to update either manually or automatically.

Also, I believe if this were to actually happen, banning should only be site/information attack based and not include ranges (if possible) or bans for specific users/members of individual sites.

Thoughts?
 
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221

Posted: Tue Mar 07, 2006 3:08 pm

I think that would be very cool. Some kind of automated block list like they have for spam, especially to mitigate against known script kiddies.
Possibly a reporting service that could then be put in the database and history tracked. Of course, we'd have to make sure these are legitimate reports and not people trying to mess up others.

Duke
Posted: Tue Mar 07, 2006 6:38 pm

I'm no Sentinel expert but I'm assuming that if it's purely a Sentinel ban based off of certain attack criteria then it should be a legitimate report. I wonder if there would be a way to embed some sort of tracking ID or something similar to validate the banning.

I really believe it would be cool if script kiddies could see their bans happen across more than just one site. I'd love to see these tards banned across an entire CMS.

What would be cooler is if these tards were not only banned for ravennuke 7.6, but how about all phpnuke powered CMSs. What if we were to go one step further and share the system and/or interpret Sentinel to run on pn, XOOPS, Mambo, etc., and share bans across various CMSs?

I also believe that you could possibly charge a small fee for this service to help offset the costs because I'm willing to bet that years of hard work being protected is worth a few bux per month. Multiply this by millions, perhaps billions of sites and you now have a self-sustaining online security company. Something that I believe the net is in dire need of.

Anyway, dare to dream.
 
evaders99
Posted: Tue Mar 07, 2006 7:16 pm

I get a lot of robots targeting other CMSs and other scripts. Definitely a good idea.
 
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

Posted: Tue Mar 07, 2006 7:54 pm

One concern I might have as a site owner is any automation from an external source. What happens when that source is down or very, very, very slow? Some site owners, such as myself, are very picky about scripts going out and getting or sending information from/to external sites (yeah, I know, phpBB does this, but I don't have to like it). So, I am thinking it would be great if it was configurable on/off. It could be RSS-like in nature so that it is an occasional "Pull", but personally, I would like to control how frequently this information would get "collected" or maybe "pushed". If it was XML/RSS based going in both directions, almost any CMS could have something written to auto-ban.

Definitely sounds like a cool idea!

Duke
Posted: Tue Mar 07, 2006 9:00 pm

That makes sense as well. I wonder if a priority system could also be attached where severity of attack and site risk is assessed, then beamed back to the mother ship. In this way, it would work more like anti-virus or even windows update.

Also, what if it were configurable to either manually download based on slower times on each individual's website?
 
oprime2001
Worker
Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

Posted: Sat Sep 02, 2006 11:34 am

I know that I could use a shared banning system. I have three phpnuke sites (gaming site, religious org site, and personal site) on one shared hosting account. If I could admin one system and have the changes propagate to the other sites, that would be great. As it stands, I have to synchronize bans manually.
 
evaders99
Posted: Wed Sep 06, 2006 12:26 pm

Well, in terms of Sentinel, you could hack the database so they are sharing the Sentinel tables. It would mean you need to have them share a .htaccess file as well, probably from a root folder above each site's folder.

Just a thought for now.


I would say we need a measure of severity. So we can ban known proxies and ban agents, while temporarily banning those who could just have been taken over by a bot net.
 
pjdm
Client
Joined: Sep 18, 2003
Posts: 14

Posted: Thu Jun 21, 2007 11:08 pm

Adding to this concept. I run 4 RN sites now. When I get a "blocked-abuse" notice on one site, typically the same abuser hits my other nuke sites. I think there must be a search or list that goes out to these guys. Anyway, here's the idea:

When my site gets abused, Sentinel could upload the abusing IP to my other 3 sites through a script and a cron job. But I was thinking that all the RN sites might benefit from this early knowledge too as this thread talks about. The end result would be that some/all RN users could possibly block the abusing IP before it happens by learning from the first few attacks.

Conceptually, my site submits blocked IPs to a master list perhaps on Raven's server and then checks and downloads new blocked IPs every hour or day. This would help prevent everyone's site from being hit by each of these new IPs or attacks. The faster the attack spreads the quicker RN sites would be triggering an update to the ban list.

I'm thinking this would be an optional function in Sentinel. To stop someone from abusing the list (submitting false IPs) the receiving master list would need [5] identical IP abuse reports to validate an abusing IP or some other check.

I don't mind putting some time into the concept if it has merit. Comments?
 
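The consensus rule pjdm proposes above (five matching abuse reports before an IP goes on the master list) together with the severity split evaders99 suggested earlier (permanent bans for known proxies and bad agents, temporary ones for hosts that may merely have been taken over by a bot net), as an added Python sketch that is not from the thread or from NukeSentinel; the threshold, the seven-day report window, the reason names and the site IDs are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds modelled on the thread: five independent sites must report
# an IP before it is published; proxies/bad agents are banned permanently,
# anything else temporarily in case the host was merely taken over by a bot.
REQUIRED_REPORTERS = 5
PERMANENT_REASONS = {"proxy", "agent"}
TEMP_BAN_DURATION = timedelta(days=1)
REPORT_WINDOW = timedelta(days=7)

class MasterList:
    def __init__(self, registered_sites, now):
        self.registered = set(registered_sites)  # only signed-up sites may report
        self.now = now
        self.reports = defaultdict(dict)         # ip -> {site_id: (reason, when)}

    def submit(self, site_id, ip, reason, when):
        # Returns False when the report is rejected (unknown site or bad address).
        if site_id not in self.registered:
            return False
        try:
            ip = str(ipaddress.ip_address(ip))   # single addresses only, no ranges
        except ValueError:
            return False
        # One vote per site per IP: a lone site cannot reach the threshold alone.
        self.reports[ip][site_id] = (reason, when)
        return True

    def ban_list(self):
        # {ip: (severity, expiry)} for IPs with enough distinct recent reporters.
        cutoff = self.now - REPORT_WINDOW
        published = {}
        for ip, votes in self.reports.items():
            recent = [r for r, when in votes.values() if when >= cutoff]
            if len(recent) < REQUIRED_REPORTERS:
                continue
            if PERMANENT_REASONS & set(recent):
                published[ip] = ("permanent", None)
            else:
                published[ip] = ("temporary", self.now + TEMP_BAN_DURATION)
        return published

def build_demo():
    # Constructed sample reports using RFC 5737 documentation addresses.
    now = datetime(2007, 6, 22, 12, 0)
    sites = ["siteA", "siteB", "siteC", "siteD", "siteE"]
    ml = MasterList(sites, now)
    for s in sites:                               # five sites see the same scanner
        ml.submit(s, "203.0.113.7", "union", now)
        ml.submit(s, "198.51.100.9", "proxy" if s == "siteA" else "union", now)
    for _ in range(6):                            # one site, six times: no consensus
        ml.submit("siteA", "192.0.2.1", "union", now)
    return ml
```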
evaders99
Posted: Fri Jun 22, 2007 11:16 am

I think it's a good idea. I just don't know what would be an efficient mechanism to do these types of checks. Most types of ban lists use the DNSBL system, which would ask for a DNS request based on the IP. Even that takes some fair amount of traffic.
Downloading a list every hour would probably be even more bandwidth; however, that may be necessary to keep things current against all these bots.
 
Dawg
RavenNuke(tm) Development Team
Joined: Nov 07, 2003
Posts: 910

Posted: Sat Jun 23, 2007 5:02 pm

What if it was something manual, where I as a site admin once every so often hit an "Update" button and pulled the list from Raven and it updated my block tables.

In turn we could "Sign" up our sites with Raven and every so often he would hit the "Update" button and pull the blocked IPs from my site and every other site he had signed up. This stops the constant traffic yet keeps the tables up to date.

Dawg
 
pjdm
Posted: Sat Jun 23, 2007 5:32 pm

I think that works... might be as effective. I notice that the attacks seem to hit from the same IPs multiple times, so as long as you manually update I think it helps. However, manually or CRON job the task, I'm not sure I see any difference.
 
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6383

Posted: Sat Jun 23, 2007 11:03 pm

Not to rain on this parade, but don't most of the attacks use automated scripts and spoofed IP addresses? They're searching for certain text (e.g. powered by php-nuke) and attacking thousands of sites in a short time frame, making this type of solution ineffective.
Having that text is basically like having a billboard that says "Deface me". They get blocked by the majority of sites (it only takes one successful attack to find NukeSentinel...), and yet I see the same idiots trying again and again. It's [link].

What I'd like to automate is a way to notify (and take down) the sites hosting these attacks. But that's a pipe dream since the free sites takes days to respond, and the attacker already has another free site going at that point. Still, it requires the attacker to go through the registration process, and if the free sites get tired of taking down sites hosting defacement attacks, maybe they'll have an incentive to DO something to PREVENT it. OK, that's a pipe dream too...

[EDIT]Changed source of quote - it was Einstein, not Franklin[/EDIT]

_________________
I google, therefore I exist...
pjdm
Posted: Sat Jun 23, 2007 11:12 pm

Oh well, it sounded like a lot of work and NukeSentinel is working well (at least it is serving up regular reports of abuse). Thanks.
 
evaders99
Posted: Sun Jun 24, 2007 8:47 pm

Even the reporting system takes time, esp since most ISPs don't even want to take action unless you can provide server logs, in a certain format, showing 5 or more lines, replied to a confirmation... etc, etc, etc. It really is a hassle when we're trying to report something that is rather time-sensitive. In an hour, an abuser can easily take hundreds of servers into their bot net.

I understand that many companies abuse areas are just overwhelmed, but that's the responsibility they have to take as a hosting service.

As far as I've seen, no IP addresses are spoofed. They have no reason to... one blocked IP address, they can go to another. It is very tricky to craft a TCP/IP message to spoof the source IP and have it pass through various network traffic correctly. Most don't have the time, they just use a simple LWP library in perl to keep attacking sites. "Google dork" strings provide them easy access to doing so.

I am using a custom reporting system, since my server gets hit with a couple hundred of these every hour. It is still done manually, as I want to be sure these are legitimate attacks and not false-positives. But it does help me send thousands of emails to those ISPs and some of them do shut down these services.

I am working on collecting data from other sites.. but I want it to be secure. My model is something akin to Spamcop's email reporting service. You won't see this product out right now, but I'm slowly working on it.
 
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

Posted: Sun Jun 24, 2007 10:03 pm

At one point in time, I pursued such an idea. I found there to be a couple of issues that I would not be willing to be responsible for, which led to the halting of this project.

The project took a webmaster to sign up on part of my site where this system is. Once they create an account, they then get a link to download 2 scripts: one rests on their server, in which my server will get all their blocked IPs and incorporate them into a Global Ban database on my system; the second script will install the update CronJob within their site that gets the info off my server and loads it into their database.

Couple of issues: I would have to monitor and regulate every single input from other sites. A hacker could use one of my scripts that I put on the server to output something that could compromise my site and every site that gets the info from my server.

That's one problem that I could not find a secure and legitimate solution for.

The next problem was the amount of time and effort it would take to monitor, and make sure that every single IP added to the list was truly a bad IP.

All this being said, I personally felt 2 things: one, that this would take too much time and effort for a single person; the second thing is that I felt this service, taking so much effort, should be supported by its clients, and I regretfully don't have the heart to turn people away who need the security but don't have the funds, and I don't feel that there are enough people out there willing to support such a thing.

BTW, my system returned all reasons they were banned; in the event that we find a new exploit, it may be possible to use this system to upgrade Sentinel.

Just a few points anyone who is considering this idea may want to look at.

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
evaders99
Posted: Sun Jun 24, 2007 10:20 pm

That is my concern as well, the ability to spoof data and try to undermine the system. Alas, should I ever polish this up for any kind of release, it would probably be for those users I know that I can trust within the Nuke community.
 
gregexp
Posted: Mon Jun 25, 2007 3:11 pm

I completely understand. I too felt like that, but thought that in the event that a hacker actually got access to do damage, the result could be infinitely worse than the potential.

It really bites that it is like that in this community/world.

There are possible ways to make sure nothing was tampered with: an encrypted file that has a variable or constant that needs to be there, that should not be revealed. If the file is completely encrypted, then perhaps that could help to secure the solution. But then you would also have to have your encryption function publicly accessible. Or would you?...

I'm thinking right now.

You wouldn't really need to worry about that IF you set up a php script that takes an FTP username and password (does NOT have to be owner of the account but should have access to public_html), then creates a directory, RANDOMLY, and a file, RANDOMLY, with the last character not random (use one digit from the random number you will generate), and saves the info in a database, but also a random number generated before the files are generated. Store your encryption info in those files. Now, as the client's server needs to decrypt the info it should connect to your server, getting its IP and whatever verification you have it pass; you deliver the random number you generated before, and this random number will tell the server what order to read the files in.


For example:

In file 269635620065.txt I have part 2
In file 255551348649.txt I have part 1
In file 5245152145447446.txt I have part 4
In file 1781754518418.txt I have part 3
But I also have 548545414723.txt
And I also have 15424742244.txt
The random number generated would have been 9586. The other files would be useless. Using multiple encryption methods written by you or generated by a function would allow no one the ability to figure out which method was being used, unless you get something generated standardly, and this is to make it not standard at all.

That should keep hackers very confused, and effectively keep your server secure. Also, making something like a password input needed could also be useful; making it automatic could be a risk.

These are ideas that I had played around with, and really knew it would be possible, but this is where I thought the coding of such a project alone would get seriously not worth it.

Evaders, I'm not actively pursuing these ideas, but if you really are doing something like this, and you need a hand, I will volunteer my time and ability.

BTW, this could stand alone without nuke, if you get my meaning.
 
evaders99
Posted: Mon Jun 25, 2007 9:16 pm

I already have a system that generates an SSL public/private key. That's not so much an issue. Users can register their site's IP and send data that way; I'm reasonably sure of the identity of the reporting site.

Rather, since I'm using mod_rewrite rules, it's not hard to redirect good users to my banned/reporting page. I'm not sure if I can encrypt anything inside .htaccess and still have it work. Thoughts?
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 