NukeSentinel not adding banning IP's to .htaccess

Hangin' Around Joined: Oct 04, 2003 Posts: 35

I updated my site to the latest RavenNuke (v2.30.00 ) around three months ago and I have to say I am extremely pleased with the results. I have polished, professional looking/ functioning website. A real credit to the combined efforts by the phpnuke scene and all at RavenNuke. Thank you.

As with all projects There are a couple of things that are way above me and I would really appreciate some input from other sources. For this particular post I am experiencing a few strange issues with NukeSentinel v2.6.01.

Having rigorously followed the HowToInstall section from ravennuke I successfully enabled the ‘Admin Access Protection’ and the ‘Email Admin, Block, and redirect to Default Page’.

Now that : NukeSentinel is enabled I was surprised to see that the site is pretty much under attack from scripts on a daily basis - through the alert emails (I get anywhere between 5 – 25 a day). A common example of one is as follows:

Code:




Created By: NukeSentinel(tm) 2.6.01


Date &amp; Time: 2009-02-03 08:08:59 UTC GMT +0000 Blocked IP: 194.109.22.106 User ID: Anonymous (1)


Reason: Abuse-Filter


--------------------


Referer: none


User Agent: libwww-perl/5.816


HTTP Host: [ Only registered users can see links on this board! Get registered or login! ]


Script Name: /html/modules.php


Query String: name=Shout_B ...//modules/Forums/admin/index.php?


Get String: name=Shout_B ...//modules/Forums/admin/index.php?phpbb_root_path=http:


Post String: Not Available


Forwarded For: none


Client IP: none


Remote Address: 194.109.22.106


Remote Port: 4652


Request Method: GET

I really want to block these type of attacks. The issue I am having is that I enabled ‘Write to htaccess’ under all the ‘Blocker Settings’ and for some reason this is just not happening? If I manually add a Blocked IP I can see that the .htaccess has been amended. However, if I leave NukeSentinel to add IPs automatically it does not. The CHMOD of .htaccess is 666 as suggested in the HowToInstall section. Have I missed something here?

On a slightly different note browsing through the forums today I managed to find a post on stopping libwww-perl scripts by adding code to the TegoShortLinks section under .htaccess. The code I am trying as of today is below:

Code:




#libwww-perl 


RewriteCond %{HTTP_USER_AGENT} ^libwww-perl 


RewriteRule ^.*$ http://127.0.0.1 [R,L]

Hopefully this will cut a most of the libwww-perl script attacks before they even reach NukeSentinel. However I would still like NukeSentinel to be able to add blocked IP’s automatically.

Any advice would be greatly appreciated.

StalkS

Posted: Tue Feb 03, 2009 5:21 am

Go to the NS administration area and look for the link to 'Blocker Configuration'.
From the list of blocker types select the appropriate one and make sure it is set to 'block'

Posted: Tue Feb 03, 2009 5:25 am

Guardian Thanks for the reply. I'll give that a go now! I cannot believe it was so obvious!

UPDATE:
My issue was that it is actually under the 'Activate' section. Where you have the following options:

Off
Email Admin
Forward
Default Page
Email & Forward
Email & Default Page
Block & Forward
Block & Default Page
Email, Block & Forward
Email, Blockl & Default Page

I just had it on Email Admin Doh! I guess for some reason I thought by enabling 'write to .htaccess' that was enough. thanks for pointing out the blindingly obvious!

Regards

StalkS

Posted: Tue Feb 03, 2009 10:14 pm

Yep, just to let you know, every site is under attack through such automated scripts. So what you're seeing is fairly low - I'm still averaging 400 an hour Smile

Posted: Wed Feb 04, 2009 12:46 am

Good stuff here, I also get those emails, while mine are only in the 50-100 range per day. I had the same problem and now I feel a little dumber... 2 steps back and one step forwards, guess I had to learn somehow. Thanks for the info

Posted: Wed Feb 04, 2009 5:50 am

evaders99 wrote:

Yep, just to let you know, every site is under attack through such automated scripts. So what you're seeing is fairly low - I'm still averaging 400 an hour Smile

Wow! Well I don't think I should even be complaining after hearing that amount!! Shocked

StalKS

Posted: Wed Feb 04, 2009 8:10 pm

The more your site gets picked up by search engines, the easier it is for these scripts to keep using them to hit your site. Sadly you become a high target, even if you're not even running the ___ software that the vulnerability is for. It's no cost to them to scan a million websites looking for one vulnerable machine... they can scan billions of sites, get thousand of them vulnerable machines into their botnet, sell those boxes to scammers and hackers and get the cash.

Posted: Sun Feb 08, 2009 9:00 am

After installing mod_security, I am way down on attack vectors getting to my sites. Not sure, though, if a shared host will install this or not? RavenWebHosting does, however, as Raven makes security a given rather than an after thought. Wink

Worker Joined: Jan 06, 2009 Posts: 183

Hi guys,

I want to make sure I'm understanding this correctly. When I installed NS, I to followed the How To Install. It says the following for block settings: Most have been preset but you should still review them all. So as of right now they are at the default settings. I have not received any emails or ip blocks in my .htaccess file.

So, am I understanding that if I want NS to do the work of banning and emailing me, I need to have the settings set to: Email Block & Default Page and have Write to htaccess turned on? If this is what I need to have my settings at, what has NS been doing for me at the default setting? Keep in mind that I have done everything to the letter in the how to other then not knowing how my blocker settings should be to make my site more secure. So I left them at default.

Posted: Wed Apr 01, 2009 4:28 pm

All you need to do is to to the Blocker settings configuration and review them.
Yes your assumption is correct, 'Email' means you will get an email, 'Block' means NS will perform a block operation. 'Default page' refers to the page the user see's when they are blocked.

NS blocks in two ways - by writing the data to the database and optionally writing to the htaccess file (if it is writable and that option is activated).

Posted: Wed Apr 01, 2009 5:35 pm

Guardian2003,

Thanks for the reply,

My concern is that even at the default setting being set to email me has not happened. I'm sure by now I should have had many attacks happening on my site. I can't be that lucky Smile

I'm just hoping that all my other setting are ok.

Posted: Thu Apr 02, 2009 2:13 am

Why are you "just hoping that all my other settings are ok" - why not go and check them?

Posted: Thu Apr 02, 2009 7:03 am

For a new domain just getting started, it could take awhile for the "google hackers" start finding you... Try adding a string to the String Blocker and have it set to just send an email only and then post something with that string in it. One sure fire way to make that happen is to try and set up a new user with a username or email address with that string in it.

Posted: Thu Apr 02, 2009 7:41 am

The latest on my support site is for users to register and THEN post their advertising ilk in the forums .. bah!! You can't win. I tried "admin approval" but that is just too time consuming to ferret out 100 new apps daily, 99 of which are the bandits. I am going to start a new thread with a suggestion.

Cheers

Posted: Thu Apr 02, 2009 8:05 am

Guardian2003 wrote:

Why are you "just hoping that all my other settings are ok" - why not go and check them?

Meaning that I have everything else set to how the HOW TO INSTALL guide has directed us to. So if there is a better way to setup the NS then how the guide has told us to setup the NS; I haven't found those settings yet.

I have changed the blocker settings and since then I have had a few blocks and emails sent for Harvest attacks.

Posted: Thu Apr 02, 2009 8:20 am

That is why preferences are called just that, preferences. You start with default values and then make individual choices based on the amount and nature of traffic visiting your site. My support site experiences world-wide and huge traffic volumes. All of my "blockers" are set to ON and "block default page email admin". YMMV

And I also have a folder set up in my mail app where all blocker emails are filtered making it quite easy to evaluate.

Cheers

Posted: Mon Apr 06, 2009 7:39 am

Thanks for the information guys. I have it all set up and getting blocked IPs and emails from it now.