Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x
Author Message
StalkS
Hangin' Around


Joined: Oct 04, 2003
Posts: 35

PostPosted: Tue Feb 03, 2009 4:38 am Reply with quote

I updated my site to the latest RavenNuke (v2.30.00 ) around three months ago and I have to say I am extremely pleased with the results. I have polished, professional looking/ functioning website. A real credit to the combined efforts by the phpnuke scene and all at RavenNuke. Thank you.

As with all projects There are a couple of things that are way above me and I would really appreciate some input from other sources. For this particular post I am experiencing a few strange issues with NukeSentinel v2.6.01.

Having rigorously followed the HowToInstall section from ravennuke I successfully enabled the ‘Admin Access Protection’ and the ‘Email Admin, Block, and redirect to Default Page’.

Now that : NukeSentinel is enabled I was surprised to see that the site is pretty much under attack from scripts on a daily basis - through the alert emails (I get anywhere between 5 – 25 a day). A common example of one is as follows:

Code:


Created By: NukeSentinel(tm) 2.6.01
Date & Time: 2009-02-03 08:08:59 UTC GMT +0000 Blocked IP: 194.109.22.106 User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
Referer: none
User Agent: libwww-perl/5.816
HTTP Host: Only registered users can see links on this board! Get registered or login!
Script Name: /html/modules.php
Query String: name=Shout_B ...//modules/Forums/admin/index.php?
Get String: name=Shout_B ...//modules/Forums/admin/index.php?phpbb_root_path=http:
Post String: Not Available
Forwarded For: none
Client IP: none
Remote Address: 194.109.22.106
Remote Port: 4652
Request Method: GET


I really want to block these type of attacks. The issue I am having is that I enabled ‘Write to htaccess’ under all the ‘Blocker Settings’ and for some reason this is just not happening? If I manually add a Blocked IP I can see that the .htaccess has been amended. However, if I leave NukeSentinel to add IPs automatically it does not. The CHMOD of .htaccess is 666 as suggested in the HowToInstall section. Have I missed something here?


On a slightly different note browsing through the forums today I managed to find a post on stopping libwww-perl scripts by adding code to the TegoShortLinks section under .htaccess. The code I am trying as of today is below:

Code:


#libwww-perl
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl
RewriteRule ^.*$ http://127.0.0.1 [R,L]


Hopefully this will cut a most of the libwww-perl script attacks before they even reach NukeSentinel. However I would still like NukeSentinel to be able to add blocked IP’s automatically.


Any advice would be greatly appreciated.


StalkS
 
View user's profile Send private message
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Tue Feb 03, 2009 5:21 am Reply with quote

Go to the NS administration area and look for the link to 'Blocker Configuration'.
From the list of blocker types select the appropriate one and make sure it is set to 'block'
 
View user's profile Send private message Send e-mail
StalkS
PostPosted: Tue Feb 03, 2009 5:25 am Reply with quote

Guardian Thanks for the reply. I'll give that a go now! I cannot believe it was so obvious!

UPDATE:
My issue was that it is actually under the 'Activate' section. Where you have the following options:

Off
Email Admin
Forward
Default Page
Email & Forward
Email & Default Page
Block & Forward
Block & Default Page
Email, Block & Forward
Email, Blockl & Default Page


I just had it on Email Admin Doh! I guess for some reason I thought by enabling 'write to .htaccess' that was enough. thanks for pointing out the blindingly obvious!

Regards


StalkS
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Tue Feb 03, 2009 10:14 pm Reply with quote

Yep, just to let you know, every site is under attack through such automated scripts. So what you're seeing is fairly low - I'm still averaging 400 an hour Smile

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
horrorcode
Involved
Involved


Joined: Jan 17, 2009
Posts: 272
Location: Missouri

PostPosted: Wed Feb 04, 2009 12:46 am Reply with quote

Good stuff here, I also get those emails, while mine are only in the 50-100 range per day. I had the same problem and now I feel a little dumber... 2 steps back and one step forwards, guess I had to learn somehow. Thanks for the info
 
View user's profile Send private message
StalkS
PostPosted: Wed Feb 04, 2009 5:50 am Reply with quote

evaders99 wrote:
Yep, just to let you know, every site is under attack through such automated scripts. So what you're seeing is fairly low - I'm still averaging 400 an hour Smile


Wow! Well I don't think I should even be complaining after hearing that amount!! Shocked

StalKS
 
evaders99
PostPosted: Wed Feb 04, 2009 8:10 pm Reply with quote

The more your site gets picked up by search engines, the easier it is for these scripts to keep using them to hit your site. Sadly you become a high target, even if you're not even running the ___ software that the vulnerability is for. It's no cost to them to scan a million websites looking for one vulnerable machine... they can scan billions of sites, get thousand of them vulnerable machines into their botnet, sell those boxes to scammers and hackers and get the cash.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

PostPosted: Sun Feb 08, 2009 9:00 am Reply with quote

After installing mod_security, I am way down on attack vectors getting to my sites. Not sure, though, if a shared host will install this or not? RavenWebHosting does, however, as Raven makes security a given rather than an after thought. Wink

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
rickleigh
Worker
Worker


Joined: Jan 06, 2009
Posts: 183

PostPosted: Wed Apr 01, 2009 4:14 pm Reply with quote

Hi guys,

I want to make sure I'm understanding this correctly. When I installed NS, I to followed the How To Install. It says the following for block settings: Most have been preset but you should still review them all. So as of right now they are at the default settings. I have not received any emails or ip blocks in my .htaccess file.

So, am I understanding that if I want NS to do the work of banning and emailing me, I need to have the settings set to: Email Block & Default Page and have Write to htaccess turned on? If this is what I need to have my settings at, what has NS been doing for me at the default setting? Keep in mind that I have done everything to the letter in the how to other then not knowing how my blocker settings should be to make my site more secure. So I left them at default.

_________________
Thanks,
Rick Leigh 
View user's profile Send private message
Guardian2003
PostPosted: Wed Apr 01, 2009 4:28 pm Reply with quote

All you need to do is to to the Blocker settings configuration and review them.
Yes your assumption is correct, 'Email' means you will get an email, 'Block' means NS will perform a block operation. 'Default page' refers to the page the user see's when they are blocked.

NS blocks in two ways - by writing the data to the database and optionally writing to the htaccess file (if it is writable and that option is activated).
 
rickleigh
PostPosted: Wed Apr 01, 2009 5:35 pm Reply with quote

Guardian2003,

Thanks for the reply,

My concern is that even at the default setting being set to email me has not happened. I'm sure by now I should have had many attacks happening on my site. I can't be that lucky Smile

I'm just hoping that all my other setting are ok.
 
Guardian2003
PostPosted: Thu Apr 02, 2009 2:13 am Reply with quote

Why are you "just hoping that all my other settings are ok" - why not go and check them?
 
montego
PostPosted: Thu Apr 02, 2009 7:03 am Reply with quote

For a new domain just getting started, it could take awhile for the "google hackers" start finding you... Try adding a string to the String Blocker and have it set to just send an email only and then post something with that string in it. One sure fire way to make that happen is to try and set up a new user with a username or email address with that string in it.
 
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1242

PostPosted: Thu Apr 02, 2009 7:41 am Reply with quote

The latest on my support site is for users to register and THEN post their advertising ilk in the forums .. bah!! You can't win. I tried "admin approval" but that is just too time consuming to ferret out 100 new apps daily, 99 of which are the bandits. I am going to start a new thread with a suggestion.

Cheers
 
View user's profile Send private message
rickleigh
PostPosted: Thu Apr 02, 2009 8:05 am Reply with quote

Guardian2003 wrote:
Why are you "just hoping that all my other settings are ok" - why not go and check them?


Meaning that I have everything else set to how the HOW TO INSTALL guide has directed us to. So if there is a better way to setup the NS then how the guide has told us to setup the NS; I haven't found those settings yet.

I have changed the blocker settings and since then I have had a few blocks and emails sent for Harvest attacks.
 
dad7732
PostPosted: Thu Apr 02, 2009 8:20 am Reply with quote

That is why preferences are called just that, preferences. You start with default values and then make individual choices based on the amount and nature of traffic visiting your site. My support site experiences world-wide and huge traffic volumes. All of my "blockers" are set to ON and "block default page email admin". YMMV

And I also have a folder set up in my mail app where all blocker emails are filtered making it quite easy to evaluate.

Cheers
 
rickleigh
PostPosted: Mon Apr 06, 2009 7:39 am Reply with quote

Thanks for the information guys. I have it all set up and getting blocked IPs and emails from it now.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©