Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x
Author Message
meotoo
Hangin' Around


Joined: Aug 04, 2009
Posts: 36

PostPosted: Mon Nov 09, 2009 9:02 am Reply with quote

Hello Folks,

During yesterday i have been making a number of optimizations to my nuke's mainfile.php file, mostly regarding to speed up the page load time.

One of those changes was to remove the ipban.php include if NukeSentinel is used (as it is on my site)

The result?... This morning i've received 200 e-mails about "ppl" trying to send crap through Feedback module (those mails does not comes from NS, it's something i've added myself to catch spammers..)

And as such, it makes me guess the NukeSentinel's Anti-Flood protection does not work at all (it worked before thanks to ipban), or?...

before someone asks, yes... i have sentinel properly configured to protect against flood (EMail Admin & Default Page).


By looking at the ab_flood() function i have to say i mostly saw strange sentences, and some things i can't even get to understand...

first of all, it looks like on my .ftaccess file i always have *one entry* only, for example:

66.249.71.78 || 384040f314966e0c7867aa658147b29b || 1257775749 || PHPSESSID

and therefore, the $floodcount variable is always 1, which render the following code useless:

Code:


$floodopen = fopen($ab_config['ftaccess_path'], "w");
  foreach($floodarray as $floodwrite){
    //if(!strstr($floodwrite, $floodarray[$floodcount-10]))
    if ($floodcount-10>=0) if(!strstr($floodwrite, $floodarray[$floodcount-10]))
    fputs($floodopen, $floodwrite);
  }


Well... the code isn't really useless... it purges/clear the .ftaccess file on each visit (!?!)

What i don't understand is what it is for the $floodcount-10 usage, since it's always -9 here and therefore if($floodcount-10>=0) is always FALSE. Furthermore, by the same reason, explode(' || ', $floodarray[$floodcount-3]); will always return nothing and block_ip($blocker_row); never reached therefore?????

Also note the .ftaccess file is opened two times but closed only once (and in wrong place), side effects from that? who knows from all those server configurations...

In the other hand, this function can be improved a lot to speed it up, mainly if the $floodcount-10 is really a way of doing things, most of the function code can be skipped if the result is empty..

I was about to modify/fix/improve that function to my understanding, but first i wanted to let you guys know about the issue as you're the current NukeSentinel maintainers, right?

What do you think? open to discussion...
 
View user's profile Send private message Visit poster's website
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Mon Nov 09, 2009 9:43 am Reply with quote

Check the configuration again Smile
It won't block it if it isn't set to block it and your setting is at 'Email Admin & Default Page' - does it have the option 'Email, Block & Default page' ??
 
View user's profile Send private message Send e-mail
meotoo
PostPosted: Mon Nov 09, 2009 9:50 am Reply with quote

ops... feeling embarrassed here... Wink

You're right, i didn't had the '& Block' statement set as well.

However, note i didn't received any email with a Flood abuse report, and since I use 'Email Admin' i should have received a lot of emails coming from NS if Anti-Flood would work ok, don't you think?
 
jakec
Site Admin


Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

PostPosted: Mon Nov 09, 2009 11:29 am Reply with quote

It depends how quickly the page views are occuring. Check the Flood Delay settings under General Settings in the Administration menu.

Are you using RN?

If you are then I would be surprised if it was a bot because of the captcha.

I think the default setting is 2 seconds and therefore if it is a human they are probably not posting quick enough to trigger the Flood blocker.
 
View user's profile Send private message
meotoo
PostPosted: Mon Nov 09, 2009 12:10 pm Reply with quote

Quote:
Are you using RN?


No.

Flood Delay set to 2 seconds here.

Quote:
If you are then I would be surprised if it was a bot because of the captcha.


It does not matter, because a captcha (or any other protection) does not forbid bots at all from sending/submitting forms.

Quote:
...not posting quick enough to trigger the Flood blocker.


Seriously, do you think the flood blocker can be triggered/achieved, considering the .ftaccess file is cleared with each visit?

hmm, i must be missing something...or just i can't understand how this thing work or it's supposed to work... (?)

hmmm...(4 minutes later) well... may i get it... may the flood blocker is triggered when a bot sends several http requests in such a way that all of them makes a collision into ab_flood(), specifically at the $floodappend = fopen($ab_config['ftaccess_path'], "a"); step - is that what you mean? i found this quite random but of course it can happen..
 
jakec
PostPosted: Mon Nov 09, 2009 1:36 pm Reply with quote

meotoo wrote:
It does not matter, because a captcha (or any other protection) does not forbid bots at all from sending/submitting forms.


I'm sorry I have to disagree, I bet if you were using the feedback module with a captcha you would not have a problem.
 
Guardian2003
PostPosted: Mon Nov 09, 2009 1:39 pm Reply with quote

I have never looked at this functionality within NS to be honest as I use RN and have never had the problem you describe (except when I originally used phpNuke).

To be perfectly honest, I don't think the flood blocker is supposed to impose a series of permanent bans, just slow down the attack a bit - attacks like that should really be dealt with at server level.

The right CAPTCHA, if implemented correctly does stop the sort of behavior you describe with regard to automated form submission. If the form is being targeted by automated bots, you could just as easily change the form input variables, or even use the module from RN and just comment out the CAPTCHA code (it's commented within the file).

Sorry I can't help you any more on that this one.
 
meotoo
PostPosted: Mon Nov 09, 2009 2:27 pm Reply with quote

jakec wrote:
I'm sorry I have to disagree, I bet if you were using the feedback module with a captcha you would not have a problem.

Guardian2003 wrote:
The right CAPTCHA, if implemented correctly does stop the sort of behavior you describe


no offense, but... are both you kidding?? Wink

I'm quite sure about what i said, again: a captcha DOES NOT forbid bots from SENDING forms(*)

hmm, i guess both you didn't understand me, and therefore i have to apologize by my bad english... it's not my mother language and sometimes i do not found the right words...

(*) OF COURSE a captcha forbids the form from being processed, but it does not forbid bots from actually sending it, as i said. - anyway this is becoming OFFTOPIC.


Guardian2003 wrote:
Sorry I can't help you any more on that this one.


No problem! I do not want to waste your time, there are more RN admins Smile

Who is the actual NS Maintainer? just Raven?

BTW, reading this (your last) post i get a little confused, I'm reporting some bugs and/or security flaw (to my understanding) within NukeSentinel - it has nothing to do with RN, plain php-nuke, or whatever CMS I use, this is offtopic as well.

Confused
 
meotoo
PostPosted: Mon Nov 09, 2009 2:39 pm Reply with quote

both you may misunderstood this point:

Quote:
This morning i've received 200 e-mails about "ppl" trying to send crap through Feedback module (those mails does not comes from NS, it's something i've added myself to catch spammers..)



The emails i've received AREN'T Feedback submissions.

ARE reports from a protection i've added myself to the Feedback module.

can we go back to topic, please? Wink
 
Guardian2003
PostPosted: Mon Nov 09, 2009 2:45 pm Reply with quote

Your concerns and your comments are not off topic at all. I was just saying that I don't personally know enough about the Flood blocker to be able to give you an answer or a direction to go in, there are others here who might be able to.
 
meotoo
PostPosted: Mon Nov 09, 2009 2:54 pm Reply with quote

hmm, i think i got misunderstood again..sorry..

I mean talking about CAPTCHA, or RN, on this topic/thread is OFFTOPIC.

Of course what i say is not offtopic at all Mr. Green Wink
 
hicuxunicorniobestbuildpc
Life Cycles Becoming CPU Cycles


Joined: Aug 13, 2009
Posts: 967
Location: Netherland

PostPosted: Mon Nov 09, 2009 4:05 pm Reply with quote

Can you post your mailfile.php meotoo. I did somes changes too and added a very simple code which load the site litttle faster than normal. I think you should play a little bit with NS and then you can see if it is working or not. In my opinion it is working pretty good.
 
View user's profile Send private message Visit poster's website
meotoo
PostPosted: Mon Nov 09, 2009 4:54 pm Reply with quote

unicornio wrote:
Can you post your mailfile.php meotoo. I did somes changes too and added a very simple code which load the site litttle faster than normal. I think you should play a little bit with NS and then you can see if it is working or not. In my opinion it is working pretty good.


Hello bestbuildpc..

Please ignore me..

Thank you..
 
Palbin
Site Admin


Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania

PostPosted: Mon Nov 09, 2009 5:55 pm Reply with quote

meotoo wrote:
hmmm...(4 minutes later) well... may i get it... may the flood blocker is triggered when a bot sends several http requests in such a way that all of them makes a collision into ab_flood(), specifically at the $floodappend = fopen($ab_config['ftaccess_path'], "a"); step - is that what you mean? i found this quite random but of course it can happen..


That is the point of a flood.

You will only be added to the file multiple times if this code is true
Code:


  if($_SESSION["NSNST_Flood"] > time() - $ab_config['flood_delay']){
    $floodappend = fopen($ab_config['ftaccess_path'], "a");
    fwrite($floodappend, $nsnst_const['remote_ip']." || $_sessid || $currtime || $_sessnm\n");
  }


Just because this bit of code is may be false (not always) does not matter:
Code:


  foreach($floodarray as $floodwrite){
    //if(!strstr($floodwrite, $floodarray[$floodcount-10]))
    if ($floodcount-10>=0) if(!strstr($floodwrite, $floodarray[$floodcount-10]))
    fputs($floodopen, $floodwrite);
  }


The above code does not affect the below code at all since $floodcount is determined before the above.
Code:


if ($floodcount >= 4) {
  $p1 = explode(' || ', $floodarray[$floodcount-1]);
  $p2 = explode(' || ', $floodarray[$floodcount-3]);
  if($p1["2"] - $p2["2"] <= $ab_config['flood_delay']) {
    if($p1["1"] != $p2["1"]) {
      if($p1["0"] == $p2["0"]) {
        if($nsnst_const['remote_ip'] == $p1["0"] && $p2["0"]) {
          block_ip($blocker_row);
        }
      }
    }
  }
}


To demonstrate if you have four of the same entries in ftaccess:
Code:


66.249.71.78 || 384040f314966e0c7867aa658147b29b || 1257775749 || PHPSESSID
66.249.71.78 || 384040f314966e0c7867aa658147b29b || 1257775749 || PHPSESSID
66.249.71.78 || 384040f314966e0c7867aa658147b29b || 1257775749 || PHPSESSID
66.249.71.78 || 384040f314966e0c7867aa658147b29b || 1257775749 || PHPSESSID


FALSE
Code:


 if ($floodcount-10>=0) if(!s........


TRUE
Code:


if ($floodcount >= 4) { ......


meotoo wrote:

Also note the .ftaccess file is opened two times but closed only once (and in wrong place), side effects from that? who knows from all those server configurations..


It is opened with a different parameter and you only close it once.

meotoo wrote:

In the other hand, this function can be improved a lot to speed it up, mainly if the $floodcount-10 is really a way of doing things, most of the function code can be skipped if the result is empty..


The bulk of this function is skipped if the result is 0.

meotoo wrote:
Quote:
If you are then I would be surprised if it was a bot because of the captcha.


It does not matter, because a captcha (or any other protection) does not forbid bots at all from sending/submitting forms.

You are correct that a CAPTCHA will not stop a bot from sending data to the server. No php coding can physically stop a user/bot from sending data to the server, but it does stop the data from being processed. If you are worried about bandwidth etc being wasted from the "flood" the flood blocker will block that.

_________________
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." — Brian W. Kernighan. 
View user's profile Send private message
meotoo
PostPosted: Mon Nov 09, 2009 6:54 pm Reply with quote

Quote:
That is the point of a flood.


wow... and such collision is guarantee to be reached in a safely way?... because i always had in mind the way IPBan's Anti-Flood is doing it, and it's why i saw that NS's code strange.. i still have wonders/doubts.. for example, what about if such collision is achieved from several different IPs? they will be written randomly to .ftaccess which makes the following code doubtfully valid, i guess:

Code:


$p1 = explode(' || ', $floodarray[$floodcount-1]);
  $p2 = explode(' || ', $floodarray[$floodcount-3]);
  if($p1["2"] - $p2["2"] <= $ab_config['flood_delay']) {
    if($p1["1"] != $p2["1"]) {
      if($p1["0"] == $p2["0"]) {
        if($nsnst_const['remote_ip'] == $p1["0"] && $p2["0"]) {
          block_ip($blocker_row);
        }
      }
    }
  }



Quote:
if ($floodcount >= 4) { ......


ouch... i didn't have that sentence on my NS 2.6.01 install..

Quote:
It is opened with a different parameter and you only close it once.


aha, do you mean the filehandle is intentionally left open to let the collision happen? interesting...

...Then, i guess my "fixed function" is broken.. this is what i'm using actually:

Quote:

function ab_flood($blocker_row) {
global $ab_config, $nsnst_const;
$floodarray = file($ab_config['ftaccess_path']);
$floodcount = count($floodarray);
if($floodcount > 9) {
$floodopen = fopen($ab_config['ftaccess_path'], "w");
foreach($floodarray as $floodwrite) {
if(!strstr($floodwrite, $floodarray[$floodcount-10]))
fputs($floodopen, $floodwrite);
}
fclose($floodopen);
}
if($floodcount > 2) {
$p1 = explode(' || ', $floodarray[$floodcount-1]);
$p2 = explode(' || ', $floodarray[$floodcount-3]);
if(($p1["0"] == $p2["0"]) AND ($p1["1"] != $p2["1"])
AND (($p1["2"] - $p2["2"]) <= $ab_config['flood_delay'])
AND ($nsnst_const['remote_ip'] == $p1["0"] && $p2["0"])) {
block_ip($blocker_row);
}
}
if($_SESSION["NSNST_Flood"] > time() - $ab_config['flood_delay']) {
$floodappend = fopen($ab_config['ftaccess_path'], "a");
$_sessid = session_id();
$_sessnm = session_name();
$currtime = time();
fwrite($floodappend, $nsnst_const['remote_ip']." || $_sessid || $currtime || $_sessnm\n");
fclose($floodappend);
}
}


I think the if($floodcount > 9) { is needed, but i'll move the fopen outside, or may isn't needed? (it is ok as is?)

at least i'll move fclose($floodopen); where it was before, at function's bottom. and i'll remove fclose($floodappend); then, if it's what is needed to the collision to happen.. Confused

Well, thanks a lot Palbin for your great advices.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©