Ravens PHP Scripts: Forums
 

 

aaly
New Member
Joined: Jan 02, 2006
Posts: 20

Posted: Sun Jun 11, 2006 11:47 am

I thought I did the setup right because I don't see any errors, but then I received mails about hacker attacks and that the IP is banned, but in the administration it says "There are currently no IP addresses in the database", so what could be wrong? I have no idea.

Code:
Date & Time: 2006-06-11 13:52:51 CEST GMT +0200

Blocked IP: 66.77.136.
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: libwww-perl
--------------------
User Agent: libwww-perl/5.69
Query String: .../modules.php?none
Get String: ...../modules.php
Post String: ..../modules.php
Forwarded For: none
Client IP: none
Remote Address: 66.77.136.
Remote Port: 37153
Request Method: GET
--------------------


That is a copy of one of the mails I receive from Sentinel (my domain and the IP address of the attacker commented out).
 
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

Posted: Sun Jun 11, 2006 12:51 pm

Did all your tables make... do you have a nuke_nsnst_blocked_ips and do you have the harvester blocker configured to block the IPs?

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 

aaly
Posted: Sun Jun 11, 2006 1:00 pm

darklord wrote:
Did all your tables make... do you have a nuke_nsnst_blocked_ips and do you have the harvester blocker configured to block the IPs?


All the tables are installed, including nuke_nsnst_blocked_ips, and the harvester blocker is set to block IPs. Manually I can add IPs to the blocked list but Sentinel won't do it automatically.
 
gregexp
Posted: Sun Jun 11, 2006 1:02 pm

What version of Sentinel are you using?
 
aaly
Posted: Sun Jun 11, 2006 1:07 pm

I just updated to the last one from 2.4.2pl6.

Blocker is set to e-mail, block and default page, is that right?
 
gregexp
Posted: Sun Jun 11, 2006 2:21 pm

Yes, that's right... curious why Sentinel does not put the IP in the database... you should see if errors are turned on in your config.php and let us know if it displays an error.
 
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Sun Jun 11, 2006 2:32 pm

Your settings for harvester look okay. Is it writing the IP to htaccess? If you block the IP manually does it write to htaccess? If you look in the blocked_ip table after blocking an IP manually is it in there?

If you do "display blocked IP's" from Sentinel does it list any? If you manually block one and do "display blocked IP's" does it list any? So many questions, I know, but we need the answers to narrow it down.
 
aaly
Posted: Sun Jun 11, 2006 2:54 pm

Manually the IP gets listed in Sentinel administration, in .htaccess and in the database table nuke_nsnst_blocked_ips, so I think manually works.
 
gregexp
Posted: Sun Jun 11, 2006 3:00 pm

This is definitely weird and not making any sense. Did it display an error at all? Ban your own IP, then see if it blocks you, and check your tables to see if it's listed. On RARE occasions I've seen, when the database is lagging or servers are getting hit with a DDoS attack, Sentinel doesn't ban the IP properly. I have been told this is a way that hackers bypass Sentinel, but if it writes to the .htaccess it will block them anyway.
 
aaly
Posted: Sun Jun 11, 2006 3:14 pm

My database was lagging today because of IP tracking in Sentinel. I have a highly frequented site; since I turned IP tracking off the site responds normally again. I don't see any errors, a manual ban gets listed, automatically I receive just the mail but Sentinel did not ban the user, there is no entry in the database and none in .htaccess.
 
fkelly
Posted: Sun Jun 11, 2006 3:26 pm

I know it seems redundant but just to confirm:

- You are running Sentinel PL9 ... it says that at the top of your Sentinel screen.
- You got that email telling you about the harvest attack and you had your harvester settings set to block the IP's before that happened.
- You can block the same IP's "manually" and it takes.

I'm just wondering now when you started with Sentinel and whether all the upgrades have gone okay. What was the first version you loaded? Has it been blocking IP's okay up to now or is this your first attempt at running it?

The Harvest attack is more of a nuisance than anything pernicious and maybe we should just wait a bit and see if it happens again and then post it here. I know the Sentinel folks are hard at work testing revisions now, and it's a little hard to simulate something like this, but it is certainly something to watch for, if Harvest attacks aren't being properly banned, and we'd appreciate it if you'd post anything further along those lines as well as just confirming the questions above.
 
aaly
Posted: Sun Jun 11, 2006 3:44 pm

My first version was 2.4.2pl6. I installed it a week ago for the first time; since that time I received a couple of mails with Abuse-Harvest as a reason for banning, but none of the listed IPs in the mails are actually banned. They are not listed in the database and .htaccess file. As I told before, I don't see any errors and manual banning works like a charm. Today I updated to 2.4.2pl9 but didn't receive any mails about attacks, so I don't know if it works now or not.
 
aaly
Posted: Sun Jun 11, 2006 4:50 pm

I just received a new mail about Abuse-Harvest but this time the user is banned, seems that now Sentinel works probably but I still don't know why it didn't work in version 2.4.2pl6. However my problem is now solved, thanks fkelly & darklord for your quick replies.
 
fkelly
Posted: Sun Jun 11, 2006 5:36 pm

It has been a pleasure aaly. Keep us posted if the problem reoccurs. And keep checking those logs.
 
erald
New Member
Joined: Dec 13, 2004
Posts: 21

Posted: Fri Jun 23, 2006 12:20 pm

Hello,

I do have exactly the same problem with the Author blocker. I do get an email but no writing into the database and .htaccess.
The client gets the black page that he is blocked but can go back and just continue. Now he is registered as an administrator, might that be the problem?
 
gregexp
Posted: Fri Jun 23, 2006 8:03 pm

Yes that would be a problem.

Now just to confirm, you have your authors blocker set to e-mail, block and default page,
and also you have the path to .htaccess set correctly for your .htaccess, and it's chmoded to 666?

These are the things everyone should check.
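
The checks asked for in the replies above (is the IP named in the alert mail actually in .htaccess, and is the file chmoded to 666), as an added Python example that is not part of the thread or of NukeSentinel. It assumes blocks are written to .htaccess as Apache `deny from <ip>` lines; the function names and sample addresses are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Constructed sample alert, same layout as the mail quoted in the thread.
SAMPLE_ALERT = """\
Date & Time: 2006-06-11 13:52:51 CEST GMT +0200
Blocked IP: 192.0.2.10
Reason: Abuse-Harvest
String Match: libwww-perl
"""

def parse_alert(text):
    """Return the 'Key: value' fields of an alert mail as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def denied_ips(htaccess_text):
    """Addresses on 'deny from ...' lines (assumed block format); comments skipped."""
    found = set()
    for line in htaccess_text.splitlines():
        m = re.match(r"\s*deny\s+from\s+(.+)$", line, re.IGNORECASE)
        if m:
            found.update(m.group(1).split())
    return found

def check_block(alert_text, htaccess_path):
    """Compare one alert with the .htaccess the blocker should have written."""
    ip = parse_alert(alert_text).get("Blocked IP", "")
    result = {"ip": ip, "exists": os.path.isfile(htaccess_path),
              "world_writable": False, "listed": False}
    if result["exists"]:
        mode = os.stat(htaccess_path).st_mode
        result["world_writable"] = bool(mode & stat.S_IWOTH)  # set by chmod 666
        with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
            result["listed"] = ip in denied_ips(fh.read())  # exact match only
    return result

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".htaccess")
        with open(path, "w") as fh:
            fh.write("deny from 198.51.100.7\n")  # constructed: alert IP missing
        print(check_block(SAMPLE_ALERT, path))
```

A result with `listed` false for an IP that an alert mail reported as blocked is the symptom described in this thread.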
 
erald
Posted: Sat Jun 24, 2006 2:36 am

darklord wrote:
Yes that would be a problem.

Now just to confirm, you have your authors blocker set to e-mail, block and default page,
and also you have the path to .htaccess set correctly for your .htaccess, and it's chmoded to 666?

These are the things everyone should check.


Yes everything is set.
In the meantime I found the problem. The fact that you are logged in as administrator means you will not be blocked. But somehow the fact that you have previously been logged in as administrator also means you are not getting blocked. However, if you close the browser and restart it, and are not logged in or are logged in as a normal user, you will be blocked when testing an abuse.

It took some time for me to figure this out and it even made me reinstall everything and restart the client PC. Then it works like a charm.
 
gregexp
Posted: Sat Jun 24, 2006 11:59 pm

Ahh, you tested a script while you had your IP protected... doh

Glad you found the issue.
 
All times are GMT - 6 Hours
 