Topic: Forum Firewall

[butchas]

After over six months of development, through testing and three weeks waiting for approval at SMF I grow tired of waiting...  They are ignoring me, maybe they do not like my mod?  So I will post it here...   

Forum Firewall

* protection against bad people doing bad things *

Written by:                   butchas
Testing by:                    Lou69, snoopy_virtual and Wizzlefits
Current mod version:  1.0.6
Compatibility:               SMF 1.1.10-13, SMF 2.0RC3-RC5
Supported languages: 
Hack Attempts:             Please share in the support thread so we can all be safe
Translations:                Translations are accepted

Forum Firewall offers 13 tests for the forum operator that protect against unwanted visitors.  Forum Firewall is written as a supplement to existing site protection methods and should not be the only line of protection.  An ideal protection scheme is as follows:

• Proxy Firewall.
• Htaccess protection such as blocking nasty ip addresses, CrawlProtect and GeoIP.
• Forum Firewall (this mod).
• Bad Behavior mod.
• Project Honeypot.
• Stop Spammer.

The above protection will not stop a determined attacker but it just may send them looking for easier targets.


Some features in this modification:

• Compatible with CloudFlare and other Proxys.
• Log and/ or block violations.
• DOS Protection to lower bandwidth with cool off & email notification.
• Admin Spoofing Protection.
• IP Address Spoofing Protection.
• Port Spoofing Protection.
• Anti-spoofing cache.
• Cross Site Scripting (XSS) Protection.
• SQL Injection Protection.
• Proxy Bypass Prevention.
• Limited Country Code blocking.
• Automatic scan of image files.
• Provides spanish warning if it is detected in header (thanks snoopy_virtual).

SMF 1.x version does not have:  Auto trimming of the visitor log and automatic scan of image files.

It is recommended that you do not enable "Block Violations" until after you operated the mod for several days and you are fully confident that there are no infractions in the visitor logs that can deny you or your top members access.

Version History

1.0.0 --  October 24, 2010
1.0.1 --  January 16, 2011 - Fixed admin screen not showing.
1.0.2 - January 23, 2011 - Added some suggestions by Arantor & PhobosK.  Fixed Undefined variable: result & forumfirewall_data found by busterone.


** edited after 31 downloads**
December 24, 2010 - update fixed minor bugs in cache check & whitelist
** edited after 43 downloads**
January 08, 2011 - update copyright to current year, improved database storage, 1.1.x page tab fix
***  edited after after 47 uploads **
Rev 1.0.1 --  January 16, 2011
Rev 1.0.1 --  January 23, 2011
Rev 1.0.6 --  February 20, 2011


Support has been moved to SMF Helper.

[bigguy]

Wow man, this looks like a huge mod. SMF isn't answering you at all eh. Very sorry to hear that. I might give this a shot on my other site and see what it does. I don't have really any need for it right because I am not getting attacked. It seems like a very handy mod to have installed though for sure. Probably could have helped out on SMFH the time we got attacked.

[butchas]

I think they are afraid to release it even though there are many others like it for other forums and content management software.   

I was out of work for a while and I was bored so this mod is BIG and thorough.

Funny thing is that most people think they are not getting attacked when they are...   I recommend running just the IP check and DOS protection as the minimum.

[bigguy]

I'll give it a shot on my other forum to test it out.

[butchas]

The mod is totally user configurable.  It will either log or ban the visitor.  You can select only the tests you want based on your personal paranoia level.  Plus you can edit the test details to handle new or perceived threats without having to wait for a new version of the mod.
 

[bigguy]

I have it installed now on another forum that I am playing with. No errors and it all seems to be running fine. It also installed on the core theme and minerva with no problems. Nice work.

[butchas]

Thank you.  You may want to check out those help icons.   

[william777]

butchas, I hope you are gainfully employed now.
I will try it when I set up my new site.

[bigguy]

Here's a question for you. In this screenshot, does it mean the firewall has banned google.

[butchas]

william777, Thank you!  Never know in todays market but, I hope I am gainfully employed too!   

Big Guy, that will only block visitors if the "Block Violations" option is selected.  When you see the word "Repeated" that means that the visitor has committed a repeated violation before the "Cache Duration" has expired.

Besides checking for DOS attacks the cache duration cuts back on bandwidth by immediately blocking and/ or logging a visitor has committed a violation and returned during the cache duration.  If you actually selected to ban the visitor then the software will try to exit SMF when He/ She is banned so nothing short of a refresh screen, a reload of the command or a bad bot will come back immediately.  This slows down the bad visitor.
 

[bigguy]

So if "Block Violations" is not selected then google and other bots are safe.

[butchas]

More clarification...

Blocking is not the same as banning.  If selected the program will block bad visitors and log each block.  However, only when "DOS Attacks" is enabled and "Longterm Ban" is selected will a visitor actually be banned based on your input.

Basically the program works the same as Bad Behavior (blocks access based on incorrect bot programming) , where it will selectively block the visitor and repeat the block based on the cache duration.  After the cache expires the visitor will be re-tested.

It is up to the web-master to review the log and issue bans based on what the visitor has done.  Honestly, I have found this a waste of time since most bad people use multiple IP addresses when they try mess with your site.  So if you actually ban an IP address it could be a waste since the next time the visitor will simply use another IP address.  Therefore, I prefer spot blocking.  Besides if the visitor has a nasty reputation of doing bad things he will be on the project honeypot list and should be blocked there...
 

[bigguy]

Thanks for explainin that to me. OK I think I got things set the way I want but will watch for things in the up and coming days. Not really a whole lot of visitors to this site right now except bots. It's just nice to make sure that it will work with them and not against them.

[butchas]

So if "Block Violations" is not selected then google and other bots are safe.

There are two schools of thought there.  When I first created the program I added the "User-Agent Whitelist".  This included "Google|msn|MSN", later yahoo.  But after several moths of running the program I discovered that if I set my robots text file and went to "http://www.google.com/support/webmasters/" and correctly submitted the hit rate that the real bots were not affected.

After doing the above and close consideration I found that most of the google bans I had were actually bad bots pretending to be google.

Actual Google access (any any other good bot) to my site was never compromised and they continue to visit me daily even though they are not on the whitelist.  Since then my hit rate for the google website has expired, I stopped seeing google bans and google visits my site several times a day.  I no longer see the fake google bots.
 

[Scratching My Head]

May I ask a question? It won't go through the parser, and I like to check the edits
a mod will make to themes before I install it.

Can you tell me the modifications FF makes to Custom Themes/Themes?
I just like to know in advance.

All other things being equal, thanks so much for developing this.