Topic: Forum Firewall

[butchas]

I am not sure if I can recommend CloudFlare for a high traffic site like yours at this time since it is still buggy.

CloudFlare needs to work out some bugs.  You can ask Big Guy, but my site was hit by several DOS attacks and was exceeding the bandwidth required.  Instead of banning me BigGuy stood behind me while I created Bad Behavior mod (exceeded), then CloudFlare Mod (exceeded) and finally Forum Firewall mod.  The latter solved my problem.   Do not get me wrong CloudFlare does some great things, drops bandwidth but as of today it still gives my site accidental errors.  Maybe next month?
 

[MattH41]

I'll keep an eye on it. Bandwidth isn't an issue for me at this time (I'm using 50-75GB per month), but I don't mind keeping the bad guys away!

I'll keep you posted on how Forum Firewall works out for me.

[butchas]

WOW!!!  The most I ever saw was 10GB!

Please run it for a few days with "Logging" enabled before you turn on "Block Violations" just to make sure you do not block your regular members.

Plus if you run SMF 2.x please take a look at the Schedule Tasks and ask questions.
 

[MattH41]

I've been looking for about 48 hours and my logs is full of bad cookie messages...

Is this normal?

[butchas]

Not really.  Can I see some examples of the messages you are getting.
 

[MattH41]

I took a screen shot of the log.

If you look through the 600+ entries in it you'll see big chunks of the cookie errors for various legitimate members IPs.

[butchas]

Humm...  The XSS inspection does not like "KonaFlashBase".  I do not see it in your cookies when I log onto your site.  Do you know what it is?

Some other people have used weird things in their cookies.  If this is legit I suggest you change:
|base
to
|<base

and

|flash
to
|<flash

in your "XSS Events" list.

[MattH41]

KonaFlashBase looks like a leftover from when I tried Kontera In-Text Advertising.. But I haven't used it on my site since like June/July.

[butchas]

There is the possibility that somewhere Kontera is still adding information to your members cookies.  It just may be in your cookies too.  If you can find it delete it.

[MattH41]

I don't know how they would add to the cookies from my site. Their scripts are no longer included anywhere in the site. (In fact, the entire site has been reinstalled since then..)

[butchas]

Could they have old cookies?

[MattH41]

If they are always saying logged in, that's a possibility.

Question though. If I start blocking violations, would all of those users with old cookies be blocked?

[butchas]

Yes, unless you make the changes I suggested in reply number 36 above.  I would try that, note the changes for later and give it a day before I block to make sure it settles down.

I saw you did have an legit attack in your image caught by the ip check.

[butchas]

You could always ask them to delete their cookies to get rid of that old content.

[MattH41]

I could also just change the cookie name to force everyone to get a new one.

I'll have to weight that against all of the whining I'll get from users that can't remember their passwords and can't figure out how to request it be e-mailed to them.