Author |
Message |
StalkS
Hangin' Around

Joined: Oct 04, 2003
Posts: 35
|
Posted:
Tue Feb 03, 2009 4:38 am |
|
I updated my site to the latest RavenNuke (v2.30.00) around three months ago and I have to say I am extremely pleased with the results. I have a polished, professional looking/functioning website. A real credit to the combined efforts by the phpnuke scene and all at RavenNuke. Thank you.
As with all projects, there are a couple of things that are way above me and I would really appreciate some input from other sources. For this particular post I am experiencing a few strange issues with NukeSentinel v2.6.01.
Having rigorously followed the HowToInstall section from ravennuke I successfully enabled the ‘Admin Access Protection’ and the ‘Email Admin, Block, and redirect to Default Page’.
Now that NukeSentinel is enabled, I was surprised to see that the site is pretty much under attack from scripts on a daily basis - through the alert emails (I get anywhere between 5 – 25 a day). A common example of one is as follows:
Code:
Created By: NukeSentinel(tm) 2.6.01
Date & Time: 2009-02-03 08:08:59 UTC GMT +0000
Blocked IP: 194.109.22.106
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
Referer: none
User Agent: libwww-perl/5.816
HTTP Host: www.********.com
Script Name: /html/modules.php
Query String: name=Shout_B ...//modules/Forums/admin/index.php?
Get String: name=Shout_B ...//modules/Forums/admin/index.php?phpbb_root_path=http:
Post String: Not Available
Forwarded For: none
Client IP: none
Remote Address: 194.109.22.106
Remote Port: 4652
Request Method: GET
|
I really want to block these types of attacks. The issue I am having is that I enabled ‘Write to htaccess’ under all the ‘Blocker Settings’ and for some reason this is just not happening? If I manually add a Blocked IP I can see that the .htaccess has been amended. However, if I leave NukeSentinel to add IPs automatically it does not. The CHMOD of .htaccess is 666 as suggested in the HowToInstall section. Have I missed something here?
On a slightly different note browsing through the forums today I managed to find a post on stopping libwww-perl scripts by adding code to the TegoShortLinks section under .htaccess. The code I am trying as of today is below:
Code:
#libwww-perl
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl
RewriteRule ^.*$ http://127.0.0.1 [R,L]
|
Hopefully this will cut most of the libwww-perl script attacks before they even reach NukeSentinel. However, I would still like NukeSentinel to be able to add blocked IPs automatically.
Any advice would be greatly appreciated.
StalkS |
|
|
|
 |
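For anyone sorting through a folder of these alert emails, here is an added example (not part of the thread and not NukeSentinel code) that parses alerts saved as plain text and tallies them by blocked IP, user agent family and GET parameters carrying a URL value, which is the pattern in the `phpbb_root_path=http:` request quoted above. The field labels are taken from that quoted alert; the function names and the sample data are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Field labels as they appear in the alert quoted in the first post.
KEY = ("Created By|Date & Time|Blocked IP|User ID|Reason|Referer|User Agent|"
       "HTTP Host|Script Name|Query String|Get String|Post String|"
       "Forwarded For|Client IP|Remote Address|Remote Port|Request Method")
# A value ends at the next known label or end of line, so folded fields still parse.
FIELD_RE = re.compile(rf"({KEY}): (.*?)(?=\s+(?:{KEY}): |$)", re.M)
REMOTE_RE = re.compile(r"^(?:https?|ftp):", re.I)

def parse_alerts(text):
    """Split saved alert text into one dict per alert ('Created By' starts one)."""
    alerts = []
    for key, value in FIELD_RE.findall(text):
        if key == "Created By":
            alerts.append({})
        if alerts:
            alerts[-1][key] = value.strip()
    return alerts

def url_valued_params(alert):
    """Names of GET parameters whose value is a URL (remote-include probes)."""
    pairs = (p.partition("=") for p in re.split(r"[&?]", alert.get("Get String", "")))
    return [name for name, _, value in pairs if REMOTE_RE.match(unquote(value))]

def triage(text):
    alerts = parse_alerts(text)
    return {
        "by_ip": Counter(a.get("Blocked IP", "?") for a in alerts),
        "by_agent": Counter(a.get("User Agent", "?").split("/")[0] for a in alerts),
        "probed_params": Counter(p for a in alerts for p in url_valued_params(a)),
    }

# Constructed sample: documentation IP ranges and made-up requests.
SAMPLE = """\
Created By: NukeSentinel(tm) 2.6.01
Date & Time: 2009-02-03 08:08:59 UTC GMT +0000 Blocked IP: 192.0.2.10 User ID: Anonymous (1)
User Agent: libwww-perl/5.816
Get String: name=Forums&file=index.php?phpbb_root_path=http:
Created By: NukeSentinel(tm) 2.6.01
Blocked IP: 192.0.2.10
User Agent: libwww-perl/5.816
Get String: name=News&phpbb_root_path=http%3A
Created By: NukeSentinel(tm) 2.6.01
Blocked IP: 198.51.100.7 User Agent: ExampleBot/1.0
Get String: name=Forums&file=viewtopic&t=12
"""
```

Calling `triage()` on an exported mail folder shows at a glance which addresses and parameter names keep recurring, which helps when deciding which blockers to move from email-only to block.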
Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
Posted:
Tue Feb 03, 2009 5:21 am |
|
Go to the NS administration area and look for the link to 'Blocker Configuration'.
From the list of blocker types select the appropriate one and make sure it is set to 'block' |
|
|
|
 |
StalkS

|
Posted:
Tue Feb 03, 2009 5:25 am |
|
Guardian Thanks for the reply. I'll give that a go now! I cannot believe it was so obvious!
UPDATE:
My issue was that it is actually under the 'Activate' section. Where you have the following options:
Off
Email Admin
Forward
Default Page
Email & Forward
Email & Default Page
Block & Forward
Block & Default Page
Email, Block & Forward
Email, Block & Default Page
I just had it on Email Admin. Doh! I guess for some reason I thought by enabling 'write to .htaccess' that was enough. Thanks for pointing out the blindingly obvious!
Regards
StalkS |
|
|
|
 |
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Tue Feb 03, 2009 10:14 pm |
|
Yep, just to let you know, every site is under attack through such automated scripts. So what you're seeing is fairly low - I'm still averaging 400 an hour  |
|
|
 |
horrorcode
Involved


Joined: Jan 17, 2009
Posts: 272
Location: Missouri
|
Posted:
Wed Feb 04, 2009 12:46 am |
|
Good stuff here, I also get those emails, while mine are only in the 50-100 range per day. I had the same problem and now I feel a little dumber... 2 steps back and one step forwards, guess I had to learn somehow. Thanks for the info |
|
|
|
 |
StalkS

|
Posted:
Wed Feb 04, 2009 5:50 am |
|
evaders99 wrote: | Yep, just to let you know, every site is under attack through such automated scripts. So what you're seeing is fairly low - I'm still averaging 400 an hour |
Wow! Well I don't think I should even be complaining after hearing that amount!!
StalKS |
|
|
|
 |
evaders99

|
Posted:
Wed Feb 04, 2009 8:10 pm |
|
The more your site gets picked up by search engines, the easier it is for these scripts to keep using them to hit your site. Sadly you become a high target, even if you're not even running the ___ software that the vulnerability is for. It's no cost to them to scan a million websites looking for one vulnerable machine... they can scan billions of sites, get thousands of vulnerable machines into their botnet, sell those boxes to scammers and hackers and get the cash. |
|
|
|
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Sun Feb 08, 2009 9:00 am |
|
After installing mod_security, I am way down on attack vectors getting to my sites. Not sure, though, if a shared host will install this or not? RavenWebHosting does, however, as Raven makes security a given rather than an afterthought. |
|
|
 |
rickleigh
Worker


Joined: Jan 06, 2009
Posts: 183
|
Posted:
Wed Apr 01, 2009 4:14 pm |
|
Hi guys,
I want to make sure I'm understanding this correctly. When I installed NS, I too followed the How To Install. It says the following for block settings: Most have been preset but you should still review them all. So as of right now they are at the default settings. I have not received any emails or IP blocks in my .htaccess file.
So, am I understanding that if I want NS to do the work of banning and emailing me, I need to have the settings set to: Email Block & Default Page and have Write to htaccess turned on? If this is what I need to have my settings at, what has NS been doing for me at the default setting? Keep in mind that I have done everything to the letter in the how to other than not knowing how my blocker settings should be to make my site more secure. So I left them at default. |
_________________ Thanks,
Rick Leigh |
|
|
 |
Guardian2003

|
Posted:
Wed Apr 01, 2009 4:28 pm |
|
All you need to do is go to the Blocker settings configuration and review them.
Yes, your assumption is correct: 'Email' means you will get an email, 'Block' means NS will perform a block operation. 'Default page' refers to the page the user sees when they are blocked.
NS blocks in two ways - by writing the data to the database and optionally writing to the htaccess file (if it is writable and that option is activated). |
|
|
|
 |
rickleigh

|
Posted:
Wed Apr 01, 2009 5:35 pm |
|
Guardian2003,
Thanks for the reply,
My concern is that even at the default setting being set to email me has not happened. I'm sure by now I should have had many attacks happening on my site. I can't be that lucky.
I'm just hoping that all my other settings are ok. |
|
|
|
 |
Guardian2003

|
Posted:
Thu Apr 02, 2009 2:13 am |
|
Why are you "just hoping that all my other settings are ok" - why not go and check them? |
|
|
|
 |
montego

|
Posted:
Thu Apr 02, 2009 7:03 am |
|
For a new domain just getting started, it could take a while for the "google hackers" to start finding you... Try adding a string to the String Blocker and have it set to just send an email only and then post something with that string in it. One sure-fire way to make that happen is to try and set up a new user with a username or email address with that string in it. |
|
|
|
 |
dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1242
|
Posted:
Thu Apr 02, 2009 7:41 am |
|
The latest on my support site is for users to register and THEN post their advertising ilk in the forums .. bah!! You can't win. I tried "admin approval" but that is just too time consuming to ferret out 100 new apps daily, 99 of which are the bandits. I am going to start a new thread with a suggestion.
Cheers |
|
|
|
 |
rickleigh

|
Posted:
Thu Apr 02, 2009 8:05 am |
|
Guardian2003 wrote: | Why are you "just hoping that all my other settings are ok" - why not go and check them? |
Meaning that I have everything else set to how the HOW TO INSTALL guide has directed us to. So if there is a better way to set up the NS than how the guide has told us to set up the NS, I haven't found those settings yet.
I have changed the blocker settings and since then I have had a few blocks and emails sent for Harvest attacks. |
|
|
|
 |
dad7732

|
Posted:
Thu Apr 02, 2009 8:20 am |
|
That is why preferences are called just that, preferences. You start with default values and then make individual choices based on the amount and nature of traffic visiting your site. My support site experiences world-wide and huge traffic volumes. All of my "blockers" are set to ON and "block default page email admin". YMMV
And I also have a folder set up in my mail app where all blocker emails are filtered making it quite easy to evaluate.
Cheers |
|
|
|
 |
rickleigh

|
Posted:
Mon Apr 06, 2009 7:39 am |
|
Thanks for the information guys. I have it all set up and getting blocked IPs and emails from it now. |
|
|
|
 |
|