[BETA] Spam attack prevention script

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.
On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.
Taipo
Registered User
Posts: 174
Joined: Fri Jan 07, 2005 9:25 pm
Contact:


Post by Taipo »

MOD Title: Spam attack prevention script
MOD Description: Designed to prevent non-standard browsers from being able to request or post data to your forums.
MOD Version: 0.1.0

MOD Download: http://www.aocafe.com/download.php?id=spam_kill.zip

Other Info: Based on the idea that many of the applications being used to autofill in registration forms, search fields and post operations are not web browsers. So by asking several questions of a web browser trying to access a webpage, it is possible to determine from the reply or lack of reply whether or not this is a standard web browser wanting to load a webpage.

Keeping in mind that one or two of these applications being used by spammers do in fact translate cookie data, or are built on the IE object and therefore emulate MS Internet Explorer, it is not good enough to just depend on cookie responses to determine what is allowed to access a webpage.

Future updates:
- add in ban timer code
- add in sanitizing of inputs
- add in any other characteristics of a common web browser that spammer scripts will not interpret correctly
Last edited by Taipo on Mon Oct 16, 2006 9:25 am, edited 13 times in total.

who_cares
Registered User
Posts: 5106
Joined: Fri Jan 14, 2005 11:04 pm
Location: ATL
Contact:

Post by who_cares »

shouldn't the require go in common.php and use $phpEx?

Taipo
Registered User
Posts: 174
Joined: Fri Jan 07, 2005 9:25 pm
Contact:

Post by Taipo »

Is common.php included in every publicly accessible script? If so then that would be the better place for it.

Edited: is common.php included at the beginning of every publicly accessible script? That's the main thing. The point of this is to not allow any access to phpBB PHP code unless the browser passes the two tests.

who_cares
Registered User
Posts: 5106
Joined: Fri Jan 14, 2005 11:04 pm
Location: ATL
Contact:

Post by who_cares »

yeah, it's part of the phpbb header

Taipo
Registered User
Posts: 174
Joined: Fri Jan 07, 2005 9:25 pm
Contact:

Post by Taipo »

OK, I've tested it here, seems to be running fine. I'll update the script. Thanks for that.

Taipo
Registered User
Posts: 174
Joined: Fri Jan 07, 2005 9:25 pm
Contact:

Post by Taipo »

Below is an idea which I will add eventually. The function will append IP addresses to your .htaccess banning their access to the website.

Code:

<?php
$usehtaccess = 1; // 0 calls die() or 1 adds the IP to the .htaccess file

// Appends "deny from $banip" to a marked section of the site's .htaccess
function phpBBhtaccess($banip) {
  $filelocation = $_SERVER['DOCUMENT_ROOT'] . "/.htaccess";
  $limitend = "# End of phpBBSecurity Section\n";
  $newline = "deny from $banip\n";
  if (file_exists($filelocation)) {
    $mybans = file($filelocation);
    $lastline = "";
    if (in_array($newline, $mybans)) exit(); // already banned
    if (in_array($limitend, $mybans)) {
      // pop lines off the end until the section end marker is reached...
      $i = count($mybans) - 1;
      while ($mybans[$i] != $limitend) {
        $lastline = array_pop($mybans) . $lastline;
        $i--;
      }
      // ...then the marker, "</Limit>" and "allow from all", so that the
      // new deny line is inserted in front of them
      $lastline = array_pop($mybans) . $lastline;
      $lastline = array_pop($mybans) . $lastline;
      $lastline = array_pop($mybans) . $lastline;
      array_push($mybans, $newline, $lastline);
    } else {
      array_push($mybans, "\n\n# phpBBSecurity Script\n", "<Limit GET POST>\n", "order allow,deny\n", $newline, "allow from all\n", "</Limit>\n", $limitend);
    }
  } else {
    $mybans = array("# phpBBSecurity Script\n", "<Limit GET POST>\n", "order allow,deny\n", $newline, "allow from all\n", "</Limit>\n", $limitend);
  }
  $myfile = fopen($filelocation, "w");
  fwrite($myfile, implode("", $mybans)); // implode(glue, pieces)
  fclose($myfile);
}

// Test criteria is the occurrence of %2527 in the query string of a URL
if (isset($_SERVER['QUERY_STRING']) && stristr($_SERVER['QUERY_STRING'], '%2527')) {
  switch ($usehtaccess) {
    case 1:
      phpBBhtaccess($_SERVER["REMOTE_ADDR"]);
      exit();
    case 0:
      die();
    default:
      die();
  }
}
?>
The next step is to write up the criteria which will trigger a ban of an IP address, keeping in mind that this is an auto ban, so the criteria will have to determine specific attack attempts, as in the example given above ($_SERVER['QUERY_STRING'], '%2527').

Taipo
Registered User
Posts: 174
Joined: Fri Jan 07, 2005 9:25 pm
Contact:

Post by Taipo »

I am also working on a sanitisation section too which I know phpBB makes a fairly good attempt at but this will be for the super duper paranoidos, and it would probably have to have a switch to turn it on and off. Perhaps may eventuate in an admin section with some controls on what is turned on and what isn't.....

Taipo
Registered User
Posts: 174
Joined: Fri Jan 07, 2005 9:25 pm
Contact:

Post by Taipo »

OK, I have updated the script with the new code, with one change:

Code:

// then check to see if the browser has rejected the expired cookie - as it should do
if ((isset($_COOKIE[$phpbbtripwire])) OR
    (!isset($_COOKIE[$phpbbsafe])) && (isset($_COOKIE[$phpbbtripwire]))) {
  switch ($usehtcookies) {
    case 1:
      phpBBhtaccess($_SERVER["REMOTE_ADDR"]);
      exit();
    case 0:
      die();
    default:
      die();
  }
}
?>
This may be a little hard core at first, but it basically will add an IP to your .htaccess file should the browser report the wrong cookies present. The expired cookie should not be present, and the valid cookie should be present.
Last edited by Taipo on Sun Oct 15, 2006 8:44 pm, edited 1 time in total.

Ramon Fincken
Registered User
Posts: 4835
Joined: Thu Oct 14, 2004 1:04 am
Location: NL, The Netherlands Amsterdam area @GMT +1
Contact:

Post by Ramon Fincken »

Never ever use an instant BAN-IP mod

Taipo
Registered User
Posts: 174
Joined: Fri Jan 07, 2005 9:25 pm
Contact:

Post by Taipo »

As you can see due to using a case, it will be optional, but explain to me under what conditions would an expired cookie be returned? In my thinking there is NO reason at all, unless the browser viewing the page cannot understand cookies in the way all standard web browsers do.

Most HTTP header flood/attack tools/scripts do not have the ability to deal with cookies, and in the rare cases where they do, there is a chance they can be caught out with sending back all cookies including ones a standard browser would never do.

So back to your one liner point.....there is no reason why an expired cookie should be returned so therefore the 'option' is there to either call a page die, or add to .htaccess the point being.....to give forum administrators the option.

Taipo
Registered User
Posts: 174
Joined: Fri Jan 07, 2005 9:25 pm
Contact:

Post by Taipo »

Here is the latest code:

Code:

<?php

######################################
# Change these custom settings below

$phpbbkey = "phpbbsecure2007"; // change this to whatever you want
$usehtcookiesban = 1;   // 0 calls die() or 1 adds the IP to the .htaccess file if an expired cookie is returned
$usehtsessban = 1;      // 0 calls die() or 1 adds the IP to the .htaccess file if the session check below fails
$phpbbsecsessionpath = ""; // Set the path to a folder outside of your web root (leave empty to keep the PHP default)
######################################

// do not let this file be requested directly
if (preg_match("/phpbbsecurity\.php/i", $_SERVER["SCRIPT_NAME"])) {
  exit();
}

ini_set("session.use_cookies", "1");
ini_set("session.use_only_cookies", "1");
ini_set("session.use_trans_sid", "0");

// set up the hashes needed
$phpbbsecurehash = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] . $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] . $phpbbkey);
$phpbbexpiredcookie = md5($_SERVER["HTTP_USER_AGENT"] . $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . $_SERVER["PATH"]);
$phpbbsafe = "phpbbSafeCookie_" . md5($_SERVER["DOCUMENT_ROOT"] . $_SERVER["REMOTE_ADDR"] . $phpbbkey);
// the tripwire cookie name has to be the same on every request, otherwise the
// isset() check further down can never match the name sent on the previous
// request (an earlier version used md5(uniqid(time())) here, which is new each time)
$phpbbtripwire = "phpbbtripwire_" . $phpbbexpiredcookie;
$phpbbmysessname = "phpbbmysess_" . md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] . $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] . $phpbbkey);
$phpbbmysesshash = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"]);

if ($phpbbsecsessionpath != "") {
  session_save_path($phpbbsecsessionpath);
}

// set cookie domain name
if (substr_count($_SERVER["SERVER_NAME"], ".") > 1) {
  $cookiedomain = preg_replace("/^[^.]+\./", ".", $_SERVER["SERVER_NAME"]);
} else {
  $cookiedomain = "." . $_SERVER["SERVER_NAME"];
}

// first thing we do is check that the browser can return a legit cookie
if (!isset($_COOKIE[$phpbbsafe]) || $_COOKIE[$phpbbsafe] !== $phpbbsecurehash) {
  setcookie($phpbbsafe, $phpbbsecurehash);

  // next we send an expired cookie
  setcookie($phpbbtripwire, md5(uniqid(time())), time() - 9999999, "/", $cookiedomain);

  // reload
  header("Location: http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
  exit();
}

// should get dropped
session_name($phpbbmysessname);
session_id($phpbbmysesshash);
session_start();

// Setup Ban function

// Appends "deny from $banip" to a marked section of the site's .htaccess
function phpBBhtaccess($banip) {
  $filelocation = $_SERVER['DOCUMENT_ROOT'] . "/.htaccess";
  $limitend = "# End of phpBBSecurity Section\n";
  $newline = "deny from $banip\n";
  if (file_exists($filelocation)) {
    $mybans = file($filelocation);
    $lastline = "";
    if (in_array($newline, $mybans)) exit(); // already banned
    if (in_array($limitend, $mybans)) {
      // pop lines off the end until the section end marker is reached...
      $i = count($mybans) - 1;
      while ($mybans[$i] != $limitend) {
        $lastline = array_pop($mybans) . $lastline;
        $i--;
      }
      // ...then the marker, "</Limit>" and "allow from all", so that the
      // new deny line is inserted in front of them
      $lastline = array_pop($mybans) . $lastline;
      $lastline = array_pop($mybans) . $lastline;
      $lastline = array_pop($mybans) . $lastline;
      array_push($mybans, $newline, $lastline);
    } else {
      array_push($mybans, "\n\n# phpBBSecurity Script\n", "<Limit GET POST>\n", "order allow,deny\n", $newline, "allow from all\n", "</Limit>\n", $limitend);
    }
  } else {
    $mybans = array("# phpBBSecurity Script\n", "<Limit GET POST>\n", "order allow,deny\n", $newline, "allow from all\n", "</Limit>\n", $limitend);
  }
  $myfile = fopen($filelocation, "w");
  fwrite($myfile, implode("", $mybans)); // implode(glue, pieces)
  fclose($myfile);
}

############################
# Set the criteria for instant
# page die or bans

// check to see if the browser has rejected the expired cookie - as it should do
// (the safe cookie was already verified above, so the second clause is implied
// by the first and only the tripwire cookie decides here)
if ((isset($_COOKIE[$phpbbtripwire])) OR
    (!isset($_COOKIE[$phpbbsafe])) && (isset($_COOKIE[$phpbbtripwire]))) {
  switch ($usehtcookiesban) {
    case 1:
      phpBBhtaccess($_SERVER["REMOTE_ADDR"]);
      exit();
    case 0:
      die("You must enable cookies");
    default:
      die();
  }
}

// $_SESSION["phpbbmysessname"] is never assigned anywhere in this version,
// so this check cannot fire yet
if ((isset($_SESSION["phpbbmysessname"])) && (isset($_COOKIE[$_SESSION["phpbbmysessname"]]))) {
  switch ($usehtsessban) {
    case 1:
      phpBBhtaccess($_SERVER["REMOTE_ADDR"]);
      exit();
    case 0:
      die();
    default:
      die();
  }
}
?>
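The phpBBhtaccess() function above rewrites the whole .htaccess in place, takes any string it is handed as an Apache directive, and has no way to lift a ban, which is the risk behind the "never use an instant ban" reply earlier in the thread. The block below is an added example, not the MOD's own code: a rewrite of the same marked-section idea with an expiry per entry (the "ban timer" from the first post's to-do list), IP validation before anything is written, and an atomic write. The phpbbsec_* names are hypothetical; it assumes the Apache 2.2 "order/deny/allow" syntax used on the page, PHP 5.3 or later, and a web server that may write the file.

```php
<?php
// Added example (not the MOD's code): timed .htaccess bans in a managed section.

define('PHPBBSEC_BEGIN', '# phpBBSecurity Script');
define('PHPBBSEC_END',   '# End of phpBBSecurity Section');

// Split .htaccess text into the lines before the managed section, the bans
// inside it (ip => expiry timestamp) and the lines after it. A "deny from"
// line with no "# expires=" comment before it (the MOD's original format)
// is kept as a permanent ban.
function phpbbsec_parse($contents)
{
    $before = array(); $after = array(); $bans = array();
    $state = 'before'; $expires = PHP_INT_MAX;
    foreach (preg_split('/(?<=\n)/', $contents, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        $t = rtrim($line, "\r\n");
        if ($state === 'before' && $t === PHPBBSEC_BEGIN) { $state = 'in';    continue; }
        if ($state === 'in'     && $t === PHPBBSEC_END)   { $state = 'after'; continue; }
        if ($state === 'before') {
            $before[] = $line;
        } elseif ($state === 'after') {
            $after[] = $line;
        } elseif (preg_match('/^# expires=(\d+)$/', $t, $m)) {
            $expires = (int) $m[1];
        } elseif (preg_match('/^deny from (\S+)$/', $t, $m)) {
            $bans[$m[1]] = $expires;
            $expires = PHP_INT_MAX;
        }
        // "<Limit>", "order" and "allow from all" lines are regenerated below
    }
    return array($before, $bans, $after);
}

// Render the managed section. Entries whose expiry has passed are dropped,
// which is how a timed ban is lifted.
function phpbbsec_build_section(array $bans, $now)
{
    $lines = array(PHPBBSEC_BEGIN . "\n", "<Limit GET POST>\n", "order allow,deny\n");
    foreach ($bans as $ip => $expires) {
        if ($expires <= $now) {
            continue;
        }
        if ($expires !== PHP_INT_MAX) {
            // Apache only accepts comments on a line of their own, so the
            // expiry goes on the line before the directive
            $lines[] = "# expires=$expires\n";
        }
        $lines[] = "deny from $ip\n";
    }
    $lines[] = "allow from all\n";
    $lines[] = "</Limit>\n";
    $lines[] = PHPBBSEC_END . "\n";
    return $lines;
}

// Rewrite $file with $bans (ip => expiry) merged into the managed section.
function phpbbsec_write($file, array $bans, $now)
{
    $contents = file_exists($file) ? file_get_contents($file) : '';
    list($before, $existing, $after) = phpbbsec_parse($contents);
    foreach ($bans as $ip => $expires) {
        // keep the later of an existing and the new expiry
        $existing[$ip] = max($expires, isset($existing[$ip]) ? $existing[$ip] : 0);
    }
    $head = implode('', $before);
    if ($head !== '' && substr($head, -1) !== "\n") {
        $head .= "\n";
    }
    $new = $head . implode('', phpbbsec_build_section($existing, $now)) . implode('', $after);
    // write a temp file and rename it into place so Apache never reads a
    // half-written .htaccess (a broken .htaccess takes the whole site down)
    $tmp = $file . '.tmp.' . getmypid();
    if (file_put_contents($tmp, $new, LOCK_EX) === false || !rename($tmp, $file)) {
        @unlink($tmp);
        return false;
    }
    return true;
}

// Ban $ip for $ttl seconds (null = permanent). Anything that is not a literal
// IPv4/IPv6 address is refused, so no other text can become an Apache directive.
function phpbbsec_ban($file, $ip, $ttl = 3600, $now = null)
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $now = ($now === null) ? time() : $now;
    return phpbbsec_write($file, array($ip => ($ttl === null) ? PHP_INT_MAX : $now + $ttl), $now);
}

// Drop expired entries; run from cron or once per request at the top of common.php.
function phpbbsec_sweep($file, $now = null)
{
    return file_exists($file) ? phpbbsec_write($file, array(), ($now === null) ? time() : $now) : true;
}

// In place of the MOD's phpBBhtaccess() call, a one-hour ban would be:
// phpbbsec_ban($_SERVER['DOCUMENT_ROOT'] . '/.htaccess', $_SERVER['REMOTE_ADDR'], 3600);
```

Two points of use: a ban only goes away when the section is rewritten, so phpbbsec_sweep() has to run somewhere (cron is the usual place), and REMOTE_ADDR is the address of whatever connected to the web server, so behind a reverse proxy or on a shared NAT one "deny from" line blocks every user that shares that address, which is the case the "never use an instant ban" reply is warning about.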
