Elxis CMS Forum
Support => Security => Topic started by: MG01 on December 02, 2015, 15:49:50
-
Hi all,
in the last two weeks I have been getting lots of bot user registration requests!
My user account registration is enabled, with manual activation.
Is there some better "captcha like" form protection?
Thanks and best regards,
MG
-
In Elxis 4.x??? And they manage to register??? Use Elxis defender to block these requests.
-
Yes, on Elxis 4!
Can you help me with defender settings?
-
You must inspect server logs to find out how they manage to register and then block them.
-
Report after checking the site.
All registrations were from a specific IP range (from Ukraine) which I blocked in Elxis Defender. Also they used specific email domains which I excluded from registration in Elxis configuration.
How to ban/block IPs in Elxis Defender
Open custom rules file:
includes/libraries/elxis/defender/custom.php
For each IP you want to ban add an entry like this (exact match):
array('match', 'address', 'xxx.xxx.xxx.xxx', 'Access denied'),
where "xxx.xxx.xxx.xxx" is the IP you want to block.
If you want to block all IPs starting with "xxx.xxx.xxx" add an "lmatch" rule like this (left match):
array('lmatch', 'address', 'xxx.xxx.xxx', 'Access denied'),
You can block at any level, for example:
array('lmatch', 'address', '999.55', 'Access denied'),
This will block all IPs starting with "999.55".
You can even block an IP range like that:
array('iprange', 'address', '999.55.243.0', '999.55.243.255', 'Access denied'),
Make sure the Defender's C (Custom) rules are enabled in Elxis configuration.
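To check a custom.php rule set offline before enabling the C rules, here is an added example evaluator (not Elxis's own Defender code) for the three rule shapes described above: match, lmatch and iprange. The function names are hypothetical and the addresses are constructed RFC 5737 documentation addresses.

```php
<?php
// Added example, not Elxis's own Defender code: a small offline evaluator for the
// three custom.php rule shapes described above (match, lmatch, iprange), so a rule
// set can be sanity-checked before it is deployed. Function names are hypothetical.

/** True when $ip lies inside the inclusive IPv4 range $from..$to. */
function ipInRange(string $ip, string $from, string $to): bool {
    $n = ip2long($ip); $a = ip2long($from); $b = ip2long($to);
    if ($n === false || $a === false || $b === false) return false; // not valid IPv4
    return $n >= $a && $n <= $b;
}

/** Returns the deny message of the first rule matching $address, or null if none does. */
function evaluateRules(array $rules, string $address): ?string {
    foreach ($rules as $rule) {
        [$method, $haystack] = $rule;
        if ($haystack !== 'address') continue; // only the 'address' haystack is modelled here
        switch ($method) {
            case 'match':   // exact match
                if ($address === $rule[2]) return $rule[3];
                break;
            case 'lmatch':  // plain left (prefix) match, as in the post. Caveat: '10.5'
                            // also covers '10.50.x.x'; end prefixes on a full octet ('10.5.').
                if (strpos($address, $rule[2]) === 0) return $rule[3];
                break;
            case 'iprange': // inclusive range, start and end given as dotted quads
                if (ipInRange($address, $rule[2], $rule[3])) return $rule[4];
                break;
        }
    }
    return null;
}

// Constructed rule set using RFC 5737 documentation addresses.
$rules = [
    array('match',   'address', '198.51.100.7', 'Access denied'),
    array('lmatch',  'address', '203.0.113.',   'Access denied'),
    array('iprange', 'address', '192.0.2.0', '192.0.2.127', 'Access denied'),
];

foreach (['198.51.100.7', '198.51.100.8', '203.0.113.200', '192.0.2.100', '192.0.2.200'] as $ip) {
    printf("%-14s => %s\n", $ip, evaluateRules($rules, $ip) ?? 'allowed');
}
```

Running it denies 198.51.100.7, 203.0.113.200 and 192.0.2.100 and allows the other two, which is the behaviour the rules above should produce once the C rules are switched on.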
-
Hi there,
here the same problem.
Today I got an eMail from my provider:
Check your scripts.
We found various spammer and registration mails in the mail server queue (see example below).
Also a noticeable increase in page views since one week ago.
Mail headers:
Received from localhost (localhost [127.0.0.1]) by mail.fc-host48.de (Postfix) with ESMTP id 3C3F75400AC for <ihakufuqn@rtotlmail.com>; Wed, 13 Jan 2016 21:20:18 +0100 (CET)
Received from mail.fc-host48.de ([127.0.0.1]) by localhost (fc-host48.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VUYboKqZMk9u for <ihakufuqn@rtotlmail.com>; Wed, 13 Jan 2016 21:20:18 +0100 (CET)
Received by mail.fc-host48.de (Postfix, from userid 2018) id 2DBA95400AD; Wed, 13 Jan 2016 21:20:18 +0100 (CET)
To ahodelsaku uyigiebatate <ihakufuqn@rtotlmail.com>
Subject Danke für Ihre Registrierung
X-PHP-Originating-Script 2018:SimpleMailInvoker.php
Message-ID <5f52d3a07490f3124d96bc22f2d18f66@montepreso.de>
Date Wed, 13 Jan 2016 20:20:18 +0000
From MySide <elxis@myadress.de>
MIME-Version 1.0
Content-Type text/plain; charset=UTF-8
Content-Transfer-Encoding quoted-printable
X-Priority 3 (Normal)
X-Mailer Elxis
I got the registration requests in my eMail; they are from different IP ranges and point to different URIs.
- I changed the sendMail from php to SMTP
- Safety-Level is set to HIGH
- Defender G and C is activated
Is this enough to block them?
Why do they attack the ELXIS site? With the same web address I didn't get attacks before.
I provide an eMail example too:
Elxis Defender blocked an attack to your site!
Reference code: SEC-DEFG-0225
Elxis Defender report
Signatures: general
Match method: rmatch
Haystack: requesturi
Pattern match: /administrator/index.php
Reason: Common CMS scan
Requested URI: /administrator/index.php
IP address: 198.57.180.16
Hostname: prolinux2.barrieweb.net
User agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Date (UTC): 2016-01-19 10:59:29
Site URL: http://xxx.de
Thanks in advance for your reply, with
many greetings from Germany
Hans
-
Hi Hans. If it was a bot, most probably Defender would have detected it. Unfortunately we can't block registration by humans. But I have good news for you. I re-wrote the Elxis Defender for Elxis 4.4 and I have implemented an IP blocking system in which the blocked IPs list gets updated automatically once or twice per day. The blocked IPs list contains the most active spammers and this will greatly limit spam registrations on your site regardless of their origin. I have this system almost ready and I want to test it in action before the Elxis 4.4 release. If you wish I can send you the new Elxis Defender and you can tell me if things get better.
Setting the security level to HIGH will not help you with this. The only real effect it has is that it force-enables all Defender filters, so you actually use the "GCIAPF" filters and not just GC.
Can you post me some of the IP addresses of those registered lately?
-
Wow....
Thanks for your fast reply, datahell!!
- Set the sec-level back to normal as recommended.
- Set the defender filters to GCIAPF as recommended.
Unfortunately I deleted the registration mails I got :(
So I'll send you the content of the defender_ban.php; not sure if this helps.
Since yesterday I switched off user registration, so I did not get any new requests; should I enable this again for test purposes?
You can send the new defender if you finished it; I'll test it.
If you need admin access to the site, let me know.
And again: Dankeschoen (means Thank you very much)
Regards
Hans
-
This list doesn't help. If they are bots, in order to block them I must see how they manage to log in, and the only way to see that is by inspecting your Apache access log file. I have thought of something else: usually these users don't validate their emails after registration, so they can't actually log in. What about if I implemented a feature that would auto-delete such accounts after X days?
Procedure
- Bot/human registers on the site, but doesn't validate the email address, so the account remains blocked.
- After X (configurable) days Elxis auto-deletes the user accounts that haven't validated their email.
The above idea will not solve the registration problem for you but will help you keep the site clean from such accounts.
-
Good Morning, datahell (the early bird catches the worm ;))
Thanks for your reply.
This list doesn't help. If they are bots, in order to block them I must see how they manage to log in, and the only way to see that is by inspecting your Apache access log file.
I thought that this list doesn't help.
Should I try to get this Apache access log from my hoster?
I have thought of something else: usually these users don't validate their emails after registration, so they can't actually log in. What about if I implemented a feature that would auto-delete such accounts after X days?
Procedure
- Bot/human registers on the site, but doesn't validate the email address, so the account remains blocked.
- After X (configurable) days Elxis auto-deletes the user accounts that haven't validated their email.
The above idea will not solve the registration problem for you but will help you keep the site clean from such accounts.
Sounds very good...
They aren't really registered, since I blocked the self-account-activation.
The amount of eMail traffic will still be there if the registration request is triggered by a bot.
BTW: Is it possible that those bots are searching explicitly for ELXIS CMS???
Regards from out of the snow
-
JFYI...
my hoster will not hand over the Apache access log.
-
I uploaded a patch for the Elxis 4.4 Defender (https://forum.elxis.org/index.php?topic=8567). The new defender blocks bad IPs so it might help you with the spammers too.