Nuke Cops :: View topic - Mailing webmaster on attacks
jank
Nuke Soldier
Joined: Apr 30, 2003
Posts: 23

Posted: Tue May 06, 2003 11:24 am

Hi,

After a short 'discussion' on how to react to nuke attacks without blocking whole countries because of a few monkeys, I looked at the phpnuke code to see if there could be another method.

I found out that it is so easy (with only a few lines of code) to send the admin a message instead of showing the 'I don't like you' message. Or both, it doesn't matter. The function is called from those places in the code where normally the message would appear.

The message could contain the used method and the IP address of the attacker. From there it is up to the admin what to do with this information, but more important is that the admin is aware of the attacks. OK, there are IDSs and log analysers, but I'm sure that many nukers don't use them (or look at them frequently). So an attack could go on and on until they succeed without the knowledge of the admin. Since I've created a 'mailAdmin' function it's really simple from here to call this function from wherever necessary in the nuke code (or blocks/modules).

Anyhow, what do you cracks think of this? I know that this all depends on the way nuke handles attacks and it's useless for new methods (until the next security fix), but at least it's something to start with, I think. Another method could be to send a message and add the IP address to a .htaccess (or an iptables rule in Linux, or add the IP address to /etc/hosts.deny), although I think this opens more exploits than stopping them.

So could this be something?

Jan
sixonetonoffun
Major
Joined: Jan 13, 2003
Posts: 892

Posted: Tue May 06, 2003 12:35 pm

I think writing to a log file or database would be better than filling up the inbox with messages.

Blocking the given addy is a great idea, and as you point out there are many ways to accomplish that. The NSS files in the downloads section are a pretty good example of how to do this automatically, say when access to admin.php is attempted. I've used that part of it to log snoops. I disabled (didn't include) the actual banning; it just bans them from accessing admin.php a second time now, not the whole site. And limited access to admin.php to my ISP's IP block, ruling out the rest of the internet. Better yet if you're the only admin and have a static IP.

Not rock solid protection but another thing people can try without having to have access to the firewall or other systems files.

Currently there are only 3 IPs in my log of people who accessed admin.php but no doubt they clearly got the message.

_________________
www.netflake.com
www.glowoptics.com
jank
Nuke Soldier
Joined: Apr 30, 2003
Posts: 23

Posted: Tue May 06, 2003 12:55 pm

I don't like the idea that 'nuke' starts writing to a file. I think it's better to leave that part to Apache/PHP, IMHO. A better method would be writing to a database. But then again, everybody reads mail but only a few (relatively) have the discipline to check a table. Perhaps a nice option would be to show those attacks in the admin part.

I will certainly check those NSS files to see how this is done. Thanks for the tip!

Jan
rasputin
Sergeant
Joined: May 30, 2003
Posts: 88

Posted: Mon Jun 02, 2003 6:13 pm

Not to be critical, but if you run your site on your own box (i.e. Linux based), most of the distributions come with iptables as default since the 2.4 kernel. Use iptables' built-in functions to create custom block lists :) This way you can kill attackers before they even get to your site :) I know sometimes it might seem like overkill, but damn! My site was accessible on the net for 4 days and I got scanned by script kiddies about a hundred times ... good thing most of them came from about 20 IP addies :) Another funny thing: those idiots don't even bother to find out what OS you're using! Looking through the logs I found that most of the hack attempts were trying to exploit an old IIS vulnerability ... and that is on my Linux box :))) Who produces those idiots?!
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA

Posted: Mon Jun 02, 2003 6:24 pm

Rasputin,

I've been wanting to do this but haven't had time to look into it close enough. Let's say I have an IP (200.105.122.98 or whatever) that I want to block from my site entirely. I want to add this rule but I want to leave intact whatever is there right now. What's the simplest way to do that?

_________________
Those who hear not the music think the dancers mad.
Raven Web Hosting|My Scripts & Stuff
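The question above, worked as an added example that is not part of the original thread: inserting a rule with `-I` adds to the INPUT chain without flushing or replacing what is already loaded. The `IPTABLES` and `NEVER_BLOCK` variables and the function names are assumptions of this example; the address is validated first because anything that feeds addresses into a firewall automatically has to reject malformed input and the admin's own address.

```shell
#!/bin/sh
# Added example: block one source address, leaving existing rules intact.
# IPTABLES and NEVER_BLOCK are knobs of this example, not iptables features.
IPTABLES="${IPTABLES:-iptables}"
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1}"   # space-separated; add your own IP

# Return 0 only for a strict dotted-quad IPv4 address (four octets, 0-255).
# Anything else (hostnames, options, shell metacharacters) is rejected
# before it can reach the firewall command.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Insert a DROP rule at the top of INPUT unless the same rule is present.
# -C only checks and -I only inserts; nothing is flushed or replaced.
block_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "refusing: '$ip' is not an IPv4 address" >&2
        return 2
    fi
    case " $NEVER_BLOCK " in
        *" $ip "*) echo "refusing: $ip is on the never-block list" >&2
                   return 3 ;;
    esac
    if $IPTABLES -C INPUT -s "$ip" -j DROP 2>/dev/null; then
        return 0         # already blocked
    fi
    $IPTABLES -I INPUT 1 -s "$ip" -j DROP
}

# Run as root, e.g.: sh block_ip.sh 200.105.122.98
if [ $# -gt 0 ]; then
    block_ip "$1"
fi
```

The rule lives only in the running kernel; save the ruleset with `iptables-save` (or the distribution's own mechanism) if it has to survive a reboot.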
beebar
Private
Joined: Apr 07, 2003
Posts: 45

Posted: Tue Jun 03, 2003 10:13 am

Raven, check out a neat app called Firewall Builder; it is a nice GUI to IPTables, IPChains and a few others. Here is a nice tutorial:

http://www.giac.org/practical/GSEC/James_Coffey_GSEC.pdf

You can then write any rules you like for your server.

Also you can check out Firestarter

http://firestarter.sourceforge.net/
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA

Posted: Tue Jun 03, 2003 10:31 am

Thanks!

_________________
Those who hear not the music think the dancers mad.
Raven Web Hosting|My Scripts & Stuff
rasputin
Sergeant
Joined: May 30, 2003
Posts: 88

Posted: Thu Jun 05, 2003 7:33 pm

Raven,
Sorry it took me so long to reply. Here is the link to an excellent firewall script that has very good comments inside itself and is very easily modified for a single box: http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/