Page Index Toggle Pages: 1 2 [3]  Send TopicPrint
Very Hot Topic (More than 25 Replies) Error log (Read 13422 times)
xnoddyx
Global Moderator
*****
Offline


I Love YaBB!

Posts: 31
Location: UK:Scotland/Livingston
Joined: Feb 18th, 2014
Gender: Male
Re: Error log
Reply #9 - Oct 4th, 2014 at 3:16pm
Print Post  
Dandello wrote on Oct 4th, 2014 at 2:43pm:
but pretty suspicious considering things that have been found in the code and removed.

?  it isn't that again is it i was hoping it wasn't like that so it is looking like that then  Angry   @#*$%&*~#@*$%#@#~  excuse my French.
  

as bill and ted say be excellent to each other
(More to come)
Back to top
GTalkFacebookYouTube  
IP Logged
 
Dandello
Forum Administrator
*****
Offline


I love YaBB 2.7!

Posts: 1759
Location: The Land of YaBB
Joined: Feb 12th, 2014
Gender: Female
Re: Error log
Reply #8 - Oct 4th, 2014 at 2:43pm
Print Post  
@Bill, we're not talking about keeping spambots from registering - we're talking about keeping them from attacking other portions of YaBB by inserting query stings Guardian doesn't catch (assuming it's turned on) and inundating the server with multiple errors per second. (And yes - PER SECOND!)  Every single error one of these b@stards throws gets written to the errorlog - which, despite outside appearances, is not a simple process. 

We're talking about attacks aimed specifically at how YaBB's error logging and errorlog viewing is performed. And what they are trying to do is create a sting that will execute FROM THE ERRORLOG WHEN VIEWED! And if that fails, put enough garbage into the errorlog file that the viewer fails, the novice admin gets frustrated and goes to another forum software while bad-mouthing YaBB.
Edited:
And when I say specifically aimed at YaBB, I mean it - JonB checks things when these attacks happen on YaBBForum and the attacks always originate from the same locale - a spot where at least one disgruntled former YaBB dev person resides. Not exactly a smoking gun, but pretty suspicious considering things that have been found in the code and removed.
  

Perfection is not possible. Excellence, however, is excellent.
Back to top
WWW  
IP Logged
 
Bill Myers
New Member
*
Offline


Using YaBB since 2002

Posts: 46
Location: Los Angeles, CA
Joined: Feb 13th, 2014
Gender: Male
Re: Error log
Reply #7 - Oct 4th, 2014 at 2:11pm
Print Post  
Monni wrote on Oct 4th, 2014 at 7:44am:
For .htaccess getting too long ...

Does this have to be an issue if spam-bots are no longer able to register, and spam-bot automation becomes moot because The Guardian™ is doing its job by blocking malicious scripts?

I ask because a 2.4 YaBB forum I operate is inundated by spam-bots, and yet, they're never a bother for me because the forum continues to operate flawlessly. I emptied the IP ban list years ago, which continues to remain empty, the forum enjoys open registration without approvals, and guest posting is allowed.

It seems to me that if an admin sets their forum's security settings accordingly, an error log can simply be read for info, and for amusement, and they can stop being concerned about spam-bot automation in whatever way those spam-bots try to be malicious. 
  

Morning, noon, or night, have a great one!
Back to top
IP Logged
 
Dandello
Forum Administrator
*****
Offline


I love YaBB 2.7!

Posts: 1759
Location: The Land of YaBB
Joined: Feb 12th, 2014
Gender: Female
Re: Error log
Reply #6 - Oct 4th, 2014 at 2:07pm
Print Post  
I think a future solution may be to figure out a way to 'time ban' IPs in the .htaccess - timestamp them and set a time limit after which they get removed. What's been observed is that the non-legitimate bots rotate through IP addresses. 


  

Perfection is not possible. Excellence, however, is excellent.
Back to top
WWW  
IP Logged
 
Monni
Senior Member
****
Offline


Min izāmō

Posts: 413
Location: Kaarina, Finland
Joined: Jul 16th, 2014
Gender: Male
Re: Error log
Reply #5 - Oct 4th, 2014 at 7:44am
Print Post  
For .htaccess getting too long, the only viable solution is to deny address blocks instead of single addresses if there is more than few malicious attempts coming from same IP block but different IP... This has to be weighed carefully as some IP blocks cover quite large areas. This will work for crawlers and trojans trying to mass harvest non-existing or private pages, but fails on IP blocks that contain mainly cache or proxy servers.
  
Back to top
IP Logged
 
Dandello
Forum Administrator
*****
Offline


I love YaBB 2.7!

Posts: 1759
Location: The Land of YaBB
Joined: Feb 12th, 2014
Gender: Female
Re: Error log
Reply #4 - Oct 3rd, 2014 at 9:41pm
Print Post  
We're currently testing a "three-strikes you're out" auto-ban function for 'guest' IPs throwing repeated errors in a very short time. This is an idea JonB and I have talked about  - especially in light of the DOS attacks that have been aimed at YaBBForum.com.

These aren't things caught by Guardian as we're looking at the same IP throwing errors in an inhumanly short time.. 
  

Perfection is not possible. Excellence, however, is excellent.
Back to top
WWW  
IP Logged
 
xnoddyx
Global Moderator
*****
Offline


I Love YaBB!

Posts: 31
Location: UK:Scotland/Livingston
Joined: Feb 18th, 2014
Gender: Male
Re: Error log
Reply #3 - Sep 18th, 2014 at 4:29pm
Print Post  
Dandello wrote on Sep 17th, 2014 at 6:28pm:
The current fix is to simply replace all the pointy brackets with html entities (with some work arounds for bold and breaks). That prevents bogus strings from messing up the html in the ErrorLog viewer.

We also need a 'block IP in .htaccess' for those not using the .htaccess function in Guardian. (Some of us don't like the automatic blocking function in Guardian.) 

yer as .htaccess can get big fast with automatic blocking on.
  

as bill and ted say be excellent to each other
(More to come)
Back to top
GTalkFacebookYouTube  
IP Logged
 
Dandello
Forum Administrator
*****
Offline


I love YaBB 2.7!

Posts: 1759
Location: The Land of YaBB
Joined: Feb 12th, 2014
Gender: Female
Re: Error log
Reply #2 - Sep 17th, 2014 at 6:28pm
Print Post  
The current fix is to simply replace all the pointy brackets with html entities (with some work arounds for bold and breaks). That prevents bogus strings from messing up the html in the ErrorLog viewer.

We also need a 'block IP in .htaccess' for those not using the .htaccess function in Guardian. (Some of us don't like the automatic blocking function in Guardian.)
  

Perfection is not possible. Excellence, however, is excellent.
Back to top
WWW  
IP Logged
 
Monni
Senior Member
****
Offline


Min izāmō

Posts: 413
Location: Kaarina, Finland
Joined: Jul 16th, 2014
Gender: Male
Re: Error log
Reply #1 - Sep 17th, 2014 at 3:53pm
Print Post  
Aww... It's nice the error logging gets more safer after the first fix I suggested Wink
  
Back to top
IP Logged
 
Dandello
Forum Administrator
*****
Offline


I love YaBB 2.7!

Posts: 1759
Location: The Land of YaBB
Joined: Feb 12th, 2014
Gender: Female
Error log
Sep 17th, 2014 at 3:37pm
Print Post  
Certain strings saved in the errorlog.txt can cause serious issues in showing the error log.
These strings are the result of attempts to locate/access various server programs.

Since these attempts threw errors, the miscreants failed in getting to those files - BUT the saved error string itself can create problems when being looked at in the error log.
I'm working on preventative measures.
  

Perfection is not possible. Excellence, however, is excellent.
Back to top
WWW  
IP Logged
 
Page Index Toggle Pages: 1 2 [3] 
Send TopicPrint