Register Members List Search Today's Posts Mark Forums Read

Reply
 
Article Options
Preventing Hacking/DDoS Attempts
iHatton
Join Date: Oct 2008
Posts: 57

by iHatton iHatton is offline 14 Aug 2009
Rating: (2 votes - 5.00 average)

This guide is copyrighted to Jordan from GFXield.com

This is my first guide, so if you think I am missing anything please don't hesitate to contact me, either by Private Message or replying to this thread.

Introduction
For many years, vBulletin owners have worried about hacking/ddos attempts to their forum. Many have not known what to do, while advanced vBulletin owners have taken a swift action to remove them. This guide is for those who do not know what to do, as I have seen many threads recently about this.
I have recently overcame a ddos attempt, and for me this was not an experience I would like to remember, especially after having my forum open only 2 days. Below, I will explain what hacking/ddosing is, and then explain how to prevent them or stop them if they occur.

Hacking
This is what owners are particularly worried about. Whether it be SQL Injection, brute forcing attempts, port scanning & spoofing, phishing or ransomware, all vBulletin owners will experience this at an early point. You may not even know what some of them are, but even if you dont, it is still something to overcome before actually experiencing it.
Quick note, some people thought that brute forcing a vBulletin account is impossible, we actually, it isn't. They can easily acquire some of the data by just signing up, as navigation around the forum (without vBSEO) will show them links they need etc.

Denial of Service attacks (ddos)
Originally Posted by Wikipedia
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers.
Unfortunately, this is what I experienced within my first 2 days of opening.

Now, I'm not saying it is this, but this is my theory. When you post your website in the vBulletin.org section where people review your website, these sites posted here are the priority targets for some. This is because they would be easier to take down, as because your new to the vBulletin world, they may think you have a crappy hosting site. Mine personally is One.com, and with unlimited bandwidth and the help of their support, I overcame this ddos attack on my forum within 10 hours. For most, it would last a few days at least.

So, how do I protect my forum?
Before we start anything, I would like to make sure you change your passwords at least once every two weeks. Jot them down somewhere on a piece of paper.

Firstly, I will tell you a few plugins to install onto your forum. These plugins have been personally tested by me, and I even tried to hack my own forum with some of them installed, and I couldn't do it! (The list will grow eventually, as new mods are released).

vBFirewall; http://www.vbulletin.org/forum/showt...ght=vBFirewall
This will protect you from the most common attacks, but not all of them. It will protect you from URL poisoning, Remote File Inclusion, SQL Injection, XSS and other kinds of attacks.

Track Guests Visiting; http://www.vbulletin.org/forum/showthread.php?t=201214
This will show you which guests are visiting your forum, their IP address and how many pages they have opened and to which pages were opened.

Defending from attacks, from in the inside.
By this, I mean your most important vBulletin file, .htaccess. This file can just about do anything for your forum, and it will help, especially when being ddossed.

The code below will protect you from the programs people use to hack your forum, whether it be SQL Injection, XSS or something you have never heard of.

Using your FTP client, download your .htaccess file onto your computer.
Then Right Click > Open with... > Notepad/Wordpad or whatever you use.

IMPORTANT: Make sure you backup your .htaccess before editing, just in case something goes wrong and your forum goes down.

Scroll to the bottom of your .htaccess and add the below code in;


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Then save. Go to your FTP, delete .htaccess and upload the new one. You MUST delete the .htaccess already on your server before uploading your new one, otherwise it will not overwrite it in some cases.
Before trying this, make sure you close your forum as user traffic can make it a bit harder, just in case something does go wrong.

And what if I am being ddossed?
If someone is really determined, no amount of IP blocking on the server-side will stop the DDoS. If the "pipe" to the server can be filled, IP blocking will not do much. Your best bet would be to contact your host in many circumstances.

If your being ddossed, you can use your newly acquired .htaccess knowledge in conjunction with your Track Guest Visitors mod.
After installing the mod, scroll to the bottom of your forum to see;
Total guests that have visited the forum in the last 24 hours: 15
You can click on that text, and up will come the IPs of guests, and how may pages they have loaded.

If you are being ddossed, it may look a little something like this;
08-14-2009, 09:12 PM Visitor Yes (50) index 66.249.xx.xxx Viewing Home Page
Of course, the IP address will be different. Where it says 'Yes (50), that is how many pages the ddosser has loaded. If you are experiencing a massive ddoss attack like I did, you will see a lot of IP addresses, each loading around 60-300 pages at once. You can tell this will dramatically slow your forum, or even crash it.

Now, to use this in conjunction with .htaccess? Well, it's simple, you ban the IP addresses with .htaccess, not with your forum banning options. But what if you have around 70 IP addresses, all ddossing you? Then in that case, the first two sections will be the same, the rest will be different. For example, it would be like this; (the below IPs are made up)
97.68.233.244
97.68.123.213
97.68.211.176

So instead of banning each and every IP address, you would ban a range. But banning every IP address one by one will still not stop them, banning a range would.

You would do this the following way. Go back into your .htaccess (where you would edit it), and add the following lines at the bottom;

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

The code above would ban the entire 97.68. range, therefore not allowing ddoss attack from any 97.68. IP address, banning them all at once. But in some cases, you will have various IP addresses. I had around 5 different types from 5 different ranges, mine looked like this;


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

The above will stop all users coming from 97.68 and the others. So if a users IP address was "97.68.233.211", and another users was "97.68.53.222", then they both would not be able to access the site.

NOTE: You do this through .htaccess and NOT the vBulletin banning, as if you do this through .htaccess it will stop them from entering your website completely. Doing it through vBulletin will still allow them to access your site, just not register. And for a ddoss attack to take place, they don't need to register anyway.

You can add as many IP addresses as you want, just by adding "deny from" on a new line, followed by the IP address. Now you may be thinking, "This will stop a lot of users coming on to my website". This just might do that, but allowing them to continue the ddoss attack will stop all users from coming onto your website. You simply unban the IP addresses after a few days, once you think the ddoss attack has worn off.

I hope you understand the above, and if you would like further assistance, simply contact me via PM.

Most ddoss attackers come from a huge server, where they have around 1000 computers. So banning the IP address range will stop them all from accessing.
For heads up, my ddoss attack came from the US, Florida from two separate locations, location right next door to each other so they would have different IP addresses.
You can follow my guide above and rid of the ddossers immediately, or you can wait it out, which I suggest you DON'T do.

Conclusion
I hope you have learnt a thing or two from my guide above, and if I have missed anything out, please contact me via this thread or Private Message. Both will be read as quick as each other. By reading the above, you learnt how to protect your forum from the most common and rare cases of hacking, and protected it against ddoss attacks.

Last edited by iHatton; 06 Apr 2010 at 18:05..
Views: 18040
Reply With Quote
Comments
  #2  
Old 16 Aug 2009, 12:28
kholusoft kholusoft is offline
 
Join Date: Mar 2009
Good article
Thanks iHatton
__________________
Personal Fitness
Reply With Quote
  #3  
Old 16 Aug 2009, 12:51
vB Tree vB Tree is offline
 
Join Date: Dec 2008
Real name: Alex
Great article, 5 stars. Defiantly a help to anyone in this situation. I've been lucky enough not be hit... yet.

Unfortunately I can't tag this thread so I've bookmarked it just in case.
Reply With Quote
  #4  
Old 16 Aug 2009, 13:10
nomoreturn's Avatar
nomoreturn nomoreturn is offline
 
Join Date: Apr 2009
Real name: mastdunya.com
I got This Error after uploading hattches file

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@*****.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
Reply With Quote
  #5  
Old 16 Aug 2009, 15:47
valdet's Avatar
valdet valdet is offline
 
Join Date: Feb 2007
Real name: Valdet
Excellent article.

Thank you very much.
Reply With Quote
  #6  
Old 16 Aug 2009, 23:15
iHatton iHatton is offline
 
Join Date: Oct 2008
Originally Posted by nomoreturn@hotm View Post
I got This Error after uploading hattches file

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@*****.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
Make sure you are copying & pasting the entire .htaccess code, and add it BELOW everything else. Save, then re-upload.

Thanks for everyone's comments, if you have any suggestions as to add anything or change anything, please say.
Reply With Quote
  #7  
Old 17 Aug 2009, 06:31
Hell Bomb's Avatar
Hell Bomb Hell Bomb is offline
 
Join Date: Jun 2009
Real name: Tom Thorton
Thx man very very nice 5 Stars. I have not yet had anyone ddos me and hopefully i never will.
Reply With Quote
  #8  
Old 17 Aug 2009, 19:52
w3rd511 w3rd511 is offline
 
Join Date: Apr 2009
I too have a 500 Internal Server Error when I put in the blacklist in .htaccess

I also have this in my .htaccess


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

* "http://www.mysite.com" is are placers for my actual site as well as "ipaddresshere". I did not want to post my site address. I also deleted my .htaccess and re-uploaded like your instructions said.

How would I use that blacklist with that in my .htaccess?

TIA
Reply With Quote
  #9  
Old 18 Aug 2009, 03:20
Faizan Faizan is offline
 
Join Date: Mar 2008
i really appricated d:
Reply With Quote
  #10  
Old 20 Aug 2009, 01:26
goxy63 goxy63 is offline
 
Join Date: Oct 2008
I too have a 500 Internal Server Error when I put in the blacklist in .htaccess

and only this in my .htaccess

htaccess within forums:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


htacess above forums within vba:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


Note that I have added full blacklist txt you mentioned above under mine
Also I have htaccess file on two instances cause I use VBA, error occured when I changed one within my forums while other one was intact
__________________
VB5-- WHO HAS VISITED TODAY(last 24h) PLEASE VOTE HERE
VB5--FIRST POST ON EVERY PAGE PLEASE VOTE HERE
Reply With Quote
  #11  
Old 21 Aug 2009, 01:18
MAORBARI MAORBARI is offline
 
Join Date: Sep 2008
it show me 500 error when i put the long code in .ht...
Reply With Quote
  #12  
Old 21 Aug 2009, 14:48
iHatton iHatton is offline
 
Join Date: Oct 2008
The above code should no longer give a 500 error, as all the \ were for some reason removed.

To fix your 500 error, please recopy the new blacklist listed.
Reply With Quote
  #13  
Old 24 Aug 2009, 16:16
James Birkett James Birkett is offline
 
Join Date: Jun 2009
I could be mistaken but you're putting the order "allow,deny" meaning allow should come first, then the deny's underneath.

It is an excellent tutorial though - definitely worth following.

On another note, vBFirewall still has issues I believe.. such as any word with 'script' in it gets blocked etc.
Reply With Quote
  #14  
Old 25 Aug 2009, 23:49
Stifler Stifler is offline
 
Join Date: Jan 2005
how do you block a browser that has an empty user agent string?
thx google

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Might want to add this to the list.. I'm currently having files constantly downloaded by this ddos'er and well this is what fixed it.
Reply With Quote
  #15  
Old 02 Sep 2009, 19:01
iHatton iHatton is offline
 
Join Date: Oct 2008
Originally Posted by James Birkett View Post
I could be mistaken but you're putting the order "allow,deny" meaning allow should come first, then the deny's underneath.

It is an excellent tutorial though - definitely worth following.

On another note, vBFirewall still has issues I believe.. such as any word with 'script' in it gets blocked etc.
You are right, vBFirewall does have some issues. An issue I recently experienced was it was not allowing me to access some parts of the forum, and registered it as a hacking attempt and was in the logfile. To fix it, I had to disable this.

Thanks to everyones comments.
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Article Options

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 07:14.

Layout Options | Width: Wide Color: