Security Measures for a 2.1 Forum ?

Started by LandyVlad, Oct 06, 2021, 10:29 PM


LandyVlad

So far the main security mods I use on 2.0 aren't available for 2.1 (related thread)

The obvious first security measure is proper use of the security questions.

I have that covered - what other options would people suggest?


How in SMF 2.1 could I achieve the following:


  • New member has to post to a welcome forum before anywhere else, and it has to be approved to then allow them ongoing access without moderator approval of posts.
  • ReCaptcha required for say first 5 posts.
  • Adding a Honeypot
  • Server / host side measures which prevent spammers before they even arrive at the forum / registration.

Thanks
Please do not PM me with questions on astrophysics or theology.  You will get better and faster responses by asking homeless people in the street. Thank you.

Hatshepsut

I use only: user registration with one question, Admin approval for new members, and ReCaptcha for first 5 posts.

LandyVlad

And that's working well for you?

Can you run through how you set up the admin approval for new members please?

Hatshepsut

#3
Quote from: LandyVlad on Oct 07, 2021, 02:36 AM
And that's working well for you?

Yes, I have two forums  - old and new, with the same name. The last registered spam-bots were in 2011  :vcool
Since 2011, we have several human spammers only.

Quote from: LandyVlad on Oct 07, 2021, 02:36 AM
Can you run through how you set up the admin approval for new members please?

Admin panel => Members => Registration => Settings

The first option is:

'Method of registration employed for new members'

Select "Admin Approval" from the drop-down menu

When a new member is registered, you will receive a notification.
In the admin panel, you will see the new member with their e-mail and IP addresses.
When I see users' IPs from China, India or Pakistan, I reject them.

Skhilled

For many years, I've set the new user membergroup so that their permissions can't pm anyone except admins, they can't post links or sigs, etc. They must make 5 posts then they will automatically be put into the "regular user" (my version of it) group. If I see they are a real person asking for help, etc. then I'll manually put them into the "regular user" group.

Neša

I have a few block lists enabled on the server in csf, one of them is the stopforumspam.com 24 hour list. It is updated daily and will get a big chunk of spammers.
I only have test forums set up at the moment, but in the past we didn't have any big issues with spammers using that method.

Skhilled

Here are a few other things I've added to my site that I forgot to mention:

How to Avoid Spambots, etc:

https://www.projecthoneypot.org/how_to_avoid_spambots.php

Disposable Email Addresses. Added these to your ban email addresses in one ban setting. ;)

https://www.docskillz.com/docs/index.php?topic=710.0

Bigguy

Nice list. I might have to add it here. :rgton
"It's the American dream....cause ya have to be asleep to believe it." - George Carlin

LandyVlad

Yeah, I think the most common of all of those these days is *@yandex.com
I know banning that particular one on my forum killed 9/10 of the ones that got through, and almost all the rest were captured by 'stop spammer mod'


Quote from: Skhilled on Oct 15, 2021, 10:05 AM
Disposable Email Addresses. Added these to your ban email addresses in one ban setting. ;)
https://www.docskillz.com/docs/index.php?topic=710.0

So adding bulk separated by commas - for 2.1 are file code changes still required or does 2.1 natively support lists with commas?
If not native in 2.1 I think a mod to do this would be awesome !

LandyVlad

Quote from: Neša on Oct 15, 2021, 07:14 AM
I have a few block lists enabled on the server in csf, one of them is the stopforumspam.com 24 hour list.

How do you mean set up on the server? You mean outside/independent of SMF?

I googled csf - ConfigServer Security & Firewall https://configserver.com/cp/csf.html
It seems to be for Linux servers. No idea whether the hosting I have is Windows or Linux, possibly the former.

lesmond

#10
Quote from: LandyVlad on Oct 15, 2021, 08:27 PM
No idea whether the hosting I have is windows or linux, possibly the former.

To find out what server you're on, go to your cPanel and click 'server information' on the right.


Having said that, you will not be able to access CSF unless you run your own server/VPS, I doubt that your hosting will add any of those email blocks  :dontknow

The only person who got all his work done by Friday was Robinson Crusoe

Skhilled

#11
Quote from: LandyVlad on Oct 15, 2021, 08:21 PM
So adding bulk separated by commas - for 2.1 are file code changes still required or does 2.1 natively support lists with commas?
If not native in 2.1 I think a mod to do this would be awesome !

I just tested this in RC4 and it will not let you separate them by commas. :( I think you have to enter them one by one...not surprised.

However, you should be able to enter them in cPanel to block them from sending you email.

LandyVlad

Quote from: lesmond on Oct 16, 2021, 04:14 AM
Having said that, you will not be able to access CSF unless you run your own server/VPS, I doubt that your hosting will add any of those email blocks  :dontknow

I don't run my own server or VPS. It's a hosted thing. I had a look through the control panel and there don't seem to be any options for it... :(

Skhilled

#13
You can add them in Global Email Filters for all of your sites under that account or Email filters for just that account.

Neša

Yes, sorry, CSF is a firewall for servers. You could deny the IP addresses in .htaccess; I think the IP Deny function of cPanel just puts deny [ip address] in that file. You can test it by copying an IP address, then viewing the file in File Manager.

It won't be as efficient as an iptables/csf block, but it is better than nothing. Stopforum has a mod for the older SMF forum.
http://custom.simplemachines.org/mods/index.php?mod=1547 someone might be able to pick up the code and modify it to work with the new forum.
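
One way to turn a downloaded IP blocklist into the kind of .htaccess deny rules described above (an added example, not part of the original post or of any SMF/cPanel code). The one-entry-per-line list format, the function names and the `never_block` safeguard are assumptions, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample: one entry per line, as a downloaded list might look (assumed format).
SAMPLE_LIST = """\
# constructed sample blocklist
198.51.100.7
198.51.100.6
203.0.113.0
203.0.113.1
203.0.113.2
203.0.113.3
192.0.2.44
not-an-ip
127.0.0.1
"""

def parse_blocklist(text, never_block=()):
    """Return collapsed networks, skipping junk lines and protected ranges."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    by_version = {4: [], 6: []}
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed line: never copy it into .htaccess
        # Do not lock out localhost or the admin's own range.
        if net.is_loopback or any(
                net.version == p.version and net.overlaps(p) for p in protected):
            continue
        by_version[net.version].append(net)
    result = []
    for nets in by_version.values():  # collapse_addresses needs one IP version at a time
        result.extend(ipaddress.collapse_addresses(nets))
    return result

def render_htaccess(networks, apache24=True):
    """Emit Apache 2.4 'Require not ip' rules, or the older 2.2-style 'Deny from'."""
    if apache24:
        lines = ["<RequireAll>", "    Require all granted"]
        lines += [f"    Require not ip {n}" for n in networks]
        lines.append("</RequireAll>")
    else:
        lines = ["Order Allow,Deny", "Allow from all"]
        lines += [f"Deny from {n}" for n in networks]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_htaccess(parse_blocklist(SAMPLE_LIST, never_block=["192.0.2.0/24"])))
```

Collapsing adjacent addresses into CIDR ranges keeps the file short, which matters because Apache re-reads .htaccess on every request.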


pulgoki

Quote from: Skhilled on Oct 16, 2021, 07:21 AM
I just tested this in RC4 and it will not let you separate them by commas. :( I think you have to enter them one by one...not surprised.

If this kind of post isn't allowed, sorry - remove it please. 

I joined today because I read this thread. I've been looking for a way to add these myself.  I wrote a sql query that will add all of them at once.  It can be edited to add more. The formatting is there.

You have to change it to fit your database prefix and ban group.  In the table name smf***_ban_items, edit the *** to match your database. The '1' just happens to be my ban group as I only have a single group. The first spammer joined my server today using a yandex email address.

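-- Replace *** with your table prefix and '1' with your own id_ban_group.
-- In these patterns % is the SQL LIKE wildcard.
INSERT INTO `smf***_ban_items`(`id_ban_group`, `email_address`)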
VALUES
('1', '%@sogetthis.com'),
('1', '%@10minutemail.com'),
('1', '%@110mail.net'),
('1', '%@123people.com'),
('1', '%@126.com'),
('1', '%@163.com'),
('1', '%@1dl.us'),
('1', '%@2prong.com'),
('1', '%@anonymbox.com'),
('1', '%@bk.ru'),
('1', '%@bugmenot.com'),
('1', '%@deadaddress.com'),
('1', '%@discard.email'),
('1', '%@discardmail.com'),
('1', '%@dispostable.com'),
('1', '%@dodgit.com'),
('1', '%@e4ward.com'),
('1', '%@emailias.com'),
('1', '%@emailko.in'),
('1', '%@emailthe.com'),
('1', '%@email-unlimited.com'),
('1', '%@fakeinbox.com'),
('1', '%@filzmail.com'),
('1', '%@getairmail.com'),
('1', '%@gishpuppy.com'),
('1', '%@goemailgo.com'),
('1', '%@guerrillamail.%'),  -- LIKE wildcard is %, not *
('1', '%@hushmail.%'),
('1', '%@incognitomail.com'),
('1', '%@laposte.net'),
('1', '%@list.ru'),
('1', '%@mailcatch.com'),
('1', '%@maildrop.cc'),
('1', '%@mailex.org'),
('1', '%@mailinator.%'),
('1', '%@meltmail.com'),
('1', '%@mini.burmails.com'),
('1', '%@mintemail.com'),
('1', '%@nowmymail.com'),
('1', '%@o2.pl'),
('1', '%@ovi.com'),
('1', '%@qq.com'),
('1', '%@sneakemail.com'),
('1', '%@spamex.com'),
('1', '%@spamfree24.org'),
('1', '%@spamgourmet.com'),
('1', '%@techcrunch.com'),
('1', '%@tempemail.com'),
('1', '%@temp-mail.org'),
('1', '%@tipforus.us'),
('1', '%@trash-mail.com'),
('1', '%@trashmymail.com'),
('1', '%@urx7.com'),
('1', '%@whyspam.me'),
('1', '%@yandex.com'),
('1', '%@yopmail.com'),
('1', '%@xyzfree.net'),
('1', '%@zoemail.com');
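
A way to generate a statement like the one above from a comma-separated list in the `*`-wildcard style discussed earlier in the thread (an added example, not part of pulgoki's post or of SMF). It assumes the ban table is matched with SQL LIKE, as the `%` prefix in the post implies; the function names, the `smf_ban_items` table name and the sample input are constructed, and an in-memory SQLite table stands in for the forum database to check what each pattern matches.

```python
import re
import sqlite3

# Constructed input: comma-separated, *-wildcard entries, including a duplicate and two bad ones.
RAW_LIST = "*@yandex.com, *@mailinator.*, *@YOPmail.com,*@yandex.com, *@bad'domain.com, *@*"
SAFE = re.compile(r"[a-z0-9.%@-]+")  # nothing that could break out of a quoted SQL string

def to_like_patterns(raw):
    """Return (unique lower-cased LIKE patterns, rejected entries)."""
    patterns, rejected = [], []
    for item in raw.split(","):
        p = item.strip().lower().replace("*", "%")  # * is literal in LIKE, % is the wildcard
        if not p:
            continue
        domain = p.partition("@")[2]
        # Reject unsafe characters and patterns such as %@% that would ban every address.
        if not SAFE.fullmatch(p) or p.count("@") != 1 or not domain.strip("%."):
            rejected.append(item.strip())
        elif p not in patterns:
            patterns.append(p)
    return patterns, rejected

def render_insert(patterns, table, ban_group):
    """Build one multi-row INSERT for the ban table (table name is a placeholder)."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", table):
        raise ValueError("unexpected table name")
    rows = ",\n".join(f"({int(ban_group)}, '{p}')" for p in patterns)
    return f"INSERT INTO `{table}` (`id_ban_group`, `email_address`)\nVALUES\n{rows};"

def matches(patterns, addresses):
    """Dry run: map each address to the first pattern that bans it, or None."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ban_items (email_address TEXT)")
    conn.executemany("INSERT INTO ban_items VALUES (?)", [(p,) for p in patterns])
    query = "SELECT email_address FROM ban_items WHERE ? LIKE email_address LIMIT 1"
    hits = {}
    for addr in addresses:
        row = conn.execute(query, (addr,)).fetchone()
        hits[addr] = row[0] if row else None
    return hits

if __name__ == "__main__":
    pats, bad = to_like_patterns(RAW_LIST)
    print(render_insert(pats, "smf_ban_items", 1))
    print("rejected:", bad)
    print(matches(pats, ["spam@mailinator.net", "user@example.org"]))
```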

Bigguy

I don't have any objection to this post. It's OK. :)

Skhilled

Nice! I'm surprised I didn't think of that! LMAO

pulgoki

I figured if nothing else, I found the info on your site.  I took the time to format it to import in. This should save someone the trouble of having to do it.

I need to learn how to use regex :D 

Skhilled

After surfing the net for over 35 years you'd assume I'd be a guru by now...NOT! LMAO

I do know some php and css but am no pro at either. I started to get into regex awhile back but have been too busy to get back into it. I found this to help me:

https://regex101.com/

LandyVlad

Well with 2.1.0 now released I'm revisiting this.

I do have a live forum (but very new) running 2.1RC4 and it's just using questions, and there haven't been any problems so far. But it's very new.

Skhilled

I'm going to install it soon on a test forum and kick the tires to see how it goes. I've got a LOT of themes to update over at CZ now. ::)

Skhilled

I installed it and tried to set the time but screwed it up and thought something was wrong! LOL I knew I was tired and had a bad headache and should've just laid down for a nap first. LOL