20th Nov 2008
Security Questions
I am most impressed w/Vbulletin's features and relative cheapness.
I wondered if someone could take the time to answer some serious security concerns I need addressing before buying a licence given some rather bad experiences w/other such boards.
(1) Is it possible to ban particular ISPs rather than just IPs? From bitter experience I know that banning IPs alone is totally ineffective. IPs are rarely static and can easily be spoofed, making IP banning pointless. If the board itself does not come with these feature, can I write an additional script to do so?
(2) Is it possible to prevent a banned user even from viewing the board in the first place?
(3) Does the script provide me with the ability to see if attempts at hacks are being made (some kind of hacklog) and see, for example, if private forums are being breached and by whom (i.e. storing the IPs)?
(4) Is it possible to record the IP at which a membership was registered and the IP from which posts are made? This way it is possible to detect malicious users more easily. For example, a banned user can get someone else to register for them at an unbanned IP and then use a different IP to post from.
(5) I want a board which is totally secure. If I find that the board has been breached will Vbulletin remedy the situation or else refund me?
I thank you in advance for taking the time to answer my questions.
Yours sincerely,
George
Fighting "abuse" is a combination of factors and features that you implement. IMHO, it never revolves around a single feature or procedure. Certainly I agree that the IP issue is germane to this issue and very critical, but other factors will help to further reduce abuse but never eliminate it.
1> Moderate all registrations and make them wait. They can't immediately return after they are banned
2> New members can be restricted to posting in a given forum and not other forums
3> Ban free email and/or free domains
4> Keep notes in each member record with a custom field that only the Admin sees
5> Display IPs in the threads
6> Train your team to move abusive posts to your private forum so you reduce the 15 minutes of fame deal
7> Strip the "sig" from abusers
8> Encourage and reward your community to help you with an easy to use and CC Report Abuse Form. Peer pressure is very powerful
9> Clearly state your rules and exactly what you will do. Please don't be bashful :)
My thoughts aren't for everyone and you may already do this so please excuse me. I just wanted to make sure that we looked at the total picture and all the tools that are available.
I can tell you without the least bit of hesitation that there is no better product on planet earth or even mars with respect to fighting abuse + all the other cool stuff.
Your "hack log" hack is at:
http://www.vbulletin.org/forum/showthread.php?s=&threadid=32707
HTH
IP addresses are compared against your ban list when a new member tries to register. Going by this your trusted forumites should not be affected by any IP bans you create.
An NS lookup is not going to do any good because all you will get is their "domain" registration information. AOL will always give you their "headquarters" address. I could log in from Hawaii on AOL, but grab an IP that is actually hosted in Alabama. That's just how their systems work.
How will an nslookup work for banning? That's what I'm failing to understand.
Ban the IP addresses or the entire block. You don't need to know who is hosting it unless you want to make a complaint against the user.
excuse my ignorance but what's all this lookup business?
I maintain that banning ISPs would definitely help. cos many malicious users are on tiny local ISPs which u could ban quite easily w/o affecting other users. I have had the malicious user in question thrown off AOL for his conduct so such an ISP banning system WOULD work
NSLOOKUP is a Unix command which may work with WinMe, Win9x and Win2k, WinThis, Losethat, etc. It stands for "Name Service". Basically all those funny "152.163.213.189" numbers are hard to remember, but domain name service (DNS) servers can apply an alphanumeric name to it.
So http://www.ibm.com can just be reached at http://129.42.17.99 for example.
Let's say an abuser on AOL had the address "152.163.213.189". Drop to a command prompt and type "NSLOOKUP 152.163.213.189" and you will see something along these lines:
Name: spider-tj034.proxy.aol.com
Address: 152.163.213.189
Aha! So the bugger is on a proxy server. Though it leads me to wonder what spider-tj034 stands for.
Some people are legitimately "road warriors" and have just a yahoo email account. Discriminating them just to keep potential abusers out may mean losing potential good contributors to the online community you're building.
I hope my suggestion isn't encountering resistance simply because the concept was poorly presented. I've also rethought it a little. So here's the pseudo code or process:
1. User registers account, and posts
2. Vbulletin checks to see if user's IP address falls under an "abuser IP range" or "abuser domain".
3.a. If the answer to (2) is yes, then Vbulletin checks to see if the user has been indicated by the admin as a "trustable user" *despite* being on an abuser domain. If the user is, then he is allowed to post.
3.b. If the answer to (2) is no, then post-approval by Moderator is enacted, and VBulletin explains to the poster that he is on an "abuser domain" and post-approval is necessary, so please wait for your post to become public.
And then...
4. Admin or Moderator reviews the new post. If the posts in fact are okay, Admin or Moderator can flag the poster on the abuser domain as a "trustable user".
It's a very simple procedure, but it truly, truly alleviates a lot of the hassle of us admin types. I would ask the VBulletin Development Team to strongly consider this.
The purpose of this pseudo code is so that the forum does not make it hard for *every* single user signing on, but it adds a small layer of security for *only* abuser domains. However, it does not arbitrarily punish everyone on the abuser domain, but allows trustable users on abuser domains to be unrestricted.
Please consider this.
What if the forum system bans the proxy server - sure, this bans a lot more innocent users - HOWEVER, it allows trusted registered users that you manually indicate are trusted? This is similar to a Router statement "DENY ALL but PERMIT so-and-so."
Since user ID registration is automatic, deleting an abuser's ID or changing his password merely means he'll log back on under a different ID and harass users. However, add a layer of logic to protect the whole community, as follows:
1. User is posting
2. Is the User's IP address within a site-ban range? (e.g. 142.34.*.*)
3. If so, is the user ID on the list of "trusted" community members?
4. If (3) is "Yes" then allow the user to post. If "No" then shoot off a default e-mail explaining that there is an abuser on the same network as the user, and that a Moderator will look into the situation more closely; in the meantime, please feel free to operate in a "read-only" mode.
Would you consider that as a solution?
Adrain,
Can u do that on Vbulletin?
Not that I'm aware of. My "trusted forumites" list on a particular ban range idea is something I'm suggesting to the fine development team of VBulletin to implement. I am awaiting their response! :)
I.e. all the innocents that have IPs: 234.234.XXX
For example, if a malicious user is on AOL, u can only get rid of him by banning all AOL'ers, which isn't very helpful!
What you want has to be done manually. And I for one would not want this feature in any version of Vbulletin to be made automated. That means more "resources" must be used just to inquire about one person.
You can currently set restrictions to users by plugging them into user groups. If they are "new" then put them into a user group that allows only viewing and replying to threads, but they can't post until their post count is up to a number you specify. Then you can move them over to a group that allows complete access. If you're so concerned over people then it definitely should not be automated. Or restrict their viewings of certain forums.
I use the software, yes, but I also had the experience of "participating" in forums that used the software before I purchased it. The forum I spoke of existed long before I made my purchase of vbulletin, and the number of members grew because it turned to moderated signups. Didn't bother the users or new signups one bit. No one has complained about their system yet.
New signups can only view "beginners" forums since they are new to the community, and when they have enough postings, they are upgraded to full member status. Actually they look forward to that, which makes them visit more often so they can increase their post counts.
It's how you moderate and admin the board that brings the people. Manual moderation is the only way to have peace of mind.
Can u do that on Vbulletin?
Having admins ban entire IP address ranges is *not* desirable because it bans too many innocents. Forcing admins to apply registration-level restrictions is *not* desirable either because it is growth-inhibitive to the online communities they are trying to develop.
So I propose a solution that marries the strengths of both approaches:
Instead of sitebanning that AOL proxy server in question, and instead of restricting all users on your own forum in the registration process, you basically specify that any user coming in at, say, 213.132.*.* are not prohibited to post, but their posts must go through post-approval.
Now post approval is a manual process but after a few postings if a Moderator thinks a user can be trusted to have his posts appear automatically, the Moderator flags something in the user's profile to the effect "always trust this user to post". Hence, even though you want to screen out an abuser on a particular AOL proxy server, you will be able to not restrict a *good* user who has been checked out.
Again, think of how a router can "deny all but permit certain addresses." We're basically doing "pause all posts but permit those who have proven themselves."
So my question: Can VBulletin do this? If not, can this be a feature that will be coded into the next release?
If you ban based on "a.b.c.*" that means "d" comprises a possible range of 254 addresses. Banning "a.b.*.*" means that "c.d." comprises a possible range of 65536.
(The formula is 2^x minus 2, where "x" equals the number of bits represented by the octets. Each octet is 8 bits.)
An ISP may have more than one address range. They may have 121.42.*.* and 121.43.*.* all the way up to 121.46.*.* in this example. Let's say the abuser logs on at 121.42.1.1 and you ban 121.42.*.* - technically, you banned him. But if the ISP's DHCP server grants him 121.43.1.1 then he'll evade the ban. That means you'll have to ban 121.42.* AND 121.43.*, but just in case, ban the others! However, as you said, this bans many innocents. Each siteban covering two octets, you ban over 65k worth of addresses.
Hence my suggestion is that if someone is posting from an "evil" site, you have to take the users on a case-by-case basis and watch them more carefully. It's not a foolproof situation but it adds a little more inconvenience to the abuser to ward him off. Loyal forumites who have proven themselves have their user IDs on your "trusted forumite" list for that particular ban range, and they won't be affected. Newcomers on that ban range will be notified, observed to see if it's the abuser or not, then put on the "trusted forumite" list for that ban range. That's my suggestion. Does it make sense?
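The "deny the range, but permit trusted forumites" logic proposed above (the numbered pseudo code earlier in the thread, the router-style "DENY ALL but PERMIT so-and-so" variant, and the post-approval variant just described) is straightforward to express in code. The following is an added example written for this page, not vBulletin code and not anything the thread's posters wrote. It assumes the thread's wildcard notation ("142.34.*.*") plus CIDR for ban ranges, three constructed outcomes (allow, moderate, read-only), and made-up user IDs and addresses; it also computes how many addresses a wildcard range covers, which is the 2^x figure discussed above (the thread's "minus 2" drops the network and broadcast addresses).

```python
"""Trusted-user overlay on an IP range ban (added example, not vBulletin code).

A post from an address inside a banned range is not rejected outright; it is
held for moderator approval (or, per the second proposal, the user is put in
read-only mode) unless the poster's user ID is on the trusted list kept for
that range. Range syntax follows the thread's wildcard notation and CIDR.
"""
import ipaddress
from dataclasses import dataclass, field

# Policy outcomes the forum front end would act on (constructed names).
ALLOW = "allow"          # post goes live immediately
MODERATE = "moderate"    # post held in the approval queue
READ_ONLY = "read-only"  # user may read but not post


def parse_range(spec: str) -> ipaddress.IPv4Network:
    """Turn "142.34.*.*" or "142.34.0.0/16" into an IPv4Network.

    Wildcards must be trailing octets; "a.*.c.*" is rejected because it is
    not a contiguous network and cannot be expressed as one prefix.
    """
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad range {spec!r}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        if not 0 <= int(octet) <= 255:
            raise ValueError(f"bad octet in {spec!r}")
        fixed.append(octet)
    if octets[len(fixed):] != ["*"] * (4 - len(fixed)):
        raise ValueError(f"wildcards must be trailing in {spec!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}", strict=False)


def addresses_covered(spec: str) -> int:
    """Total addresses a ban range covers: 2^x for x masked bits."""
    return parse_range(spec).num_addresses


@dataclass
class BanRange:
    spec: str
    network: ipaddress.IPv4Network = field(init=False)
    trusted_users: set = field(default_factory=set)
    hold_posts: bool = True  # True: moderate posts; False: read-only mode

    def __post_init__(self):
        self.network = parse_range(self.spec)


def _best_match(ip: str, bans: list):
    """Most specific (longest prefix) ban range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [b for b in bans if addr in b.network]
    return max(matches, key=lambda b: b.network.prefixlen) if matches else None


def decide(ip: str, user_id: str, bans: list) -> str:
    """Steps 2-3 of the thread's process: range check, then trusted-list check."""
    ban = _best_match(ip, bans)
    if ban is None or user_id in ban.trusted_users:
        return ALLOW
    return MODERATE if ban.hold_posts else READ_ONLY


def mark_trusted(ip: str, user_id: str, bans: list) -> bool:
    """Step 4: a moderator flags the poster as trusted for the range the post
    came from. Returns False if the address is not in any banned range."""
    ban = _best_match(ip, bans)
    if ban is None:
        return False
    ban.trusted_users.add(user_id)
    return True


# Constructed sample configuration: one moderated range with two vetted
# users, and one range in read-only mode. Names and addresses are made up.
BANS = [
    BanRange("142.34.*.*", trusted_users={"adrian", "george"}),
    BanRange("213.132.0.0/16", hold_posts=False),
]

if __name__ == "__main__":
    for ip, user in [("142.34.7.9", "george"), ("142.34.7.9", "newbie"),
                     ("213.132.4.4", "newbie"), ("10.0.0.1", "newbie")]:
        print(f"{user}@{ip}: {decide(ip, user, BANS)}")
    print("142.34.*.* covers", addresses_covered("142.34.*.*"), "addresses")
```

The longest-prefix rule matters once ranges nest: a narrow "142.34.7.*" entry with its own trusted list should win over a broad "142.34.*.*" one, exactly as a router applies its most specific rule.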
Aha! So the bugger is on a proxy server. Though it leads me to wonder what spider-tj034 stands for.
It's the name of the proxy
the one I use at work is called opushi so its attached to any outgoing email or functions done through that server (opushi.proxy.domain.com)
Who's On line lets Admins/Super Mods see the IPs of members and guests.
The Admin of vB lets you see all the IPs a member ever used + a lookup and do a fast search to see if other members use the same ISP :) This is a powerful tool :)
The IP of each poster may be displayed in the post so that other members can see it.
HTH
I personally have had EXACTLY those probs on the board I use at present. To block the malicious user I have to ban innocents too. It has caused no end of aggravation for all concerned. The malicious user in question is loving it and continually finding ways around the IP block.
Other than that I too am very impressed with vBulletin. Maybe we should both withhold our cash until they change it :)
For example we have established that if their IP is 234.234.123
u can ban say 234.234 but that will ban innocents and banning like 234.234.1 will do the same/may not ban the intended malicious user cos IPs aren't static
excuse my ignorance but what's all this lookup business?
I maintain that banning ISPs would definitely help. cos many malicious users are on tiny local ISPs which u could ban quite easily w/o affecting other users. I have had the malicious user in question thrown off AOL for his conduct so such an ISP banning system WOULD work
Do any other boards offer this?
basically banning doesn't really work if your malicious attacker is dedicated enough.
Unfortunately not currently in vBulletin.
One thing I would very much like to see but do not see any software doing this is to go beyond just numeric IP address lookup. Sure, we can ban 234.212.*.* or whatever, or we can even use a subnet mask. But what about doing an NSlookup on someone who is posting, and factoring a slight additional layer of intelligence there?
Being only able to ban by numeric IP is highly restrictive. Let me give you an example. If you ban an abuser who uses AOL, and ban using the first 3 octets, the abuser reconnects, gets a new dynamic IP address from DHCP and bypasses your ban because their DHCP range covers the last two octets. But if you ban the first 2 octets to be more comprehensive, you end up banning so many innocent users - including those who live geographically nowhere near the abuser, even those in different States and counties!
The NSLookup information is valuable because it gives you an idea of the geographical range the abuser is connecting from. Banning based on a text string e.g. *rochester.ny* would help tremendously - that's how they do it on IRC.
Just a humble suggestion. I praise vBulletin's team for being innovative and I trust that they'll take this under serious consideration - or implement something better than what I've typed here!
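The text-filter idea above (resolve the poster's address back to a name, as the NSLOOKUP walkthrough earlier in the thread does, then match it against a pattern such as *rochester.ny*) can be prototyped independently of the forum. The block below is an added example for this page, not vBulletin code and not anything the poster wrote. It assumes shell-style wildcard patterns, a constructed PTR table so it runs offline (the AOL proxy name is the one shown in the thread; the other names and addresses are made up), and adds one check the thread does not mention: confirming that the name resolves forward to the same address, since a reverse record the forum cannot verify is the easy way around a name-based filter.

```python
"""Hostname-pattern bans over reverse DNS (added example, not vBulletin code).

The lookup is pluggable: offline_lookup() reads a constructed table so the
example runs without network access; live_lookup() is the real call.
Caveats already raised in the thread apply: a proxy name such as
spider-tj034.proxy.aol.com says nothing about where the user is, and an
address with no reverse record matches no pattern, so the caller must fall
back to the numeric ban list rather than treating "no match" as "clean".
"""
import fnmatch
import socket
from typing import Callable, List, Optional, Set

# Constructed PTR table standing in for real DNS.
SAMPLE_PTR = {
    "152.163.213.189": "spider-tj034.proxy.aol.com",         # name from the thread
    "198.51.100.7": "dsl-12-7.rochester.ny.example-isp.net",  # made up
    "198.51.100.9": "lib-terminal-3.publiclibrary.example.org",  # made up
    "203.0.113.5": None,                                      # no PTR record
}

# Constructed forward (A record) table for the same names. The library host
# deliberately resolves to a different address than its PTR claims.
SAMPLE_FORWARD = {
    "spider-tj034.proxy.aol.com": {"152.163.213.189"},
    "dsl-12-7.rochester.ny.example-isp.net": {"198.51.100.7"},
    "lib-terminal-3.publiclibrary.example.org": {"198.51.100.99"},
}


def offline_lookup(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def offline_forward(name: str) -> Set[str]:
    return SAMPLE_FORWARD.get(name, set())


def live_lookup(ip: str) -> Optional[str]:
    """Real reverse lookup (what NSLOOKUP on an address does). Not used offline."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def normalize(name: str) -> str:
    return name.lower().rstrip(".")


def forward_confirmed(ip: str, name: str,
                      forward: Callable[[str], Set[str]] = offline_forward) -> bool:
    """True if the reverse name resolves back to the address it was found on."""
    return ip in forward(normalize(name))


def matches_host_ban(ip: str, patterns: List[str],
                     lookup: Callable[[str], Optional[str]] = offline_lookup,
                     require_confirmation: bool = False) -> Optional[str]:
    """Return the first pattern the poster's reverse name matches, else None.

    Patterns use shell wildcards, compared case-insensitively, so the
    thread's "*rochester.ny*" works as written. With require_confirmation
    set, a name that does not resolve forward to the same address is ignored.
    """
    name = lookup(ip)
    if not name:
        return None
    if require_confirmation and not forward_confirmed(ip, name):
        return None
    host = normalize(name)
    for pat in patterns:
        if fnmatch.fnmatch(host, pat.lower()):
            return pat
    return None


if __name__ == "__main__":
    rules = ["*.proxy.aol.com", "*rochester.ny*", "*publiclibrary*"]
    for ip in SAMPLE_PTR:
        print(ip, "->", SAMPLE_PTR[ip], "matches", matches_host_ban(ip, rules))
```

Patterns are applied in order, so put the most specific (and most trusted) rules first; the return value names the matching rule so a moderation log can record why a post was held.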
Well if u log the poster's IP then u can use a program like visualroute to trace that person's ISP and then ban the ISP.
I know ppl who have created their own scripts that allow this.
I can't write an entire board, but I could perhaps add a script to it, modifying it. Is there no way to do this then?
As far as "restrictions" (ie moderate new signups)
It doesn't create an "anti-community" feeling.
the board I frequent grew 3 times the number of users in the last three months than in the last year and a half it's been running. Because they went to "moderation" of new signups.
But AOL isn't the only problem.
There are some who try to terrorize bulletin board sites from public library terminals, etc.
All I'm saying is that it would be *nice* to be able to do a ban by first doing an NSLOOKUP, capturing that information, comparing it against a text filter, and be done with it.
Thx for your reply.
The ability to see at a glance all IPs a user has used as well as checking if other users are on those IPs (i.e. a user with more than one username) sounds very useful indeed.
Would it be possible for me tho to write some sort of additional script to ban partic ISPs and integrate it?
Thx a lot for your help!
2) Yes. You can move users to a group of banned users and disallow that group from doing anything including view the forums.
3) No there is no hacklog. You would need to rely on your webserver's logs for that.
4) The IP a user uses when registering is recorded. I am unsure if that is saved indefinitely, but I know that the IP that a user uses to post is also recorded.
5) We cannot offer any refunds due to the visible source nature of the product. If you come across any security problems and notify us of them we will endeavor to fix them as soon as possible and release a fix to all registered members.
Posted by wktd under toyotataa.com
