SteveW

Simple Machines Forum (SMF) 1.1.13 Released


SMF has released version 1.1.13, SMF 2.0 RC5, and a security patch for SMF 2.0 RC4.

 

The announcement is at http://www.simplemachines.org/community/index.php?topic=421547.0

 

I haven't done this upgrade yet, and find it more confusing than normal. Even though the release includes 1.1.13, the provided information and discussion seem overly focused on the 2.0 branch.

 

The announcement post doesn't have links to the usual files that you can review to see what changes are being made, but there is a web page list of the file edits at [go to http://custom.simplemachines.org/upgrades/ Click the SMF 1.1.12 to SMF 1.1.13 link (but not the Download link next to it)].

 

It seems to me (I could be mistaken) that there are more reports of upgrade problems than normal in the 1.x support board at http://www.simplemachines.org/community/index.php?board=9.0.

 

----

 

Simultaneously, there seems to be a sizable botnet (?) attack currently going on against SMF forum sites. That topic is also being discussed in the support board linked above.

 

Two symptoms of the attack:

 

1. Users are unable to remain logged in.

2. Your forum error log shows hundreds or thousands of "password incorrect" errors.

 

Robots are harvesting SMF usernames from forum posts. Then, brute force password attacks are launched, from a very large number of IP addresses, against those user accounts.

 

The reason the legitimate users can't stay logged in is that after a certain number of failed login attempts on their account, SMF invalidates all the outstanding login cookies for that user. The currently announced upgrade is said to alleviate the login problem, but it can't stop the attacks. It only makes it possible for the legitimate users to remain logged in themselves.

 

The defense against brute force password attacks is for all users to use long random passwords that can't be brute-forced.

 

It also helps if users use a screen name (display name) that is different from their login name. That way, the name that they log in with doesn't appear on their forum posts. Any illegitimate login attempts will be using the wrong login name.

 

There is much talk about banning the IP addresses that are doing the attacks, but that is not such a good idea because there are so many. If you're affected by this, it's better to examine your logs for the common elements of these login attempts, and ban (in .htaccess) by those common characteristics (other than IP). A careful examination will reveal that the illegitimate login attempts can be distinguished from legitimate ones.


 

The defense against brute force password attacks is for all users to use long random passwords that can't be brute-forced.

 

 

That's unrealistic and not really necessary; besides, even complex passwords can be guessed given sufficient time and computing power. There are other things you could do, like tarpitting (i.e. slowing down responses to the requesting host, consuming their resources), staggered-period lockouts, captchas after several unsuccessful attempts or other random things that only a human could handle. Everything else gets blocked or black-holed...

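The reply above names three server-side controls: tarpitting, staggered-period lockouts and a CAPTCHA after several failures. The class below is an added example (not SMF code and not from either poster) of how the three fit together as a login-throttling policy, with one design point the thread makes worth respecting: because the attempts come from a very large number of IPs, a hard lockout keyed on the account alone lets the attacker lock the legitimate user out (the "can't stay logged in" symptom described in the first post). The escalating lockout is therefore keyed on the (IP, account) pair, while the account-wide counter only raises the bar to a CAPTCHA. The step schedule, thresholds and delay per failure are illustrative values chosen for this example.

```python
"""Login throttle combining a tarpit delay, staggered (IP, account) lockouts and
an account-level CAPTCHA requirement. Times are plain seconds so the policy is
testable without a clock; a real deployment passes time.time() as `now`."""

# Illustrative schedule: two free tries, then 30s, 2m, 8m, 30m, staying at 30m.
LOCKOUT_STEPS = (0, 0, 30, 120, 480, 1800)
CAPTCHA_AFTER = 3      # failures on an account (from any IP) before a CAPTCHA is required
TARPIT_STEP = 2.0      # seconds of added response delay per prior failure from this (IP, account)


class LoginThrottle:
    def __init__(self):
        # (ip, account) -> (failure count, lockout expiry); the lockout is per
        # source, so a botnet cannot lock the real user out of their own account.
        self.ip_fail = {}
        # account -> failures since the last successful login, across all IPs
        self.acct_fail = {}

    def check(self, ip, account, now):
        """Consult before verifying the password.
        Returns (allowed, delay_seconds, captcha_required):
          allowed          False while this (ip, account) is locked out
          delay_seconds    seconds to sleep before answering (tarpit), or time
                           remaining on the lockout when not allowed
          captcha_required True once the account has absorbed CAPTCHA_AFTER
                           failures from anywhere, or the caller is locked out"""
        count, locked_until = self.ip_fail.get((ip, account), (0, 0.0))
        if now < locked_until:
            return False, locked_until - now, True
        delay = TARPIT_STEP * count
        captcha = self.acct_fail.get(account, 0) >= CAPTCHA_AFTER
        return True, delay, captcha

    def record_failure(self, ip, account, now):
        """Register a wrong password; returns the lockout length applied (seconds)."""
        count, _ = self.ip_fail.get((ip, account), (0, 0.0))
        count += 1
        step = LOCKOUT_STEPS[min(count - 1, len(LOCKOUT_STEPS) - 1)]
        self.ip_fail[(ip, account)] = (count, now + step)
        self.acct_fail[account] = self.acct_fail.get(account, 0) + 1
        return step

    def record_success(self, ip, account):
        """A correct password clears this source's counter and the account's CAPTCHA state."""
        self.ip_fail.pop((ip, account), None)
        self.acct_fail[account] = 0


if __name__ == '__main__':
    t = LoginThrottle()
    bot, user = '203.0.113.10', '192.0.2.44'   # constructed addresses
    for i in range(4):
        print('bot failure %d -> lockout %ds' % (i + 1, t.record_failure(bot, 'admin', float(i))))
    print('bot  now:', t.check(bot, 'admin', 4.0))
    print('user now:', t.check(user, 'admin', 4.0))   # allowed, but must solve a CAPTCHA
```

The lockout never fires for the real user's own address unless they fail from it themselves, and a botnet member that hits the lockout wall simply burns its allocation on that account, which is the intended asymmetry. Note that this does nothing about the error-log volume; it only governs which attempts get as far as a password check.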

In spite of my misgivings this time, the upgrade on my forum seems to have gone as smoothly as it always has before. I don't have any official "mods" installed, just an index.template.php that I customized myself, and that wasn't one of the files affected by the upgrade.

 

That's unrealistic and not really necessary,

I agree that requiring forum users to conform to password rules (or username guidelines as I suggested was desirable) is unrealistic and that most forum admins, including myself, wouldn't bother, to avoid user confusion or annoyance. On the other hand, any SMF forum admin could use those measures to protect their own account, since an admin's account is the one you really don't want compromised.

 

I consider long random passwords necessary, but if someone insists on using a weak password and using the same one at a forum and Facebook and Twitter and their online bank, that's their problem, not mine.

 

It's easy to create a password strong enough that it can't be guessed over the internet within any reasonable time (like 1000 years).

 

slow responses

lockouts,

captchas

 

I agree, all good ideas. SMF uses a pretty good CAPTCHA on the registration form. I haven't had any bot registrations that I know of. Adding it elsewhere such as the post submission form would require custom coding, as would the slow response and lockout strategies. Unless there's an SMF mod for them. I don't know.

 

This current "attack" really doesn't seem that effective. The request rate I've seen is slow (1 per 4 minutes), which isn't going to guess anybody's password unless it's "123456" or "password". The SMF admins most concerned about the attack are probably seeing much higher request rates, such that their users can't stay logged in, and it fills up SMF error logs.
