SteveW Posted February 14, 2011 (edited)

SMF has released version 1.1.13, and SMF 2.0 RC5, and a security patch for SMF 2.0 RC4. The announcement is at http://www.simplemachines.org/community/index.php?topic=421547.0

I haven't done this upgrade yet, and find it more confusing than normal. Even though the release includes 1.1.13, the provided information and discussion seem overly focused on the 2.0 branch. The announcement post doesn't have links to the usual files that you can review to see what changes are being made, but there is a web page list of the file edits at http://custom.simplemachines.org/upgrades/ (click the "SMF 1.1.12 to SMF 1.1.13" link, but not the Download link next to it). It seems to me (I could be mistaken) that there are more reports of upgrade problems than normal in the 1.x support board at http://www.simplemachines.org/community/index.php?board=9.0.

----

Simultaneously, there seems to be a sizable botnet (?) attack currently going on against SMF forum sites. That topic is also being discussed in the support board linked above. Two symptoms of the attack:

1. Users are unable to remain logged in.
2. Your forum error log shows hundreds or thousands of "password incorrect" errors.

Robots are harvesting SMF usernames from forum posts. Then, brute force password attacks are launched, from a very large number of IP addresses, against those user accounts. The reason the legitimate users can't stay logged in is that after a certain number of failed login attempts on their account, SMF invalidates all the outstanding login cookies for that user.

The currently announced upgrade is said to alleviate the login problem, but it can't stop the attacks. It only makes it possible for the legitimate users to remain logged in themselves. The defense against brute force password attacks is for all users to use long random passwords that can't be brute-forced.

It also helps if users use a screen name (display name) that is different from their login name. That way, the name that they log in with doesn't appear on their forum posts. Any illegitimate login attempts will be using the wrong login name.

There is much talk about banning the IP addresses that are doing the attacks, but that is not such a good idea because there are so many. If you're affected by this, it's better to examine your logs for the common elements of these login attempts, and ban (in .htaccess) by those common characteristics (other than IP). A careful examination will reveal that the illegitimate login attempts can be distinguished from legitimate ones.

Edited February 14, 2011 by SteveW
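The log examination SteveW describes, written out as an added example that is not part of his post and not SMF code: it parses Apache combined-format access log lines (a constructed sample is embedded below; the forum hostname forum.example.com, the IP addresses and the user-agent strings are all made up), groups the POSTs to index.php?action=login2 by the characteristics the requests share other than their source IP (user agent, and whether the Referer points back at the forum's own login page), and turns a profile that comes from many IPs into a single mod_rewrite block for .htaccess.

```python
"""Group failed SMF login attempts by their non-IP characteristics.

Added example for the thread above; not SMF code and not the poster's.
Reads Apache "combined" access log lines, profiles POSTs to the SMF login
handler (index.php?action=login2), and builds one .htaccess rule for a
profile that is spread across many source addresses.
"""
import re
from collections import defaultdict

# Apache combined format:
#   ip - - [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

FORUM_HOST = "forum.example.com"  # assumption: the forum's own hostname

# Constructed sample log: four login POSTs from four different IPs that share one
# stale user agent and send no Referer, one real user who came from the forum's
# login page, and an unrelated page view. Timestamps are a few minutes apart.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Feb/2011:10:00:01 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 3120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.44 - - [14/Feb/2011:10:03:58 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 3120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.19 - - [14/Feb/2011:10:04:10 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 3120 "http://forum.example.com/index.php?action=login" "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
198.51.100.91 - - [14/Feb/2011:10:07:40 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 3120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.8 - - [14/Feb/2011:10:11:33 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 3120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.19 - - [14/Feb/2011:10:12:02 +0000] "GET /index.php?board=9.0 HTTP/1.1" 200 8812 "http://forum.example.com/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_login_post(rec):
    """True for a POST to the SMF login handler (index.php?action=login2)."""
    return (rec["method"] == "POST"
            and rec["path"].startswith("/index.php")
            and "action=login2" in rec["path"])


def profile_login_posts(log_text):
    """Group login POSTs by (user agent, referer-is-our-forum) and count hits and IPs."""
    profiles = defaultdict(lambda: {"hits": 0, "ips": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_login_post(rec):
            continue
        came_from_forum = FORUM_HOST in rec["referer"]
        key = (rec["ua"], came_from_forum)
        profiles[key]["hits"] += 1
        profiles[key]["ips"].add(rec["ip"])
    return profiles


def suspicious_profiles(profiles, min_ips=3):
    """Login traffic that never passed through the forum's login form yet arrives
    from at least min_ips distinct addresses is the distributed pattern from the post."""
    return [key for key, stats in profiles.items()
            if not key[1] and len(stats["ips"]) >= min_ips]


def htaccess_rule(user_agent):
    """mod_rewrite lines that answer 403 to login2 POSTs carrying this exact user agent.
    The user agent is regex-escaped and quoted because it contains spaces and parentheses."""
    pattern = "^" + re.escape(user_agent) + "$"
    return "\n".join([
        "RewriteEngine On",
        "RewriteCond %{REQUEST_METHOD} POST",
        "RewriteCond %{QUERY_STRING} action=login2",
        f'RewriteCond "%{{HTTP_USER_AGENT}}" "{pattern}"',
        "RewriteRule ^index\\.php$ - [F]",
    ])


if __name__ == "__main__":
    found = profile_login_posts(SAMPLE_LOG)
    for key in suspicious_profiles(found):
        stats = found[key]
        print(f"{stats['hits']} login POSTs from {len(stats['ips'])} IPs, no forum referer, UA={key[0]!r}")
        print(htaccess_rule(key[0]))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the point of keying on user agent plus Referer rather than on address is that the rule stays valid as the attacking IPs churn, while a genuine member who submits the login form from the forum keeps a forum Referer and is never matched.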
TCH-Thomas Posted February 14, 2011

Thanks for the info, Steve.

TCH-Bruce Posted February 14, 2011

Thanks Steve
Dirk Posted February 15, 2011

> The defense against brute force password attacks is for all users to use long random passwords that can't be brute-forced.

That's unrealistic and not really necessary; besides, even complex passwords can be guessed given sufficient time and computing power. There are other things you could do, like tarpitting (i.e. slowing down responses to the requesting host, consuming their resources), staggered-period lockouts, captchas after several unsuccessful attempts, or other random things that only a human could handle. Everything else gets blocked or black-holed...

SteveW Posted February 15, 2011

In spite of my misgivings this time, the upgrade on my forum seems to have gone as smoothly as it always has before. I don't have any official "mods" installed, just an index.template.php that I customized myself, and that wasn't one of the files affected by the upgrade.

> That's unrealistic and not really necessary,

I agree that requiring forum users to conform to password rules (or username guidelines as I suggested was desirable) is unrealistic and that most forum admins, including myself, wouldn't bother, to avoid user confusion or annoyance. On the other hand, any SMF forum admin could use those measures to protect their own account, since an admin's account is the one you really don't want compromised. I consider long random passwords necessary, but if someone insists on using a weak password and using the same one at a forum and Facebook and Twitter and their online bank, that's their problem, not mine. It's easy to create a password strong enough that it can't be guessed over the internet within any reasonable time (like 1000 years).

> slow responses
> lockouts, captchas

I agree, all good ideas. SMF uses a pretty good CAPTCHA on the registration form. I haven't had any bot registrations that I know of. Adding it elsewhere such as the post submission form would require custom coding, as would the slow response and lockout strategies. Unless there's an SMF mod for them. I don't know.

This current "attack" really doesn't seem that effective. The request rate I've seen is slow (1 per 4 minutes), which isn't going to guess anybody's password unless it's "123456" or "password". The SMF admins most concerned about the attack are probably seeing much higher request rates, such that their users can't stay logged in, and it fills up SMF error logs.
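The three countermeasures Dirk lists (tarpitting, staggered-period lockouts, a captcha after several failures), which SteveW notes would need custom coding, fit together in one small policy object. The following is an added example, not code from either poster and not an SMF mod; the thresholds, the window, and the `LoginThrottle` name are assumptions chosen for illustration. The important design choice it demonstrates is that the lockout applies only to new login attempts for the account, so the real user's existing session cookie is left alone, unlike the cookie invalidation described at the top of the thread.

```python
"""Progressive lockout, tarpit delay and captcha trigger for a login handler.

Added example for the thread above; not SMF code and not either poster's.
Per account: a captcha is demanded after CAPTCHA_AFTER recent failures, and
from LOCK_AFTER failures onward the login endpoint is locked for a period
that doubles with each further failure. Per source IP: every recent failure
adds TARPIT_STEP seconds of delay before the password is even checked.
Existing sessions are never touched.
"""
import time


class LoginThrottle:
    CAPTCHA_AFTER = 3        # assumed: failures before a captcha is required
    LOCK_AFTER = 6           # assumed: failures before timed lockouts start
    LOCK_BASE_SECONDS = 30   # first lockout length; doubles per further failure
    LOCK_MAX_SECONDS = 3600  # lockout never grows past an hour
    TARPIT_STEP = 0.5        # seconds of delay added per recent failure from an IP
    TARPIT_MAX = 8.0         # cap so the server is not tied up either
    WINDOW = 900             # failures older than this (seconds) are forgotten

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so the policy can be tested offline
        self.account_failures = {}    # account -> [failure timestamps]
        self.ip_failures = {}         # ip -> [failure timestamps]
        self.locked_until = {}        # account -> unix time the lockout ends

    def _recent(self, table, key, now):
        """Drop timestamps outside WINDOW and return the ones that remain."""
        stamps = [t for t in table.get(key, []) if now - t < self.WINDOW]
        table[key] = stamps
        return stamps

    def check(self, account, ip):
        """Call before verifying a password.

        Returns (allowed, delay_seconds, captcha_required). When allowed is False
        the handler should answer with a generic failure without touching the
        password at all; delay_seconds is the tarpit the handler should sleep
        (or, better, schedule) before responding.
        """
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return False, 0.0, False
        acct = self._recent(self.account_failures, account, now)
        src = self._recent(self.ip_failures, ip, now)
        delay = min(self.TARPIT_MAX, self.TARPIT_STEP * len(src))
        captcha = len(acct) >= self.CAPTCHA_AFTER
        return True, delay, captcha

    def record_failure(self, account, ip):
        """Note a wrong password; returns the lockout applied (0 if none)."""
        now = self.clock()
        self.account_failures.setdefault(account, []).append(now)
        self.ip_failures.setdefault(ip, []).append(now)
        n = len(self._recent(self.account_failures, account, now))
        if n >= self.LOCK_AFTER:
            # staggered periods: 30 s, 60 s, 120 s, ... up to LOCK_MAX_SECONDS
            lock = min(self.LOCK_MAX_SECONDS,
                       self.LOCK_BASE_SECONDS * 2 ** (n - self.LOCK_AFTER))
            self.locked_until[account] = now + lock
            return lock
        return 0

    def record_success(self, account):
        """A correct password clears the account's counters; IP history is kept."""
        self.account_failures.pop(account, None)
        self.locked_until.pop(account, None)


if __name__ == "__main__":
    th = LoginThrottle()
    for attempt in range(8):
        allowed, delay, captcha = th.check("alice", "198.51.100.7")
        if not allowed:
            print(f"attempt {attempt + 1}: account login locked")
            continue
        lock = th.record_failure("alice", "198.51.100.7")
        print(f"attempt {attempt + 1}: delay {delay}s, captcha={captcha}, lock={lock}s")
```

Because the lockout counter is per account while the tarpit is per source address, the distributed pattern from the thread (one account, many IPs) still hits the account lockout, and a single host hammering many accounts still accumulates delay; neither path ever revokes a session that is already logged in.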