The log of the 'Protector' module on one of my sites is filling up with entries.

I have found some very basic documentation on the developer's site, but it fails to explain what entries like:

URI Spam
Dos
CRAWLER

actually mean in terms of a security risk.

I have asked this before, but can anyone *please* explain what these entries represent and how (or if) any action should be taken to deal with them.

This module has been around for ages and is promoted as a benefit, but without any explanation of what it does, I am beginning to doubt whether it does anything at all.

URI Spam means that someone (most likely a robot) is trying to make crap posts with tons of URLs in them to one of your modules. DoS means "denial of service," and that's when somebody hits your site with a frequency (or more likely deploys his botnet to hit your site with a frequency) that your webserver cannot respond. Thus, your webserver will deny the service, and your site won't be visible. A crawler is a robot that crawlers your site looking for email-addresses that can be spammed, and other information that's useful for the bad guys.

There're scores of places on the internet with better information on these things. The bottom line: Protector helps you get keep a check on some of these web creatures and misbehaviors, but the three things you mention don't really damage your site, or hack it open to use it for, say, distribution of malware or something. Those are just nuisances. Protector is important mainly for the real attacks that could compromise your site.

If you get a lot of, say, DoS notices from Protector, it may be that the settings are too restrictive for your particular site. I think there is a threshold of so many hits per second that triggers the DoS defense. Perhaps you need a higher threshold because you have, for instance, a chat module somewhere on the site. If there are many notices, try to find out whether there are many false positives (and users complaining). If there are no false positives, then be happy that Protector is doing a good job fending of some of these things.

The Protector modules does much more important work, such as sanitizing the addresses people request from your website so that there is no malicious code passed to the site through such an http request.

And never forget: Good as it is, even the Protector module can't really prevent that hackers get in should there be some serious security hole. So never feel too safe.

Many thx for that explanation Tobias.

I found the performance of sites improved when installing protector, I am running version 3.xx on my sites and it went from a 5 second to instant display as I had someone attempting to DOS my services, they didn't seem to have a powerful enough bot network.

Is there a site or any documentation specific to this modules settings and how tweaking them effects your site?

It seems like there are so many variables..

Thanks!

There is a very good document for it, right on the Protector download page at GIJOE's site.

http://xoops.peak.ne.jp/md/mydownloads/singlefile.php?lid=105&cid=1&easiestml_lang=xlang%3Aen

How do I install? I don't understand the readme. I'm not very experienced on anything but regular module installs.

Can't really tell you anything else than what's in the instructions, but there are essentially three things to be done now to install it. You need the define the Trustpath and upload the corresponding files there, you need to upload some files to the regular modules directory (where all the modules reside), and you need to patch the mainfile.php. So let's start with the uploads:

1. Trust path: If you have the regular linux server, your website is most likely hosted in a directory called public_html or htdocs. Those are per system settings accessible by the wide world. So the idea with the trust path is to put most of the files that are important for the operation of your site, but which the world doesn't have to see ("see" means that there's a potential for tampering), in a location where the server can work with them, but the world cannot find them. Hence the trust path, which is a modification of the normal XOOPS infrastructure the author of the XOOPS protector module has introduced. It is quite astute. So the idea is that you create a directory which is NOT INSIDE your public_html or htdocs, but parallel to it. Create that directory and call it at your liking. Inside the directory, create another directory called "modules". Upload the entire directory called "protector" from xoops_trust_path/modules from the zip archive into it.

2. Upload the entire directory called "protector" from html/modules from the zip into the "modules" directory where you have all your regular XOOPS modules. It's probably a good idea at this juncture to go to your modules administration inside XOOPS and install the Protector module as you would install any other module. If it throws a lot of errors, try this again after the next step.

3. Now the patching of main.php: Ideally, it is write protected, so you have to change permissions to be able to edit/overwrite it. Locate the line in main.php that starts with: define('XOOPS_ROOT_PATH',... and insert another line next to it that reads:
Of course, you have to edit /path/to/your/... to your needs. It will start the same as the path declared as XOOPS_ROOT_PATH, but where XOOPS_ROOT_PATH will most likely end in htdocs or public_html, XOOPS_TRUST_PATH ends in whatever name you have given to that directory in the first step.
That was the first thing to take care of in mainfile.php. Now the pre-/post-check: Towards the end of mainfile.php, there should be a couple of lines that look something like this here (depending on the XOOPS version, it may vary a little):

You have to add a line before and one after this, so that, in the end, it looks like:

Then save mainfile.php in its original location, and write protect it.

That should be all. The author's instructions are the ones that count. Just recapping it because I see that the instructions can be a little confusing. Hope this helps.

Great post Tobias, you helped me out a lot. Thanks.

Well, the site's been running for a few months now and Protector certainly appears to be doing its job. My guess is that these examples from the log are attempts to obtain passwords?

Type = ISOCOM





Type = DIRTRAVERSAL



I also have several Type = DOS and a few Type = XMLRPC.

Should I ban the IPs for these entries, or is it best to just ignore them?