1
Peekay
Protector... what on earth does it all mean?
  • 2008/4/15 0:03

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


The log of the 'Protector' module on one of my sites is filling up with entries.

I have found some very basic documentation on the developer's site, but it fails to explain what entries like:

URI Spam
Dos
CRAWLER

actually mean in terms of a security risk.

I have asked this before, but can anyone *please* explain what these entries represent and how (or if) any action should be taken to deal with them.

This module has been around for ages and is promoted as a benefit, but without any explanation of what it does, I am beginning to doubt whether it does anything at all.
A thread is for life. Not just for Christmas.

2
Tobias
Re: Protector... what on earth does it all mean?
  • 2008/4/15 23:56

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


URI Spam means that someone (most likely a robot) is trying to make crap posts with tons of URLs in them to one of your modules. DoS means "denial of service," and that's when somebody hits your site with a frequency (or more likely deploys his botnet to hit your site with a frequency) that your webserver cannot respond. Thus, your webserver will deny the service, and your site won't be visible. A crawler is a robot that crawls your site looking for email-addresses that can be spammed, and other information that's useful for the bad guys.

There're scores of places on the internet with better information on these things. The bottom line: Protector helps you keep a check on some of these web creatures and misbehaviors, but the three things you mention don't really damage your site, or hack it open to use it for, say, distribution of malware or something. Those are just nuisances. Protector is important mainly for the real attacks that could compromise your site.

If you get a lot of, say, DoS notices from Protector, it may be that the settings are too restrictive for your particular site. I think there is a threshold of so many hits per second that triggers the DoS defense. Perhaps you need a higher threshold because you have, for instance, a chat module somewhere on the site. If there are many notices, try to find out whether there are many false positives (and users complaining). If there are no false positives, then be happy that Protector is doing a good job fending off some of these things.

The Protector module does much more important work, such as sanitizing the addresses people request from your website so that there is no malicious code passed to the site through such an http request.

And never forget: Good as it is, even the Protector module can't really prevent hackers from getting in should there be some serious security hole. So never feel too safe.

3
Peekay
Re: Protector... what on earth does it all mean?
  • 2008/4/21 20:58

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Many thx for that explanation Tobias.
A thread is for life. Not just for Christmas.

4
wishcraft
Re: Protector... what on earth does it all mean?

I found the performance of sites improved when installing protector, I am running version 3.xx on my sites and it went from a 5 second to instant display as I had someone attempting to DOS my services, they didn't seem to have a powerful enough bot network.
http://www.ohloh.net/accounts/226400

Follow, Like & Read:-

twitter.com/RegaltyFamily
github.com/Chronolabs-Cooperative
facebook.com/DrAntonyRoberts

5
DobePhat
Re: Protector... what on earth does it all mean?
  • 2008/4/23 15:12

  • DobePhat

  • Friend of XOOPS

  • Posts: 656

  • Since: 2003/4/15


Is there a site or any documentation specific to this module's settings and how tweaking them affects your site?

It seems like there are so many variables..

Thanks!

6
avtx30
Re: Protector... what on earth does it all mean?
  • 2008/4/23 15:58

  • avtx30

  • Not too shy to talk

  • Posts: 181

  • Since: 2006/10/12


There is a very good document for it, right on the Protector download page at GIJOE's site.

http://xoops.peak.ne.jp/md/mydownloads/singlefile.php?lid=105&cid=1&easiestml_lang=xlang%3Aen

7
mjz55
Re: Protector... what on earth does it all mean?
  • 2008/4/24 1:48

  • mjz55

  • Quite a regular

  • Posts: 298

  • Since: 2007/1/18


How do I install? I don't understand the readme. I'm not very experienced on anything but regular module installs.

8
Tobias
Re: Protector... what on earth does it all mean?
  • 2008/4/24 7:01

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


Can't really tell you anything else than what's in the instructions, but there are essentially three things to be done now to install it. You need to define the Trustpath and upload the corresponding files there, you need to upload some files to the regular modules directory (where all the modules reside), and you need to patch the mainfile.php. So let's start with the uploads:

1. Trust path: If you have the regular linux server, your website is most likely hosted in a directory called public_html or htdocs. Those are per system settings accessible by the wide world. So the idea with the trust path is to put most of the files that are important for the operation of your site, but which the world doesn't have to see ("see" means that there's a potential for tampering), in a location where the server can work with them, but the world cannot find them. Hence the trust path, which is a modification of the normal XOOPS infrastructure the author of the XOOPS protector module has introduced. It is quite astute. So the idea is that you create a directory which is NOT INSIDE your public_html or htdocs, but parallel to it. Create that directory and name it to your liking. Inside the directory, create another directory called "modules". Upload the entire directory called "protector" from xoops_trust_path/modules from the zip archive into it.

2. Upload the entire directory called "protector" from html/modules from the zip into the "modules" directory where you have all your regular XOOPS modules. It's probably a good idea at this juncture to go to your modules administration inside XOOPS and install the Protector module as you would install any other module. If it throws a lot of errors, try this again after the next step.

3. Now the patching of main.php: Ideally, it is write protected, so you have to change permissions to be able to edit/overwrite it. Locate the line in main.php that starts with: define('XOOPS_ROOT_PATH',... and insert another line next to it that reads:
define('XOOPS_TRUST_PATH','/path/to/your/trust-path');
Of course, you have to edit /path/to/your/... to your needs. It will start the same as the path declared as XOOPS_ROOT_PATH, but where XOOPS_ROOT_PATH will most likely end in htdocs or public_html, XOOPS_TRUST_PATH ends in whatever name you have given to that directory in the first step.
That was the first thing to take care of in mainfile.php. Now the pre-/post-check: Towards the end of mainfile.php, there should be a couple of lines that look something like this here (depending on the XOOPS version, it may vary a little):
    if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '' ) {
        include XOOPS_ROOT_PATH."/include/common.php";
    }

You have to add a line before and one after this, so that, in the end, it looks like:
    include XOOPS_TRUST_PATH.'/modules/protector/include/precheck.inc.php' ;
    if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '' ) {
        include XOOPS_ROOT_PATH."/include/common.php";
    }
    include XOOPS_TRUST_PATH.'/modules/protector/include/postcheck.inc.php' ;

Then save mainfile.php in its original location, and write protect it.

That should be all. The author's instructions are the ones that count. Just recapping it because I see that the instructions can be a little confusing. Hope this helps.
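
A way to sanity-check the result of the three steps above, as an added example that is not part of the original post and not Protector's own code: it reads the text of mainfile.php and reports whether the trust path is defined outside the web root and whether the two includes sit on the right sides of common.php. The function names and the sample paths under /home/example are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

PRE = "/modules/protector/include/precheck.inc.php"
POST = "/modules/protector/include/postcheck.inc.php"
COMMON = "/include/common.php"

def defined_path(mainfile, name):
    """Return the string value of define('NAME', '...'), or None if absent."""
    pattern = r"define\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*['\"]([^'\"]*)['\"]"
    m = re.search(pattern, mainfile)
    return m.group(1) if m else None

def check_mainfile(mainfile):
    """Return a list of problems found in the text of a patched mainfile.php."""
    problems = []
    root = defined_path(mainfile, "XOOPS_ROOT_PATH")
    trust = defined_path(mainfile, "XOOPS_TRUST_PATH")
    if not trust:
        problems.append("XOOPS_TRUST_PATH is not defined")
    elif root:
        r, t = PurePosixPath(root), PurePosixPath(trust)
        if t == r or r in t.parents:
            problems.append("trust path is inside the web root")
    pre, common, post = (mainfile.find(s) for s in (PRE, COMMON, POST))
    if pre < 0:
        problems.append("precheck include is missing")
    if post < 0:
        problems.append("postcheck include is missing")
    if common >= 0 and pre > common:
        problems.append("precheck include comes after common.php")
    if common >= 0 and 0 <= post < common:
        problems.append("postcheck include comes before common.php")
    return problems

# Constructed sample: the relevant lines of a mainfile.php patched as in the steps above.
GOOD = """
define('XOOPS_ROOT_PATH', '/home/example/public_html');
define('XOOPS_TRUST_PATH', '/home/example/xoops_trust');
include XOOPS_TRUST_PATH.'/modules/protector/include/precheck.inc.php' ;
if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '' ) {
    include XOOPS_ROOT_PATH."/include/common.php";
}
include XOOPS_TRUST_PATH.'/modules/protector/include/postcheck.inc.php' ;
"""
# Constructed mistake: the "trust" directory created inside the public web root.
BAD = GOOD.replace("/home/example/xoops_trust", "/home/example/public_html/trust")

if __name__ == "__main__":
    print(check_mainfile(GOOD))
    print(check_mainfile(BAD))
```

To check a real installation, pass the contents of the site's mainfile.php to `check_mainfile`; an empty list means none of these problems were found.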

9
Kainaij
Re: Protector... what on earth does it all mean?
  • 2008/4/29 16:06

  • Kainaij

  • Quite a regular

  • Posts: 256

  • Since: 2004/10/5


Great post Tobias, you helped me out a lot. Thanks.

10
Peekay
Re: Protector... what on earth does it all mean?
  • 2008/10/3 17:31

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Well, the site's been running for a few months now and Protector certainly appears to be doing its job. My guess is that these examples from the log are attempts to obtain passwords?

Type = ISOCOM

Isolated comment-in found. (999/**/union/**/select 000,concat(uname,0x3a,pass)/**/from/**/xoops_users/**/where/**/rank=7/*)


Isolated comment-in found. (99999 union select 0,concat(uname,0x3a,passfrom xoops_users where pass uid=1/*)


Type = DIRTRAVERSAL

Directory Traversal '../../../../../../../../../../../../etc/passwd' found.


I also have several Type = DOS and a few Type = XMLRPC.

Should I ban the IPs for these entries, or is it best to just ignore them?
A thread is for life. Not just for Christmas.
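
What the ISOCOM and DIRTRAVERSAL messages quoted above are reporting, as an added sketch that is not part of the original post and not Protector's own code: a "/*" that is never closed by a later "*/", and ".." used as a path segment. The function names, the matching rules and the two benign samples are assumptions made for illustration; the three logged values are copied from the post.

```python
import re

def unclosed_comment_at(value):
    """Return the index of a '/*' with no later '*/', or -1 if every opener is closed."""
    pos = value.find("/*")
    while pos != -1:
        end = value.find("*/", pos + 2)
        if end == -1:
            return pos  # everything after this point would be commented out
        pos = value.find("/*", end + 2)
    return -1

# '..' as a whole path segment, with either slash style.
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")

def classify(value):
    """Label one request value with the log types from the post that apply to it."""
    labels = []
    if unclosed_comment_at(value) != -1:
        labels.append("ISOCOM")
    if TRAVERSAL.search(value):
        labels.append("DIRTRAVERSAL")
    return labels

# Values copied from the log excerpts in the post above.
LOGGED = [
    "999/**/union/**/select 000,concat(uname,0x3a,pass)/**/from/**/xoops_users/**/where/**/rank=7/*",
    "99999 union select 0,concat(uname,0x3a,passfrom xoops_users where pass uid=1/*",
    "../../../../../../../../../../../../etc/passwd",
]
# Constructed benign values that should not be flagged.
BENIGN = ["see /* the note */ below", "versions 1..2 and docs/readme.txt"]

if __name__ == "__main__":
    for v in LOGGED + BENIGN:
        print(classify(v), v)
```

In the first logged value every "/**/" pair is balanced and stands in for a space; only the final "/*" is unclosed, which is why the entry is reported as an isolated comment-in.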
