BuddyPress.org

@bp-help

good suggestions. thx. 2 of them r new to me, so other people may find them helpful also.

on our sites we r using::

Keith Graham’s most excellent ‘stop-spammer-registrations-plugin’ – https://wordpress.org/plugins/stop-spammer-registrations-plugin/

– has stopped over 53,000 spammers since feb this year! it uses external lookups on StopForumSpam, ProjectHoneyPot, BotScout, (Akismet, which we dont use), others – thus great collective benefit/advance warning of bad traffic. also traps brute force attacks (bad logins/registrations/comment posts, etc), etc. is simple enough to play nice with most plugins.

to try & keep as much load off the front-end of the server as possible, we also have set up:

linux iptables ( & ufw add on )- as the basis of all firewall stuff. also has our manually maintained blacklists & whitelists. various custom rule chains setup. takes a while to get your head around, but is essential.

linux fail2ban – essentially an add on to iptables, puts people in jail for bad behaviour – eg: brute force attacks against ssh, ftp, mail logins. we also have set up custom rules detecting bad activity against wp-login.php itself via fail2ban. am looking to do some more with this.

linux apache – mod-security2, libapache2-mod-evasive, libapache2-mod-antiloris, libapache2mod-spamhaus – which help protect against general bad behaviour, DDOS, blank header attacks, the infamous ‘Loris’ script (which we’ve experienced!), and bot-nets. still assessing how effective these r.

we have also had to tune apache on our VPS for resilience in the face of DDOS type attacks and heavy-handed brute force attacks.

some further good tips here: http://www.dannytsang.co.uk/index.php/apache-2-hardening-tips/ & elsewhere.

linux logwatch – reports various access stats (the good & the bad & the ugly) via email – very useful indeed for checking whther situation is under control (or not).

linux rkhunter – scans for rootkits on the server from time to time – just be sure – & particularly useful if u ever do get infected in hunting down the intruder’s code.

obviously we also have file system bolted down. (there is a good wp plugin to check permissions bolt-down, i forget what its called). we also spend a LONG time analysing logs etc.

anway, that takes care of many of the bad boys, but we r still left with the following problems to crack:

1) we have observed that many bad bots/scripts are exhibiting ‘learning behaviour’ (ie. heuristic) and r finding ways around fail2ban rules/jails, etc. in particular:

a) rotating IP addresses to match ‘ban counts’ – currently we have them wasting an IP address every 3-4 attempts, but they still seem to have an inexhaustable supply, else are spoofing extreamly well.

b) varying their retry period to match the length of jail sentence. (ie. they are not wasting their mips whilst in jail, just enough to detect when they are released,record it, and tune their future responses).

2) content scrapers, probes and bad-bots generally – these r wasting enormous resource on our servers. typically i would suggest such ‘bad traffic’ is responsible for over 50% of total server load (ie. not good at peak times on a busy site). additional problems we r facing here:

a) bad bots often spoof the agent string to pretend to be eg. google, bing, etc. the only way u can tell is by reverse lookup of ip address and try and match to one of well known range of ‘good bot’ addresses. but, despite fact that many ranges are well known, most of them are never actually published or confirmed, many are variable. i am not aware of any definitve list of ip addresses of good bots (though there is http://www.iplists.com/ whichis not bad, & http://www.webmasterworld.com/search_engine_spiders/ which is often helpful – these are very much ‘best efforts/as seen in the wild’ lists.). this problem worsens with the rise of social network agregation services, other (legitimate) content agregators, and personal content aggregating software on mobiles, tablets, etc.

idea: i am thinking of writing a script/plugin/rule to do smart lookup of ip against good bots list, & to automatically maintain that (collective) list. ideally, this is a service that someone like spamhause, or projecthoneypot should offer, since they already have the infrastructure. but, we’ll see. the script will detect traffic ‘purporting to be a SE bot, of any kind and to ban it via iptables if it isnt in the approved list/doesnt check out. the risk is in false positives and harming ones SEO. anyone any thought in this area?

b) probes & sniffers hunting out wp/bp forms, ajax ports, plugin files, forms, etc – in advance of main attack by penatration/spamming bots. typically always use swiftly rotated ip’s. many many variants out there. usually they have no luck on our sites, but that does not stop them trying in vast numbers (bot-nets, collectives? hives?) and harming out response times, etc.

idea: url obfuscation has been brought up on this forum before, particularly for eg: login, registration, admin url’s, etc. i am thinking of creating a plugin to dynamically hash encode links of choice using someething based on wp forms nonce system. not only useful for causing probes & hackers pain, but also to help thwart media thieves. obviously, scripters will soon respond by just snanning for link titles in html, so not bullet proof in any way, but they will at least be on 1-time request code, so causing them page reload every request & less sophisticted scripts will be totally wasting their own time.

anyway. these have been my thought so far. would love to hear experience/insights of others.

unfortuntely wordpress & buddypress sites in particular represent the richest of prizes for hackers, content scrapers, spammers, etc – & they r really on our case. furthermore, there is some BIG money involved, from porn to pharma to credit card fraud; that means some very smart programmers being paid excellent rates, to hack our systems, full time. add to that, the 10’s of millions of infected machines out there (often unknowingly) operating as botnet drones, trying to pernetrate our servers 24×7, steal our machine resources and steal our members personal data. it is a war of attrition.

all further experience, ideas welcome, here.

@bphelp thanks for your feedback, the site isn’t mine, just thought others might benefit

speaking of spam, what do you think of the sandbox idea I shared here?
https://buddypress.org/support/topic/idea-stopping-spammers-with-sandbox/

since you have the knowledge and experience writing plugins, can you comment on how feasible it is? could you write it?

It is on the menu bar at the top left under where it has the Home, About menu options.

Thanks

Thanks @BPHelp & @ubernaut

I have installed BP-Spamkiller though I haven’t made the community private. I’m still considering if that might be appropriate for me.

One issue I have is there is a link on my homepage to the ‘Spam-prevention’ page. I don’t think that should be there. Would this still work if I didn’t make that page public or I made it a sub-page of another page?

I have installed WangGuard too which seems to be working nicely.

There is a temporary issue at my host company 1and1 whereby ‘Access denied’ is displayed on my homepage. I mention this just in case you notice it. They assure me it will be resolved soon.

Thanks to you both for taking the time to respond.
http://www.whichinvestmenttrust.com

@ubernaut the scenario you outline is possible. that I can agree with. but I don’t think any reasonable person would respond by ‘leave never to return the interesting but apparently broken site’ if they didn’t immediately see their friend on the site.

to clarify, the (new) member would be shown and included in the membership directory – if there is one – but their activity would not be for a short time, say 1 day, assuming the admin are active and flag or approve users immediately upon the new user having some activity to flag or approve in the first place

@shanebp the very nature of the functionality is that it is *not* explained, the user doesn’t know they are in a sandbox! (like a user being ‘shadow banned’) otherwise the benefit that this would confer is totally erased.

please explain why would this result in a flurry of support submissions? the new user sees their own activity being reflected on the site, for what reason would they ask for help? they write, comment, etc and it is shown to them on the site as normal, so nothing is wrong as far as they are concerned. except it is only shown to them, not everyone (until the admin approves them and removes them from the sandbox)

having said that, I do appreciate your feedback and criticism, that is why I shared the idea in the first place, to get some reaction and ideas so we know if this is feasible and perhaps to improve upon the original idea

@bphelp thanks, I’ll take a look at that plugin but it lacks this specific functionality as you already mentioned

@shanebp how is this ‘too complicated’? I also like using the community to flag spam but that only finds spam after the fact, what if you could ID spammers *before*? wouldn’t that be even more valuable? or why not both?

Thanks for your help and your reply @BPhelp.

I think your suggested solution is perhaps a wee bit too technical for me. Is there a Pluggin that would suffice?

BP Spam killer is not available as a WP Pluggin. I’ve searched WP’s pluggins using many variants of the spelling/arranging of the term BP Spam killer.

I’m not at all clear of the implications of setting my BP community to private are.

I have attempted to learn more about all of your suggested solutions via the links and further Google searches but I haven’t succeeded in finding out enough information to leave me confident of proceeding.

I’m not sure enough of the terminology either. I think Slug might refer to a URL that has delved in to a website but I’m not sure.