
Our vBulletin system is under constant attack, raising CPU load and making the system very slow for legit users. The attack is a script-type attack that is attempting to log in and/or create new login IDs (mostly it is trying to create login IDs in order to spam the site).

In vBulletin, we have blacklisted large ranges of IPs, which has helped a lot, but the attacks continue.

Is there an automated way to protect the application or web server?

Ideally, the protection would detect the pages accessed and automatically blacklist the IP.

Jonesome Reinstate Monica

5 Answers


Besides the above answers, you can use Bad Behavior, which is a PHP-level filter based on several open blacklists and its own user-agent blacklist. It has already been integrated with vBulletin.

blau
    Bad Behavior is designed mostly to stop spam registrations and posts, though it does work fairly well for stopping some malicious attacks. I should know, I wrote it. :) – Michael Hampton Oct 06 '13 at 21:07

Filtering normal traffic from hacks is difficult. How to do it depends on why the traffic is consuming excessive load on your service.

If it is a SYN flood, you could mitigate that with firewall rules that limit the number of connections a host can open. This is easy to do using iptables with the connlimit module.

You could consider using cloudflare or something like it, or your own reverse proxy, to take the load of processing obviously invalid requests off of your actual service.

If the DoS is the result of an exploit in vBulletin, you should address that with the application vendor and patch.

Falcon Momot

Depending on the "signature" of the attack, you can use fail2ban to help you out as well. For example, if they keep trying to log in, vBulletin's 5-login-attempts protection is not enough, as the server will still serve content. By using fail2ban you may configure it so that if someone is calling the login script more than e.g. 5 times within 5 minutes, it will add a -j DROP iptables rule for that IP.

If this is a DDoS you may need to contact your provider to help you mitigate this.

Lastly, it is wise to protect your admincp directory with .htaccess and always check whether there are plugins/products installed that don't "add up".

If you specify what you mean by "under attack" you will probably get better answers.

manjiki
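As an added example (not part of manjiki's answer, and not fail2ban's own code), here is the detection logic that the fail2ban jail described above applies, written out in Python so it can be run against a few constructed Apache access-log lines: a regex in the shape of a fail2ban `failregex` that matches hits to vBulletin's login and registration scripts, a sliding window of findtime = 300 s with maxretry = 5, and the `iptables ... -j DROP` command for each offender. The script paths (`/login.php`, `/register.php`), the log path in the comment, and the sample log lines are assumptions; the sample also includes a slow registration bot that stays under the 5-minute window, which a larger findtime would catch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Equivalent fail2ban configuration (assumed paths; adjust logpath to your vhost):
#   /etc/fail2ban/filter.d/vbulletin-login.conf
#     [Definition]
#     failregex = ^<HOST> -.*"(?:GET|POST) /(?:login|register)\.php
#     ignoreregex =
#   /etc/fail2ban/jail.local
#     [vbulletin-login]
#     enabled  = true
#     filter   = vbulletin-login
#     logpath  = /var/log/apache2/access.log
#     port     = http,https
#     maxretry = 5
#     findtime = 300
#     bantime  = 3600

# fail2ban-style pattern; <HOST> is the placeholder fail2ban expands itself.
FAILREGEX = r'^<HOST> -.*"(?:GET|POST) /(?:login|register)\.php'
LINE_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))
TS_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")

# Constructed Apache combined-format log lines (not real traffic):
#  - 203.0.113.7 hammers login.php five times in 90 seconds
#  - 198.51.100.4 is a normal user with one login
#  - 192.0.2.9 posts to register.php every 3 minutes (slow bot)
SAMPLE_LOG = """\
192.0.2.9 - - [06/Oct/2013:21:00:00 +0000] "POST /register.php?do=addmember HTTP/1.1" 200 700 "-" "python-requests/2.0"
203.0.113.7 - - [06/Oct/2013:21:00:01 +0000] "POST /login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Oct/2013:21:00:03 +0000] "GET /forumdisplay.php?f=2 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Oct/2013:21:00:15 +0000] "POST /login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Oct/2013:21:00:40 +0000] "POST /login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Oct/2013:21:01:02 +0000] "POST /login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Oct/2013:21:01:30 +0000] "POST /login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Oct/2013:21:02:00 +0000] "POST /login.php?do=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Oct/2013:21:03:00 +0000] "POST /register.php?do=addmember HTTP/1.1" 200 700 "-" "python-requests/2.0"
192.0.2.9 - - [06/Oct/2013:21:06:00 +0000] "POST /register.php?do=addmember HTTP/1.1" 200 700 "-" "python-requests/2.0"
192.0.2.9 - - [06/Oct/2013:21:09:00 +0000] "POST /register.php?do=addmember HTTP/1.1" 200 700 "-" "python-requests/2.0"
192.0.2.9 - - [06/Oct/2013:21:12:00 +0000] "POST /register.php?do=addmember HTTP/1.1" 200 700 "-" "python-requests/2.0"
"""


def parse_line(line):
    """Return (ip, timestamp) for a login/register hit, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = TS_RE.search(line)
    if not t:
        return None
    ts = datetime.strptime(t.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts


def find_offenders(lines, findtime=300, maxretry=5):
    """Return {ip: ban_time} for IPs with >= maxretry hits inside a findtime window."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)   # per-IP timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        if ip in banned:        # already DROPped; the server would not see these
            continue
        q = hits[ip]
        q.append(ts)
        while ts - q[0] > window:   # expire hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def iptables_ban_command(ip):
    """The rule manjiki's answer describes: drop everything from the offender."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{when.isoformat()} ban {ip}: {iptables_ban_command(ip)}")
```

Note the failure mode the sample shows: the slow bot at 192.0.2.9 never has five hits inside 300 seconds, so with findtime = 300 it is never banned, while findtime = 900 catches it. Raising findtime, or lowering maxretry for register.php specifically, is the knob to turn when the attacker paces itself.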

The answers above are mostly for network-level attacks; I am assuming that you are talking about application security. A nice drop-in solution is the following:

Use a WAF (Web Application Firewall). There are quite a few closed-source/turnkey solutions, but depending on your web server you can use:

The usual requirements apply: keep your servers patched, monitor logs, etc.

You can find more information about WAFs in general in the excellent OWASP page: https://www.owasp.org/index.php/Web_Application_Firewall

thanasisk

You can use http://www.spambotsecurity.com/zbblock.php and http://sourceforge.net/projects/iosec/ . These PHP scripts helped a lot with the same problem on our forums.