scribblet

Hi and hope this is the right thread...

I had to close my first forum due to trolls and possible hack attempts. I did check out the IPs but the site I used said 'not proxy'.... it was wrong, how can you tell if a new registration is using a proxie?

thanks

__________________
Come in and check us out,
http://www.friendshipgarden.easyfreeforum.com/index,eff,16140.html

Resonate

The widespread abuse of proxies started years ago with a program called Wingate. Before Windows had Internet connection sharing built in, people with a home network needed a way to route all their machines’ Internet traffic through a single dialup. Wingate served this purpose, but unfortunately it shipped with an insecure default configuration. Basically anyone could connect to your Wingate server and telnet back out to another machine on another port. The company that wrote the software eventually closed the hole, but the original versions were widely deployed and infrequently upgraded.

Turning to the modern day, we see a second trend in proxy use. Web traffic has grown at a phenomenal rate over the past 7 years. Companies and ISPs often turn to caching proxy servers to reduce the tremendous load on their networks. In order to satisfy the demands of their content-hungry users, these proxy servers are often configured to proxy any port, with little regard to security. If there are no access controls blocking connections from outside the network, it makes it possible to anonymously portscan the entire TCP port range of other outside systems. Even worse, some proxies will allow you to connect in reverse; to machines on a company’s internal network. This flaw has been thoroughly exploited in companies such as WorldCom, Excite@Home and others.


Unsecured proxies currently are the most significant conduit of junk email, best known as SPAM. This is a particularly vexing problem, because open proxies, unlike open mail relays, hide the origin of the spam, making it impossible to trace. Proxies can also be installed by online criminals, in order to eavesdrop upon the dataflow between the client machine and the web. All accessed pages, and also, all forms submitted (including passwords), can be captured, analysed and used by the proxy operator. Other possible uses for proxy servers is being able to vote more than once in sites that allow only one vote per IP address. Switching proxies (or using proxies that change their IP address in every request) would allow them to artificially inflate any given rating at those sites.


Is it possible to detect proxy servers? Most proxies will add headers to HTTP connections in order to let the server know the user is behind a proxy. This fact can be exploited by the server to spot people hiding behind them and stop them. Recently, there has appeared a myriad of so-called “elite” proxies or “high-anonimity” proxy servers that completely hide the client’s IP and do not send any special headers, making them look as any other website. In this case, webmasters need to develop better countermeasures in other to spot them, such as the use of proxy server blacklists.


What follows is a short PHP script that makes use of 2 PHP classes (XIP and Defensive Attack), two excellent examples of how to detect and ban users hiding behind open proxy servers.

<?php
require_once(’class.php4.DefensiveAttack.php’);
//Create object
$def_attack = new DefensiveAttack(’my.sitename.com’);
//Set my IP address
$def_attack->SetMyIpAddress(’SERVER_IP’);
require(’class.XIP.php’);
$XIP=new XIP();
$ip =$XIP->IP[’client’]; // Find the IP received by the server
$blacklist=implode(”, file(”blacklist.txt”)); // Load blacklist from the filesystem (a list of IP addresses)
if ($XIP->CheckNet($blacklist, $XIP->IP[’client’])) die(”Blacklisted Proxy DETECTED<br>”) ;
// Check IP for Known open proxies. Uses SPAMCOP services to detect well-known spammers’ IP addresses
$handle = @fopen(”http://www.spamcop.net/w3m?action=checkblock&ip=$ip”, “rb”);
stream_set_timeout($handle,$timeout);
$contents = ”;
while (!feof($handle))
{
$contents .= @fread($handle, 8192);
}
fclose($handle);
if ( preg_match(”/$ip\s*listed in \w*\.spamcop\.net/”,$contents) )
{
die(’IP Listed in Spamcop!’);
}
if ($XIP->Proxy[’detected’])
{
die(”Proxy DETECTED<br>”) ;
}
//Looking for proxy. Uses the other class.
if ($def_attack->IsUseProxy())
{
die(”You are using proxy<br>”);
}
//Check referer if I do not want direct access to my site.
if (false === $def_attack->CheckReferer())
{
die (”Access deny. Direct access not allowed<br>”);
}
?>

These methods are only just a few of the possibilities but they should serve as a starting for webmasters wanting to protect their sites. As malicious users devise ever smarter tools to circumvent server security, site owners must stay on their toes and develop new, better countermeasures. One thing to remember is that proxy lists change every hour, so if you choose to use blacklists, you should renew them frequently (2-3 times a day).

Honestly my friend i ask you why bother, you can block proxies but as i mentioned you face new ones within an hour, i simply suggest finding a better more secure web host.



Hope this helps...

__________________

scribblet

Thanks for all that info. My first forum was on IPBfree, it's a very popular one.
As far as security goes, they didn't get in to the ACP panel but tried, security would be in how good your password is - right?

The invader is well known on a number of forums, and has been banned on most of them, she apparantly has a genuine mental illness. She is adept at using proxies and re-registering with different aliases, and getting around bans, so security per se really isn't the issue. It's how to stop people from registering using a proxy. So far she hasn't found the new one, and lets hope she's not reading this.

What I really need to know is how to plug in the IP number and have the site tell me if it is a proxy...

many thanks for your input.

__________________
Come in and check us out,
http://www.friendshipgarden.easyfreeforum.com/index,eff,16140.html

irrdev

I am curious to know, but might now proxy banning be enabled through .htaccess? I know that this method is proven against spam robots which don't identify themselves.

__________________

Resonate

You may well ban her IP but using a proxy re-directed over the globe she will be able to gain access again, just make sure you cover your back strong passwords mixed case & numbers along with latest securitty updates. That is the strongest force against her you possibly have.

__________________