Sluggish site
Paul Beuk
#1
Posted on 03-09-2019 14:57
Super Administrator

Location: Netherlands
Posts: 17272
Joined: 11.05.04

You have all been very nice not to nag me about the sluggishness of the site in the recent period. I posted a short message about this in the shoutbox but will make a more formal post now.

The sluggishness is partly due to frequent attempts to hack the site. There are attempts to run code on the site or to upload or install rogue scripts first. Hackers try to run non-existing scripts or abuse existing scripts to gain access to the server. Especially when they try to abuse existing scripts it can lead to a heavy load on the server when it tries to execute them as genuine queries. Compare it to asking the finance department for a copy of invoice 876-7656-B15 while it does not exist. The finance department has no reason to assume it does not exist and soon everyone is searching for the original, at the same time dropping their regular work. That is when you have to wait and wait and wait for the department to resume their ordinary duties. [In the past the site was similarly slow when searchbots tried to index the site from garbled links.]

I have looked through the server's access log of the last 24 hours and have identified more than 20 attempts to hack the server. One of these was a very serious attempt, lasting almost three minutes; several others were shorter scripts that were run to test the server for vulnerabilities. All the relevant IPs were blacklisted. In addition to these more than 20 IPs there were more than 50 probes to see if the site ran on one or other version of WordPress (which it does not). Luckily these probes were limited to just one or two requests that were not satisfactorily answered and the probes stopped.

While wading through the log I stumbled across some strange page requests which I assume for now have to do with attempts to spam the site. These requests used the same method as described above (the 'copy of the non-existing invoice' method) and I expect that those requests also slowed the site down quite frequently. The culprits' IPs were also blacklisted.

I will scan the log frequently now, especially when I notice the site is sluggish. Hopefully I can keep the inconvenience caused by these rogue visitors limited.
Paul

- - - -

Paul Beuk on https://diptera.info
 
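The triage Paul describes above (requests for scripts that do not exist, existing scripts called with injected parameters, WordPress probes on a site that does not run WordPress, and blocklisting the source IPs) can be done as a first pass over the web server's access log. The following Python is an added example and not a tool from the post or from diptera.info: the combined-format log lines are constructed (documentation IP addresses, invented paths), and the probe patterns are an assumption about what such traffic looks like, to be tuned to the site's real scripts.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache/nginx "combined" format (documentation IPs,
# invented paths).  The injected query strings are the "abuse of an existing
# script" case; the 404s on .php names are requests for scripts that do not
# exist, the "copy of a non-existing invoice" case.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Sep/2019:13:02:11 +0200] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Sep/2019:13:02:12 +0200] "GET /wp-admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.99 - - [03/Sep/2019:13:05:40 +0200] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Sep/2019:13:10:40 +0200] "GET /forum/thread.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5123 "-" "python-requests/2.22"
198.51.100.23 - - [03/Sep/2019:13:10:41 +0200] "GET /images/shell.php HTTP/1.1" 404 196 "-" "python-requests/2.22"
198.51.100.23 - - [03/Sep/2019:13:10:41 +0200] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 812 "-" "python-requests/2.22"
192.0.2.55 - - [03/Sep/2019:13:15:09 +0200] "GET /forum/thread.php?id=4321 HTTP/1.1" 200 24110 "-" "Mozilla/5.0"
192.0.2.55 - - [03/Sep/2019:13:15:10 +0200] "GET /images/logo.png HTTP/1.1" 200 9033 "-" "Mozilla/5.0"
"""

# Only the fields the triage needs are captured from the combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Request shapes no page on this site produces (assumed; tune per site).
PROBE_RE = re.compile(
    r"^/wp-(?:admin|login|content|includes)"        # WordPress, not run here
    r"|^/xmlrpc\.php"
    r"|/(?:shell|cmd|c99|r57)\w*\.php"               # common web-shell names
    r"|\.\./"                                        # directory traversal
    r"|/etc/passwd"
    r"|\b(?:union\s+select|base64_decode|eval\()",   # SQL / code injection
    re.IGNORECASE,
)


def parse_line(line):
    """Return (ip, path, query, status) for one combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m["target"])          # decode %20 etc. before matching
    path, _, query = target.partition("?")
    return m["ip"], path, query, int(m["status"])


def classify(path, query, status):
    """'probe' for known attack shapes, 'missing-script' for a 404 on a script
    name (load for nothing, as in the invoice analogy), else None."""
    if PROBE_RE.search(path + "?" + query):
        return "probe"
    if status == 404 and path.endswith((".php", ".cgi", ".asp", ".aspx")):
        return "missing-script"
    return None


def triage(log_text, threshold=2):
    """Group suspicious requests per IP; return (hits, ips_to_block).

    hits maps ip -> [(label, request), ...]; an IP is listed for blocking
    once it has at least `threshold` suspicious requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, query, status = parsed
        label = classify(path, query, status)
        if label:
            hits[ip].append((label, path + ("?" + query if query else "")))
    block = sorted(ip for ip, reqs in hits.items() if len(reqs) >= threshold)
    return dict(hits), block


if __name__ == "__main__":
    hits, block = triage(SAMPLE_LOG)
    for ip, reqs in sorted(hits.items()):
        print(ip, len(reqs), "suspicious request(s)")
        for label, req in reqs:
            print("   ", label, req)
    print("block:", " ".join(block))
```

The threshold keeps a single mistyped link or a one-off probe out of the blocklist; the injected-parameter checks matter most, because those requests return 200 and cost the server real work rather than a cheap 404.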
eklans
#2
Posted on 03-09-2019 15:38
Member

Location: Franconia, Germany
Posts: 206
Joined: 11.11.18

Hi Paul, thanks for the information.
I know these problems and I commiserate with you!

Greetings Eric
 
johnes81
#3
Posted on 03-09-2019 17:19

Member

Location: Berlin, Germany
Posts: 1878
Joined: 15.10.16

I've noticed the load at times. I often wonder if someone is trying to brute force accounts. I don't know which forum software is used and it shouldn't be discussed here. Usually, forum software is well-coded but often has vulnerabilities. Updating software is best to close known vulnerabilities. Server-side protection is of utmost importance including load-balancing.

I use randomly generated CSRF tokens with all of my POST data. I'm building a website which is nearly complete. I don't know why forum developers do not implement CSRF more often. I use a main index file and all other requests are ignored. Too bad forum developers aren't keeping up with security designs.

John and Nini. Naturalists not experts.
 
pierred
#4
Posted on 14-09-2019 21:50

Member

Location: Paris (France)
Posts: 1292
Joined: 21.04.05

Thanks for the information, Paul.
We all face such attempts, more or less sophisticated.
In my experience, looking at the logs is useful and necessary, in particular at the SQL error logs (which show how the attacker attempts to gain access).
Pierre Duhem
 
John Carr
#5
Posted on 26-09-2019 22:45

Member

Location: Massachusetts, USA
Posts: 7306
Joined: 22.10.10

Unfortunately many hacking attempts come from botnets and the next one will be from an IP address you have never seen.
 
http://www.flickr.com/photos/31715949@N00
johnes81
#6
Posted on 28-09-2019 16:00

Member

Location: Berlin, Germany
Posts: 1878
Joined: 15.10.16

I use CSRF tokens with POST forms but they require restrictive XSS coding to work.
function code (PHP):

function csrf_token(string $secret, string $info, int $ttl): string
{
    $salt  = bin2hex(random_bytes(32));
    // HKDF over SHA3-512; $ttl is bound into the info so it cannot be altered unnoticed
    $key   = bin2hex(hash_hkdf('sha3-512', $secret, 0, $info . "\0" . $ttl, $salt));
    $token = join('-', [$salt, $key, $ttl]);
    return $token;
}


My original token lacked the joining method, which was corrected by a security expert.
The secret is stored as a session variable for reconstruction and validation of the token.
I also implement random names and values for form input controls including submit buttons.

Rate limiting and load balancing are critical on the server.
A good host will do this automatically.
John and Nini. Naturalists not experts.
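The token construction in this post (and the CSRF tokens johnes81 mentions in post #3) can be shown end to end, including the validation step the post only describes: the key is re-derived from the session secret, the form name and the expiry carried in the token, and compared in constant time. The following is an added Python rendering of the same construction, not the poster's PHP and not code from any forum software. HKDF is implemented per RFC 5869 over SHA3-512 (the PHP length 0 means one hash output, 64 bytes here); the per-session secret, the form name `post_reply` and the 15-minute lifetime are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

HASH = hashlib.sha3_512        # the hash the post's hash_hkdf() call names


def hkdf(ikm, salt, info, length=None, hash_fn=HASH):
    """RFC 5869 HKDF: extract with `salt`, then expand `info` to `length` bytes."""
    if length is None:
        length = hash_fn().digest_size       # PHP's length=0 means "one hash"
    prk = hmac.new(salt, ikm, hash_fn).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_fn).digest()
        okm += block
        counter += 1
    return okm[:length]


def _info(form_name, expiry):
    # Binding the expiry into the derivation means editing the third token
    # field changes the expected key, so a tampered token fails validation.
    return form_name.encode() + b"\0" + str(expiry).encode()


def make_token(secret, form_name, lifetime=900, now=None):
    """Return 'salt-key-expiry' for one rendered form; `secret` is per session."""
    now = int(time.time()) if now is None else now
    expiry = now + lifetime
    salt = os.urandom(32)                    # fresh per token, like random_bytes(32)
    key = hkdf(secret, salt, _info(form_name, expiry))
    return "-".join([salt.hex(), key.hex(), str(expiry)])


def check_token(token, secret, form_name, now=None):
    """True only if token derives from `secret` for this form and is not expired."""
    now = int(time.time()) if now is None else now
    try:
        salt_hex, key_hex, expiry_str = token.split("-")
        salt, key = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        expiry = int(expiry_str)
    except ValueError:
        return False                         # malformed token
    if expiry < now:
        return False                         # stale form
    expected = hkdf(secret, salt, _info(form_name, expiry))
    return hmac.compare_digest(expected, key)  # constant-time comparison


if __name__ == "__main__":
    session_secret = os.urandom(32)          # assumed: generated once per session
    token = make_token(session_secret, "post_reply")
    print(token)
    print("valid:", check_token(token, session_secret, "post_reply"))
    print("wrong form:", check_token(token, session_secret, "edit_profile"))
```

Nothing needs to be stored per token: the server keeps only the session secret, and the salt in the token lets every rendered form carry a distinct value. The design still stands or falls on the XSS point the post makes, since a script running in the page can read the token and submit the form itself.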
 
johnes81
#7
Posted on 29-09-2019 17:18

Member

Location: Berlin, Germany
Posts: 1878
Joined: 15.10.16

I just noticed something interesting while viewing the index page: error reporting is not disabled. Errors should only be visible when a site is in development. Disable the errors to avoid free tips for script kiddies. Now I wonder if remote file inclusion is disabled too.
John and Nini. Naturalists not experts.
 