Author Topic: ZBBlock 0.7.0 Released - PHP Site Protection Software.  (Read 782 times)

Offline ConligWX

  • Forecaster
  • *****
  • Posts: 843
  • #conligwx
    • conligwx.org
ZBBlock 0.7.0 Released - PHP Site Protection Software.
« on: May 10, 2020, 08:56:27 AM »
Hi guys.

I know some of you guys use ZBBlock on your sites to get rid of the unwanted bots etc. Thought I'd just let you all know a new version has been released.

The newer version adds some important new features:

Code:
Optional Apache-Style Access Logger
Reset Counter on Killed_Log Cycle
Wordpress Compatibility Flag
Region and Country Blocks
Bot-Browser Detection (BOBUAM module)
Isolated Error Log

More info here: https://www.zb-block.net/zbf/showthread.php?t=429

This also includes an updated WordPress honeypot for bots trying to log in using /wp-login.php and /wp-config.php even if you don't have WordPress installed.
« Last Edit: May 10, 2020, 11:59:56 AM by ConligWX »
Regards Simon
Davis Vantage Pro2 Plus (6162UK) • Daytime FARS • WeatherLink Live • AirLink • PurpleAir PA-II-SD • CumulusMX •


Offline Ian.

  • Forecaster
  • *****
  • Posts: 460
    • Chatteris Weather
Re: ZBBlock 0.7.0 Released - PHP Site Protection Software.
« Reply #1 on: May 10, 2020, 06:17:49 PM »
Thanks Simon, all up and running now :-)
CWOP - DW3371
PWS - ICAMBRID16
https://www.chatteris.biz

Offline broadstairs

  • Forecaster
  • *****
  • Posts: 861
Re: ZBBlock 0.7.0 Released - PHP Site Protection Software.
« Reply #2 on: May 11, 2020, 05:49:32 AM »
I just tried that link with two different browsers but neither accessed the site for me. Pretty useless really. No explanation as to why it redirects to 127.0.0.1.

Stuart

Actually make that 3 now, well now 4, on two systems - ridiculous. Can't even access chatteris.biz as well. Now the mail your script created got bounced so I am unable to report it!
« Last Edit: May 11, 2020, 05:58:14 AM by broadstairs »
Ecowitt GW1003 with ultrasonic wind gauge, lightning sensor and PM2.5 sensor with Personal Weather Tablet as a console.

Offline ConligWX

  • Forecaster
  • *****
  • Posts: 843
  • #conligwx
    • conligwx.org
Re: ZBBlock 0.7.0 Released - PHP Site Protection Software.
« Reply #3 on: May 11, 2020, 06:01:33 AM »
If it's just a web browser agent out of date it would throw up a 403 page of why. Since you are redirected to 503, that is classed as:

Code:
; *** Heavy Hit
; Instantly ban (503) any IP that has a "score" of more than x many points. Designed to detect
; multi-method hacks, and extreme egregiousness.
;
; values: (All positive numbers valid, these are guidelines.)
;   0 = off
;   3 = Tight but relatively safe setting.
;   5 = Generous and very safe.
;   7 = Instantly ban only the worst hacks.
; Default: heavy_hit = 3
heavy_hit = 3

Code:
; *** 503 switch to redirect Count
; How many times an IP can trigger a 503 before the script just tells the attacker that the site
; has moved to 127.0.0.1 and dies the connection. Even less spendy on bytes.
;
; values:
; 0      Turn off
; 3      Allow 3 503s then send them to themselves.
; default: die_503 = 0
die_503 = 3

Not my words but ZBBlock's. Try hitting my website:

https://www.conligwx.org then I can see why it has blocked.

« Last Edit: May 11, 2020, 06:06:52 AM by ConligWX »
Regards Simon
Davis Vantage Pro2 Plus (6162UK) • Daytime FARS • WeatherLink Live • AirLink • PurpleAir PA-II-SD • CumulusMX •
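
Added example, not part of the thread and not ZBBlock's own code: a Python model of how the two settings quoted above interact, showing why a banned IP ends up at 127.0.0.1 without ever seeing a reason page. It assumes a ban persists for later clean requests from the same IP, that any non-zero score below the threshold yields the 403 reason page, and that state is held in memory; the class, method names and sample IP are constructed.

```python
from collections import defaultdict

class Escalation:
    """Model of the heavy_hit / die_503 comments in the quoted config."""

    def __init__(self, heavy_hit=3, die_503=3):
        self.heavy_hit = heavy_hit          # 0 = off
        self.die_503 = die_503              # 0 = off
        self.banned = set()
        self.count_503 = defaultdict(int)

    def decide(self, ip, score):
        """Return the response for one request carrying a signature score."""
        # "Instantly ban (503) any IP that has a score of more than x points"
        if self.heavy_hit and score > self.heavy_hit:
            self.banned.add(ip)
        if ip in self.banned:               # assumption: the ban outlives the bad request
            self.count_503[ip] += 1
            # "Allow 3 503s then send them to themselves"
            if self.die_503 and self.count_503[ip] > self.die_503:
                return "redirect 127.0.0.1"
            return "503"
        # assumption: a lesser hit gets the 403 page that states the reason
        return "403" if score > 0 else "allow"

    def replay(self, ip, scores):
        return [self.decide(ip, s) for s in scores]

if __name__ == "__main__":
    ip = "203.0.113.7"                      # constructed documentation address
    # One heavy hit, then four clean retries (e.g. from other browsers).
    print(Escalation().replay(ip, [5, 0, 0, 0, 0]))
    # Same traffic with the redirect switched off: 503 every time.
    print(Escalation(die_503=0).replay(ip, [5, 0, 0, 0, 0]))
```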


Offline broadstairs

  • Forecaster
  • *****
  • Posts: 861
Re: ZBBlock 0.7.0 Released - PHP Site Protection Software.
« Reply #4 on: May 11, 2020, 06:10:22 AM »
I get the 403 from your site as well. My UA says firefox 74 on linux x86-64, nothing wrong with that.

Code:
Record #: 103
Time: Mon, 11 May 2020 10:06:26 UTC
Host / ISP: host-xx-2-171-150.as43234.net
Geohost: xx.2.171.150.EU.GB.13285.opaltelecom-as (xx.2.0.0/15)
IP Address: xx.2.171.150
Post:
Query:
Stripped Query:
Referer:
User Agent: Mozilla/5.0(X11;Linux x86_64,rv:45.0) Gecko/20200101 Firefox/74.0
Reconstructed URL: http:// www.conligwx.org /

I just mangled the IP btw.

Stuart
Ecowitt GW1003 with ultrasonic wind gauge, lightning sensor and PM2.5 sensor with Personal Weather Tablet as a console.

Offline ConligWX

  • Forecaster
  • *****
  • Posts: 843
  • #conligwx
    • conligwx.org
Re: ZBBlock 0.7.0 Released - PHP Site Protection Software.
« Reply #5 on: May 11, 2020, 06:19:41 AM »
Why blocked: Malformed UA (BOTB-30/FF). Malformed UA (BOTB-31/MZ). 

UA is user Agent.

User Agent: Mozilla/5.0(X11;Linux x86_64,rv:45.0) Gecko/20200101 Firefox/74.0

This line appears to me malformed and not correct. It has been modified. A genuine user will not change this UA string. Bot browsers are known to use unknown or malformed UAs, so it is either flagged, or in this case blocked.

So, zbblock is doing what it is intended to do: block malicious UAs and block IPs based on its CIDRAM and Blocklists settings.
« Last Edit: June 08, 2020, 06:41:50 AM by ConligWX »
Regards Simon
Davis Vantage Pro2 Plus (6162UK) • Daytime FARS • WeatherLink Live • AirLink • PurpleAir PA-II-SD • CumulusMX •
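
Added example, not part of the thread and not ZBBlock's BOBUAM code: a Python check of a Firefox-claiming User Agent against the desktop layout Mozilla documents, `Mozilla/5.0 (platform; rv:geckoversion) Gecko/20100101 Firefox/firefoxversion`, run on the string quoted above. The finding labels are constructed here and are unrelated to the BOTB-30/FF and BOTB-31/MZ rule names; the well-formed sample strings are constructed too.

```python
import re

DESKTOP_GECKO_TRAIL = "20100101"   # constant in desktop Firefox UAs (Android differs)

def firefox_ua_findings(ua):
    """Return a label for each deviation from the layout; [] means well-formed."""
    if "Firefox/" not in ua:
        return []                                # only Firefox-claiming UAs are in scope
    findings = []
    if not ua.startswith("Mozilla/5.0 ("):
        findings.append("prefix")                # product token, one space, then "("
    comment = re.search(r"\(([^()]*)\)", ua)
    if comment is None:
        findings.append("no-comment")
    elif re.search(r";(?! )|,", comment.group(1)):
        findings.append("separator")             # fields are joined by "; " only
    rv = re.search(r"rv:(\d+)\.(\d+)", ua)
    ff = re.search(r"Firefox/(\d+)\.(\d+)", ua)
    if rv is None or ff is None:
        findings.append("version-missing")
    else:
        ff_ver = tuple(map(int, ff.groups()))
        # Firefox 110-119 reported a frozen rv:109.0; otherwise rv tracks the release.
        expected = (109, 0) if 110 <= ff_ver[0] <= 119 else ff_ver
        if tuple(map(int, rv.groups())) != expected:
            findings.append("rv-mismatch")
    trail = re.search(r"Gecko/(\d+)", ua)
    if trail is None or trail.group(1) != DESKTOP_GECKO_TRAIL:
        findings.append("gecko-trail")
    return findings

SAMPLES = {
    # the string from the block record in this thread
    "thread": "Mozilla/5.0(X11;Linux x86_64,rv:45.0) Gecko/20200101 Firefox/74.0",
    # constructed well-formed strings for comparison
    "ff74": "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0",
    "ff115": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) "
             "Gecko/20100101 Firefox/115.0",
}

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(name, firefox_ua_findings(ua))
```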


Offline broadstairs

  • Forecaster
  • *****
  • Posts: 861
Re: ZBBlock 0.7.0 Released - PHP Site Protection Software.
« Reply #6 on: May 11, 2020, 06:30:29 AM »
I just changed the UA string slightly and it now works. I'm sure this is being far too picky because folks often mess with the UA and a minor error can easily creep in and does not mean it's a bot trying to crawl the site. There are so many ways validly to code a UA string it is almost impossible to catch them all. However the script site still re-directs me!

Stuart
Ecowitt GW1003 with ultrasonic wind gauge, lightning sensor and PM2.5 sensor with Personal Weather Tablet as a console.

Offline ConligWX

  • Forecaster
  • *****
  • Posts: 843
  • #conligwx
    • conligwx.org
Re: ZBBlock 0.7.0 Released - PHP Site Protection Software.
« Reply #7 on: May 11, 2020, 06:33:15 AM »
There are so many ways validly to code a UA string it is almost impossible to catch them all. However the script site still re-directs me!

Stuart

Indeed, that's why there is more than one way to catch them out using zbblock; it's not all about UAs ;) Since last night I have had 107 IPs blocked by bots/malicious IPs and regions that I have blocked. They are unwanted visitors by me, so I use zbblock. It won't stop them all but a good majority of them. =D>

If a genuine user gets blocked they will be shown a webpage with why they are blocked and can then contact the owner of the site. If you change your UA string "because you want to or can" then expect to be blocked and treated as a potential threat. Hiding behind false information is what hackers and bots do.

If you get blocked as a "genuine" user there is an explanation. Your UA string has been modified - "Genuine users hiding something - why?????" - or the other reason, an out of date UA string, when a user has a very old OS and his web browser cannot be updated any longer.
« Last Edit: June 08, 2020, 06:38:37 AM by ConligWX »
Regards Simon
Davis Vantage Pro2 Plus (6162UK) • Daytime FARS • WeatherLink Live • AirLink • PurpleAir PA-II-SD • CumulusMX •


Offline broadstairs

  • Forecaster
  • *****
  • Posts: 861
Re: ZBBlock 0.7.0 Released - PHP Site Protection Software.
« Reply #8 on: May 11, 2020, 06:45:51 AM »
While I also try to stop unwanted bots etc from my web site I don't want to accidentally stop genuine users which is what is seeming to happen with this script. My site has never been hacked or used anywhere near its bandwidth, and I'm sure my host site is very well run. I do use a method of catching bots and don't see many in the stats.

I am more concerned about folks copying stuff like images etc and using them without permission or attribution which has happened on a number of occasions and I've even had commercial organisation have to shred brochures because they didn't ask and I refused permission because of that.

Stuart
Ecowitt GW1003 with ultrasonic wind gauge, lightning sensor and PM2.5 sensor with Personal Weather Tablet as a console.