Security Questions

Hi, I am currently running 2.2.0 and was just wondering if my log entries from the link below are normal?
 
 
My site has been constantly under attack from the start compliments of google and the welcome mat keywords "Powered by Elgg" to locate it.
 
Now it seems that they have found a way to validate their own accounts with two instances in the past couple of days.
 
Any help would be appreciated, thanks.
  • The image shows an excerpt of the Elgg system event log. The entries in this log refer to activity on the site by members that results in database entries. It looks perfectly alright.

    Do you suspect your site is under attack due to this system event log? In this case your assumption is wrong. As the Elgg system log keeps track of the normal site activity there are of course log entries right from the start.

    For possible invalid activity you would have to look into the webserver access and/or error logs instead. But you can't avoid that sooner or later bots and crawlers will visit your site as it's on the Internet after all.

    As long as you haven't turned off registering of accounts in the advanced site settings you also can't totally prevent (spam) bots and people at least trying to register an account on your site. By default, Elgg validates accounts by email and this validation process is basically open to everyone.

    You should use the Spam Login Filter plugin in any case (https://elgg.org/plugins/774755) to reduce registration of unwelcome accounts at least. Though you won't get a 100% success rate with this plugin or any other method. The point is to reduce the amount of unwanted accounts. In the long run you can likely reduce the unwanted accounts also by reporting any spammer to the StopForumSpam site with the Spam Login Filter plugin when deleting these accounts. Some other plugins in addition to Spam Login Filter are also available here on the site that might help more in certain situations than in others. I think it helps a lot to remove any unwanted / spam posting as soon as possible and without any exception to show that it's not worth the effort to even try spamming. In my opinion it also helps to NOT allow registering accounts with any 3rd party account credentials (Twitter, Facebook, Google). Allowing this is most likely misused by spammers in the first place as they have less trouble getting their account validated (and I think anyone interested for a valid reason will not stop registering an account just because they need to enter their account data manually).

  • Thanks for the reply.

    The primary reason that I am reaching out for help is that just recently the bots/spammers/crawlers have found a way to validate their own accounts. I have had about 4 cases in the past 72 hours or so.

    So potentially a new exploit in either my configuration or the software.

    The Spam Login Filter plugin appears to not support past 2.0, do you think that it will work on 2.2.0?

    Also currently running:

    http:blacklist set at 1 with 16 spammers being blocked and 2 getting through in about 10 hours.

    Elgg Recaptcha doesn't seem to work with 2.2.0 as it won't allow any registrations.

  • Bots were smart enough to bypass email validation since the dawn of time. Elgg community site suffers from a lot of spam attempts, many of which are successful, but we still manage to keep it down. See here which plugins are used on the community site (we run Elgg 2.3.0): https://github.com/Elgg/www.elgg.org/blob/master/composer.json#L5

  • Spam Login Filter should work up to Elgg 2.3. It's used on the Community site here after all. The same with the recaptcha plugin. It's also used here on the site. Make sure you use the latest available version. As I don't use it myself I can't tell if there might be some plugin setting wrong resulting in the registrations failing. Or you might have another plugin installed that causes the recaptcha plugin to fail.

  • It is not email validation that they are bypassing, they are validating their own pending accounts waiting for administrator approval.

    http:blacklist blocked 7, six registered and 3 self validated in 24 hours.

  • Core does not provide any administrator approval workflow, so you should check with whatever plugin you are using - it might just have holes in it.

  • Is it really "they" who are bypassing the admin approval? Or are you using any plugin or plugins that allow for registering accounts with 3rd party credentials (Twitter, Facebook, Google, etc.) like the bundled Twitter API plugin as an example?

    The problem might be that accounts registered with account data from other sites are automatically registered, bypassing any validation requirement by email or admin. For example the bundled Twitter API plugin allows registering an account with Twitter username+password alone. Providing an email address is optional. Therefore, these accounts are activated automatically because validation by email with the bundled User Validation by Email plugin wouldn't work anyway without an email address.

    The User Validation by Admin plugin is directly derived from the bundled User Validation by Email plugin. And therefore the "Sign on with Twitter" accounts are likely still activated automatically without being able to decide about that as admin. Other 3rd party plugins that allow to sign in with Facebook/Google and other 3rd party account data might also activate any of these accounts automatically.

    So, if you want to be sure that you have full control over account activation, don't use any 3rd party plugins that bypass the admin approval. If you ask me it just isn't worth the trouble to allow people to register accounts with 3rd party credentials. It's just the spammers who welcome this option very much because it makes it so much easier for them (and Twitter and other sites just don't care about any misuse of accounts on other sites).

    The Blacklist plugin and also the Spam Login Filter plugin will NEVER have a 100% success rate! They both rely on checking the data entered on account registration against a list of credentials formerly used by spammers. If the data hasn't been used before or hasn't been reported (with Spam Login Filter) the plugins won't block the account registration. Nevertheless, the number of spam accounts registered will get reduced, and if you report any spammers back to StopForumSpam with the Spam Login Filter plugin when deleting these accounts (and not just delete them) the same data can't be used in the future again. So, you can make it much harder for the spammers to get into your site and the sites of others (and if more people used Spam Login Filter and reported back the spammers it might work even better to block them). The Blacklist plugin has no report function unfortunately. The blacklist used by it is also not made of data primarily from forum-like sites or Elgg sites. So, the success rate in blocking might be lower than with Spam Login Filter. But using both plugins in parallel might help to block more spammers as one list might already know a spammer while the other doesn't have an entry yet.
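The lookup-and-report logic the reply above describes, as an added example that is not code from the thread or from either plugin: a constructed StopForumSpam-style JSON answer and a constructed local IP list are checked in parallel, so a registrant known to either list is blocked, an unreported one passes, and reporting adds the data for the next attempt. The sample addresses and responses are made up; the JSON field names follow the public StopForumSpam API shape.

```python
"""Two-list registration check modelled on the reply above (added example)."""
import json

# Constructed sample in the StopForumSpam JSON API shape: each checked
# field says whether it appears in the database and how often.
SFS_RESPONSE = json.dumps({
    "success": 1,
    "ip": {"appears": 1, "frequency": 12},
    "email": {"appears": 0, "frequency": 0},
    "username": {"appears": 0, "frequency": 0},
})
# Constructed "clean" answer: nobody has reported this registrant yet.
CLEAN_RESPONSE = json.dumps({
    "success": 1,
    "ip": {"appears": 0, "frequency": 0},
    "email": {"appears": 0, "frequency": 0},
    "username": {"appears": 0, "frequency": 0},
})
# Constructed second list standing in for the Blacklist plugin's data.
LOCAL_BLACKLIST = {"203.0.113.7"}


def sfs_hits(response_text, min_frequency=1):
    """Return the fields (ip/email/username) the SFS database knows."""
    data = json.loads(response_text)
    if not data.get("success"):
        raise ValueError("StopForumSpam lookup failed")
    return sorted(
        field for field in ("ip", "email", "username")
        if data.get(field, {}).get("appears")
        and data[field].get("frequency", 0) >= min_frequency
    )


def should_block(ip, sfs_response_text, local_blacklist):
    """Block when either list knows the registrant; return the reasons.
    An empty list is the gap the reply explains: data nobody has
    reported yet is not blocked by either plugin."""
    reasons = ["stopforumspam:" + f for f in sfs_hits(sfs_response_text)]
    if ip in local_blacklist:
        reasons.append("blacklist:ip")
    return reasons


def report_spammer(ip, local_blacklist):
    """The report-back step: once added, the same data is blocked next time."""
    local_blacklist.add(ip)
    return local_blacklist
```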

  • I AM NOT USING ANY 3rd PARTY ACCOUNT VALIDATION.

     

    Problem is solved though; ELGG UNINSTALL.

  • Why didn't I think of that solution before. Thanks for wasting everyone's time without bothering to explain yourself or learning how Elgg works.

  • They are people who really don't know how Elgg works. The best social engine for free, and people don't know the value. They should have gone through Dolphin CMS, had their money drained and still never got support from any of the developers over there. Forget the support; even to use their forum to ask questions you need to be a premium member. But in the case of Elgg you get everything for free, PLUS you get support as well for free. Elgg has gone through so many updates and I have never once faced a problem with security or bypassing the validation. I have found spammers validating and passing, but never once found them bypassing the validation.