Bad Behavior2 Plugin
Bad Behavior was written by and is maintained by Michael Hampton at http://bad-behavior.ioerror.us/.
Bad Behavior has been integrated into glFusion by the glFusion development team to take advantage of the great features that Bad Behavior brings, specifically:
Bad Behavior complements other link spam solutions by acting as a gatekeeper, preventing spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place. This keeps your site’s load down, makes your site logs cleaner, and can help prevent denial of service conditions caused by spammers. (quoted from http://bad-behavior.ioerror.us/)
Bad Behavior can use of the Project Honey Pot - HTTP Black List service, which will block known malicious sites. You will need to create an account and obtain a set of keys to configure below. It is highly recommended that you enable this feature in Bad Behavior.
The Bad Behavior configuration options are located under Command & Control → Spam / Bot Protect.
- BB2 Enabled
Set this to true to enable Bad Behavior 2 plugin protection.
- Enable Automatic Banning
If set to true, IPs will be automatically banned if they fail the CAPTCHA entry 5 times, or if a post fails the Cross Site Forgery Check. IPs will be banned for 24 hours.
- Strict Checking
Bad Behavior operates in two blocking modes: normal and strict. When strict mode is enabled, some additional checks for buggy software which have been spam sources are enabled, but occasional legitimate users using the same software (usually corporate or government users using very old software) may be blocked as well. It is up to you whether you want to have the government reading your blog, or keep away more spammers.
- Verbose Logging
Turning on verbose mode causes all HTTP requests to be logged. When verbose mode is off, only blocked requests and a few suspicious (but permitted) requests are logged. Verbose mode is off by default. Using verbose mode is not recommended as it can significantly slow down your site; it exists to capture data from live spammers which are not being blocked.
- Logging Enabled
You can disable logging entirely, but this is not recommended since it may cause additional spam to get through.
- HTTP BlackList Key
Bad Behavior is capable of using data from the http:BL service provided by Project Honey Pot to screen requests. This is purely optional; however if you wish to use it, you must sign up for the service and obtain an API key. To disable http:BL use, remove the API key from your settings.
- http:BL Threat Level
This number provides a measure of how suspicious an IP address is, based on activity observed at Project Honey Pot. Bad Behavior will block requests with a threat level equal or higher to this setting. Project Honey Pot has more information on this parameter.
- http:BL Maximum Age
This is the number of days since suspicious activity was last observed from an IP address by Project Honey Pot. Bad Behavior will block requests with a maximum age equal to or less than this setting. Project Honey Pot (http://www.projecthoneypot.org/threat_info.php) has more information on this parameter.
- Allow Offsite Forms
Bad Behavior normally prevents your site from receiving data posted from forms on other web sites. This prevents spammers from, e.g., using a Google cached version of your web site to send you spam. However, some web applications such as OpenID require that your site be able to receive form data in this way.
- EU Cookie
Enable this option to alter Bad Behavior's cookie handling to conform to 2012 EU cookie regulations.
Users in the Bad Behavior2 Admin group can search the Bad Behavior2 logs. Simply go to glFusion's search page and enter your search terms. Select “Bad Behavior2” from the “Type” drop-down menu if you only want to perform a search on the Bad Behavior2 logs.
The search function will search for IP addresses and it also searches through the entire HTTP request that the offender used to access the site.
Whitelisting IP Addresses
You can add whitelist entries to Bad Behavior to allow a specific IP address or blocks of IP addresses by adding them to public_html/bad_behavior2/bad-behavior/whitelist.inc.php.
Blacklisting / Blocking IP Ranges
There may be times where you want to block a range of IP addresses. For example, at glFusion.org, we receive hundreds of requests per day from a specific hosting provider, all calling users.php (to login) with invalid data. As these are identified, we block the range of IPs from the specific host.
To implement IP range blocks (also known as IP CIDRs). Classless Inter Domain Routing (CIDR) - was adopted to help ease the load imposed on internet and large network backbone routers by the increasing size of routing tables. CIDR is a notation to identify a block of consecutive IP addresses.
For example, the range of IPs
192.168.1.0 - 192.168.1.255 is represented as a CIDR address as
192.168.1.0/24 - this one CIDR notation covers 254 individual IP addresses. Many times it is helpful to use one of the online CIDR calculators, such as http://www.subnet-calculator.com/cidr.php to understand how to represent a range of IP addresses correctly.
To block CIDR ranges, you must create the
bb2_ip_ban.php file in the private/data/ directory of your website. There is a sample file provided,
bb2_ip_ban.php.sample that you can rename to
bb2_ip_ban.php. Once you have created the
bb2_ip_ban.php file, you now edit it to enter the IP CIDRs you wish to block. The format must be like this:
$bb2_blacklist_cidrs = array(
'22.214.171.124/19', // quadranet
'126.96.36.199/19', // quadranet
'188.8.131.52/17', // quadranet
Each CIDR is enclosed in a single quote and separated by a comma. The // comment is optional but a good practice to document why you are blocking a specific range.
Once the file has been saved, the Bad Behavior2 plugin will immediately start using it to evaluate each page request and block any IP ranges you have specified.
Please be very careful that you follow the file format correctly - any typos or missing quotes or commas will prevent your site from loading.