ZB BLOCK CHANGELOG
0.4.9 Beta 05/28/11 - "Jaguar"
Feature: Multiple new time formats. Choose one inside zbblock.ini.
Feature: Time offset... For those people who can't stand being locked to server
time. The value is the number of hours of difference from server time.
Warning: this does not change the displayed offset, because the time is
recomputed from the Unix Epoch value.
Feature: Regular Expression Match (Kudos to Tom Parkison). Use with care, and make
sure the pattern you supply cannot cause anything to be executed.
Feature: Ajax Opt-Out system. By declaring in zbblock.ini that your site does
not use AJAX, you let ZB Block filter POST data many times more strictly
than an AJAX site can tolerate. AJAX applications routinely send
client-built markup and script fragments in POST bodies for the server to
process, so an AJAX site has to accept POST content that would otherwise
look like a textbook injection. As most systems pass .xml through the PHP
interpreter as well, AJAX traffic cannot be declared safe, and ZB Block
cannot simply overlook command injection arriving through it. Please,
IF YOU DO NOT USE AJAX, OPT OUT IN ZBBLOCK.INI FOR MORE PROTECTION!
Feature: On multiple 503s sent to a banned host, you can choose instead to send it
a redirect to its own localhost (127.0.0.1), with a reported Content-Length
of -1 bytes. The actual response is about half the size of a 503 response.
Feature: Permanent ban immunity for known good crawlers.
Feature: IP Permanent Bans Database split into 2 files. One is IPs only, for
speed of access by the script. The other is IPs and Hostnames, for
easier checking of permanent bans accidentally levied against innocent
mistakes.
Feature: Header Switch for Reverse Proxy Service. If you sit behind CloudFlare,
or some other host with a reverse proxy, you can define the header
ZB Block should use to determine the originating IP. USE WITH CAUTION:
IF YOUR SITE IS DIRECTLY ACCESSIBLE BY IP, A CLIENT CAN FORGE THIS HEADER,
SINCE ONLY YOUR PROXY IS SUPPOSED TO SET IT. Recommended: add a custom
signature that bans any native IP (using $_SERVER['REMOTE_ADDR']) that does
not fall within your reverse proxy's address ranges.
Change: 403 page slightly friendlier, with more prominent trouble-ticket e-mail
link.
Change: File writes now done in burst mode to reduce overlapping log writes
caused by DoS hammering.
Change: The reason for a block must now be punctuated in the signature. This
allows cleaner use of the search functions without leaving a trail of
breadcrumbs (i.e. "reason 1 . . . reason 2").
Change: User agent now stored in a variable for more consistent updating.
Change: A wrong whitelist password will now report a miss. However, it now also
increments the counter towards banning. No need to be secretive anymore.
Bugfix: Post data truncated at 4MB to avoid memory use conflict with file
uploading.
Bugfix: All filenames now use lower-case to avoid problems with hosts run by
strange geeks who cannot understand that a single bit change does not
mean the end of the world for the Linux operating system. There is a
difference between nerds and geeks... geeks go out of their way to be
incompatible with society, as their intellect does not cause this
automatically.
Bugfix: s2b ( Human readable to binary ) changed to be case insensitive.
Bugfix: Unset now used instead of $tring nulling ("").
Bugfix: Filewrites now flushed before close... for the most part.
Bugfix: IP database now prepends IPs with a space to avoid substring collisions.
Bugfix: $zbregcheck is now declared global, to work around a hiccup in variable
sharing on some systems.
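An added example, not code from ZB Block, illustrating the substring collision behind the "prepends IPs with a space" bugfix above, and the caveat a practitioner wants: a prefix alone stops a listed IP from matching a query that ends with it, but not a query that is a prefix of a longer listed IP, so the delimiter is needed on both sides. The sample database contents and function names are constructed for this example.

```php
<?php
// Added example; not ZB Block's own lookup code. Reproduces the substring
// collision the space-prefix fix targets and shows why a delimiter on both
// sides of the IP is needed to close it fully. Database and names constructed.

// Stored form after the fix: each line is " <ip>\n". Note 1.2.3.4 is NOT listed,
// but it is a substring of both 11.2.3.4 and 1.2.3.45.
$db = " 11.2.3.4\n 1.2.3.45\n 10.0.0.1\n";

/** Before the fix: a bare substring search over the file contents. */
function zb_lookup_naive(string $db, string $ip): bool
{
    return strpos($db, $ip) !== false;
}

/** The fix as described: search for the space-prefixed IP. */
function zb_lookup_prefixed(string $db, string $ip): bool
{
    return strpos($db, ' ' . $ip) !== false;
}

/** Tighter: anchor on both sides so the whole stored token must match. */
function zb_lookup_delimited(string $db, string $ip): bool
{
    return strpos($db, ' ' . $ip . "\n") !== false;
}

$probes = [
    '10.0.0.1',  // genuinely listed: all three lookups say true
    '0.0.0.1',   // suffix of 10.0.0.1: naive collides, prefix and delimited do not
    '2.3.45',    // suffix of 1.2.3.45: same
    '1.2.3.4',   // not listed; prefix still collides with " 1.2.3.45", delimited does not
];

printf("%-10s %-6s %-9s %s\n", 'ip', 'naive', 'prefixed', 'delimited');
foreach ($probes as $ip) {
    printf("%-10s %-6s %-9s %s\n", $ip,
        var_export(zb_lookup_naive($db, $ip), true),
        var_export(zb_lookup_prefixed($db, $ip), true),
        var_export(zb_lookup_delimited($db, $ip), true));
}
// Only the delimited lookup is true for 10.0.0.1 and false for every other probe.
```

The same applies to the CSV-backed bannedips.csv lookups elsewhere in the script: whatever separator the file uses, match the separator on both sides of the address, or parse the file into lines and compare whole tokens.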
0.4.8 Beta 08/24/10 - "Cougar"
Bugfix: Now compresses spaces and other garbage characters to avoid obfuscation
of command detections.
The fix is implemented through 6 new variables in the script and in the
signatures. These variables are: $querydecsws, $fromhostsws,
$lcuseragentsws, $lcrequesturisws, $rawpostsws, and $lcpostsws. They are
exactly the same as their counterparts without the "sws" suffix, except
that all whitespace and non-normal ASCII is stripped out of them.
Why do this? Because in PHP, "echo('something');"
is equivalent to "echo ('something');"
or even "echo ( 'something' );"!
The old system, if it was looking for "echo(", would only have triggered
on the first form. Now, thanks to the new "sws" variables, this
gross oversight has been remedied.
"sws", by the way, means "Strip WhiteSpace".
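An added example, not code from ZB Block, showing the "sws" normalization described above in working form: the request string is percent-decoded until stable (the 0.2.0 "no more cloaking with %##" point), stripped of whitespace and non-printable ASCII, lower-cased, and then run against substring signatures in the inmatch style. The function names, the signature list and the sample query strings are constructed for this example; the real signature files are not reproduced.

```php
<?php
// Added example; not code from ZB Block itself. Builds the "sws" form of a
// request variable (decode, strip whitespace and non-printable ASCII,
// lower-case) and shows signatures the raw string misses but the
// normalized one catches. Names, signatures and samples are constructed.

/** Percent-decode repeatedly until stable, so double-encoding is unmasked. */
function zb_decode(string $s, int $maxRounds = 5): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = rawurldecode($s);
        if ($next === $s) {
            break;
        }
        $s = $next;
    }
    return $s;
}

/** The "sws" form: keep only printable ASCII 0x21-0x7E, then lower-case. */
function zb_sws(string $s): string
{
    return strtolower(preg_replace('/[^\x21-\x7E]/', '', $s));
}

/** inmatch-style check: return the reasons for every signature found as a substring. */
function zb_inmatch(string $haystack, array $signatures): array
{
    $hits = [];
    foreach ($signatures as $needle => $reason) {
        if (strpos($haystack, $needle) !== false) {
            $hits[] = $reason;
        }
    }
    return $hits;
}

// Constructed signatures; keys are already in "sws" form (no spaces, lower-case).
$signatures = [
    'echo('          => 'PHP echo injection.',
    'base64_decode(' => 'base64 payload.',
    'unionselect'    => 'SQL union injection.',
];

// Constructed query strings exercising the obfuscations the text lists.
$samples = [
    "q=echo('x');",                         // plain: both forms catch it
    "q=echo ( 'x' );",                      // spaced out: raw form misses it
    "q=%2565cho%20%28%27x%27%29",           // double-encoded and spaced
    "id=1%20UNION%20%20SELECT%20password",  // SQL with run-together spaces
    "q=base64_decode\t(\$_GET['c'])",       // tab instead of space
];

foreach ($samples as $raw) {
    $rawHits = zb_inmatch(strtolower($raw), $signatures);
    $swsHits = zb_inmatch(zb_sws(zb_decode($raw)), $signatures);
    printf("%-40s raw:%d sws:%d %s\n", $raw, count($rawHits), count($swsHits),
        implode(' ', $swsHits));
}
// Only the first sample hits in raw form; all five hit in "sws" form.
```

The decode loop is bounded on purpose: an attacker can nest percent-encoding arbitrarily deep, and a loop that runs until the string stops changing is the cheapest way to unmask it without guessing how many layers were used.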
0.4.7 Beta 07/12/10 - "Panther"
Feature: Silent blocking, with the response replaced by a page forward... unless the
host is permanently banned. If so, the connection is killed without any
result; the far-end user sees "Connection Closed by Remote Host".
(NOTICE: This is very user unfriendly.)
Feature: StopForumSpam.com positive results are cached by appending the new bad
IPs to bannedips.csv.
Feature: Registration and confirmation attempt throttles. Hard on bots, easy on
humans and remote databases. Fault count + 3 attempts per hour are allowed
(6 registration and confirmation attempts by default: fault count 3, plus 3
more registration or confirmation pageloads. Should be enough. Will
become a standalone ini variable in a future version).
Feature: CIDR Range blocking. Now you don't have to figure the IPs out when
blocking according to an ASN listing on a website.
Just use this format...
$ax = $ax + (cidrblock($address,"/","CIDR Block"));
So for instance to block your own LAN range (don't do it!)...
$ax = $ax + (cidrblock($address,"192.168.0.0/24","CIDR Block LAN"));
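An added example, not ZB Block's own cidrblock() or its proxy-header handling, serving two passages: the CIDR range blocking just described, and the reverse-proxy header switch in 0.4.9 with its warning that the header can be forged when the origin is reachable by IP. It provides a CIDR matcher, and a client-IP resolver that only believes the proxy header when the TCP peer (REMOTE_ADDR) is inside one of your proxy ranges, which is the custom signature the 0.4.9 entry recommends. The header name, the proxy ranges (documentation addresses), the sample requests and all function names are constructed assumptions; it assumes 64-bit PHP so that ip2long() returns non-negative integers.

```php
<?php
// Added example; not ZB Block's cidrblock() or its proxy-header code.
// CIDR matcher plus a client-IP resolver that trusts the proxy header
// only when REMOTE_ADDR is one of the proxy ranges. Header name, ranges,
// sample addresses and function names are constructed. Assumes 64-bit PHP.

/** True if IPv4 $ip lies inside $cidr ("192.168.0.0/24"; a bare IP means /32). */
function zb_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    $bits    = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;   // malformed input never matches
    }
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Decide which address ZB Block should judge. The header is trusted only
 * when REMOTE_ADDR is inside a proxy range; otherwise the request reached
 * the origin directly and the header is whatever the client chose to send.
 */
function zb_client_ip(array $server, string $headerKey, array $proxyRanges): array
{
    $remote   = $server['REMOTE_ADDR'] ?? '';
    $viaProxy = false;
    foreach ($proxyRanges as $range) {
        if (zb_in_cidr($remote, $range)) {
            $viaProxy = true;
            break;
        }
    }
    $forwarded = trim($server[$headerKey] ?? '');
    if ($viaProxy && filter_var($forwarded, FILTER_VALIDATE_IP)) {
        return ['ip' => $forwarded, 'direct' => false];
    }
    return ['ip' => $remote, 'direct' => true];   // judge the peer itself
}

// Constructed configuration using documentation ranges, not real proxy ranges.
$proxyRanges = ['203.0.113.0/24'];
$headerKey   = 'HTTP_CF_CONNECTING_IP';   // $_SERVER key for the header your proxy sets

$requests = [
    // arrived through the proxy: the header is trusted
    ['REMOTE_ADDR' => '203.0.113.7',   $headerKey => '198.51.100.23'],
    // hit the origin by IP and forged the header to look like localhost
    ['REMOTE_ADDR' => '198.51.100.99', $headerKey => '127.0.0.1'],
];
foreach ($requests as $srv) {
    $r  = zb_client_ip($srv, $headerKey, $proxyRanges);
    $ax = $r['direct'] ? 1 : 0;   // the recommended custom signature: ban direct-by-IP access
    printf("peer %-15s judge %-15s direct=%d ax=%d\n",
        $srv['REMOTE_ADDR'], $r['ip'], (int) $r['direct'], $ax);
}

// cidrblock()-style scoring with the LAN example from above.
$ax = 0;
foreach (['192.168.0.42', '192.168.1.42'] as $address) {
    $ax += zb_in_cidr($address, '192.168.0.0/24') ? 1 : 0;
}
echo "LAN block score: $ax\n";   // 1: only 192.168.0.42 is inside the /24
```

The resolver deliberately falls back to REMOTE_ADDR rather than the header whenever the peer is not a known proxy: if a forged header were honoured there, an attacker could point every ban at 127.0.0.1 or at an innocent third party. If your proxy sends a comma-separated list (X-Forwarded-For style), take the element your proxy appended, not the first one, since everything before it is client-supplied.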
Feature: More potent and accurate filtering of POST data to allow the detection
of variable tampering. Also found a new, accurate way to compress
escaped escapes to unmask character obfuscation.
Feature: Settable e-mail address (optional, default=off) in ZB Block .ini
designed to allow blocked users to send in a "trouble report" with the
fault details, through a specially crafted mailto: link. This is
advisable if you have a disposable e-mail address, like
"blocked@yourdomain.tld" as no doubt scrapers will harvest the e-mail
address. If not activated, nothing about it is shown.
Feature: Dated auto-changing killed_log.txt file based on php date() function.
This allows you to pre-pend the killed_log.txt filename, with a dating
system of your choice. More information in the zbblock.ini file.
0.4.6 Beta 02/16/10 - "Bearcat"
Feature: User-Agent String! Now identifies to remote databases as
"ZB_Block_0.4.x"
Feature: Human to Boolean operations now using more compatible || instead of OR.
Speed up: Only check IPs once if un-resolvable to a name. If the name doesn't
resolve, add the IP to NOLOOKUP.CSV and check that first next time. Should
lead to significant speed-ups for users on unnamed IPs.
Speed up: If a violation of the general security rules occurs during registration,
confirmation, or login, the remote database checks are skipped.
Feature: Now bad IP catching for registration/login identifies if it came from
your local bannedips.csv, or the remote SFS database.
Feature: Record number of violation now shared with the client to speed
debugging of bad catches by site owner.
Bug Fix: Non "$zb" headed variables now unset at end of execution to fix
variable collisions with some rare scripts.
0.4.5 Beta 11/20/09 - "Jedi Potato" - Feel the power of the fork. 3---
Feature: Now can use local copy of StopForumSpam.com's bannedips.csv
Feature: Staged Registration Checker
1. If IP is not found in local bannedips.csv then...
2. Then check live StopForumSpam.com database. If not found there...
3. Then check live hosts-file.net database. If not found there...
4. Then check TOR project.
If found at any stage before 4, the rest of the checks are skipped to
speed things up, and save load on other databases.
Feature: Compatibility Layer File. This file is for touchy signatures that are
incompatible with some scripts/forums/blogs/CMSes out there. The
weakest (but still strong) version ships with ZB Block. For more
strength, download the one that fits your package from the ZB Block
download page. Feel free to request new compatibility layer files if you
need one.
Feature: Ignore Remote Databases IF IP=127.0.0.1 OR IP=192.168.0.0 for
registration. All other blocks still active. This is part of the
compatibility layer file so additions/deletions are kept.
Feature: New HTTP response headers to alert admins of compromised servers that
their machines are being abused by robots/hackers. The new fields are...
1. Warning: 199 :80
2. Abuse:
These are output along with the 403 errors, but skipped once the
attacker falls into 503 hell. Not supported by many servers, but still
a good way, if adopted, to alert the innocent: Warning: 199 as per
RFC 2616, plus my own "human readable" Abuse: field, since Warning: 199
is in such rare use that most admins might be confused by it.
Change: Default behavior is now to write killed_log.txt to a human readable
area, as it causes no security risk, and helps for rapid debugging of
problems reported by users.
Change: Signature files now model numbered internally in comments.
Change: Appendix added to manual on how to handle compatibility.inc
Bugfix: Due to some servers not having adequate php execution times, most of the
pauses have been removed. You can turn them back up after install in the
.ini to suit your taste.
0.4.4 Beta 08/25/09 - Bugfix+ version
Bugfix: Turned off that annoying super debug mode that snuck into the last
version.
Bugfix: Bad signature in last installer changed.
Feature: Added PHP-Nuke registration checker capability.
Experiment: Included the 0.0.1 version of ZB Log, which can be used in much the
same way as ZB Block, but for currently non-existent files that
hackers are getting 404s on now, to probe and record what they are
trying to do. FOR EXPERTS ONLY! MAY CAUSE RETRIBUTION IF USED.
It generates a log like ZB Block's, but everyone gets a 403 for
blindly poking around in your site. It uses the ZB Block signatures
to "mark" attacks that are already known. If you see something new,
report it in ZB Block's forums so we can add it to the signatures.
0.4.3 Beta 08/23/09
Bugfix: Undefined variable $zbregcheck now defined in any case.
Feature: ZB Block now has a manual! Should make use a lot easier!
Feature: ZB Block has a password setting in the .ini file, which is important
for the whitelist feature, and the future control panel.
Feature: 3 layer Detection/Banning/Whitelist Database. The first layer,
Detection, records violations made by IPs. This is then scanned for
X entries (.ini setting); if found, the IP and hostname are added to the
banning database, which switches ZB Block's behavior to displaying a 503:
Service Temporarily Unavailable, with a 1 day timeout, for that IP only.
Of course this is actually a permanent ban, but most bots ignore 403s
and other permanent ban types, so a 503 is sent instead.
The 3rd local database is the Whitelist; this makes your current IP
immune from a permanent ban, but still subject to inspection. You can
set this by going to any protected page and adding ?wlpw= to the URL.
Also, there is daily housekeeping on the databases. The detection
database is purged. The permanent banning database has any accidental
duplicate lines removed, which can happen on rapid-fire hammering by
bots.
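An added example, not ZB Block's own database code, modelling the three layers just described in memory: a detection log of violations per IP, promotion to the permanent-ban list once the threshold is crossed (which flips the response from 403 to 503), and a whitelist that keeps an IP inspected and logged but never banned. The class and function names, the threshold, the sample IPs and the one-day Retry-After (this example's reading of the "1 day timeout") are assumptions; the real script keeps these in files under the vault rather than in arrays.

```php
<?php
// Added example; not ZB Block's own database code. In-memory model of the
// detection log, permanent-ban list and whitelist, and the 403 -> 503
// switch. Names, threshold, sample IPs and Retry-After are assumptions.
// Requires PHP 8.0+ (constructor property promotion).

final class ZbBanModel
{
    private array $detections = [];   // ip => list of [timestamp, reason]
    private array $banned     = [];   // ip => timestamp of the ban
    private array $whitelist  = [];   // ip => true

    public function __construct(private int $threshold = 3) {}

    /** What adding ?wlpw=<password> to a protected URL does for your own IP. */
    public function whitelist(string $ip): void
    {
        $this->whitelist[$ip] = true;
    }

    /**
     * Record a violation and return the status ZB Block would send: 403
     * for an ordinary hit, 503 once the IP is permanently banned.
     * Whitelisted IPs are still inspected and logged, but never banned.
     */
    public function violation(string $ip, string $reason, int $now): int
    {
        if (isset($this->banned[$ip])) {
            return 503;
        }
        $this->detections[$ip][] = [$now, $reason];
        if (!isset($this->whitelist[$ip])
            && count($this->detections[$ip]) >= $this->threshold) {
            $this->banned[$ip] = $now;   // ZB Block also records the hostname here
            return 503;
        }
        return 403;
    }

    /** Daily housekeeping: purge detections. Keyed by IP, the ban list holds no duplicates. */
    public function housekeeping(): void
    {
        $this->detections = [];
    }

    public function isBanned(string $ip): bool
    {
        return isset($this->banned[$ip]);
    }
}

/** Status line and headers for the two outcomes (Retry-After value assumed). */
function zb_response(int $status): array
{
    return $status === 503
        ? ['status' => '503 Service Temporarily Unavailable', 'headers' => ['Retry-After: 86400']]
        : ['status' => '403 Forbidden', 'headers' => []];
}

$m = new ZbBanModel(3);
$m->whitelist('192.0.2.10');                                   // your own IP (constructed)
for ($i = 1; $i <= 4; $i++) {
    $bot   = $m->violation('198.51.100.5', 'probe', $i);       // constructed attacker
    $admin = $m->violation('192.0.2.10', 'false positive', $i);
    printf("hit %d: bot=%d admin=%d\n", $i, $bot, $admin);
}
// bot: 403, 403, 503, 503   admin: 403 every time and never banned
print_r(zb_response(503));
```

The point of returning 503 with a Retry-After rather than a 403 is behavioural: a 403 tells a bot the URL is interesting, whereas a "temporarily unavailable" answer is one most crawlers are written to back off from. Whitelisting only removes the promotion step; the whitelisted IP still goes through the signature checks and still lands in the detection log, so a false positive on your own address remains visible for debugging.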
Feature: Adjustable (.ini file) timeout on remote database access.
Feature/Change: Adjustable (.ini file) registration timer trap. Slows down bad
bots.
0.4.2 Beta 07/29/09
Feature: Hosts-File.net (hpHosts) Blacklist Registration/Login Blocker!
(ini setting / Default: on) Check to see if IP of attempt to
register is associated with a known forum/comment spammer, or
hostile attacker. Allows read-only access. Primary Function:
Stops Spam.
Feature: StopForumSpam.com Blacklist Registration/Login Blocker!
(ini setting / Default: on) Check to see if IP of attempt to
register is associated with a known forum/comment spammer.
Allows read-only access. Primary Function: Stops Spam.
Feature: TOR Network Registration/Login Blocker! (ini setting / default: on)
Block registration or login from the TOR anonymity network. Allows
read-only access. Primary Function: Stops Spam.
Feature: TOR Network Access Blocker! (ini setting / default: off) Block all
access to protected files from the TOR anonymity network. Primary
function: Stops Hacks
0.4.1 Beta 07/05/09
(a lot can change in a couple days when things work right)
Feature: MORE FLEXIBILITY! Now ZB Block loads configuration from a real
live zbblock.ini config file stored in the vault!
Feature: Debug Mode (ini setting). You can now easily find out why a request
was blocked by turning this on and resending the request yourself.
It will show you which search algorithm and which pattern caused
the hit. Leave it off to deter skript kiddies (default off).
Feature: Adjustable Snooze (ini setting). You can now choose either a long,
short, or no snooze at all on an attack detection. Setting is in
seconds. (default 25 seconds)
Feature: Turn on and off registration timer-trap (ini setting-default on).
Feature: Turn on and off killed_log.TXT logging, and choose if it is stored
in the main zbblock (unprotected), vault, or another subdirectory
(ini setting-Default: On, vault/).
Feature: Turn on and off killed_log.CSV logging, and choose if it is stored
in the main zbblock (unprotected), vault, or another subdirectory
(ini setting-Default: Off, vault/).
Feature: Super-Debug mode. Uncomment 2 lines near the top of the script to
expose any and all errors occurring.
Bugfix: Thanks to Super-Debug, all former non-fatal but annoying errors have
been finally fixed.
0.4.0 Beta 07/04/09 (Independence Day)
Feature: Comma Separated Values (.CSV) output of logs.
Feature: New detection algorithm minmatch, which can sniff more accurately for
nested attacks, as it checks whether the occurrences of a string
have gone over the maximum allowed in a request.
Bugfix: Removed troublesome $loaded and $loaded2 variables, as these were
never used, and tend to not be standard across platforms/servers.
0.3.1 Beta 04/07/09
Bugfix: Installer would generate errors trying to delete old installer
files, on new install. Checks for old files before attempting
delete.
0.3.0 Beta 04/05/09
Feature: Now has an installer! Just load zbblock/setup.php in your
browser, follow instructions. YAY! :D
Security Fix: Post data removed from log. Possible password exposure.
Security Fix: Filename removed from log. Possible path structure exposure.
Change: "Forwarding Hell" deprecated and removed. ZB Block is about
security, not revenge.
Change: Anti-Flooding pause extended to 25 seconds.
Change: Code cleaned for efficiency.
0.2.0 Beta 02/25/09
New site, new semi-major version!
BugFix: Now can be run several times on the same page, due to accidental
includes and such, without throwing an error. Will quickly skip
over itself if it has run before.
Feature: Deeper Detections. Now strips the query string down to the base
elements. No more cloaking with %## !
Feature/Change: Now throws an authentic 403 with a descriptive error
message by default, rather than forwarding hell. Still
has a wait to slow some robots down.
0.1.8 Beta 01/07/09
Sorry, didn't mean to release a new update so soon! Necessary because
signature file has added "stuff" in it. Next update of program
(bar hotfixes) will be in Feb. (It's beginning to eat my life!)
Feature: Added ability to check the user agent (though I doubt the utility of
this due to cloaking).
((NOTE: Turned out to be quite handy by version 0.4.0!))
Feature: Added ability to check POST data (though I doubt the utility of
this, since most skiddy scripts don't use POST).
Feature: Added serial # counter, stored in vault.
Change: Changed several checks of $_SERVER['HOME'] to a single check that
can be replaced by a static value, in the case of some odd server
packages that alter $_SERVER['HOME']. Now stored in
$path_to_httproot . Will eventually be loaded from a semi permanent
config file.
0.1.7 Beta 12/28/08
Feature: Added score output in case of multiple matches.
Feature: Now lists all reasons for blocking each attack.
Feature: Placed signatures in locked /vault/ (with .htaccess and .htpasswd)
Feature: Added custom signature file in /vault/ so you need not put back in
your custom blocks each time you update main signatures.
0.1.6 Beta 11/28/2008
Feature: Added detection of $_SERVER['PATH_INFO'] . Allows for smarter
detection of (evil) remote file includes. Also allows for rejection
of client on sites that have no use for path_info.
0.1.5 Beta 11/22/08
Feature: Added the promised IP range blocking, which significantly shrank the
signature file and sped up processing.
0.1.2 thru 0.1.4
Inhouse experiments and other dead-ends.
0.1.1 Beta 11/12/08
Feature: Added reason for blocking to output file.
Speedup: Tightened some variable reading code. (Read system variables once,
string to lower from them)
Removed: Redundant String Length function in inmatch.
0.1.0 Beta 11/08/08
First Public Beta