More Bad Behavior; Again

This time I’m going to go over the last little tid-bits so you can protect your sites and make sure the “bad” people stay away. For the most part anyway.

White Listing

You can white list IP addresses and user-agents. IP addresses can be white listed using ranges (in the CIDR format) or single IP by editing the file ‘whitelist.inc.php’. Open it up and edit the  below:

14
15
16
17
18
19
20
21
22

// Includes four examples of whitelisting by IP address and netblock.
$bb2_whitelist_ip_ranges = array(
	"64.191.203.34",	// Digg whitelisted as of 2.0.12
	"208.67.217.130",	// Digg whitelisted as of 2.0.12
	"10.0.0.0/8",
	"172.16.0.0/12",
	"192.168.0.0/16",
//	"127.0.0.1",
);

User-agents can be white listed in the same file but require an exact match to what you add to the array.

37
38
39

$bb2_whitelist_user_agents = array(
//	"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) It's me, let me in",
);

It’s important to use white listing conservatively. Extremely so. You don’t want to use white listing unless you positively, absolutely, have no other option.

Black Listing

There are two different ways to use black listing in Bad Behavior; manually adding entries to your black lists and using the http:BL feature.

To use Bad Behavior’s http:BL features you must have an http:BL Access Key. It’s a fairly simple process that requires registration with Project Honeypot. They’ll give you a BL Access Key and you place it in the settings array of ‘bad-behavior-generic.php’.

47
48
49
50
51
52
53
54
55
56

$bb2_settings_defaults = array(
	'log_table' => 'bb_logs',
	'display_stats' => true,
	'strict' => true,
	'verbose' => true,
	'logging' => true,
	'httpbl_key' => 'PLACE_YOUR_KEY_HERE',
	'httpbl_threat' => '25',
	'httpbl_maxage' => '30',
);

Once that’s done your install of Bad Behavior will use your local black lists as well as the http:BL lists.

On the other hand, you may encounter some rare cases where your site is being spammed by a new agent. In this case you might want to manually add entries to your local black lists.

The black lists are placed within ‘blacklist.inc.php’. It only accepts user-agents, probably because IP address blocking is essentially useless. You’ll need to edit 3 different areas of the script:

The first is for strings that occur at the beginning of the user-agent.

7
8
9
10
11
12

$bb2_spambots_0 = array(
	"<sc",			// XSS exploit attempts
	"8484 Boston Project",	// video poker/porn spam
	"adwords",		// referrer spam
	"autoemailspider",	// spam harvester
	//etc...

The next is for strings that occur anywhere within the user-agent string.

57
58
59
60
61

$bb2_spambots = array(
	"\r",			// A really dumb bot
	"; Widows ",		// misc comment/email spam
	"a href=",		// referrer spam
	//etc...

And, best of all, there’s also a regular expression (regex) array for the really difficult user-agents.

87
88
89
90
91
92
93
94

// These are regular expression matches.
$bb2_spambots_regex = array(
	"/^[A-Z]{10}$/",	// misc email spam
	"/^Mozilla...[05]$/i",	// fake user agent/email spam
	"/[bcdfghjklmnpqrstvwxz ]{8,}/",
//		"/(;\){1,2}$/",		// misc spammers/harvesters
//		"/MSIE.*Windows XP/",	// misc comment spam
);

It’s also possible to add your own blacklists into your Bad Behavior install. This is pretty helpful if you have multiple installs and are sane enough to recognize the absurdity in maintaining multiple lists. Just build a blacklist service and add the info to ‘blackhole.inc.php’.

Yeah, just build a blacklist server. Ummm… it’s easy?

Customizing the Template

Every time a request gets blocked the system doesn’t really know, 100%, that the request is bad; it just can’t. So, instead of just dying, Bad Behavior displays a page with instructions on how to “unblock” yourself usually by just clicking on a link.

Unfortunately, the page looks like ass.

Bad Behavior Blocked Screenshot

The idea, I’m sure, is that the page should have as small a footprint on the server as possible. One of the selling points is to lower bandwidth by blocking spam requests. No images, CSS or pretty allowed at all.

The flip side of this argument is that legitimate users who get this page will have an experience that’s lacking in, ahem, quality.

You can change the look of the page by editing ‘banned.inc.php’. It should be pretty self explanatory once you open the file what needs to be done.

If you want, you can also change the response messages. Those are stored in ‘responses.inc.php’.

Well, that about does it; there’s more to Bad Behavior but this series pretty well covered all the good parts.

This will be my last post on Bad Behavior; I swear.

More Bad Behavior

By default, if all you do is follow the instructions laid out in the first post you’ll have a working setup. For some of the cooler logging functionality you’re going to have to edit the included file ‘bad-behavior-generic.php’.

I’ve been feeling kind of down on Bad Behavior about this process for a few days now. It seemed kind of lame that they came up with such a great idea, wrote a really cool script but then killed the implementation. After working with the script for a couple days it’s starting to make some sense but not really enough to convince me it shouldn’t have been done.

To help others who’ve had this delima, I’ve compiled a list of steps to get Bad Behavior logging up and running.

Install Bad Behavior

The first thing you’re going to want to do is create a database and add the connection code to your version of ‘bad-behavior-generic.php’.

Here’s the SQL:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

CREATE TABLE IF NOT EXISTS `bb_logs` (
  `id` int(11) NOT NULL auto_increment,
  `ip` text NOT NULL,
  `date` datetime NOT NULL default '0000-00-00 00:00:00',
  `request_method` text NOT NULL,
  `request_uri` text NOT NULL,
  `server_protocol` text NOT NULL,
  `http_headers` text NOT NULL,
  `user_agent` text NOT NULL,
  `request_entity` text NOT NULL,
  `key` text NOT NULL,
  PRIMARY KEY  (`id`),
  KEY `ip` (`ip`(15)),
  KEY `user_agent` (`user_agent`(10))
)

For this simple demo I’m going to use the native php functions but it’s more than likely you’ll have a database class. I put the below directly past the comments above any function declaration:

33
34
35
36
37
38
39
40
41
42

$link = mysql_connect('localhost', 'user_name', 'password');
if (!$link) {
   die('Not connected : ' . mysql_error());
}
 
// make foo the current db
$db_selected = mysql_select_db('bad_behavior', $link);
if (!$db_selected) {
   die ('Can\'t use foo : ' . mysql_error());
}

Next, you need to populate the skeletal functions with their appropriate code:

60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100

// Return current time in the format preferred by your database.
function bb2_db_date() {
	return gmdate('Y-m-d H:i:s');	// Example is MySQL format
}
 
// Return affected rows from most recent query.
function bb2_db_affected_rows() {
	return mysql_affected_rows();
}
 
// Escape a string for database usage
function bb2_db_escape($string) {
	return mysql_real_escape_string($string);
}
 
// Return the number of rows in a particular query.
function bb2_db_num_rows($result) {
	if ($result !== FALSE)
		return mysql_num_rows($result);
	return 0;
}
 
// Run a query and return the results, if any.
// Should return FALSE if an error occurred.
// Bad Behavior will use the return value here in other callbacks.
function bb2_db_query($query) {
	return mysql_query($query);
}
 
// Return all rows in a particular query.
// Should contain an array of all rows generated by calling mysql_fetch_assoc()
// or equivalent and appending the result of each call to an array.
function bb2_db_rows($result) {
	return mysql_fetch_assoc();
}
 
// Return emergency contact email address.
function bb2_email() {
	// return "example@example.com";	// You need to change this.
	return "badbots@ioerror.us";	// You need to change this.
}

Then you’ll also need to place a call to close the database connection at the bottom of the script. Place the below on the very last line:

160

mysql_close();

Doing that will make sure you don’t have any rogue connections eating up your queue.

Once the above is complete you should have a fully setup and working install of Bad Behavior.

In case anyone has any issues with the above I’ve prepared a stand alone version of the script anyone can download bad-behavior-generic.

It should also be noted that incorporating a database into your Bad Bahavior installation ups the load on every request (which may be why it’s not in there by default). You just have to choose whether the need for logging out weighs the increased load. For me, it did.

There are a couple tactics for combating this sort of thing; some sites require registration to comment, some people manually delete the stuff and some sites use technology to help.

Bad Behavior

What to do? What to do…?

Well, I don’t think it’s a good idea to add barriers in front of users participating in a discussion, so registration is out. I’m pretty lazy and don’t want to manually delete comment spam so moderation isn’t going to work. I am a programmer though so I have an innate confidence in technology to deal with this (mostly anyway). To that end I like to use 2 different services to deal with comment spam; Akismet, which I’m not going to talk about now, and Bad Behavior.

According to the official site:

Bad Behavior complements other link spam solutions by acting as a gatekeeper, preventing spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place. This keeps your site’s load down, makes your site logs cleaner, and can help prevent denial of service conditions caused by spammers.

Thankfully, there are already WordPress plugins for both Akismet and Bad Behavior, so my blog is pretty well protected, but I also work on custom programs and need to protect them too. This got me thinking about how to to get Bad Behavior up and running on your systems; which is why you’re here I’m sure.

Like most things php, installing Bad Behavior is pretty easy. To install just download the files, unzip and place the files somewhere in your applications include path. Then just include the below preferably in a file included in all your pages after you upload the files. Using the below will only protect your site

1
2
3
4

<?php
$path_to_bb = '/path/to/';
require_once("$path_to_bb/bad-behavior-generic.php");
?>

The above is nice and all; your site’s pretty well protected from there but it would be nice to know what was happening behind the scenes. Just how many spam attempts are being blocked?

Bad Behavior does include a logging system but, oddly, at the time of this writing using 2.0.26, they don’t include any sort of install script. The instructions state:

If you just can’t live without logging, you will need to provide a database connection. Bad Behavior uses callbacks whenever it needs to run a database query; in order to provide this functionality, you will need to provide the appropriate hooks into your PHP-based software’s database and add them into the bad-behavior-generic.php file. The code has stub functions which show what is needed, and you can use the bad-behavior-wordpress.php file as an example to work from, though your implementation will necessarily be different.

I’ll go into detail in the next post; I’m still sick so I can’t write anymore.