
#1 2016-04-20 6:01 am

cwk
Member
Registered: 2009-02-04
Posts: 8

Current (2016) status of ZB Block?

I've been away from webmastering a bit.  I have used ZB Block in the past, but when I went over to get the downloads for a new install, it looks like the code itself is at least two years old.  It appears that current pattern files are being generated, but the core code itself is unchanged and Zaphod appears to have bowed out.  That being the case,

  • What's the current opinion of this group of ZB Block?

  • Are there other similar PHP Preprocessors?

  • How would you suggest protecting a Joomla! 3.5.x site from roachbots?

Thanks to this enterprise for allowing me to confidently flag a raft of bogus users.  Any suggestions and advice (including RTFM -- with thanks for a pointer to TFM).

Chris

Offline

#2 2016-04-20 8:58 am

Maikuolan
Member
From: Perth, Western Australia
Registered: 2011-08-09
Posts: 799
Website

Re: Current (2016) status of ZB Block?

Zap seems to have taken an indefinite hiatus from Spambot Security and ZB Block, for until such a time that only he himself could answer. However, that said, although the main package and mainlined signatures haven't been updated in a few years, the community is actively maintaining the signatures via the Spambot Security forums and via some forks of the signatures that I've been regularly updating whenever I get the chance.

Those forks, if interested, can be found here (but be sure to read the description/information on the page under the "What is this repository?" header before using them):
https://github.com/Maikuolan/zbb-badip-fork
https://github.com/Maikuolan/zbb-dirty30-fork

Additionally, there's a new tool that I've recently developed called "CIDRAM", which can also offer protection against bots such as how ZB Block does. It's conceptually and structurally very similar (although not identical) to ZB Block, and is an effective and reliable replacement for the IP/CIDR blocking functionality that ZB Block would normally provide (this functionality is responsible for blocking a good number of bots and undesirable traffic, although it is definitely not the only means by which ZB Block will stop bots and undesirable traffic), but it isn't a complete replacement for ZB Block in that, whereas ZB Block is an all-round PHP-based firewall solution, CIDRAM is a PHP-based firewall solution specialising in blocking CIDRs/IPs (and so, blocking things like malicious user agents, refspam, XSS, SQLi, etc, are outside of its scope and intended purpose). It has some additional benefits in regards to blocking CIDRs/IPs, too.

A quick comparison of the two:

ZB Block
- Supports only IPv4.
- Can process CIDRs quickly, but slower than CIDRAM.
- Not recommended to use for very large numbers of CIDRs/IPs.
- General all-round solution that will protect against SQLi, XSS, refspam, bad UAs, etc.
- Writing signatures is easy, but still requires *some* minimal PHP confidence.
- PHP5 is fully supported.
- Currently available versions of PHP7 are *mostly* supported (I've thoroughly tested both ZB Block and CIDRAM against all currently available versions of PHP7; At minimum, there's one line of code in ZB Block that will require modifying in order to be 100% compatible with PHP7, equal to about 3 bytes of difference; this isn't difficult to implement, though).
- Not compliant with PSR-1 and PSR-2 (PHP coding standards).

CIDRAM
- Supports both IPv4 and IPv6.
- Can process CIDRs much faster than ZB Block.
- Good with very large numbers of CIDRs/IPs.
- Specialised solution that will block unwanted CIDRs, but won't help against SQL, XSS, bad UAs, etc (because CIDRAM was originally intended to deal purely with CIDRs/IPs, I doubt I'll ever build functionality into it for dealing with things like UAs, refspam, etc, because I want to avoid scope-creep, if possible).
- Writing signatures is *very* easy, and doesn't require *any* PHP knowledge or experience (documentation for writing new signatures is included in the package).
- Requires PHP >= 5.3.0 (earlier versions not supported).
- Currently available versions of PHP7 are supported.
- Compliant with PSR-1 and PSR-2 (PHP coding standards).

If you're interested, the package can be found here:
https://github.com/Maikuolan/CIDRAM

For everything else that ZB Block provides (SQLi, XSS protection, etc), there are a *few* other solutions available which are still being regularly maintained (although, whether they're better or worse than ZB Block, could be debatable).

It's possible to still maintain signatures manually by exchanging information with other members of the community, so, even if the package isn't being actively maintained by the original author, for the most part, ZB Block can still be kept mostly up-to-date (so far as signatures go), and so, isn't entirely nonviable, simply because of the original author taking a hiatus. :-)

NinjaFirewall and fail2ban are two other solutions that you could also try:
http://nintechnet.com/ninjafirewall/
http://www.fail2ban.org/wiki/index.php/Main_Page

Also note: All four of the solutions mentioned so far (ZB Block, CIDRAM, NinjaFirewall, fail2ban), to my knowledge, are mutually compatible and shouldn't interfere with each other, so, if you wanted to do so, in theory, you should be able to run them all (though whether you wanted to do something like this, is up to you, and mightn't be necessary).

In any case.. There are always ways to keep out the roachbots. :-)

Offline

#3 2016-04-20 2:31 pm

cwk
Member
Registered: 2009-02-04
Posts: 8

Re: Current (2016) status of ZB Block?

Thanks for the prompt and thorough answer!  It's exactly what I needed.  I never had any trouble with ZB Block, particularly with a generally non-technical North American user base, so I'll stick with it.  The concept is sound, and frankly, I'm surprised it isn't a standard.

Cheers!

Chris

Offline

#4 2016-04-20 3:11 pm

Maikuolan
Member
From: Perth, Western Australia
Registered: 2011-08-09
Posts: 799
Website

Re: Current (2016) status of ZB Block?

No worries, happy to help. :-)

Offline

#5 2016-04-20 9:05 pm

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Current (2016) status of ZB Block?

I am using the 2 year old version of zbblock, but in spite of it being a little old, it is keeping 99% of the worst bots and botnets out. In fact, just the other day on a forum that I had left "open", partly with intentions of submitting the spammers that registered and posted to the database... anyway, that got old, and I was getting hit with a wave of the same old Russian garbage bots, but most were just registering, but not posting, so nothing to submit... anyway, I noticed they are all listed here as well anyway... so anyway, I got tired of looking at new registrations that always were Russian garbage bots, and decided to start zbblock again and it has them all stopped.
It was either that, or just ban/block the entire Russian IP blocks, I wouldn't miss anything, nothing good ever comes from Russia anyway. But they also mostly are using "cloud servers" and Tor browsers, so the IPs are not necessarily Russian, and zbblock seems very good at blocking those as well.
So anyway, it seems to be working pretty good still.

Offline

#6 2016-04-30 11:58 am

carbonize
Member
Registered: 2010-12-14
Posts: 231

Re: Current (2016) status of ZB Block?

To be honest I have always felt that ZB Block is in need of a major rewrite to improve its speed and reduce its footprint. I'm not a big fan of how it blocks entire ISPs because it is believed they have spammers using them. I also wonder how often older signature entries are checked to see if they are still relevant.

Offline

#7 2016-04-30 12:31 pm

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 7,054

Re: Current (2016) status of ZB Block?

Some of the IPv6 range checks can be made considerably faster with GMP. I'll dig out some code.

Offline

#8 2016-04-30 2:45 pm

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Current (2016) status of ZB Block?

I'm not a big fan of how it blocks entire ISPs

I don't think it does that, unless you configure it that way, and I would like to be able to do that, but not sure how.
For example, these Russians, nothing good comes from them, they are all spammers, I wish I could just block all of them.
I suppose part of the problem is a lot of them use Cloudflare and other cloud services, or Tor browsers, so the ISP is not necessarily Russian.
But anyway, it still is doing pretty good, about 90% are getting blocked, and most of those are based on the:

I also wonder how often older signature entries are checked to see if they are still relevant.

most are based on the "older signatures".
It does seem like I need to figure out how to add some new signatures,  I guess maybe I should check at the zbblock forum and see about getting some help with that.

Offline

#9 2016-04-30 3:14 pm

Maikuolan
Member
From: Perth, Western Australia
Registered: 2011-08-09
Posts: 799
Website

Re: Current (2016) status of ZB Block?

carbonize wrote:

I also wonder how often older signature entries are checked to see if they are still relevant.

Since Zap's absence, I've been keeping the CIDR-based signatures up-to-date, and doing my best to ensure that they remain relevant, without diverging too much from the overall structure already implemented by Zap; A few sections have been removed from my forked copies of these files, and quite a few added. I haven't touched any of the others, though (in my own opinion, ideally, there are quite a few areas where signatures could be removed, such as with outdated refspam signatures, for example, which I feel have such a short half-life that they shouldn't really be kept permanently, unless there's evidence to suggest continued positives for these; I'm not sure if suggesting removing things like this would be well-received by others though, and they're all a part of the main signatures file anyhow, which I haven't touched as of yet; I've just been keeping the "badip" and "dirty30" up-to-date).

GarryRicketson wrote:

For example, these Russians, nothing good comes from them, they are all spammers, I wish I could just block all of them.

Might be worth checking out Macmathan's optional range blocks, if this is something you want to do; These optionally can be added to ZB Block in addition to the signature files included as standard, and he has one there for Russia. :-)

Edit: Forgot to include the link.

Here you go -> http://macmathan.info/zbblock-range-blocks

Last edited by Maikuolan (2016-04-30 3:15 pm)

Offline

#10 2016-05-01 12:42 am

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Current (2016) status of ZB Block?

Thanks,
I will look at that.

Offline

#11 2016-05-08 8:16 pm

carbonize
Member
Registered: 2010-12-14
Posts: 231

Re: Current (2016) status of ZB Block?

GarryRicketson wrote:

I'm not a big fan of how it blocks entire ISPs

I don't think it does that, unless you configure it that way, and I would like to be able to do that, but not sure how.

It does it and it does it by default.

$ax += rmatch($hoster,'exatt.net',"Bad ISP, allows bots to run loose, hides fact it's in Mumbai, India (HN-0038). ");
$ax += rmatch($hoster,'isnet.net','South African Bothosts (HN-0047). ');
$ax += rmatch($hoster,'tiscali.it','tiscali, constant source of forum spam attempts (HN-0048). ');
$ax += rmatch($hoster,'dragonara.net','Spamjockey ISP... GO AWAY! (HN-0049). ');
$ax += rmatch($hoster,'hinet.net','Taiwanese ISP with a history of uncontrolled attacks (HN-0053). ');
$ax += rmatch($hoster,'chello.pl','Problematic ISP/Host, constant source of attacks (HN-0054). ');
$ax += rmatch($hoster,'bezeqint.net','ISP with a bad reputation, and heavy spam record (HN-0072). ');

And they have only just removed asianet.co.th

Offline

#12 2016-05-08 11:15 pm

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 2,420
Website

Re: Current (2016) status of ZB Block?

My past experience is, most certainly, that if a host is bad then most of those hosted within it are bad. Inevitably, there will be an innocent in the middle, hunkered down, trying to work out why all this muck 'n' bullets keeps flying over their heads & wetting their trouser-bottoms. However, the overhead of finding a netblock is pretty much the same as finding a single IP, and the host-master needs to decide whether to block by CIDR (which means blocking entire hosts) or by single IPs. Zap – and every other sane webmaster – does it by CIDR.

Offline
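The point above about a netblock lookup costing about the same as a single-IP lookup, sketched in PHP as an added example (not part of the original post, and not ZB Block or CIDRAM code). The function names and the blocklist are hypothetical, every range is a documentation network, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: not ZB Block or CIDRAM code. Function names and the sample
// blocklist are hypothetical; every range is a documentation network.
// Assumes PHP 7.1+ (scalar type hints, nullable return type, intdiv).

// True if $ip lies inside $cidr. IPv4 and IPv6 share one code path, and a
// bare address with no "/len" is treated as a single-host block (/32, /128).
function ip_in_cidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    $addr  = @inet_pton($ip);        // 4 or 16 raw bytes, false if invalid
    $net   = @inet_pton($parts[0]);
    if ($addr === false || $net === false || strlen($addr) !== strlen($net)) {
        return false;                // unparsable, or IPv4 vs IPv6 mismatch
    }
    $maxBits = strlen($net) * 8;
    $bits    = $maxBits;
    if (isset($parts[1])) {
        if (!preg_match('/^\d{1,3}$/', $parts[1]) || (int)$parts[1] > $maxBits) {
            return false;            // malformed prefix length: never match
        }
        $bits = (int)$parts[1];
    }
    // Compare the whole bytes covered by the prefix, then the leftover bits.
    $whole = intdiv($bits, 8);
    if (substr($addr, 0, $whole) !== substr($net, 0, $whole)) {
        return false;
    }
    $rest = $bits % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($addr[$whole]) & $mask) === (ord($net[$whole]) & $mask);
}

// Return the reason text of the first matching entry, or null if none match.
// Keeping a reason per entry lets an operator see exactly which range fired.
function first_block_reason(string $ip, array $blocklist): ?string
{
    foreach ($blocklist as $cidr => $reason) {
        if (ip_in_cidr($ip, $cidr)) {
            return $cidr . ': ' . $reason;
        }
    }
    return null;
}

// Constructed blocklist (RFC 5737 / RFC 3849 documentation ranges only).
$blocklist = [
    '192.0.2.0/24'    => 'example netblock entry',
    '198.51.100.7'    => 'example single-IP entry',
    '203.0.113.64/26' => 'example partial-octet netblock',
    '2001:db8::/32'   => 'example IPv6 netblock entry',
];

$samples = ['192.0.2.200', '198.51.100.7', '198.51.100.8',
            '203.0.113.100', '203.0.113.130', '2001:db8:1::5', '2001:db9::1'];
foreach ($samples as $ip) {
    $hit = first_block_reason($ip, $blocklist);
    echo str_pad($ip, 16), $hit === null ? 'allowed' : 'blocked by ' . $hit, "\n";
}
```

An IPv4-mapped IPv6 client address (`::ffff:a.b.c.d`) parses to 16 bytes and will not match an IPv4 entry here, so normalise such addresses before the lookup if the server can report them.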

#13 2016-05-08 11:36 pm

zero-tolerance
Member
Registered: 2013-02-25
Posts: 339

Re: Current (2016) status of ZB Block?

carbonize wrote:

I'm not a big fan of how it blocks entire ISPs because it is believed they have spammers using them.

I have a forum member on tiscali.it listed above. Tiscali in Italy have more than a million IP addresses. Blocking them all would be unfortunate.

I also have several members on proxad, an ISP which is apparently not well liked on SFS, according to the removal page here.

Generally speaking, if you're dealing with an ISP with millions of IP addresses, a small fraction will be spammers. If the ISP is large, that means lots of spammers. But the ratio of spammers to non-spammers may be much lower than that of smaller ranges.

Blocking CIDRs is a very popular approach, and one I'm very happily managing without.

Offline

#14 2016-05-09 1:46 am

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 2,420
Website

Re: Current (2016) status of ZB Block?

zero-tolerance wrote:

Tiscali in Italy have more than a million IP addresses. Blocking them all would be unfortunate.

If a sufficient percentage were spammers then you would be justified in blocking the lot.

The SFS algorithm is supposed to weight blocks in a sufficiently clever manner to allow you (or anyone else) to make an informed choice. I appreciate that few webmasters may make use of that aspect, probably due to ignorance.

Offline

#15 2016-05-09 2:55 am

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Current (2016) status of ZB Block?

It is very easy to comment out, or completely remove a line, that blocks a certain ISP, if you really want to:


$ax += rmatch($hoster,'exatt.net',"Bad ISP, allows bots to run loose, hides fact it's in Mumbai, India (HN-0038). ");
$ax += rmatch($hoster,'isnet.net','South African Bothosts (HN-0047). ');

$ax += rmatch($hoster,'dragonara.net','Spamjockey ISP... GO AWAY! (HN-0049). ');
$ax += rmatch($hoster,'hinet.net','Taiwanese ISP with a history of uncontrolled attacks (HN-0053). ');
$ax += rmatch($hoster,'chello.pl','Problematic ISP/Host, constant source of attacks (HN-0054). '); 

In the above,

$ax += rmatch($hoster,'tiscali.it','tiscali, constant source of forum spam attempts (HN-0048). ');

Is removed, they will no longer be blocked.

Offline

#16 2016-05-13 7:38 pm

carbonize
Member
Registered: 2010-12-14
Posts: 231

Re: Current (2016) status of ZB Block?

GarryRicketson wrote:

It is very easy to comment out, or completely remove a line, that blocks a certain ISP, if you really want to:


$ax += rmatch($hoster,'exatt.net',"Bad ISP, allows bots to run loose, hides fact it's in Mumbai, India (HN-0038). ");
$ax += rmatch($hoster,'isnet.net','South African Bothosts (HN-0047). ');

$ax += rmatch($hoster,'dragonara.net','Spamjockey ISP... GO AWAY! (HN-0049). ');
$ax += rmatch($hoster,'hinet.net','Taiwanese ISP with a history of uncontrolled attacks (HN-0053). ');
$ax += rmatch($hoster,'chello.pl','Problematic ISP/Host, constant source of attacks (HN-0054). '); 

In the above,

$ax += rmatch($hoster,'tiscali.it','tiscali, constant source of forum spam attempts (HN-0048). ');

Is removed, they will no longer be blocked.

Except a lot of users are not that savvy and there is no easy settings for ZBBlock. It should run a configuration script at the start that allows users to activate/deactivate the various types of blocks as well as decide which ISPs they wish to block.

Offline

#17 2016-05-14 10:48 am

Maikuolan
Member
From: Perth, Western Australia
Registered: 2011-08-09
Posts: 799
Website

Re: Current (2016) status of ZB Block?

carbonize wrote:

Except a lot of users are not that savvy and there is no easy settings for ZBBlock. It should run a configuration script at the start that allows users to activate/deactivate the various types of blocks as well as decide which ISPs they wish to block.

That, I do agree with.

I doubt it'll happen unfortunately, due to stagnation of development at this point. At the least, I'm aiming to not have similar problems in regards to my own little firewall script (CIDRAM), by way of implementing something like this (already partially implemented, but there are still some things yet to be done; although, due to that CIDRAM is only intended for blocking CIDRs and not intended for blocking hostnames -- unlike ZB Block which blocks on the basis of a much wider range of vectors, including user agents, CIDRs, hostnames, queries and some other things -- there probably won't be as much to worry about as there would be for ZB Block in that regard).

In any case, ideally, making things as easy as possible for the end-user and including ways to configure things easily are definitely good ideas.

Offline

#18 2016-08-26 9:45 am

zaphod
Jägermonster
From: USA
Registered: 2008-11-22
Posts: 2,985
Website

Re: Current (2016) status of ZB Block?

Maikuolan wrote:

Zap seems to have taken an indefinite hiatus from Spambot Security and ZB Block, for until such a time that only he himself could answer. However, that said, although the main package and mainlined signatures haven't been updated in a few years, the community is actively maintaining the signatures via the Spambot Security forums and via some forks of the signatures that I've been regularly updating whenever I get the chance.

I wish I could say when I would come off this hiatus, but this current job, and life in general has eaten my life. Honestly, I make as much in 4 weeks at this job, as ZB Block provided me throughout its life. So what I would like to do, is deliver ZB Block into the hands of someone with time to maintain it and rewrite it. IPv6 is so important, that ZB Block really can't be "all that" in the face of it. So, what I would like to do is allow the project to drop into the hands of someone who has the time.

Perhaps a 3rd level domain name like github.spambotsecurity.com redirecting to an official ZB Block dev site would be an answer.  I need to know who will be project head, and I will have to deliver into their hands the "keys" if you will to editing the site on the server to fix the outdated pages and such.  The only credit I want in any future rewrites or forks is "Inspired by ZB Block originally by Zaphod/Mike H./AE7EC".  Just please please please keep it GPL!

I'll try to look back in, in a couple of days, to see where this goes.

(And yes, I am doing science and I'm still alive!)


Get Protected, Stay Protected...
With ZB Block, GNU/GPL Freeware Anti-Spam/Anti-Hack protection for your php based website.

Little boxes in the server farm, little boxes running php...

Offline

#19 2016-08-26 8:51 pm

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Current (2016) status of ZB Block?

(And yes, I am doing science and I'm still alive!)

That is good to hear,
Good to hear from you, and hopefully everything is going ok.

Offline

#20 2016-09-30 1:30 am

Mrwilson
Member
From: Knoxville Tn
Registered: 2009-03-04
Posts: 55
Website

Re: Current (2016) status of ZB Block?

I hope someone does take  ZB Block over and continues it. As far as I am concerned, Zap is a hero and a fine fellow, and deserves a great deal of credit for what he has done.

I am still using it


Hooked on ZB Block

Offline

#21 2018-06-16 11:27 am

Snowhog
Member
From: Minnesota
Registered: 2012-09-09
Posts: 60
Website

Re: Current (2016) status of ZB Block?

Almost two years since zaphod posted about transferring the reins of ZB Block to 'someone else'. It doesn't appear as if that has occurred, unfortunately.

Has he followed up on that, with anyone?


Administrator - Kubuntu Forums . Net
"It is a capital mistake to theorize before one has data." - Sherlock Holmes
Using Kubuntu Linux since March 23, 2007

Offline

#22 2018-06-16 2:02 pm

Maikuolan
Member
From: Perth, Western Australia
Registered: 2011-08-09
Posts: 799
Website

Re: Current (2016) status of ZB Block?

Has he followed up on that, with anyone?

Nope. SBS is effectively dead at this point too (forums are defunct due to continued server problems which were never properly addressed, continue to go unaddressed, and can't be accessed at all at this point; PHP errors everywhere on the SBS website as a whole, too). I'm not holding my breath on it ever happening either.

No idea whether Zap is aware of this or not (I suspect, probably not), but JamesC has taken it upon themselves to continue maintaining the project. Their work can be found here.

Worth noting, that most (but not all) of the links I'd posted earlier in this discussion have since either become defunct too, or relocated elsewhere.

CIDRAM continues to be available at the same place as it has always been (link can be found earlier in the discussion, or in my forum signature).

My "badip" and "dirty30" forks, I've long since officially deprecated, and the associated repositories have long since been deleted. Taking over their former role, is the "zb" section of my "Exports" repository, which can be found here.

The ZB Block signatures contained in my "Exports" repository are intended for use with ZB Block 0.6.0 and onward. 0.4.10a3 marks the final official ZB Block release by Zaphod; Newer versions since then have been released by JamesC, available via the above-posted link for the continuation of the project.

Macmathan's optional blocklists have also been moved, and can now be found here (note: the way to use them with ZB Block has changed a little in recent months, so it would be good to read the associated documentation for them prior to using them with ZB Block).

Offline

#23 2018-06-16 2:10 pm

Snowhog
Member
From: Minnesota
Registered: 2012-09-09
Posts: 60
Website

Re: Current (2016) status of ZB Block?

Thank you. Yes, the SpambotSecurity website is fully non-functional, and yes, either Zap is unaware of it or simply no longer cares (enough) to address it. It's sad, really, but he does have a life, and it currently consumes all of his time, leaving none for ZB Block.

I'm aware of the continuation of ZB Block that JamesC has undertaken. I might end up converting over to his project, as it, at least, is being actively maintained.


Administrator - Kubuntu Forums . Net
"It is a capital mistake to theorize before one has data." - Sherlock Holmes
Using Kubuntu Linux since March 23, 2007

Offline

#24 2018-06-16 2:18 pm

Maikuolan
Member
From: Perth, Western Australia
Registered: 2011-08-09
Posts: 799
Website

Re: Current (2016) status of ZB Block?

Possibly also useful, for anyone considering which version of ZB Block and/or CIDRAM to use (in terms of compatibility concerns with whichever various versions of PHP, what will/won't where and so on): Compatibility Charts.

Offline

#25 2018-06-17 4:59 pm

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Current (2016) status of ZB Block?

Already mentioned in this thread: Has anyone heard from Zap---

Maikuolan >>

Not me, at least.

JamesC has continued development of ZB Block here though, so it looks like the project isn't quite dead yet. ;-)

But as for Zap? No idea at all, unfortunately.

"JamesC has continued development of ZB Block "
Here:
http://zb-block.net/zbf/

I have looked at the forum (the new one) and others are still participating and active.

When Zap started this thread, nobody responded to volunteer; if anyone sent him a PM, we would not know, since Private Message (PM) is private. I considered offering, but did not feel I was qualified.
The website "SpambotSecurity" (http://www.spambotsecurity.com/), and old forum is pretty much broken, so it is obvious no one is taking care of the website.
As far as this goes:

zaphod>> SO, what I would like to do is allow the project to drop into the hands of someone who has the time.

Obviously, with the new forum that JamesC  has, at the above url and the work Maikuolan is doing, the "project" has gone into the hands of not just "some one" but "others" that do have the time.

==== off topic =====
When I try to connect just now, to (http://zb-block.net/zbf/), I was blocked, so it is clear that JamesC is using zbblock for the site, and it is working.

The reason(s) your connection was interrupted are:
Generic bot detection:open (UA.G26). 

 

Zap and I had problems with my ISP in the past, and he had to "white list" me so I could access, but anyway, that is another topic.

Offline
