I tripped across ZB BLOCK (http://www.spambotsecurity.com/zbblock.php) (a GPL V2 PHP Protection Script) this week by accident and have been pretty impressed at what all it does, completely for FREE. Anyway, for those unaware I just wanted to share the information so they could beef-up their own website's security against all the various nasty's out there.

ZB BLOCK
Don't let the robots in the door!
A GPL V2 PHP Protection Script for your site.


This php security script is designed to detect certain behaviors detrimental to websites, or known bad addresses attempting to access your site. It then will send the bad robot (usually) or hacker an authentic 403 FORBIDDEN page with a description of what the problem was. If the attacker persists, then they will be served up a permanently reccurring 503 OVERLOAD message with a 24 hour timeout.

What ZB Block is Excellent at:
Saves money by reducing hacker bandwith usage! (by 2,500% on this site's index page alone!)
Strengthing your site against defacement.
Preventing PHP script exploitation.
Ending Remote File Include (RFI) exploits.
Protecting against directory traversal attacks.
Stopping MySQL database injection and tampering.
Removing access from known bad addresses and domain names.
Blocking access from top level domains, like .cn (China) and .kp (North Korea).What ZB Block is Good at:
Avoiding website scraping/content theft.
Deterring bad user agents.
Halting referrer spam.
Impeding some Cross Site Scripting (XSS) attacks.What ZB Block will not do:
Protect non-PHP pages.
Stop access to non-exploitable resource files like .gif, .jpg, or .swf .ZB Block is also fast, not only does ZB Block check for over 100,000,000 bad IPs/Hostnames and many thousands of bots, but standard execution times are around 1/10th of a second on an aged PIII 930, which is unnoticeable to the web surfer. This anti-exploit / anti-'sploit / anti-hacking / anti-injection script should find many uses around the web as it's good at detecting, and stopping exploitation probes from many of the worst known skript kiddie tools. Moderator(s), MOVE this thread to wherever you think it will do the most good for fellow vB Adminstrators.

In just a couple of days, ZB BLOCK (http://www.spambotsecurity.com/zbblock.php) has denied over 1,000 bad-bot behaviors on my website. Below is a sampling of my logs as a result of having it installed...

#: 14 @: Wed, 24 Nov 2010 00:39:55 -0500
Host: ks310145.kimsufi.com
IP: 188.165.200.113
Score: 1
Why blocked: kimsufi, forum spambots. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322)


#: 17 @: Wed, 24 Nov 2010 00:42:16 -0500
Host: ec2-174-129-146-20.compute-1.amazonaws.com
IP: 174.129.146.20
Score: 1
Why blocked: Amazon Web Services. Not an ISP. Used by hackers, Keyword spamming SEO bots, and other unsavories. Checked for bypass.
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)


#: 23 @: Wed, 24 Nov 2010 00:54:54 -0500
Host: 221.194.132.229
IP: 221.194.132.229
Score: 1
Why blocked: No registrations, or logins, from hosts listed as hostile on http://www.stopforumspam.com/ (remote). . .
Query: do=register
User Agent: Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)


#: 28 @: Wed, 24 Nov 2010 01:42:22 -0500
Host: 61.135.167.74
IP: 61.135.167.74
Score: 1
Why blocked: Your computer is infected with Trojan Downloader tencenttraveler . Go to http://www.safer-networking.org and get Spybot Search & Destroy, clean your machine, then come back.
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;TencentTraveler)


#: 35 @: Wed, 24 Nov 2010 02:08:52 -0500
Host: 212-95-58-200.local
IP: 212.95.58.200
Score: 1
Why blocked: Ecatel/internetserviceteam.com/netdirekt e.K./NetDirect/jmhservices.com notorious forum spammers. .
Query: tag=tandem
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]


#: 47 @: Wed, 24 Nov 2010 02:30:43 -0500
Host: crawl5.dotnetdotcom.org
IP: 208.115.111.246
Score: 4
Why blocked: Dotbot - Paid Service SEO Service (Keyword Spamming Aides). SEOMOZ keyword scraper. Bad search spider. Ignores robots.txt. Offers an explosive .zip to those who try to use their services. Dotbot - Paid Service SEO Service (Keyword Spamming Aides).
Query: ?
User Agent: Mozilla/5.0 (compatible; DotBot/1.1; http://www.dotnetdotcom.org/, crawler@dotnetdotcom.org)


#: 55 @: Wed, 24 Nov 2010 02:40:40 -0500
Host: ip-212-117-169-11.server.lu
IP: 212.117.169.11
Score: 1
Why blocked: Forum spamming bot, real announces as "AOL". .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1; SV1; .NET CLR 1.1.4322)


#: 104 @: Wed, 24 Nov 2010 05:27:45 -0500
Host: serwer.exforum.pl
IP: 188.40.49.199
Score: 1
Why blocked: Referer code injection thru referer logging attempt, ++ after php, should be ? or +. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)


#: 113 @: Wed, 24 Nov 2010 05:45:36 -0500
Host: 178.73.204.111
IP: 178.73.204.111
Score: 1
Why blocked: Windows 95 is unusable. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; MSIECrawler)


: 122 @: Wed, 24 Nov 2010 07:05:02 -0500
Host: fiberlink-37-136.mioveni.rdsnet.ro
IP: 79.116.136.37
Score: 1
Why blocked: Bothost and/or Server Farm. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)


#: 183 @: Wed, 24 Nov 2010 11:51:53 -0500
Host: 213.186.120.196.utel.net.ua
IP: 213.186.120.196
Score: 1
Why blocked: RBN.
Query: do=markread&markreadhash=guest
User Agent: Mozilla/5.0 (compatible; SiteBot/0.1; +http://www.sitebot.org/robot/)


#: 263 @: Wed, 24 Nov 2010 15:09:09 -0500
Host: 195.162.68.27
IP: 195.162.68.27
Score: 1
Why blocked: Your computer is infected with spyware/mail.ru_agent . Go to http://www.safer-networking.org and get Spybot Search & Destroy, clean your machine, then come back. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.3 (build 01218); .NET CLR 1.1.4322)


#: 323 @: Wed, 24 Nov 2010 21:29:54 -0500
Host: 131.51.150.178.triolan.net
IP: 178.150.51.131
Score: 1
Why blocked: RFI attack/SQL injection (nested percents, level 1). . .
Query: f=25%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2BResult:%2B%25 25E7%2525E0%2525F0%2525E5%2525E3%2525E8%2525F1%252 5F2%2525F0%2525E8%2525F0%2525EE%2525E2%2525E0%2525 EB%2525E8%2525F1%2525FC%2B%252528%2525E2%2525EA%25 25EB%2525FE%2525F7%2525E5%2525ED%2B%2525F0%2525E5% 2525E6%2525E8%2525EC%2B%2525F2%2525EE%2525EB%2525F C%2525EA%2525EE%2B%2525F0%2525E5%2525E3%2525E8%252 5F1%2525F2%2525F0%2525E0%2525F6%2525E8%2525E8%2525 29%253b
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.0 Beta 1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)


#: 350 @: Wed, 24 Nov 2010 23:15:08 -0500
Host: dsl212-235-107-31.bb.netvision.net.il
IP: 212.235.107.31
Score: 2
Why blocked: ISP with a filthy reputation. netvision.net.il (filthy reputation ISP). .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; APC; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50215; InfoPath.1)


#: 574 @: Thu, 25 Nov 2010 16:21:39 -0500
Host: 179.200-62-69.ftth.dyn.surewest.net
IP: 69.62.200.179
Score: 1
Why blocked: Windows 95 is unusable. .
Query: dest=aHR0cDovL3ZpenJ0c2VydmVyLzo0MDgwL25vbmF1dGgvZ GVueS5waHA/ZGVzdD1hSFIwY0RvdkwzWnBlbkowYzJWeWRtVnlMem8wTURnd0 wyNXZibUYxZEdndlpHVnVlUzV3YUhBL1pHVnpkRDFoU0ZJd1kw UnZka3d6WkROa2VUVjVXbGRPTVdKWFNteGlibEo1WVZkU2JHTn VUWFZpTTBwdVRESmFkbU51Vm5SamVUbDZZVWM1TTJSSGFIbGFW MFpyVEc1Q2IyTkVPVEJRVkdONlRVRTlQU1pKUkQxTlZGRm5UbW M5UFNaRVFrdzkmSUQ9TVRRZ05nPT0mREJMPQ==&ID=MTQgNg==&DBL=
User Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; MSIECrawler)


#: 587 @: Thu, 25 Nov 2010 16:37:01 -0500
Host: 91-40-134-95.pool.ukrtel.net
IP: 95.134.40.91
Score: 4
Why blocked: Robot Probe. ukrtel, forum spambots. Filthy Russian Netblock. HTTP_REFERER pollution of serverlogs with spam ad word porn, we don't link from there.
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Deepnet Explorer 1.5.0; .NET CLR 1.0.3705)

#: 736 @: Fri, 26 Nov 2010 07:19:41 -0500
Host: 88.81.88.18
IP: 88.81.88.18
Score: 1
Why blocked: Referer code injection thru referer logging attempt, ++ after php, should be ? or +. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)

#: 863 @: Fri, 26 Nov 2010 13:20:06 -0500
Host: dynamic-adsl-62-10-64-128.clienti.tiscali.it
IP: 62.10.64.128
Score: 1
Why blocked: tiscali, constant source of forum spam attempts.
Query: t=1122
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)

#: 1026 @: Sat, 27 Nov 2010 04:57:09 -0500
Host: comyoucom.net
IP: 109.169.41.22
Score: 7
Why blocked: g Rapidswitch, dangerous network. POST cloaking attempt POST-17. POST print attempt POST-19. POST RFI attempt POST-28. POST username forcing attempt POST-29. POST execution wedge via bbcode POST-31.0. POST execution wedge via bbcode POST-32.
Query:
User Agent: Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)

I just stumbled across this while looking at the stopforumspam.com website. Yes, it looks interesting.

It's a TREMENDOUS add-on for any PHP based application, vBulletin included. :D Since adding it to our forums in NOV, our Bandwidth usage has dropped due to fewer spambots being able to crawl the website any longer.(see log entries in above post)

On some days, unsavory spiders had pushed our BW usage up over 1gB/day, whereas normal (for us) was around 200-300mB/day. We were faced with having to double our costs :eek: (i.e. by going to a larger hosting plan) when ZB BLOCK helped us to curtail a lot of wasted bandwidth 'some' robots were chewing up for no good reason at all. :mad:

Visit http://www.spambotsecurity.com/ for more info. :up: Highly Recommended!

This was worth reading and applying. Installed.

Lets hope this does not block out valid bots though, such as Google or valid members.

This basically will prevent anyone not welcome onto your community.

Lets hope this does not block out valid bots though, such as Google or valid members.

There are plenty of 'well-behaved' bots, crawling my site all the time. Meanwhile, as you mentioned it's preventing many unsavory 'bots access from our community.

So are you guys adding the 1 line of php code to your vBulletin files or to your major templates? (forumhome, forumdisplay, showthread)? Or is there a better place?

Well, per this thread ZB Hook (needed) only global.php? (http://www.spambotsecurity.com/forum/viewtopic.php?f=32&t=521) it's only needed in the global.php file from what I gathered.

However since I understand oh-so-little of all this -and- I'm a bit paranoid, I also added the single line of code to my index.php; login.php and register.php files as well.(overkill? probably:o)

My train of thought behind doing so was, what if someone access the register.php file directly from off-site? I wasn't sure global.php was called in that instance so I figured, better safe than sorry.

I'm sure someone more intelligent than me in how vBulletin's internals actually run could say for sure...but until then. ;)

Well global.php is definitely called by register.php and login.php, and every .php file basically besides functions (which themselves are called by global to begin with) so I'd imagine just adding to global is enough...

However it might be easy to forget to re-edit global.php on an upgrade so I'm wondering if it isn't better to put this line in a plugin on a hook in global.php instead so you don't need to worry about upgrades...

sounds pretty awesome.

I knew those china spiders were up to no good....

to be honest, I do not know a lot about spiders, but I do most
do not appear useful, and i normally see 5+ trying to register
at any given time on my forum...rather then some spiders
trying to help your forum/content grow, they would rather hurt you.

Uninstalled

I ended up getting a 503 error after using this. Odd thing is it only affected me.

...However it might be easy to forget to re-edit global.php on an upgrade so I'm wondering if it isn't better to put this line in a plugin on a hook in global.php instead so you don't need to worry about upgrades...

Ah, yeah, that sounds like a great idea to me...whatever it was you said?! :erm:

Seriously though if/when you do that, post some details so a non-coder could work their way through the same process. :up:

Uninstalled

I ended up getting a 503 error after using this. Odd thing is it only affected me.

That sucks...

I added the line at the very top of global.php

not sure how long it supposed to take for it to work...

I still have 20+ spiders online, and google.com and googlebot.com
have prevention signs preventing them from doing something, so I
am not sure if they were like that before I added the line or not...

the hook method sounds like it would be a good idea to implement...

--------------- Added 1292559903 at 1292559903 ---------------

I guess it is working..nice...

#: 1 @: Thu, 16 Dec 2010 21:55:46 -0600

Host: 211.43.152.16

IP: 211.43.152.16

Score: 1

Why blocked: Korean Suspicious.

Query: f=0

Referer:

User Agent: Mozilla/5.0 Firefox/3.0.5

Reconstructed URL: http:// bizwebforum.com /forumdisplay.php?f=0



#: 2 @: Thu, 16 Dec 2010 21:56:17 -0600

Host: ec2-75-101-167-57.compute-1.amazonaws.com

IP: 75.101.167.57

Score: 1

Why blocked: Amazon Web Services. Not an ISP. Used by hackers, Keyword spamming SEO bots, and other unsavories. Checked for bypass.

Query:

Referer:

User Agent: Mozilla/5.0 (compatible; Firefox Addon; Windows XP 5.1)

Reconstructed URL: http:// www.bizwebforum.com /forum.php

Damn Korean hackers....

Another fine tool to help fight auto hackers and spammers.

Uninstalled

I ended up getting a 503 error after using this. Odd thing is it only affected me.

First, per the (PDF) manual...

If your page starts with HTML like...
<html>
<head>
Or perhaps even a <doctype> statement, then the proper place for ZB Block, is on the
first line like...
<?php include('yourdirectory/zbblock/zbblock.php'); ?><html>
<head>
Restating here again, that there should be NO spaces, and NO newlines where ZB Block is added.

These will not work...
<?php include('yourdirectory/zbblock/zbblock.php'); html>
<head>
This is just bad syntax and may even error the browser.
<html><?php include('yourdirectory/zbblock/zbblock.php'); ?>
<head>
This will cause an error if ZB Block tries to throw it's own 403 or 503 error, as bytes have already been sent to the output buffer.

Once again, if ZB Block exits without detection, no bytes will be added before “<!
DOCTYPE” and your page will be perfect when viewed remotely.

Oh, just in the case you didn't understand, ZB Block has to be on the first line of the source. No blank lines above it. (Some people have missed this).

Also, if the page is something.htm or something.html, you will have to rename it (and re-aim your links) to something.php for ZB Block to work. As of now, there is no safe way to use a rewrite rule to attach ZB Block to other file types.

--------------- Added 1292560586 at 1292560586 ---------------

Uninstalled

I ended up getting a 503 error after using this. Odd thing is it only affected me.

Also, from the manual...

As installed, ZB Block will work fine for most people, but a lock-out condition could
happen if you trigger the warning more than 3 times in 1 day.

So understand if you try the ?test=xtestx syntax with your browser more than 3 times, to see how it's working -and- you have not set a master password (see p3-2 of the manual), then yes you will get blocked.

Setting the master password allows you to automatically record your own IP Address into the whitelisting so you can experiment all you want w/o getting locked out.

oh yea about that password...I did enter that password url, along with password,
and all i got was a blank page...is anything supposed to happen?

and am I supposed to block off the zd directory with the htaccess file?

Yes, it takes awhile (like 20 secs or so), but then you should see a message reading:

"IP added to whitelist DB"

And yes, the INSTALL & VAULT directories should have their own .htaccess files. Mine were added upon installation, automatically.

Yes, it takes awhile (like 20 secs or so), but then you should see a message reading:

"IP added to whitelist DB"

And yes, the INSTALL & VAULT directories should have their own .htaccess files. Mine were added upon installation, automatically.

ok htaccess seems ok..

concerning the password - all i got was a blank page...

still not so sure what the password is used for.

--------------- Added 1292569550 at 1292569550 ---------------

how do I add IP'S to Whitelist?

ok htaccess seems ok..

concerning the password - all i got was a blank page...

still not so sure what the password is used for.
To my knowledge (which is limited), all it does is allow you (as the Admin) to instantly ADD your own IP Address to the Whitelist via a saved favorite or bookmark.


how do I add IP'S to Whitelist?
In the Vault Directory, edit the IPWLDB.CSV file, separating individual entries with a comma of course.

@ adwade

1) Entered the code correctly

2) Site was working fine for me for 1 1/2 days, then gave me the 503 error (after 1 1/2 days)

3) did not provide a password, as I thought if it can block me .... It can block innocent members of my community.

4) Ran the test 1x and only 1x.... 1 1/2 days before.

I like the idea behind it. But this is not for me. Maybe in the future.

I played with this today, first off I think it's better to put the 1 line of code into your config.php file, not global.php.

But I had some issues... first all AOL proxy users are blocked by default- this is not something I can live with... I found out how to unblock them in the ZBBlock forums though.

It ran well for an hour blocking about 20 requests but when I looked at the log I wasn't happy... For some reason a number of Amazon.com product URL's were being blocked and since I have an affiliate program this didn't look good...

Also bad it was blocking some pages that referred to me because of "spam" words in the referral link... in my case the word was "boob" because the referring page title was something along the lines of "Sarah Palin Boob Job?" - so I lost that visitor, he (or she) was blocked by this.

Finally, and what caused me to remove it for now, using this totally kills Tapatalk access to your forum...

I read a lot about what this author did and it is commendable he worked hard on this but personally I think his default settings are MUCH too strict for prime time use. I'm sure with enough customizing these issues can be overcome but it will be a while before I dedicate time to researching this.

If you're not losing the spam war I suggest you be very wary of installing this, it looks like you will lose legit visitors under the default settings.

--------------- Added 1292615449 at 1292615449 ---------------

I decided to try again but instead of putting it on config.php or global.php which would block Tapatalk I'm using it on register.php, login.php, and a few other select pages. This should still stop bots from registering or logging in but allow the rest of the forum to function. I know this doesn't give me all the security as running it on every script but it seems like a decent compromise for now.

I guess I will uninstall just because of doubt...I see a sites denied because
of hackers/content scrapers, etc, but I do not know who else
this script could be killing access too...legit surfers....

Feel free to keep updating the script...has very good potential.

I have also notice while my site is "suppose" to be under the scripts
protection, I also noticed 5 spiders attempting to register for accounts...

so it is indeed not 100%

I am not worried about accidently locking out legit surfers....

So I just installed this to my vb site and was wondering if I did it correctly.

After the setup ran and finished it spit out a line of code that I added to the very top of my global.php file.

Is that all that I needed to do?

What files can be deleted from the zdblock folder to make it secure on my server?

Sounds like you've got it figured out. Did you run the TEST script, just to check?(i.e. ?test=xtestx) Make sure you set a password, as described on p3-2 of the manual so you can instantly unlock your IP Address if/when needed. If so, you should be good to go. Nothing to delete, as .htaccess files protect the critical files automatically.

Also note, there are several versions of signatures available at http://www.spambotsecurity.com/zbblock_download.php If you think you're blocking too much just use the UNBLOCKED signature set instead, for the minimum protection until you get things figured out like you want them.

Personally I'm running signature set #68 with a few custom signature allowances (i.e. allow all AOL, etc) and it's working perfectly for me.

Sounds like you've got it figured out. Did you run the TEST script, just to check?(i.e. ?test=xtestx) Make sure you set a password, as described on p3-2 of the manual so you can instantly unlock your IP Address if/when needed. If so, you should be good to go. Nothing to delete, as .htaccess files protect the critical files automatically.

Also note, there are several versions of signatures available at http://www.spambotsecurity.com/zbblock_download.php If you think you're blocking too much just use the UNBLOCKED signature set instead, for the minimum protection until you get things figured out like you want them.

Personally I'm running signature set #68 with a few custom signature allowances (i.e. allow all AOL, etc) and it's working perfectly for me.

Yep I am all installed perfectly and tested and setup. I will look into the signature files. Thanks for the heads up...

I'm using this. Since installing it has literally cut my server load by 95%!

But I'm occasionally getting people saying they can't access my site.

Watch your LOGS and you can sort of see who is being blocked and why. I've had 3 or 4 issues, each easily solved. Whenever you have someone blocked: Delete the IPDDB.CSV & IPPBDB.CSV files, as they will automatically rebuild themselves. Also, READ your logs to see what's unusual/different.

One issue was AOL users since they are so heavily proxied, and I had to add an exclusion statement for them to my customsig.inc file.(see my post entitled "Blocked Registration Attempt?" in the ZB Bug Reports Forum on SpambotSecurity.com)

Another was, I use vBAdvanced's Link Directory (http://www.vbadvanced.com/products.php?do=productinfo&productid=2) Product and I had to add an custom statement for it since it's a product that is external to vBulletin.(see the thread entitled Beta Updates 67 in the Signature Updates Forum on SpambotSecurity.com)

If you'll search for my posts on the SpambotSecurity forum, you can follow my progress and learning curve through figuring out the little tweaks I've done to ZB BLOCK to perfect using it it with vBulletin so far.

Overall though, I am SUPER pleased with ZB BLOCK and would NOT consider running a forum w/o it, now that I've seen what it's capable of fending off.(i.e. Harvesters, Infected Browsers, Robot Probes, etc) Our monthly BandWidth usage has decreased roughly 75%, meanwhile legitimate users are still free to peruse the site at will.:D

Interesting. Noting to check into later.

interesting..

After months of using this I had to uninstall it because it blocked my own IP and the IP of some of my important members.

Hi BOP5,

Zb block looks pretty interesting

Just wondering if you have any updates (opinion wise) on running this

Thanks



I decided to try again but instead of putting it on config.php or global.php which would block Tapatalk I'm using it on register.php, login.php, and a few other select pages. This should still stop bots from registering or logging in but allow the rest of the forum to function. I know this doesn't give me all the security as running it on every script but it seems like a decent compromise for now.

I just installed this yesterday on my site and love it so far.

I have it installed in my global.php file as well as the separate archives/global.php file. I installed this specifically because my vbulletin install was apparently being exploited by a Joomla attack? I don't understand how it was working since I don't have Joomla installed on the server, but it appeared to work through archive/index.php.

Anyway -- very powerful script and works great. A little common sense goes a long ways -- seeing the people say how their own IP got blocked shows that reading the manual is too hard for some folks. *facepalm*

We used to use that and it worked well, but it was occasionally banning the ip of people who used search because something in the url was triggering it. It probably could have been fixed easily but I never had the time to look at it so we eventually removed it. That was a few years ago so that problem may have been fixed.

Edit: oops, I missed that we're on page 3 of this thread. Maybe it's been discussed already.

I read a lot about what this author did and it is commendable he worked hard on this but personally I think his default settings are MUCH too strict for prime time use. I'm sure with enough customizing these issues can be overcome but it will be a while before I dedicate time to researching this.

If you're not losing the spam war I suggest you be very wary of installing this, it looks like you will lose legit visitors under the default settings.Any updates on this one? It would be great if you could code a vBulletin plugin for it. Seems like a good tool and idea if one could tweak it to the most optimal settings.

No, I never ended up using it, wasn't useful to my sites.

This works well https://vborg.vbsupport.ru/showthread.php?t=268208 without the issues of this script