Post by gsc1ugs » Tue Feb 28, 2023 3:44 am

What are the best settings to stop invalid customers trying to register with daft details and invalid emails? It's clouding up my admin and I have to keep deleting them.


Post by ADD Creative » Tue Feb 28, 2023 4:58 am

Ban by IP or user agent in htaccess.

Implement some sort of CAPTCHA at registration. The ones included in OpenCart might not be that effective, but there are other in the marketplace that may work better.

www.add-creative.co.uk



Post by by mona » Tue Feb 28, 2023 8:22 am

First line of defence:

in htaccess:
1) block any request with a host header stating your server ip address instead of your domain
2) block any request with a protocol lower than http/1.1, i.e. http/0.9 and http/1.0
3) block any POST request without a language accept header

1 and 2 will cover about 95% of all covert bots, 3 will cover public bots as well.
For the remaining, better constructed bots (as in trying to pretend to be human), add an extension like spambuster by Neuhoff or something similar that is available in the marketplace.

DISCLAIMER:
You should not modify core files .. if you would like to donate a cup of coffee I will write it in a modification for you.


https://www.youtube.com/watch?v=zXIxDoCRc84



Post by gsc1ugs » Tue Feb 28, 2023 4:46 pm

Are these all extensions? Are there no settings to verify the account via email? The emails are all nonsense, made up along with the tel numbers.


Post by ADD Creative » Tue Feb 28, 2023 5:04 pm

No, not extensions. They are rules you can add to htaccess. However, there are extensions in the marketplace that block spam bots from registering.

There is no setting to verify accounts via email in OpenCart. You could try searching the marketplace, but unless it deletes the unverified accounts it wouldn't make much difference.

www.add-creative.co.uk



Post by JNeuhoff » Tue Feb 28, 2023 8:27 pm

Use the SpamBot Buster which prevents these nasty fake account registrations coming from bots quite effectively.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig



Post by gsc1ugs » Thu Mar 02, 2023 4:25 pm

This is what I'm talking about:

A new customer has signed up:

Web Site: www.clearvape.com
First Name: Raymondnum
Last Name: RaymondnumOP
Customer Group: Customer
E-Mail: first_of_all@rambler.ru
Telephone: 85799641642


Post by SohBH » Thu Mar 02, 2023 5:25 pm

Enable Basic Captcha extension.

Business Web Development | Content Creation | Analytics and Reporting | SEO



Post by gsc1ugs » Thu Mar 02, 2023 7:08 pm

How does "I am not a robot" from Google work?


Post by paulfeakins » Thu Mar 02, 2023 7:27 pm

gsc1ugs wrote:
Thu Mar 02, 2023 4:25 pm
Web Site: www.clearvape.com
First Name: ***
Last Name: ***
Customer Group: Customer
E-Mail: ***@***.ru
Telephone: ***
If that's a real customer that's a pretty serious GDPR breach ::)

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk



Post by JNeuhoff » Thu Mar 02, 2023 10:13 pm

This thread is 3 days old now, and suggestions were posted here on how to prevent these fake account registrations, and still you haven't taken any actions yet?

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig




Post by by mona » Fri Mar 03, 2023 9:03 am

You can set rules in mod_security if your host allows it, or just in your Apache conf/htaccess file like:

```apache
# 1--------------------------------------------------------------------------------------
# your server ip in host request header, always a bad bot targeting ip space scans.
# apache will use the first VH if it cannot find a proper match which basically allows scanners to target the server by ip only.
# 421 misdirected request
# requested host contains server ip address
RewriteCond %{HTTP_HOST} xxx\.xxx\.xxx\.xxx
#
RewriteRule ^.*$ - [END,R=421]
# 2--------------------------------------------------------------------------------------
# wrong host, always a useless bot, basically also covers rule 1 which is also a wrong host
# 421 misdirected request
#
# requested host not containing your domain name
RewriteCond %{HTTP_HOST} !your-domain-name [NC]
#
RewriteRule ^.*$ - [END,R=421]
# 3--------------------------------------------------------------------------------------
# http/0.9 or http/1.0, cheap bots
# 426 upgrade required
# http/1.0
RewriteCond %{THE_REQUEST} HTTP/1\.0 [OR]
# http/0.9
RewriteCond %{THE_REQUEST} HTTP/0\.9
#
RewriteRule ^.*$ - [END,R=426]
# 4--------------------------------------------------------------------------------------
# POST without accept-language header, always a bot but also legit bots like googlebot, bingbot, etc.
# whitelist any bot which should be posting and where.
# 406 Not Acceptable
#
# POST method used
RewriteCond %{REQUEST_METHOD} POST
#
# whitelist possible callbacks (paypal)
RewriteCond %{QUERY_STRING} !callback
#
# no language accept header, only bots omit this
RewriteCond %{HTTP:Accept-language} ^$
#
RewriteRule ^.*$ - [END,R=406]
# --------------------------------------------------------------------------------------
```
Or you can direct these conditions (and others) to a php file (hta.php in this case) for better tracking as to why the server config rejects something by creating said php file with:

```php
<?php
define('EXITLOG', 'path to your oc error log file');

function exit_log_prepare() {
    global $exitlog_handle;
    $exitlog_handle = fopen(EXITLOG, 'a');
    if (!$exitlog_handle) {
        error_log('HTA:Error: cannot open ' . EXITLOG . ' file');
    } elseif (!flock($exitlog_handle, LOCK_EX)) {
        error_log('HTA:Error: cannot get a lock on ' . EXITLOG . ' file');
    }
}

function exitlog_write($log = false) {
    global $exitlog_handle;
    if ($exitlog_handle) {
        fwrite($exitlog_handle, '[' . date('Y/m/d H:i:s') . '] ' . $log . "\n");
    } else {
        error_log('HTA: Cannot use ' . EXITLOG . ', fallback to php error log.');
        error_log($log . "\n");
    }
}

// the basics
$ip = $_SERVER['REMOTE_ADDR'];
$host = ($_SERVER['HTTP_HOST'] ?? '');
$url = ($_SERVER['REQUEST_URI'] ?? '');
$query = ($_SERVER['QUERY_STRING'] ?? '');
$method = ($_SERVER['REQUEST_METHOD'] ?? '');
$user_agent = ($_SERVER['HTTP_USER_AGENT'] ?? '');
$referer = ($_SERVER['HTTP_REFERER'] ?? '');
$protocol = ($_SERVER['SERVER_PROTOCOL'] ?? 'HTTP/1.1');

exit_log_prepare();
// the E=CONDITION:... variable set by the rewrite rule arrives as REDIRECT_CONDITION
// because the rewrite to this file is an internal redirect
$condition = (isset($_SERVER['REDIRECT_CONDITION']) ? $_SERVER['REDIRECT_CONDITION'] : false);
if ($condition) {
    // parse the environment variable condition, e.g. 421_IpInHost -> code and reason
    $parts = explode('_', $condition, 2);
    $res = (isset($parts[0]) ? $parts[0] : '');
    $reason = (isset($parts[1]) ? $parts[1] : '');

    // get the request headers
    $aheaders = array_change_key_case(apache_request_headers(), CASE_LOWER);

    // log report by default
    $report = true;

    // don't log request headers by default
    $report_aheaders = false;

    // check response codes and what to do with them
    if ($res == '421') {
        $response = '421 Misdirected Request';
        $report = false;
        $report_aheaders = true;
    } elseif ($res == '426') {
        $response = '426 Upgrade Required';
        $report = false;
    } elseif ($res == '406') {
        $response = '406 Not Acceptable';
    } else {
        $response = '503 Service Unavailable';
        exitlog_write('HTA:[' . $ip . '] No valid response code given:[' . $res . '], responding with default 503');
        $report_aheaders = true;
    }

    // remove any headers we might have set
    if (!headers_sent()) header_remove();

    // log report
    if ($report) exitlog_write('HTA:[' . $ip . '][' . $response . '] because of [' . $reason . '] requesting [' . $protocol . '][' . $method . '][' . $url . $query . '] with agent[' . $user_agent . '] referred by [' . $referer . ']');
    // log request headers
    if ($report_aheaders) exitlog_write('HTA:[' . $ip . '] ' . print_r($aheaders, true));
} else {
    exitlog_write('HTA:[' . $ip . '] No valid condition given, responding with 503 requesting [' . $protocol . '][' . $method . '][' . $url . $query . '] with agent[' . $user_agent . '] referred by [' . $referer . ']');
    $response = '503 Service Unavailable';
}
// only close the log if it was actually opened
if ($exitlog_handle) fclose($exitlog_handle);

// set the final response header
header($protocol . ' ' . $response, true);
exit();
```
And then the htaccess rewrite rules would become like this, and rejected requests (for which you set report = true) would be logged in your OC error log:

```apache
# 1--------------------------------------------------------------------------------------
# your server ip in host request header, always a useless bot, targeting ip space scans.
# apache will use the first VH if it cannot find a proper match which basically allows scanners to target the server by ip only.
# 421 misdirected request
#
# requested host contains server ip address
RewriteCond %{HTTP_HOST} xxx\.xxx\.xxx\.xxx
#
RewriteRule ^.*$ /hta.php [END,NE,E=CONDITION:421_IpInHost]
# 2--------------------------------------------------------------------------------------
# wrong host, always a useless bot, basically also covers rule 1
# 421 misdirected request
#
# requested host not containing your domain name
RewriteCond %{HTTP_HOST} !your-domain-name [NC]
#
RewriteRule ^.*$ /hta.php [END,NE,E=CONDITION:421_WrongHost]
# 3--------------------------------------------------------------------------------------
# http/0.9 or http/1.0, cheap bots
# 426 upgrade required
#
# http/1.0
RewriteCond %{THE_REQUEST} HTTP/1\.0 [OR]
#
# http/0.9
RewriteCond %{THE_REQUEST} HTTP/0\.9
#
RewriteRule ^.*$ /hta.php [END,NE,E=CONDITION:426_WrongProtocol]
# 4--------------------------------------------------------------------------------------
# POST without accept-language header, always a bot but also legit bots like googlebot, bingbot, etc.
# whitelist any bot which should be allowed to post and where!
# 406 Not Acceptable
#
# POST method used
RewriteCond %{REQUEST_METHOD} POST
#
# whitelist possible callbacks (paypal)
RewriteCond %{QUERY_STRING} !callback
#
# no language accept header, most and only bots omit this
RewriteCond %{HTTP:Accept-language} ^$
#
RewriteRule ^.*$ /hta.php [END,NE,E=CONDITION:406_PostNoLAHeader]
# --------------------------------------------------------------------------------------
```
It does then involve invoking PHP but it does give better insight into what is happening and why.

DISCLAIMER:
You should not modify core files .. if you would like to donate a cup of coffee I will write it in a modification for you.


https://www.youtube.com/watch?v=zXIxDoCRc84
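As an added example (my own, not by mona's code or anything shipped with OpenCart) that covers both the three-point list in the earlier post and the rewrite rules above: the same four checks, in the same order, as a small Python evaluator you can run against sample requests to confirm the rule order and the callback whitelist behave as intended before editing .htaccess. `SERVER_IP` and `DOMAIN` are constructed stand-ins for the `xxx\.xxx\.xxx\.xxx` and `your-domain-name` placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the placeholders in the posted rules (assumptions).
SERVER_IP = "203.0.113.10"      # what xxx\.xxx\.xxx\.xxx would match
DOMAIN = "example-shop.test"    # what your-domain-name would match


@dataclass
class Request:
    """Just the parts of a request the four RewriteCond checks look at."""
    method: str
    uri: str                                     # path plus optional ?query
    protocol: str                                # like Apache's SERVER_PROTOCOL
    headers: dict = field(default_factory=dict)  # lower-cased header names

    def request_line(self):
        # Mirrors Apache's THE_REQUEST; an HTTP/0.9 request line has no version token
        if self.protocol == "HTTP/0.9":
            return f"{self.method} {self.uri}"
        return f"{self.method} {self.uri} {self.protocol}"

    def query(self):
        return self.uri.partition("?")[2]        # like QUERY_STRING


def evaluate(req):
    """Apply the four rules in the posted order; return (status, reason) as in the
    CONDITION env values, or None when the request gets through to the shop."""
    host = req.headers.get("host", "")
    # 1: server IP inside the Host header -> 421
    if re.search(re.escape(SERVER_IP), host):
        return (421, "IpInHost")
    # 2: Host does not contain the shop domain, case-insensitive ([NC]) -> 421.
    # An HTTP/0.9 request carries no headers at all, so it is stopped here already.
    if not re.search(re.escape(DOMAIN), host, re.IGNORECASE):
        return (421, "WrongHost")
    # 3: HTTP/1.0 (or 0.9) request -> 426
    if re.search(r"HTTP/1\.0", req.request_line()) or req.protocol == "HTTP/0.9":
        return (426, "WrongProtocol")
    # 4: POST with no Accept-Language, unless the query string names a callback
    if (req.method == "POST" and "callback" not in req.query()
            and req.headers.get("accept-language", "") == ""):
        return (406, "PostNoLAHeader")
    return None
```

Because an HTTP/0.9 request has no Host header, it never reaches rule 3 here; rule 2 already answers it with 421, which is the "also covers" effect mona describes.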



Post by gsc1ugs » Fri Mar 03, 2023 10:14 pm

:o


Post by gsc1ugs » Fri Mar 03, 2023 10:22 pm

I have enabled Google reCAPTCHA v3 and put the site key and secret key in, but nothing shows on the registration page. Is there something else I need to add?


Post by ADD Creative » Sat Mar 04, 2023 12:59 am

Check the Captcha settings under the Option tab in the main OpenCart settings.

www.add-creative.co.uk



Post by gsc1ugs » Sat Mar 04, 2023 7:13 am

ADD Creative wrote:
Sat Mar 04, 2023 12:59 am
Check the Captcha settings under the Option tab in the main OpenCart settings.
Can't see any options for captcha.


Post by ADD Creative » Sat Mar 04, 2023 8:10 am

What version of OpenCart?

www.add-creative.co.uk



Post by gsc1ugs » Sat Mar 04, 2023 6:42 pm

ADD Creative wrote:
Sat Mar 04, 2023 8:10 am
What version of OpenCart?
2.0.2.0


Post by ADD Creative » Sat Mar 04, 2023 9:20 pm

That's why. CAPTCHA for the registration page was only added in OpenCart 2.1.x.

www.add-creative.co.uk

