
  1. Introduction
  2. Detecting attacks
  3. Blocking an attacker (IP address)
  4. Blocking edits to a page
  5. Reverting attacks
  6. Protecting against automated massive attacks
  7. Requiring authentication

Introduction

This page serves as a guideline for how to handle attacks on wikis managed by svnwiki.

Detecting attacks

You'll usually want to monitor all changes to your wiki. To do this, run the following commands in a working copy:

# Update the repository, to see if changes have been made.
svn up

# Optional: check the log if you actually see changes.
# '-v' causes svn to show you which files were modified.
svn log -v | less

# In the above command, identify the last version you have
# monitored (whether by the dates, files modified or commit
# message).  Let's say it is 8012.  Get a report of all changes:
svn diff -r 8012 | less

Blocking an attacker (IP address)

If you identify an attacker, the first thing you'll want to do is block his IP address from making further modifications. You can get the IP address from the Subversion commit log (svn log).

Edit the edit-deny file and add an entry such as the following at its end:

# r8012:8219, spam about cialis
213.140.22.71

The first line is a comment and svnwiki will ignore it. It should, however, let you know why you added that IP address.

The order of the IP addresses listed in edit-deny is entirely irrelevant as far as svnwiki is concerned, but a consistent order should make the file easier to handle in the future.

Don't forget to commit this file.

Blocking edits to a page

If you want to make it impossible to modify a certain page or directory through svnwiki's web interface, set the Subversion svnwiki:frozen property to yes on it. For example, if your index file gets a lot of vandalism, you would run the following and commit:

svn ps svnwiki:frozen 'yes' index

You can set this on a directory to affect all its contents recursively.

Note, of course, that users with Subversion accounts will still be able to modify the file. If you need to make it impossible for some Subversion accounts to modify files at the Subversion level, enable authz control in your Apache configuration, as described in the Subversion Book.

Note that setting svnwiki:authenticate, as described below, is often preferable to setting svnwiki:frozen.

Reverting attacks

Reverting attacks is relatively easy.

For every run of consecutive revisions that corresponds to an attack and has yet to be reverted, run the following command, where $END is the last revision in the run and $GOOD is the first revision in the run minus one. It reverts all changes in that run: the first command in the pipe generates a patch reverting the changes and the second applies it to your working copy.

svn diff -r $END:$GOOD | patch -p0

In most cases you'll just have one sequence of revisions corresponding to an attack. The only reason you could have more than one is if your users were making changes to the wiki while the attack was taking place.

Once you've reverted all the attacks, you'll want to commit your changes, hopefully providing a nice log message:

svn ci -m "Reverting attack in revisions $(($GOOD + 1)) to $END"

For example, if an attacker changed files foo, bar, baz and arhz in revisions 3824, 3827, 3828 and 3829, you would run:

svn diff -r 3824:3823 | patch -p0
svn diff -r 3829:3826 | patch -p0
svn ci -m "Reverting attacks in r3824, 3827:3829."
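
The grouping step above, as an added example that is not part of the original page or of svnwiki: a POSIX shell helper that takes the revisions you identified as attacks, groups consecutive ones into runs, and prints the matching revert and commit commands for review without running them. The function names revert_ranges and revert_commands are hypothetical.

```shell
#!/bin/sh
# Added example: group attack revisions into runs and print revert commands.
# Function names are hypothetical; nothing here is executed against svn.

# revert_ranges REV...  ->  one "END:GOOD" line per run of consecutive
# revisions, where GOOD is the first revision of the run minus one.
revert_ranges() {
    [ "$#" -gt 0 ] || { echo "usage: revert_ranges REV..." >&2; return 2; }
    for r in "$@"; do
        case $r in
            ''|*[!0-9]*) echo "not a revision number: $r" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$@" | sort -n -u | awk '
        NR == 1        { start = $1; prev = $1; next }
        $1 == prev + 1 { prev = $1; next }           # still inside the same run
                       { print prev ":" (start - 1)  # run ended: emit END:GOOD
                         start = $1; prev = $1 }
        END            { print prev ":" (start - 1) }
    '
}

# revert_commands REV...  ->  the svn diff | patch line for each run, followed
# by one svn ci line whose message names every reverted run.
revert_commands() {
    pairs=$(revert_ranges "$@") || return 1
    msg=
    for pair in $pairs; do
        end=${pair%%:*}
        first=$(( ${pair##*:} + 1 ))
        printf 'svn diff -r %s | patch -p0\n' "$pair"
        if [ "$first" -eq "$end" ]; then run="r$end"; else run="r$first:$end"; fi
        msg="${msg:+$msg, }$run"
    done
    printf 'svn ci -m "Reverting attacks in %s"\n' "$msg"
}

# The revisions from the example above, given out of order on purpose.
revert_commands 3829 3824 3828 3827
```

Read the printed commands before pasting them into the working copy; a revision number that is not purely numeric is rejected rather than passed through.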

Protecting against automated massive attacks

Sometimes spammers will set their systems to add spam periodically to Svnwiki-powered wikis. We've been able to hold them off simply by requiring contributors to answer simple questions before their commits are allowed. Although an attacker committed to spamming a given wiki would probably be able to write some logic to automatically answer the questions we are using, we haven't seen any do it so far.

In order to enable this functionality, add the “edit-question-arithmetic” token to the value of the svnwiki:handler Subversion property of your repository's root directory. For example, if the property currently has the value “progress upload”, you could do:

svn ps svnwiki:handler "progress upload edit-question-arithmetic" .

Requiring authentication

Another option if you are seeing attacks is to require all users to provide authentication tokens to make commits through the web interface. Depending on the nature of your wiki, this may or may not be practical.

To do this, set the svnwiki:require-auth Subversion property to yes on the root directory in which your wiki is stored:

svn ps svnwiki:require-auth yes /path/to/the/wiki

Note that you could set this property not on the root of your wiki but only on a few specific files or sub-directories.

Last update: 2007-08-24 (Rev 12844)
