FaucetBOX.com Discussion

[minifrij]

Hi, can anyone help me to get my faucet working?

I get this error message: Notice: Post request, but session is invalid. in /home/bitcfbqk/public_html/doge/index.php on line 2061
http://doge.bitcoinsforfree.xyz/

Does this happen with every claim or only a few?

[Holdaaja]

Hi, can anyone help me to get my faucet working?

I get this error message: Notice: Post request, but session is invalid. in /home/bitcfbqk/public_html/doge/index.php on line 2061
http://doge.bitcoinsforfree.xyz/

Does this happen with every claim or only a few?

Every claim.

[BitcoinFX]

Security / Bot protection within the FaucetBox.com script is a really good addition !

Herewith, a mod. script I cobbled together for the Bad-Behavior Anti-SPAM script - Download : http://bad-behavior.ioerror.us/

Bad Robots .info script mod. - http://badrobots.info/blacklist.inc.php.txt  or  http://pastebin.com/5GrEc4y7

Just upload the Bad-Behavior script to your host and call the following from your index.php and (optionally) replace blacklist.inc.php ;

Example ;

Code:

require_once("/home/YOURHOST/public_html/bad-behavior/bad-behavior-generic.php");

settings.ini should be edited along with bad-behavior-generic.php , as follows - see: http://bad-behavior.ioerror.us/support/configuration/

Code:

; settings.ini

[settings]
display_stats = false
strict = true
verbose = false
logging = false
httpbl_key = ""
httpbl_threat = 25
httpbl_maxage = 30
offsite_forms = false
eu_cookie = false
reverse_proxy = false
reverse_proxy_header = "X-Forwarded-For"
;reverse_proxy_addresses[] = 
;reverse_proxy_addresses[] = 

settings.ini for cloudflare ;

Code:

; settings.ini

[settings]
display_stats = false
strict = true
verbose = false
logging = false
httpbl_key = ""
httpbl_threat = 25
httpbl_maxage = 30
offsite_forms = false
eu_cookie = false
reverse_proxy = true
reverse_proxy_header = "CF-Connecting-IP"
;reverse_proxy_addresses[] = 
;reverse_proxy_addresses[] = 

Bad-Behavior works great as a standalone rule based website firewall 'as is' for any PHP website - moreover, adding a httpbl_key from https://www.projecthoneypot.org/faq.php#g  and/or setting up the MySql DB functionality will go the extra mile in helping to protect faucets.

The script and mod. have been tested on a production FaucetBox.com faucet as well as other PHP websites.

Hope that this info. is useful.  

EDIT: additional:

whitelist.ini - for cloudflare ip ranges;

Code:

; whitelist.ini
;
; Inappropriate whitelisting WILL expose you to spam, or cause Bad Behavior
; to stop functioning entirely! DO NOT WHITELIST unless you are 100% CERTAIN
; that you should.

; IP address ranges use the CIDR format.

[ip]
; CloudFlare IP Ranges - https://www.cloudflare.com/ips/
ip[] = "103.21.244.0/22"
ip[] = "103.22.200.0/22"
ip[] = "103.31.4.0/22"
ip[] = "104.16.0.0/12"
ip[] = "108.162.192.0/18"
ip[] = "141.101.64.0/18"
ip[] = "162.158.0.0/15"
ip[] = "172.64.0.0/13"
ip[] = "173.245.48.0/20"
ip[] = "188.114.96.0/20"
ip[] = "190.93.240.0/20"
ip[] = "197.234.240.0/22"
ip[] = "198.41.128.0/17"
ip[] = "199.27.128.0/21"

[BitcoinFX]

Herewith, 'Not an access provider or ISP' (optional) blocklist for FaucetBox Script administrators.

Hosting / Virtual Servers / Dedicated / Cloud / VPS / Colocation etc.,

N.B. Entirely independent of FaucetBox.com - this list is in use on my own faucets (will be updated / improved - link to follow here).

So, Security 'Tab' - Bot protection panel;

Enable;

" Use external IP address check service (it'll also report suspicious addresses to this service): "
- NastyHosts.com

" List of hostnames to ban. Partial match is enough. Requires external IP address check service enabled. (one value per line) "

EDIT: List last updated 17th Dec. 2015

- Confirmed 'unconfimed' reverse hostnames list and added below or removed. Additional IP / CIDR blocklist available soon.  

- Separate Proxy / VPN reverse dns hostnames blocklist to follow soon. (work in progress).

Code:

10gen.com
123-vps.co.uk
1blu.de
38cloud.com
7skyhost.com
afterburst.com
alexhost.md
alfahosting-pro.de
alfahosting-vps.de
alvotech.net
aruba.it
arubacloud.de
azar-a.net
balticservers.eu
bigv.io
bitcloud.se
bitfolk.com
blazingfast.io
bluehost.com
campushost.net
chunkhost.com
citycloud.se
citynethost.com
cloud-ips.com
cloudatcost.com
cloudfoundry.com
cloudhosting.lv
cloudlix.com
cloudscale.ch
cloudswitch.com
colocall.com
colocall.net
colocrossing.com
colt.net
contabo.host
coolhousing.net
creanova.org
dailyrazor.com
dataclub.biz
datasfera.com
dedibox.fr
dedicatedpanel.com
digicube.fr
directvps.nl
ecatel.net
edis.at
elastichosts.com
engineyard.com
evolutionet.hu
fastrootserver.de
fastwebserver.de
finalhosting.cz
flexiscale.com
force.com
gigaspaces.com
gogrid.com
gorillaservers.com
hc.ru
heroku.com
hostcats.com
hosteurope.de
hostgator.com
hosting.com
hosting.ua
hosting24.com
hosting90.net
hostkey.com
hostkey.ru
hostsailor.com
infobox.ru
interhost.co.il
is74.ru
iweb.
jiffybox.net
joyent.com
jumpbox.com
justhost.in.ua
keymachine.de
kimsufi.com
layeredtech.com
leasevps.com
leaseweb.com
leaseweb.net
linode.com
ltdomains.com
lunanode.com
mangohost.net
morphexchange.com
mosso.com
mvps.eu
myloc.de
nqhost.com
offshorededicated.net
onlinehome-server.info
ovh.net
pacswitch.com
pcextreme.nl
poneytelecom.eu
privatelayer.com
quadranet.com
racknation.cr
rackspace.com
rackspacecloud.com
redstation.co.uk
romania-webhosting.com
salesforce.com
savvis.com
scaleway.com
securefastserver.com
seflow.it
server.lu
server4you.de
serverprofi24.de
serversub.com
softlayer.com
solarcom.ch
startdedicated.com
startdedicated.net
static.vps.net
stratoserver.net
stwserver.net
terrahost.no
terremark.com
time4vps.eu
timeweb.ru
topcloud.it
transit.ir
uaservers.net
ukrservers.com
ukrtel.net
united-hoster.de
unmetered.com
vmpanel.net
voxel.net
voxility.net
vpsnow.ru
vultr.com
webcreators.nl
webfaction.com
webhosting.uk.com
webtropia.com
worldstream.nl
wowrack.com
yevps.net
your-server.de
yourserver.se
yourvserver.net
zetservers.com

This list will block access to your faucet from a large majority of VPS providers and cloud instances etc., often being used to host Tor exit nodes, private and/or open proxies, VPN services, bots, irc, or just regular folks websites and stuff from the internet!

Arguably, no one should really need to be accessing a faucet from these services, if they are then they are most likely 'gaming' your faucet.

The above list has been verified to include only Reverse look-up domains for most of the 'best' know cloud providers.

Warning: not all of the above hostnames are 'friendly' and some won't even resolve directly !!! Check here first: http://www.urlvoid.com/
 

[hawkfx]

Server is down

[Superhitech]

Server is down

Can confirm, faucetbox.com and faucet sites are still up and sending satoshis, but faucet balances aren't showing. Hope they get this fixed soon.

[ragi]

Everything seems fine right now.

[BitcoinFX]

Updated the list above for 'Not an access provider or ISP'.

Have included hostname: is74.ru which is a 'known proxy cache provider for hackers', allegedly.

Might be some genuine ISP traffic amongst this range (AS8369), although quite doubtful. - http://bgp.he.net/AS8369#_prefixes

Traffic from this AS range appears to be 'gaming' faucets on mass, with referral / bot traffic !

[ragi]

What does nastyhost actually do? Should I enable it? Does the blocking of btc and ip addresses work without it?

BitcoinFX you forgot digitalocean.com

[BitcoinFX]

What does nastyhost actually do? Should I enable it? Does the blocking of btc and ip addresses work without it?

BitcoinFX you forgot digitalocean.com

Seemingly in-script blocking does not function unless the FaucetBOX look-up service is enabled i.e. via NastyHosts.com

DigitalOcean VPS hostnames invariably do not have Reverse DNS as .digitalocean.com - so unfortunately only IP address range blocking is feasible.

Also not included amazonaws.com , as doing so would outright block a couple of ads / metric services like Alexa !

Anyway, have now started researching and tracking various automated captcha-cracking services and robots. Should have a good block script  within a few weeks or into the new year.

[minifrij]

Seemingly in-script blocking does not function unless the FaucetBOX look-up service is enabled i.e. via NastyHosts.com

From what I remember the part of the script which blocks hostnames, IPs and Bitcoin Addresses is seperate to that of NastyHosts. NastyHosts is a service which scans unblocked incoming hosts for any suspicious behavour (if the hostname is a VPS etc).

[Hydrogen]

Are stats in real time?

http://faucetbox.com/en/stats

Something might have broke when the site went down dec 2nd.

Looks like no withdrawals processed since dec 2.

[Kazuldur]

Seemingly in-script blocking does not function unless the FaucetBOX look-up service is enabled i.e. via NastyHosts.com

From what I remember the part of the script which blocks hostnames, IPs and Bitcoin Addresses is seperate to that of NastyHosts. NastyHosts is a service which scans unblocked incoming hosts for any suspicious behavour (if the hostname is a VPS etc).

The script fetch hostnames from Nastyhosts.com, so it has to be enabled for hostname based blocking to work. IP-based blocking works without it.

Are stats in real time?

http://faucetbox.com/en/stats

Something might have broke when the site went down dec 2nd.

Looks like no withdrawals processed since dec 2.

No, they're not realtime. Nothing have broke, we were moving funds to cold wallet, withdrawals will be processed today

[Kazuldur]

Also not included amazonaws.com , as doing so would outright block a couple of ads / metric services like Alexa !

Nastyhosts already blocks Amazon and it's safe - this blocking is only used when sending coins. So unless Alexa bot solves the captcha and provides a valid bitcoin address, it won't be blocked, it'll be able to crawl your site just fine

[Butord]

Security / Bot protection within the FaucetBox.com script is a really good addition !

Herewith, a mod. script I cobbled together for the Bad-Behavior Anti-SPAM script - Download : http://bad-behavior.ioerror.us/

Bad Robots .info script mod. - http://badrobots.info/blacklist.inc.php.txt  or  http://pastebin.com/5GrEc4y7

Just upload the Bad-Behavior script to your host and call the following from your index.php and (optionally) replace blacklist.inc.php ;

Example ;

Code:

require_once("/home/YOURHOST/public_html/bad-behavior/bad-behavior-generic.php");

settings.ini should be edited along with bad-behavior-generic.php , as follows - see: http://bad-behavior.ioerror.us/support/configuration/

Code:

; settings.ini

[settings]
display_stats = false
strict = true
verbose = false
logging = false
httpbl_key = ""
httpbl_threat = 25
httpbl_maxage = 30
offsite_forms = false
eu_cookie = false
reverse_proxy = false
reverse_proxy_header = "X-Forwarded-For"
;reverse_proxy_addresses[] = 
;reverse_proxy_addresses[] = 

settings.ini for cloudflare ;

Code:

; settings.ini

[settings]
display_stats = false
strict = true
verbose = false
logging = false
httpbl_key = ""
httpbl_threat = 25
httpbl_maxage = 30
offsite_forms = false
eu_cookie = false
reverse_proxy = true
reverse_proxy_header = "CF-Connecting-IP"
;reverse_proxy_addresses[] = 
;reverse_proxy_addresses[] = 

Bad-Behavior works great as a standalone rule based website firewall 'as is' for any PHP website - moreover, adding a httpbl_key from https://www.projecthoneypot.org/faq.php#g  and/or setting up the MySql DB functionality will go the extra mile in helping to protect faucets.

The script and mod. have been tested on a production FaucetBox.com faucet as well as other PHP websites.

Hope that this info. is useful.  

EDIT: additional:

whitelist.ini - for cloudflare ip ranges;

Code:

; whitelist.ini
;
; Inappropriate whitelisting WILL expose you to spam, or cause Bad Behavior
; to stop functioning entirely! DO NOT WHITELIST unless you are 100% CERTAIN
; that you should.

; IP address ranges use the CIDR format.

[ip]
; CloudFlare IP Ranges - https://www.cloudflare.com/ips/
ip[] = "103.21.244.0/22"
ip[] = "103.22.200.0/22"
ip[] = "103.31.4.0/22"
ip[] = "104.16.0.0/12"
ip[] = "108.162.192.0/18"
ip[] = "141.101.64.0/18"
ip[] = "162.158.0.0/15"
ip[] = "172.64.0.0/13"
ip[] = "173.245.48.0/20"
ip[] = "188.114.96.0/20"
ip[] = "190.93.240.0/20"
ip[] = "197.234.240.0/22"
ip[] = "198.41.128.0/17"
ip[] = "199.27.128.0/21"

Where should we add

Code:

require_once("/home/YOURHOST/public_html/bad-behavior/bad-behavior-generic.php");

? In index.php that is in the main folder of faucet or that one placed in /template/"the_template_name"/index.php?

[premium_domainer]

Is it possible to add simple faucet game while waiting for next reward !?!!

[BitcoinFX]

...

Where should we add

Code:

require_once("/home/YOURHOST/public_html/bad-behavior/bad-behavior-generic.php");

? In index.php that is in the main folder of faucet or that one placed in /template/"the_template_name"/index.php?

Bad-Behavior script should be called from the main index.php before any other content from your website is loaded.

Code:

<?php

require_once("/home/YOURHOST/public_html/bad-behavior/bad-behavior-generic.php");

/*

where YOURHOST is replaced with your host directory.

or this code should work on most PHP servers ...

Code:

require_once($_SERVER['DOCUMENT_ROOT'].'/bad-behavior/bad-behavior-generic.php');

Check that your website loads and functions properly.

You can test that Bad-Behavior is working by using this Firefox add-on: https://addons.mozilla.org/firefox/addon/user-agent-overrider/

and then adding ' Bad Behavior Test ' to one of the existing User Agents already listed.

[lama-hunter]

faucet is really a nice method to gain some Coins

I just do it when they simply pay enoug for an visit and this is over 1k satoshi !!

regards
lama-hunter

[BitcoinFX]

Seemingly in-script blocking does not function unless the FaucetBOX look-up service is enabled i.e. via NastyHosts.com

From what I remember the part of the script which blocks hostnames, IPs and Bitcoin Addresses is seperate to that of NastyHosts. NastyHosts is a service which scans unblocked incoming hosts for any suspicious behavour (if the hostname is a VPS etc).

The script fetch hostnames from Nastyhosts.com, so it has to be enabled for hostname based blocking to work. IP-based blocking works without it.

I was fairly certain that the hostnames function was doing lookups via Nastyhosts.com . Individual IP-based blocking is mostly time wasting IMHO, although necessary in some instances of course. Thanks for clarification.

Would a separate list of Reverse hostnames for known proxies and VPN providers be useful also ?

Added a couple more hostnames to the 'Not an access provider or ISP' list above, here:

- https://bitcointalk.org/index.php?topic=1094930.msg13125867#msg13125867

[minifrij]

Is it possible to add simple faucet game while waiting for next reward !?!!

It's possible to do pretty much anything to this code, though you would need to know where and how to edit it. To add a game you would have to either custom code it in or pay someone else to do it for you, though the code is easy to understand so it shouldn't cost too much.

or this code should work on most PHP servers ...

Code:

require_once($_SERVER['DOCUMENT_ROOT'].'/bad-behavior/bad-behavior-generic.php');

Could I ask why you use the $_SERVER variable at the beginning instead of just directing towards the bad-behavior folder straight up? Shouldn't it automatically find the files regardless?