Tag Archives: security

How to prevent link spamming in AVChat

Alin Oita,
Director of Tech Support

Published by alin on | No Comments

AVChat 3, Documentation, Research, Tips & Tricks

Hello everybody,

On the Internet there will always be someone who wants to disrupt your website, whether for fun or for money. We are writing this article to help our AVChat customers who are being spammed.

Here are the steps you can take to stop it and to prevent future incidents.

1. Search the logs for the spammer's IP

If you are not online while the user is spamming (so you cannot see the IP in the chat):

  1. if someone notifies you by e-mail, look through the TEXT CHAT TRANSCRIPTS, search for the reported username and find its IP
  2. from time to time, you can also go through the text chat transcripts, search for known spam links or known users and find their IPs.

This is where you can find the text chat transcripts:

  • On WOWZA: wowza_install_dir/applications/avchat30/avchat3_transcripts
  • On FMIS:  fms_install_dir/applications/avchat30/sharedobjects/_definst_
  • On Red5: red5_install_dir/webapps/avchat30/avchat3_transcripts

Here is how a typical text chat transcript looks:

(screenshot: avchat transcripts)

Once you have the IP:

  1. you can ban it from the AVChat admin interface.
  2. you can also block it from the entire server (see chapter 6 below).
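As an added example (not part of the original post and not AVChat's own code), here is a small POSIX shell helper that does the transcript search from step 1 on the command line: it greps the transcript directory for a spam domain or username and lists every IPv4 address that appears on the matching lines, most frequent first. The only assumption is that a transcript line recording a message also carries the sender's IP somewhere on that line. The transcript lines written by make_sample_transcripts, and the spam-example.test domain, are constructed for this example and do not reflect the real transcript layout.

```shell
#!/bin/sh
# Pull the IPs behind spam messages out of the AVChat text chat transcripts.
# Assumption (this example's, not documented here): a transcript line that
# records a message also carries the sender's IP somewhere on that line.

# find_spam_ips DIR PATTERN
#   Search every file under DIR for lines matching PATTERN (a case-insensitive
#   extended regex: a spam domain, a username, ...), pick every IPv4 address
#   off the matching lines and print "count address", most frequent first.
find_spam_ips() {
    dir="$1"
    pattern="$2"
    grep -rhiE -- "$pattern" "$dir" 2>/dev/null \
      | grep -owE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# make_sample_transcripts: write a few constructed transcript lines to a
# temporary directory and print its path.  The line layout is invented for
# this example; real AVChat transcripts look different.
make_sample_transcripts() {
    d=$(mktemp -d)
    cat > "$d/r1textchat.txt" <<'EOF'
2013-06-01 10:02:11 alice (198.51.100.7): hi everyone
2013-06-01 10:02:40 bob (203.0.113.45): check out http://spam-example.test/win
2013-06-01 10:03:02 alice (198.51.100.7): not interested
2013-06-01 10:03:30 bob (203.0.113.45): http://SPAM-EXAMPLE.test/win free stuff
2013-06-01 10:05:12 carol (203.0.113.9): someone posted spam-example.test again
EOF
    printf '%s\n' "$d"
}

# Example run on the constructed data:
#   d=$(make_sample_transcripts); find_spam_ips "$d" 'spam-example\.test'
# prints "2 203.0.113.45" followed by "1 203.0.113.9".
```

Run it against the transcript directory of your media server, e.g. find_spam_ips wowza_install_dir/applications/avchat30/avchat3_transcripts 'spam-example\.test'. Note the last sample line: a user who merely quotes the spam domain is listed as well, so read the matching lines before banning an address.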

2. Banning malicious users by IP, cookie and username

If an admin is online, here are 3 ways to find the spammers:

  1. if the spam happens in a public room, as an admin you can just click on the user and then click the Ban… link in the side menu that shows up.
  2. if the spam happens in private chats, an admin can read private chats when the setting $avconfig["adminCanViewPrivateMessages"] in avc_settings.xxx is set to '1'.
  3. if the spam happens in private rooms, an admin can join private rooms without being asked for a password when the setting $avconfig["adminCanJoinPrivateRoomsWithoutPermission"] in avc_settings.xxx is set to '1'.

The ban panel allows you to ban each user in the chat by IP, username or cookie. Here is how the ban panel looks:

Banning by username is only effective if AVChat is integrated with your site's user accounts and guests are not allowed; otherwise the spammer simply comes back under another name.

Banning by cookies cannot be removed.

How to view existing bans

Go to your AVChat admin interface and click the “Active Bans” button located in the upper side.

3. Edit your badwords.xml

Spammers generally post links to certain sites. You can stop those sites from showing up in the text chat.

All the banned words are kept in a badwords.xml file. This file is located in your AVChat installation folder.

Open it with a text editor and add a new line for each word or domain that relates to the spammer.

4. Turn off automatic link highlighting

AVChat detects links in messages and automatically turns them blue and underlined so they look like real web links. You can turn this feature off so that the spammer's links cannot be clicked.

This is a more radical solution since it affects everyone, not just the spammer.

To turn the feature off, open avc_settings.xxx with a text editor, search for the variable $avconfig['interpretLinks'] and set it to "0".

After that, URLs posted in the text chat are no longer interpreted and turned into clickable links.

In the picture below, the link from the default welcome message is interpreted and clickable, while the URL posted by the user was censored:

(screenshot: censored links)

5. Forbid all URLs in the chat

This is an even more radical method: censor all links posted in the chat.

Here’s how to do it:

Open avc_settings.xxx and search for the variable $avconfig['allowUrls'].

When it is set to "0", every URL is replaced with asterisks (*).

6. Blocking the IP on the entire server (Linux only)

If none of the steps above helps, here is the most extreme way to ban an IP.

You can ban a specific IP on the entire server. Banned IPs will not be able to access anything on your server, including the website where you host AVChat.

This method is of limited use where users only have dynamic IPs, as in Brazil: the spammer simply comes back with a new address.

You can do this only if you have a VPS or dedicated server with root access.

This can be done in several ways, e.g. with an iptables (firewall) rule or by setting up a reject route.

The command for a route ban is:

/sbin/route add -host 192.168.0.0 reject

(replace the IP with the desired one). A reject route only stops the server from routing packets back to that address; it is a quick fix, but the firewall rule is the proper tool for the job.

And for the firewall:

/sbin/iptables -A INPUT -s 192.168.0.0 -j DROP

(same IP replacement as before). Note that -A appends the rule to the end of the INPUT chain, so if an earlier rule already accepts the traffic the DROP is never reached; use -I INPUT instead of -A INPUT to put it first.

Then make sure you save the firewall rules so they survive a reboot (this is the RHEL/CentOS command; other distributions use different tools):

service iptables save

To view blocked IP addresses, here’s the command:

iptables -L INPUT -v -n

If you cannot manage this yourself, ask your hosting admin to do it.
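As an added example (not from the original post), here is a shell wrapper around the firewall commands of this chapter: it refuses anything that is not a plain IPv4 address (so a garbled value copied from a transcript can never become an unexpected iptables argument), inserts the DROP rule at the top of INPUT instead of appending it, skips addresses that are already blocked, and saves the rule set. The run helper and the DRY_RUN switch are conveniences of this example; with DRY_RUN=1 the commands are printed instead of executed, which is how to try it without root.

```shell
#!/bin/sh
# Ban a single IPv4 address on the whole server with iptables (run as root).
# DRY_RUN=1 prints the commands instead of executing them.

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_ipv4 ADDR: succeed only for a plain dotted quad, each octet 0-255.
# Anything else (a range, a hostname, trailing junk from a copy-paste) is
# refused so it can never become an unexpected iptables argument.
valid_ipv4() {
    printf '%s\n' "$1" | grep -qE \
      '^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$'
}

# ban_ip ADDR: insert a DROP rule at the top of INPUT (with -I, so it is
# evaluated before any ACCEPT rule already in the chain), skip it if the
# rule is already there, then save the rule set so it survives a reboot.
ban_ip() {
    addr="$1"
    if ! valid_ipv4 "$addr"; then
        echo "ban_ip: '$addr' is not an IPv4 address" >&2
        return 1
    fi
    # -C checks for an existing identical rule; skipped in dry-run mode
    # because it needs root and a live netfilter.
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -C INPUT -s "$addr" -j DROP 2>/dev/null; then
        echo "ban_ip: $addr is already blocked"
        return 0
    fi
    run iptables -I INPUT -s "$addr" -j DROP || return 1
    # Persistence is distribution specific; this is the RHEL/CentOS 6 form
    # used in the post.  Other systems use iptables-save or netfilter-persistent.
    run service iptables save
}

# list_bans: show the INPUT chain with packet counters and numeric addresses.
list_bans() {
    run iptables -L INPUT -v -n
}

# Usage (as root):  ban_ip 203.0.113.45 && list_bans
# Try it safely:    DRY_RUN=1 ban_ip 203.0.113.45
```

The -C check makes the script safe to run twice for the same address; without it every repeat would add another identical rule to the chain.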

Hope this helped!

More Secure Private Rooms and Push to Talk in the New AVChat June build 1572

Published by bursuc on | 1 Comment

AVChat 3, Builds

Hello all,

Hope you had a great May. We have some exciting new features for you in the June build. With this build we have also tried to release one of the most stable builds so far, so we have fixed a lot of bugs, and I want to take this opportunity to thank the clients who tested the beta version and gave us great feedback.

The key feature in this build is the improved mechanism that creates private (password protected) rooms and lets users join them. With the new mechanism you no longer have to worry that outsiders can read your private conversations.

Here is what else is new in this build:

  • Push to Talk: the "push to talk" button appears when you turn off the mic. While you hold this button down you transmit audio; while it is released you transmit nothing. This helps prevent echo in rooms.
  • Safety checks for CSS in case you delete or misspell some of the lines inside style.css.
  • Room names are now limited to 50 characters when a room is created; this prevents spammers from creating rooms with very long names.
  • The external users list now also contains users who are logged in to the chat but are not in a room (this gives you a better picture of who is in the chat).
  • The Flash Player version check is now automated using swfobject, to ensure that your clients have the right version (this also includes a check for iOS, which paves the way for an iOS chat client in the future).
  • You can now see who kicked whom in the text chat area.
  • There is a security reinforcement for Wowza and FMS through the adminSwfFileName option. This works well in countries where there are few fixed IPs, like Brazil.
  • The background options have been moved to style.css. All look & feel options have to be in the same unified CSS file; this will let us provide themes in the future just by creating new CSS files.
  • We have implemented a mechanism to ensure that clients connecting to the media server have the right swf version/build (clients with an older version cached are not allowed to connect; instead they get an error message telling them to clear their cache). This prevents the errors caused by users holding a cached old version of the swf file after an AVChat update. You can disable this check (although we do not recommend it) through the new synchronizeRevisionNumber setting in settings.asc on FMIS and avchat3.properties on Red5 and Wowza.
  • A way to remove the IPs that were sent with every text message (this was the last place where the IPs could be seen without any control over them). The option is server side and is called includeIPSInTextChatMessages; you can find it in settings.asc on FMIS and avchat3.properties on Wowza and Red5.
  • You can route the Open Profile and Send Gift actions to a JS API; the JS functions called are onSendGift and onViewProfile and you can see them in index.html.
  • Admins can now stop the streams of other users.

As mentioned earlier, we have also focused on fixing the known problems so that your clients can enjoy AVChat properly.

Here is a list of some of the fixes in this build:

  • fixed: an admin could still view private cams when not allowed to
  • fixed: sending files to private rooms
  • private stream related fixes
  • fixed the sendFileToUserEnabled == 2 behaviour
  • fixed issues with the MIC/CAM checkboxes
  • fixed the way links starting with www were interpreted
  • fixed the rotating text messages mechanism inserting white space when receiving an empty string

How to get the new build:

The new build is available in your private client areas.

This build is not available yet to trial users.

How to upgrade an existing build:

You need to overwrite your existing AVChat files (both client side and server side) and DELETE ALL THE PERSISTENCE FILES (SHARED OBJECTS) RELATED TO ROOMS (eg: r1textchat, roomlist).

Forum thread:

There is a forum thread about this build here: http://avchathq.com/forum/index.php?/topic/1637-new-june-build-1572/


Some of the features from the next (unreleased) AVChat 3 build (the November one)

Octavian Naicu,
Founder

Published by naicu on | 7 Comments

AVChat 3, Builds

The online demo of AVChat 3 has been updated to build 1052.

Here are some of the new features:

  • full .NET support (dropped classic ASP support)
  • moved position of free video time/day display
  • new admin limitations & settings in avc_settings.xxx
  • clean text chat area button
  • fixed some security issues with previewing files
  • fixed issues with some whois links not working
  • fixed issue with web cams going behind the text chat area

This build will be made available for download later this week after intensive testing!

The AVChat 3 build for August (900)

Octavian Naicu,
Founder

Published by naicu on | 2 Comments

AVChat 3, Builds

New features:

  • works properly on Android phones with Flash Player 10.1
  • new setting: users can create only public or only private rooms (allowedRooms setting in avc_settings.xxx)
  • new setting: whether users can switch their stream between private and public (usersCanSwitchBetweenPrivateAndPublic setting in avc_settings.xxx)
  • new setting: turn off the video chat for maintenance (downForMaintenance setting in avc_settings.xxx)
  • new setting: kick users after they have been idle for some time (kickAfterIdleTime setting in avc_settings.xxx)
  • new setting: position the "who is typing" box at the top or bottom of the text chat (whosTypingPosition setting in avc_settings.xxx)
  • you can now control the background color of the users list from style.css
  • new [Reset] button in the admin's Rooms panel that resets the user count
  • option to hide the top status bar completely (hideStatusBar in avc_settings.xxx)
  • initial RTL support (rightToLeft setting in avc_settings.xxx, feature still in beta)
  • toggle video button on other people's webcams (turning video off on a stream saves a lot of bandwidth; you will still hear the audio)
  • profileURL in avc_settings.xxx is now independent for each user (this means guests will not have a functional [View Profile] link in the video chat)
  • you can now change the female/male/couple icons used throughout the video chat (maleImageUrl, femaleImageUrl and coupleImageUrl settings in avc_settings.xxx)
  • an eye icon is now shown in the users list next to everyone who is watching you
  • slight improvement in emoticon positioning; emoticons are now resized if they are higher than 14px
  • the siteId variable for each user is now also available in the external rooms list
  • Social Engine 4 integration kit
  • updates to the phpFox2 integration kit (settings and pop-up options available directly from the admin area)

Security improvements:

  • token authentication for Red5, FMIS and Wowza (PHP only, turned off by default; an article on how to turn it on will be available soon)
  • admins can now delete multiple rooms at once
  • admins can now ban IP ranges
  • added JS code to the html files to prevent inclusion of the video chat in iframes (note that JavaScript frame busting can be bypassed by a framing page; the X-Frame-Options response header is the more reliable control)
  • improved IP distribution and the mechanism for access to IP info
  • improved private message distribution mechanism
  • added an optional IP check to the scripts on the web server that are called only by the media server
  • more secure upload process

Fixed bugs:

  • keyboard input was not taken into account when tracking your idle status
  • one could not enter a room full of hidden admins

How to get the new AVChat 3 build:

  • download the software again from your client area

How to update your installation:

  • in the usual way: overwrite ALL the old files (including the en.xml language file and the media server files) and restart the media server!
  • if the above fails, make a clean install!

How to enable token based authentication in AVChat

Octavian Naicu,
Founder

Published by naicu on | 2 Comments

Documentation

Starting with build 900, AVChat 3 introduces a new security feature called "token based authentication". When enabled, it prevents third-party swf files (hosted on other web sites or by malicious users) from connecting to your media server. There are other security measures in place against this, but token based authentication is the most secure.

This feature is turned off by default because, with it enabled:

  • it takes slightly more time for users to connect to the media server,
  • some connection attempts to the media server over slow Internet connections might fail,
  • only a few of our clients have really needed it.

How to turn it on:

  • install AVChat
  • edit the settings file on the media server  (avchat3.properties on Red5 and Wowza, settings.asc on FMIS)
  • set the value of the tokenUrlLocation variable to the absolute URL of token_verify.php (token_verify.php is in the folder where you installed AVChat on your website, for example: http://avchat.net/demos/av30/token_verify.php). The media server fetches this URL itself, so it must be reachable from the media server, not only from your users' browsers.
  • restart the media server