New forum Security

www.tcpclan.net Forum Index -> -= News =-
}TCP{Carnage
-=HeAdShOt=-


Joined: 19 Dec 2002
Age: 43
Posts: 4594
Location: Nightbar Rooie Ooren

PostPosted: Sat Sep 17, 2005 3:57 pm    Post subject: New forum Security

I installed a new forum security.
The forum should be totally script kiddy proof.

If u have any problems logging in or other ones just send me a mail or hit me up on icq / msn

Cheers
Car...

_________________
Patience Is A Virtue
Anger Is A Gift

Unreal 1 - 32 slot 227h- }TCP{ Funhouse #6 [MonsterMash !!]-:: Go There ::-
Unreal 1 - 8 slot 227f - }TCP{ Funhouse #7 [TeamArenaMaster !!] -:: Go There ::-
UT2004 - 12 slot }TCP{ Funhouse #1 [TAM / Freezetag] !! -:: Go There ::-
UT2004 - 32 slot }TCP{ Funhouse #2 [Freon Madness] !! -:: Go There ::-
UT2004 - 2/4 slot }TCP{ Funhouse #3 [1vs1 or 2 vs 2] !! -:: Go There ::-
UT2004 - 12 slot }TCP{ Funhouse #4 [ONS/TAM/AM/Moso 12p] !! -:: Go There ::-
UT2004 - 8 slot }TCP{FunHouse #5 [TAM/1on1-DM] !! -:: Go There ::-




Open Source Beer
The }TCP{ Website
Hyper
über Spammer


Joined: 13 Jul 2003
Age: 37
Posts: 809
Location: 127.0.0.1

PostPosted: Sat Sep 17, 2005 5:50 pm    Post subject:

What is the new security?
_________________
Alter your reality...Forever.

http://www.hypercoop.tk
unreal://hypercoop.tk
}TCP{ZzCaT
}TCP{Member


Joined: 20 Dec 2002
Age: 52
Posts: 1348
Location: Tukker Country

PostPosted: Sat Sep 17, 2005 6:30 pm    Post subject:

Hyper wrote:
What is the new security?


We hired an ex CIA agent, license to kill.
}TCP{Carnage
-=HeAdShOt=-


Joined: 19 Dec 2002
Age: 43
Posts: 4594
Location: Nightbar Rooie Ooren

PostPosted: Sat Sep 17, 2005 6:36 pm    Post subject:

Here ya go

Code:
Due to the fact coding opens exploits, it is inevitable, I am making
and releasing this security mod for phpBB based boards. The problem
is with phpBB, if you have admin level, you have full access to
everything on the site. Which is only a problem because exploits
allow malicious script kiddies to make themselves admins or make admin
accounts. So I plan to render that issue here.

#====
#==== v1.0.0
#====

-> Extra login box on admin panel, so even if you have admin access,
you still can not access the admin panel to delete users, delete
posts, rename things, etc.. This is controlled by a .htaccess file &
a .phpbbsecurty file holding the info. There is no way in this mod
for admins to change this info, that would make it pointless & allow
for some admins to lock other admins out etc. Please read the bottom
of the install for instructions on how to setup your username & password.

-> Limit amount of tries an account can be failed. Meaning inputting
the wrong username & password on an account. The amount is set by the
admin. If this number is exceeded, the account is locked.

-> Added a security question and answer to the users table. Every user
will have to add this. It is built into the script to redirect anyone
who has not added this info to their profile so they can update it.

-> Force a user to unlock their account with the security question and
answer provided. If the account is locked, when they try to login, they
will be informed its locked & given a link to unlock it. From there they
have to input the username & email on account to see the security question.
Then they have to answer the question. The answers are stored as an MD5
hash so no one can see what peoples answers are. Security purposes. If
they get it right, the account becomes unlocked & they can then login.

-> Admin notification feature. If an account becomes locked, the mod
will dispatch a PM to an admin; who it is sent to is configured
in the acp. This feature has an off switch, so if you don't care to know
when accounts get locked, switch this off. You will also receive an
email notice regarding this as well.

-> For security purposes, users can not change their security question
or answer. If they wish to change it, they need to contact an admin and
have the admin reset their SQ info.

-> Added some blocking features, this mod will try to help block attacks
such as DDoS, Clike, UNION & SQL Injection attacks.

-> Admins have the capability to lock or unlock anyone's account in the
User Management admin. They can also reset a user's SQ & SA info from
there.

-> Auto ban IPs that are caught trying to use UNION, SQL Injection, Clike
or DDoS tricks. Admin chooses to use this feature or not.

-> Keep sessions table rows under a certain amount. Admins can choose this
amount in the ACP. If the sessions table exceeds this amount of sessions, the
oldest ones will be deleted until it's under the set amount.

-> Keeps track of who all attempts to attack your site. These are stored in
a table so they can be viewed. It tracks what they try to do, what time,
and how many times they tried to do it. You can choose to display these
results if you like.

-> Block unadded admins. The board owner will set up a field, the field name
is chosen by them, so a script kiddie can not retrieve it as it will not be
a dynamic field name. Then the board owner will choose a number (the number
of admins on the board). Any admins that exceed this number will be blocked
from the site. So if you have 4 admins, you set the number to 4, and a kid
comes along, injects him an admin account into the DB, this script will keep
him out, as you allow 4 & he makes 5. This feature can be enabled or disabled
only by the oldest admin on the board.

-> Same thing as the above but for moderators.

#====
#==== V1.0.1
#====

-> Added protection against fopen(), so people can not remote open files.

-> Added protection against fwrite(), so people can not remote write to files.

-> Added protection against system(), which appears to let people execute Perl scripts.

-> Added protection against the CBACK Worm including:
   rush=echo%20_START_
   %20cd%20
   %20wget
   and many others this worm uses to get into sites.

-> Added the ability to use any/all of the features via ACP. Also with this is the option to
   auto ban, block or ignore any of them.

-> Added the ability to pm or email the admin to be notified, or neither.

-> Added the ability to allow users to change their sq info, acp controlled to allow this, not
   recommended.

-> Added pagination to the caught page, also added the link they used when they were caught.


#====
#==== V1.0.2
#====

-> Added sessions/cookie protection so no one can manipulate the auto login in any way. This
ensures & checks the cookied password to match the cookied user id, since phpBB itself
doesn't do it when it needs to be done.

-> Added a configuration option for how many entries per page to show on the caught page
since some people were being timed out or loading 404 pages from having too many per page.

-> Removed the edits to the Configuration section & added a separate admin section.

-> Added the ability for the oldest board admin to allow other admins to modify the special
fields.

-> Added the ability to block users based on user agent.

-> Added the ability to block users based on their referer.

-> Added user level protection, so every refresh it is reset, this way no user can manipulate
the board to pass off as a mod or admin.

-> Added a link to users' profiles when they have to add a SQ & Answer, this was neglected in past
versions.

-> Fixed an insecure line of code, where & what won't be mentioned, but it's fixed nevertheless.

-> Added the proper check to make sure the include file is being included from your site &
not being included from an offsite script.

-> Added 3 levels of DDoS protection, since the current is a bit strong for some users.

-> Removed the version number, by popular request. But by doing this, you will now be asked
every time you post for support what version you are using.

-> Fixed the counter so it now adds multiple exploits again. With 1.0.1 the counter only added
one per IP even if they did try over & over on the same IP.

-> Added a message to the "phpBB Security Thinks You Should Go Away" for each reason someone
is reading it, so they will now know WHY they have been blocked & be given the boards email
to contact the admins if there was a mistake.

-> Added a quick "Member Tries" screen, so it will display any users who have posted & also
tried to exploit your site. It will also display what they did to be banned.

-> Added a "Quick Search" so if someone complains about being banned, you can input their IP
and find out why they were banned & optionally unban them from the same screen. This also
comes with a wildcard (partial match) or exact match choice.

-> Added an automated database backup system. So every day at a preset time (by the admins) the
database will be backed-up & saved to your FTP. This is on/off switchable in the ACP in case
you don't have the space to spare for this feature. But my suggestion is you leave it on & just
delete the old ones every couple days, this way you always have a good copy of your database.


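As an added example (not the mod's code, nor Carnage's), here is the lockout and unlock flow the changelog describes: an account locks after a set number of failed logins, the security question is only revealed to a matching username and e-mail, and the answer is compared as an MD5 hash. It is written in Python rather than phpBB's PHP; the account fields, the MAX_TRIES value and the sample user are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_TRIES = 3  # assumed value; the changelog says the admin picks it


@dataclass
class Account:
    username: str
    email: str
    password: str          # constructed sample; a real board stores a hash
    security_question: str
    answer_md5: str        # the changelog stores the answer as an MD5 hash
    failed_tries: int = 0
    locked: bool = False


def md5_answer(answer: str) -> str:
    # Normalise so "Rex" and " rex " unlock the same account. Unsalted MD5
    # mirrors the changelog; a new deployment would use a salted slow hash.
    return hashlib.md5(answer.strip().lower().encode()).hexdigest()


def login(acct: Account, password: str) -> str:
    """Return 'ok', 'bad' or 'locked'; lock after MAX_TRIES failures."""
    if acct.locked:
        return "locked"
    if hmac.compare_digest(password, acct.password):
        acct.failed_tries = 0  # a good login resets the counter
        return "ok"
    acct.failed_tries += 1
    if acct.failed_tries >= MAX_TRIES:
        acct.locked = True
        return "locked"
    return "bad"


def security_question_for(acct: Account, username: str, email: str):
    """Reveal the question only when both username and e-mail match."""
    if username == acct.username and email.lower() == acct.email.lower():
        return acct.security_question
    return None


def unlock(acct: Account, answer: str) -> bool:
    """Clear the lock when the hashed answer matches; no-op otherwise."""
    if acct.locked and hmac.compare_digest(md5_answer(answer), acct.answer_md5):
        acct.locked = False
        acct.failed_tries = 0
        return True
    return False
```

The unlock path is the weak spot to watch: an unsalted hash of a short, guessable answer is little better than the answer itself, which is why the mod's admin notification on lock is worth leaving switched on.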
Xavious
Vae Victus


Joined: 13 Jul 2003
Posts: 2250

PostPosted: Sat Sep 17, 2005 7:25 pm    Post subject:

Lol
Quote:
...allow malicious script kiddies to make themselves admins or make admin
accounts. So I plan to render that issue here.

Bad English, that is. Literally, he just said he would make it possible to make these admin accounts.