Recent exploits inspired me to freeze all the 'fun' mods & make a serious one. So I took some time & made a phpBB Security mod. With this, it should render exploits useless. Below is a feature list.
Due to the fact that coding opens exploits, and it is inevitable, I am making and releasing this security mod for phpBB-based boards. The problem with phpBB is that if you have admin level, you have full access to everything on the site. Which is only a problem because exploits allow malicious script kiddies to make themselves admins or make admin accounts. So I plan to address that issue here.

-> Extra login box on the admin panel, so even if you have admin access, you still cannot access the admin panel to delete users, delete posts, rename things, etc. This is controlled by a .htaccess file & a .phpbbsecurty file holding the info. There is no way in this mod for admins to change this info; that would make it pointless & allow some admins to lock other admins out, etc. Please read the bottom of the install for instructions on how to set up your username & password.
-> Limit the amount of tries an account can be failed, meaning inputting the wrong username & password on an account. The amount is set by the admin. If this number is exceeded, the account is locked.
-> Added a security question and answer to the users table. Every user will have to add this. It is built into the script to redirect anyone who has not added this info to their profile so they can update it.
-> Force a user to unlock their account with the security question and answer provided. If the account is locked, when they try to login, they will be informed it's locked & given a link to unlock it. From there they have to input the username & email on the account to see the security question. Then they have to answer the question. The answers are stored as an MD5 hash so no one can see what people's answers are. Security purposes. If they get it right, the account becomes unlocked & they can then login.
-> Admin notification feature. If an account becomes locked, the mod will dispatch a PM to an admin; who it is sent to is configured in the ACP. This feature has an off switch, so if you don't care to know when accounts get locked, switch this off.
-> For security purposes, users cannot change their security question or answer. If they wish to change it, they need to contact an admin and have the admin reset their SQ info.
-> Added some blocking features; this mod will try to help block attacks such as DDoS, Clike, UNION & SQL Injection attacks.
-> Admins have the capability to lock or unlock anyone's account in the User Management admin. They can also reset a user's SQ & SA info from there.
-> Auto ban IPs that are caught trying to use UNION, SQL Injection, Clike or DDoS tricks. Admin chooses to use this feature or not.
-> Discard multiple sessions per IP, only store the newest one.
-> Keep sessions table rows under a certain amount. Admins can choose this amount in the ACP. If the sessions table exceeds this amount of sessions, the oldest ones will be deleted until it's under the set amount.

#==== Other Suggested Mods
-> Registration IP
-> Advanced IP Tracker
-> IP Search
#====
#==== V1.0.2
#====
-> Added sessions/cookie protection so no one can manipulate the auto login in any way. This ensures & checks that the cookied password matches the cookied user id, since phpBB itself doesn't do it when it needs to be done.
-> Added a configuration option for how many entries per page to show on the caught page, since some people were being timed out or loading 404 pages from having too many per page.
-> Removed the edits to the Configuration section & added a separate admin section.
-> Added the ability for the oldest board admin to allow other admins to modify the special fields.
-> Added the ability to block users based on user agent.
-> Added the ability to block users based on their referer.
-> Added user level protection, so every refresh it is reset; this way no user can manipulate the board to pass off as a mod or admin.
-> Added a link to users' profiles when they have to add a SQ & Answer; this was neglected in past versions.
-> Fixed an insecure line of code. Where & what won't be mentioned, but it's fixed nevertheless.
-> Added the proper check to make sure the include file is being included from your site & not being included from an offsite script.
-> Added 3 levels of DDoS protection, since the current one is a bit strong for some users.
-> Removed the version number, by popular request. But by doing this, you will now be asked every time you post for support what version you are using.
-> Fixed the counter so it now adds multiple exploits again. With 1.0.1 the counter only added one per IP even if they did try over & over on the same IP.
-> Added a message to the "phpBB Security Thinks You Should Go Away" page for each reason someone is reading it, so they will now know WHY they have been blocked & be given the board's email to contact the admins if there was a mistake.
-> Added a quick "Member Tries" screen, so it will display any users who have posted & also tried to exploit your site. It will also display what they did to be banned.
-> Added a "Quick Search" so if someone complains about being banned, you can input their IP and find out why they were banned & optionally unban them from the same screen. This also comes with a wildcard (partial match) or exact match choice.
-> Added an automated database backup system. So every day at a preset time (set by the admins) the database will be backed up & saved to your FTP. This is on/off switchable in the ACP in case you don't have the space to spare for this feature. But my suggestion is you leave it on & just delete the old ones every couple of days; this way you always have a good copy of your database.
You're welcome to try & get into my account (aUsTiN) there by trying to guess the password. You have 4 guesses :p & then you will see the locked account feature. The concept is the same as lost password: you have to input the username & email, and it'll take ya from there.
I'm open to requests, if you can think of other things that can be done...
It can be downloaded & tested from Here
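The lockout and unlock flow the feature list describes (admin-set try limit, locked account, username + email to see the security question, hashed answer, PM to an admin), as an added example that is not part of the post and not the mod's PHP code. It is Python rather than phpBB's PHP, the names LoginGuard, Account, notify_admin and demo are assumptions, the account data is constructed, and it stores the answer as a salted PBKDF2 hash where the post uses MD5. It also goes one step past the post by capping guesses at the security answer, since once the password is locked out the answer becomes the thing being guessed.

```python
"""Failed-login lockout with security-question unlock: a constructed example modelled
on the feature list above, not the mod's PHP source; class/method names are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_TRIES = 4    # admin-set limit; the post's demo board allows 4 guesses
PBKDF2_ROUNDS = 50_000  # kept low so the example runs quickly


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, used here in place of the post's unsalted MD5."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def normalise(answer):  # lower-case, collapse whitespace: 'Fido ' and 'fido' compare equal
    return " ".join(answer.lower().split())


@dataclass
class Account:
    username: str
    email: str
    question: str
    pw_salt: bytes
    pw_hash: bytes
    sq_salt: bytes
    sq_hash: bytes
    failed_logins: int = 0
    failed_unlocks: int = 0
    locked: bool = False
    needs_admin_reset: bool = False


class LoginGuard:
    """In-memory stand-in for the users table plus the mod's login checks."""
    def __init__(self, max_tries=MAX_FAILED_TRIES, notify_admin=None):
        self.max_tries = max_tries
        self.notify_admin = notify_admin or (lambda msg: None)  # stand-in for the admin PM
        self.accounts = {}

    def register(self, username, email, password, question, answer):
        pw_salt, sq_salt = os.urandom(16), os.urandom(16)
        self.accounts[username.lower()] = Account(
            username, email.lower(), question, pw_salt, hash_secret(password, pw_salt),
            sq_salt, hash_secret(normalise(answer), sq_salt))

    def _lookup(self, username, email):  # unlock steps need username and e-mail to match
        acct = self.accounts.get(username.lower())
        ok = acct and hmac.compare_digest(acct.email.encode(), email.lower().encode())
        return acct if ok else None

    def login(self, username, password):
        acct = self.accounts.get(username.lower())
        if acct is None:
            return "bad_credentials"  # same reply as a wrong password: no username probing
        if acct.locked:
            return "locked"  # the user is told it's locked and pointed at the unlock link
        if hmac.compare_digest(hash_secret(password, acct.pw_salt), acct.pw_hash):
            acct.failed_logins = 0
            return "ok"
        acct.failed_logins += 1
        if acct.failed_logins >= self.max_tries:
            acct.locked = True
            self.notify_admin(f"{acct.username} locked after {acct.failed_logins} failed logins")
        return "bad_credentials"

    def security_question(self, username, email):
        acct = self._lookup(username, email)
        return acct.question if acct else None

    def unlock(self, username, email, answer):
        acct = self._lookup(username, email)
        if acct is None:
            return "no_match"
        if not acct.locked:
            return "not_locked"
        if acct.needs_admin_reset:
            return "needs_admin_reset"
        if hmac.compare_digest(hash_secret(normalise(answer), acct.sq_salt), acct.sq_hash):
            acct.locked = False
            acct.failed_logins = acct.failed_unlocks = 0
            return "unlocked"
        # Beyond the post: answer guesses are capped too, otherwise the lock is only
        # as strong as the answer; past the cap only the mod's admin SQ reset helps.
        acct.failed_unlocks += 1
        if acct.failed_unlocks >= self.max_tries:
            acct.needs_admin_reset = True
            self.notify_admin(f"{acct.username} needs an admin SQ reset")
        return "wrong_answer"


def demo():  # four bad guesses, then the unlock flow; returns (results, admin notices)
    notices, u, mail = [], "demo_user", "demo@example.invalid"
    guard = LoginGuard(notify_admin=notices.append)
    guard.register(u, mail, "correct horse", "First pet's name?", "Fido")  # constructed account
    results = [guard.login(u, f"guess{i}") for i in range(4)]
    results += [guard.login(u, "correct horse"),  # right password, but the account is now locked
                guard.security_question(u, "x@example.invalid"),
                guard.security_question(u, mail),
                guard.unlock(u, mail, "Rex"),
                guard.unlock(u, mail, " fido "),
                guard.login(u, "correct horse")]
    return results, notices
```

Running `demo()` walks the scenario the post invites: four wrong passwords lock the account and fire one admin notice, the right password is then refused with "locked", the question is shown only when username and e-mail both match, and a correct (case- and whitespace-insensitive) answer clears the lock. Unknown usernames get the same "bad_credentials" reply as a wrong password so the login form cannot be used to confirm which accounts exist.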