[2.0.6] Protect user account

[Extensions Robot]

MOD Name: Protect user account
Author: Niels Chr. Denmark
MOD Description: this mod makes phpbb2 account even more secure, now account can be locked for a time, if too meny bad login attempt is made, admin may also in ACP specify type of paswords accepted.
e.g. minimum length, max age, different from username and so on

MOD Version: 1.2.8 (Updated 03/31/04)



Download File: protect_useraccount_1.2.8em.zip
mods overview page: View
File Size: 20384 Bytes

Security Score:

[AbelaJohnB]

MOD Validated/Released

Personal Notes:
One of my favorite security MOD's of all time <smile>

[morpheus2matrix]

Great MOD : Thanks Niels

[Tones]

Please re-write the login.php section.

The

Code: Select all

# 
#-----[ FIND ]------------------------------------------ 
# 
redirect(appen

can be found on more then one location
and there seems to be a parse error, my html editor reports a problem
between line 78 and 90

Use the entire search line instead of just a part of it.
I'll have to find the bug now.

[wGEric]

Please re-write the login.php section.

The

Code: Select all

# 
#-----[ FIND ]------------------------------------------ 
# 
redirect(appen

can be found on more then one location
and there seems to be a parse error, my html editor reports a problem
between line 78 and 90

Use the entire search line instead of just a part of it.
I'll have to find the bug now.

It should be the first one. Most Authors go from top to bottom of the file making changes instead of random.

Also 'your bug' could just be you making a mistake when installing. I haven't installed it so I wouldn't know but I am guessing it was a mistake on your part.

[Scootersponge]

Yay. Excellent!

[quentin]

very good and useful mod. The best way to prevent account hacking is yet to have users get good passwords.
thanks !

Quentin

[tk102]

@morpheus2matrix:
Having this mod and your Log Actions mod work together would be a great combo.

[morpheus2matrix]

@morpheus2matrix:
Having this mod and your Log Actions mod work together would be a great combo.

so just install both MOD's

[Niels Chr. Denmark]

Please re-write the login.php section.

The

Code: Select all

# 
#-----[ FIND ]------------------------------------------ 
# 
redirect(appen

can be found on more then one location
and there seems to be a parse error, my html editor reports a problem
between line 78 and 90

Use the entire search line instead of just a part of it.
I'll have to find the bug now.

You are right, that the line is to be found more places in the file.
How-ever to make this mod EM ready it is ecential to keep the FIND code as small as posible or EM will fail if other mods are installed.

Therefore a EM ready mod will usually use the FIND tag fond next to the previous FIND tag, most "search tools" will continue earch from the place the cursor is - so it should not be a problem.

in this case the "complete" FIND code looks like this

Code: Select all

						redirect(append_sid($url, true));
					}
					else
					{
						message_die(CRITICAL_ERROR, "Couldn't start session : login", "", __LINE__, __FILE__);

[tk102]

@morpheus2matrix, Niels Chr. Denmark:

Here is what I meant by integrating these two great mods:

First add another function to morpheus2matrix's includes/functions_log.php

Code: Select all

function log_action_at_login($action, $user_ip, $user_id, $username)
{
	global $db;
	$topic_id=0;
	$username = addslashes($username);
	$time = time();
	$sql = "INSERT INTO " . LOGS_TABLE . " (mode, topic_id, user_id, username, user_ip, time)
		VALUES ('$action', '$topic_id', '$user_id', '$username', '$user_ip', '$time')";
	if ( !($result = $db->sql_query($sql)) )
	{
		message_die(GENERAL_ERROR, 'Could not insert data into logs table', '', __LINE__, __FILE__, $sql);
	}
}

Then insert the following lines into login.php after applying Niels' mod:

Code: Select all

//
//----[ FIND ]-----
//
include($phpbb_root_path . 'common.'.$phpEx);

//
//---[ AFTER ADD ]----
//
include($phpbb_root_path . 'includes/functions_log.'.$phpEx);

//
//----[ FIND ]-----
//
$emailer->reset(); 
}

//
//---[ AFTER ADD ]----
//
log_action_at_login('Account blocked', $user_ip, $row['user_id'], $row['username']);

//
//----[ FIND ]-----
//
$message = $lang['Error_login'] . '<br /><br />' . sprintf($lang['Click_return_login']

//
//---[ AFTER ADD ]----
//
log_action_at_login('Login failed', $user_ip, $row['user_id'], $row['username']);

[kleptik]

ok apparently my message was deleted for some reason.

how do i uninstall this mod, so files back to normal?

[tk102]

@kleptik:
I assume from your post that you did not follow this instruction contained within every mod in the mod-db:

Code: Select all

############################################################## 
## Before Adding This MOD To Your Forum, You Should Back Up All Files Related To This MOD 
##############################################################

In that case, you should look through the mod and manually undo the changes that it implemented. Or, if you do not have other mods installed, you can simply re-download the original phpbb files.

As for your database, the additional fields that this mod added to your users table (default = 'phpbb_users') will not impact the functionality of your board. If however you want your database to be as clean as possible, you will want to remove the following fields from that table:

• user_passwd_change
• user_badlogin
• user_blocktime
• user_block_by

[kleptik]

thats the thing. the sql would not work, kept having errors

and i used easymod to install, so easymod backs up all original files

so i just replaced and works fine now

but i mean if i had the sql work i could do this, but until that sql will work i cannot

[tk102]

@kleptik:
Ah I see. What database are you running? I believe the SQL provided with this mod only works on MySQL in its unmodified form. I am using MSSQL-ODBC and had to change the included php script's SQL statements to the following to work correctly. (Specifically, SQL Server didn't like having lengths associated with INT and SMALLINT datatypes, didn't like using NOT NULL without a DEFAULT parameter, and didn't like the use of double quotes within a VALUES clause.)

Original code:

Code: Select all

$sql=array(
'ALTER TABLE ' . USERS_TABLE . ' ADD user_passwd_change INT(11) NOT NULL',
'UPDATE ' . USERS_TABLE . ' SET user_passwd_change=user_regdate',
'UPDATE ' . USERS_TABLE . ' SET user_passwd_change=' .time(). ' WHERE user_level='.ADMIN,
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES ("max_password_age", "730")',
'ALTER TABLE ' . USERS_TABLE . ' ADD user_badlogin SMALLINT(5) NOT NULL',
'ALTER TABLE ' . USERS_TABLE . ' ADD user_blocktime INT(11) NOT NULL',
'ALTER TABLE ' . USERS_TABLE . ' ADD user_block_by VARCHAR (8)',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES ("block_time", "15")',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES ("max_login_error", "3")',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES ("min_password_len", "6")',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES ("force_complex_password", "0")',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES ("password_not_login", "1")'
);

Modified code for MSSQL-ODBC:

Code: Select all

$sql=array(
'ALTER TABLE ' . USERS_TABLE . ' ADD user_passwd_change INT DEFAULT 0 NOT NULL',
'UPDATE ' . USERS_TABLE . ' SET user_passwd_change=user_regdate',
'UPDATE ' . USERS_TABLE . ' SET user_passwd_change=' .time(). ' WHERE user_level='.ADMIN,
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES (\'max_password_age\', \'730\')',
'ALTER TABLE ' . USERS_TABLE . ' ADD user_badlogin SMALLINT DEFAULT 0 NOT NULL',
'ALTER TABLE ' . USERS_TABLE . ' ADD user_blocktime INT DEFAULT 0 NOT NULL',
'ALTER TABLE ' . USERS_TABLE . ' ADD user_block_by VARCHAR (8)',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES (\'block_time\', \'15\')',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES (\'max_login_error\', \'3\')',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES (\'min_password_len\', \'6\')',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES (\'force_complex_password\', \'0\')',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES (\'password_not_login\', \'1\')'
);