[2.0.6] Protect user account


Extensions Robot
Posts: 28684
Joined: Sat Aug 16, 2003 7:36 am

[2.0.6] Protect user account

Post by Extensions Robot »

MOD Name: Protect user account
Author: Niels Chr. Denmark
MOD Description: this mod makes phpbb2 account even more secure, now account can be locked for a time, if too many bad login attempts are made, admin may also in ACP specify type of passwords accepted.
e.g. minimum length, max age, different from username and so on

MOD Version: 1.2.8 (Updated 03/31/04)



Download File: protect_useraccount_1.2.8em.zip
File Size: 20384 Bytes

Last edited by Extensions Robot on Mon Apr 30, 2007 12:28 am, edited 1 time in total.
(this is a non-active account manager for the phpBB Extension Customisations Team)
AbelaJohnB
Former Team Member
Posts: 5674
Joined: Fri Jul 06, 2001 11:56 pm

Post by AbelaJohnB »

MOD Validated/Released :mrgreen:

Personal Notes:
One of my favorite security MOD's of all time <smile>
morpheus2matrix
Former Team Member
Posts: 9171
Joined: Wed Apr 10, 2002 7:31 pm
Location: France
Contact:

Post by morpheus2matrix »

Great MOD : Thanks Niels :wink:
Former phpBB MOD-Team Member -

Forgive my bad English :(

No support by PM/Email - Thanks - You can thanks me here :) - Pay me for installing MOD's :lol:
Tones
Registered User
Posts: 127
Joined: Sun Mar 02, 2003 8:22 pm

Post by Tones »

Please re-write the login.php section.

The

Code: Select all

# 
#-----[ FIND ]------------------------------------------ 
# 
redirect(appen

can be found on more than one location
and there seems to be a parse error, my html editor reports a problem
between line 78 and 90

Use the entire search line instead of just a part of it.
I'll have to find the bug now.
wGEric
Former Team Member
Posts: 8805
Joined: Sun Oct 13, 2002 3:01 am
Location: Friday
Name: Eric Faerber
Contact:

Post by wGEric »

Tones wrote: Please re-write the login.php section.

The

Code: Select all

# 
#-----[ FIND ]------------------------------------------ 
# 
redirect(appen

can be found on more than one location
and there seems to be a parse error, my html editor reports a problem
between line 78 and 90

Use the entire search line instead of just a part of it.
I'll have to find the bug now.


It should be the first one. Most Authors go from top to bottom of the file making changes instead of random.

Also 'your bug' could just be you making a mistake when installing. I haven't installed it so I wouldn't know but I am guessing it was a mistake on your part.
Eric
Scootersponge
Registered User
Posts: 27
Joined: Thu Sep 25, 2003 11:27 pm
Contact:

Post by Scootersponge »

Yay. Excellent!
quentin
Registered User
Posts: 197
Joined: Tue May 20, 2003 7:30 am
Location: Geneva, Switzerland
Contact:

Post by quentin »

very good and useful mod. The best way to prevent account hacking is yet to have users get good passwords.
thanks !

Quentin
The largest message boards on the web !
Web Design Library (coming soon)
Friends sites: Heroes of might and magic - Biometric security
tk102
Registered User
Posts: 16
Joined: Sun Sep 21, 2003 4:16 am

Post by tk102 »

@morpheus2matrix:
Having this mod and your Log Actions mod work together would be a great combo.
morpheus2matrix
Former Team Member
Posts: 9171
Joined: Wed Apr 10, 2002 7:31 pm
Location: France
Contact:

Post by morpheus2matrix »

tk102 wrote: @morpheus2matrix:
Having this mod and your Log Actions mod work together would be a great combo.


so just install both MOD's :wink:
Former phpBB MOD-Team Member -

Forgive my bad English :(

No support by PM/Email - Thanks - You can thanks me here :) - Pay me for installing MOD's :lol:
Niels Chr. Denmark
Registered User
Posts: 1320
Joined: Thu Jan 10, 2002 1:00 pm
Contact:

Post by Niels Chr. Denmark »

Tones wrote: Please re-write the login.php section.

The

Code: Select all

# 
#-----[ FIND ]------------------------------------------ 
# 
redirect(appen

can be found on more than one location
and there seems to be a parse error, my html editor reports a problem
between line 78 and 90

Use the entire search line instead of just a part of it.
I'll have to find the bug now.


You are right that the line is to be found in more places in the file.
However, to make this mod EM ready it is essential to keep the FIND code as small as possible or EM will fail if other mods are installed.

Therefore an EM ready mod will usually use the FIND tag found next to the previous FIND tag, most "search tools" will continue searching from the place the cursor is - so it should not be a problem.

In this case the "complete" FIND code looks like this

Code: Select all

						redirect(append_sid($url, true));
					}
					else
					{
						message_die(CRITICAL_ERROR, "Couldn't start session : login", "", __LINE__, __FILE__);

Earth should spin a little slower, then there would be 28H/day
tk102
Registered User
Posts: 16
Joined: Sun Sep 21, 2003 4:16 am

Post by tk102 »

@morpheus2matrix, Niels Chr. Denmark:

Here is what I meant by integrating these two great mods:

First add another function to morpheus2matrix's includes/functions_log.php

Code: Select all

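// Writes one login-related event to the Log Actions table.
// $action is expected to be a fixed string from the caller and $user_ip
// phpBB's hex-encoded IP; neither is escaped here.
function log_action_at_login($action, $user_ip, $user_id, $username)
{
	global $db;
	$topic_id=0; // login events are not tied to a topic
	// addslashes() matches MySQL-style escaping; other backends (e.g. MSSQL)
	// escape a single quote by doubling it instead.
	$username = addslashes($username);
	$time = time();
	$sql = "INSERT INTO " . LOGS_TABLE . " (mode, topic_id, user_id, username, user_ip, time)
		VALUES ('$action', '$topic_id', '$user_id', '$username', '$user_ip', '$time')";
	if ( !($result = $db->sql_query($sql)) )
	{
		message_die(GENERAL_ERROR, 'Could not insert data into logs table', '', __LINE__, __FILE__, $sql);
	}
}
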
Then insert the following lines into login.php after applying Niels' mod:

Code: Select all

//
//----[ FIND ]-----
//
include($phpbb_root_path . 'common.'.$phpEx);

//
//---[ AFTER ADD ]----
//
include($phpbb_root_path . 'includes/functions_log.'.$phpEx);

//
//----[ FIND ]-----
//
$emailer->reset(); 
}

//
//---[ AFTER ADD ]----
//
log_action_at_login('Account blocked', $user_ip, $row['user_id'], $row['username']);

//
//----[ FIND ]-----
//
$message = $lang['Error_login'] . '<br /><br />' . sprintf($lang['Click_return_login']

//
//---[ AFTER ADD ]----
//
log_action_at_login('Login failed', $user_ip, $row['user_id'], $row['username']);
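
What an admin can do with the rows these calls write, as an added example that is not part of the original post or of either MOD: a per-IP summary of 'Login failed' and 'Account blocked' events. The sample rows are constructed, and the function names, the time window and the threshold are hypothetical.

```php
<?php
// Added illustration. Rows are constructed and shaped like the columns that
// log_action_at_login() writes; user_ip is phpBB's 8-hex-digit encoded form.
$rows = array(
    array('mode' => 'Login failed',    'username' => 'alice', 'user_ip' => 'c0000205', 'time' => 1000),
    array('mode' => 'Login failed',    'username' => 'alice', 'user_ip' => 'c0000205', 'time' => 1010),
    array('mode' => 'Login failed',    'username' => 'alice', 'user_ip' => 'c0000205', 'time' => 1020),
    array('mode' => 'Account blocked', 'username' => 'alice', 'user_ip' => 'c0000205', 'time' => 1020),
    array('mode' => 'Login failed',    'username' => 'bob',   'user_ip' => 'c0000205', 'time' => 1030),
    array('mode' => 'Login failed',    'username' => 'carol', 'user_ip' => 'cb007107', 'time' => 1040),
    array('mode' => 'Login failed',    'username' => 'alice', 'user_ip' => 'c0000205', 'time' => 100),
);

// Turns phpBB's hex-encoded IPv4 address back into dotted form.
function decode_logged_ip($hex)
{
    return implode('.', array_map('hexdec', str_split($hex, 2)));
}

// Per source IP since $since: failures, distinct usernames tried, and lockouts.
// Only IPs with at least $min_failures failures are returned.
function failed_login_report(array $rows, $since, $min_failures)
{
    $stats = array();
    foreach ($rows as $r) {
        if ($r['time'] < $since) {
            continue;
        }
        $ip = $r['user_ip'];
        if (!isset($stats[$ip])) {
            $stats[$ip] = array('failures' => 0, 'blocked' => 0, 'usernames' => array());
        }
        if ($r['mode'] === 'Login failed') {
            $stats[$ip]['failures']++;
            $stats[$ip]['usernames'][$r['username']] = true;
        } elseif ($r['mode'] === 'Account blocked') {
            $stats[$ip]['blocked']++;
        }
    }
    $report = array();
    foreach ($stats as $ip => $s) {
        if ($s['failures'] >= $min_failures) {
            $report[decode_logged_ip($ip)] = array('failures' => $s['failures'],
                'usernames' => array_keys($s['usernames']), 'blocked' => $s['blocked']);
        }
    }
    return $report;
}

print_r(failed_login_report($rows, 900, 3));
```

An IP that fails against several different usernames stands out here even when no single account reaches the lockout limit.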
kleptik
Registered User
Posts: 18
Joined: Mon Oct 20, 2003 10:07 am

Post by kleptik »

ok apparently my message was deleted for some reason.

how do i uninstall this mod, so files back to normal?
tk102
Registered User
Posts: 16
Joined: Sun Sep 21, 2003 4:16 am

Post by tk102 »

@kleptik:
I assume from your post that you did not follow this instruction contained within every mod in the mod-db:

Code: Select all

############################################################## 
## Before Adding This MOD To Your Forum, You Should Back Up All Files Related To This MOD 
##############################################################

In that case, you should look through the mod and manually undo the changes that it implemented. Or, if you do not have other mods installed, you can simply re-download the original phpbb files.

As for your database, the additional fields that this mod added to your users table (default = 'phpbb_users') will not impact the functionality of your board. If however you want your database to be as clean as possible, you will want to remove the following fields from that table:
  • user_passwd_change
  • user_badlogin
  • user_blocktime
  • user_block_by
kleptik
Registered User
Posts: 18
Joined: Mon Oct 20, 2003 10:07 am

Post by kleptik »

that's the thing. the sql would not work, kept having errors

and i used easymod to install, so easymod backs up all original files

so i just replaced and works fine now

but i mean if i had the sql work i could do this, but until that sql will work i cannot
tk102
Registered User
Posts: 16
Joined: Sun Sep 21, 2003 4:16 am

Post by tk102 »

@kleptik:
Ah I see. What database are you running? I believe the SQL provided with this mod only works on MySQL in its unmodified form. I am using MSSQL-ODBC and had to change the included php script's SQL statements to the following to work correctly. (Specifically, SQL Server didn't like having lengths associated with INT and SMALLINT datatypes, didn't like using NOT NULL without a DEFAULT parameter, and didn't like the use of double quotes within a VALUES clause.)

Original code:

Code: Select all

$sql=array(
'ALTER TABLE ' . USERS_TABLE . ' ADD user_passwd_change INT(11) NOT NULL',
'UPDATE ' . USERS_TABLE . ' SET user_passwd_change=user_regdate',
'UPDATE ' . USERS_TABLE . ' SET user_passwd_change=' .time(). ' WHERE user_level='.ADMIN,
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES ("max_password_age", "730")',
'ALTER TABLE ' . USERS_TABLE . ' ADD user_badlogin SMALLINT(5) NOT NULL',
'ALTER TABLE ' . USERS_TABLE . ' ADD user_blocktime INT(11) NOT NULL',
'ALTER TABLE ' . USERS_TABLE . ' ADD user_block_by VARCHAR (8)',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES ("block_time", "15")',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES ("max_login_error", "3")',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES ("min_password_len", "6")',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES ("force_complex_password", "0")',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES ("password_not_login", "1")'
);

Modified code for MSSQL-ODBC:

Code: Select all

$sql=array(
'ALTER TABLE ' . USERS_TABLE . ' ADD user_passwd_change INT DEFAULT 0 NOT NULL',
'UPDATE ' . USERS_TABLE . ' SET user_passwd_change=user_regdate',
'UPDATE ' . USERS_TABLE . ' SET user_passwd_change=' .time(). ' WHERE user_level='.ADMIN,
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES (\'max_password_age\', \'730\')',
'ALTER TABLE ' . USERS_TABLE . ' ADD user_badlogin SMALLINT DEFAULT 0 NOT NULL',
'ALTER TABLE ' . USERS_TABLE . ' ADD user_blocktime INT DEFAULT 0 NOT NULL',
'ALTER TABLE ' . USERS_TABLE . ' ADD user_block_by VARCHAR (8)',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES (\'block_time\', \'15\')',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES (\'max_login_error\', \'3\')',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES (\'min_password_len\', \'6\')',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES (\'force_complex_password\', \'0\')',
'INSERT INTO '. CONFIG_TABLE . ' (config_name, config_value) VALUES (\'password_not_login\', \'1\')'
);
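
How the columns and config values in the install SQL above could drive a lockout and a password policy, as an added sketch that is not the MOD's own code and not part of the original posts. The function names are hypothetical, and treating block_time as minutes, max_password_age as days and "complex" as letters plus digits are assumptions.

```php
<?php
// Added illustration, not the MOD's code; minutes/days units are assumptions.
$cfg = array('max_login_error' => 3, 'block_time' => 15, 'min_password_len' => 6,
    'max_password_age' => 730, 'force_complex_password' => 0, 'password_not_login' => 1);

// Applies one login attempt to a users-table row; returns array($row, $allowed).
function apply_login_attempt(array $row, $password_ok, array $cfg, $now)
{
    if ($row['user_blocktime'] > $now) {
        return array($row, false);      // locked: a correct password is refused too
    }
    if ($password_ok) {
        $row['user_badlogin'] = 0;      // success clears the failure counter
        return array($row, true);
    }
    $row['user_badlogin']++;
    if ($row['user_badlogin'] >= $cfg['max_login_error']) {
        $row['user_blocktime'] = $now + $cfg['block_time'] * 60;
        $row['user_badlogin'] = 0;      // counting restarts after the lock expires
    }
    return array($row, false);
}

// Returns the policy rules a password breaks (empty array = acceptable).
function password_policy_errors($username, $password, $changed_at, array $cfg, $now)
{
    $errors = array();
    if (strlen($password) < $cfg['min_password_len']) {
        $errors[] = 'shorter than min_password_len';
    }
    if ($cfg['password_not_login'] && strcasecmp($username, $password) === 0) {
        $errors[] = 'same as username';
    }
    if ($cfg['force_complex_password'] && !preg_match('/^(?=.*[A-Za-z])(?=.*[0-9])/', $password)) {
        $errors[] = 'needs letters and digits';  // assumed meaning of "complex"
    }
    if ($now - $changed_at > $cfg['max_password_age'] * 86400) {
        $errors[] = 'older than max_password_age';
    }
    return $errors;
}

// Constructed run: three bad passwords lock the account, then a good one is refused.
$row = array('user_badlogin' => 0, 'user_blocktime' => 0, 'user_passwd_change' => 0);
$now = 1080000000;
foreach (array(false, false, false, true) as $ok) {
    list($row, $allowed) = apply_login_attempt($row, $ok, $cfg, $now);
    echo ($allowed ? 'allowed' : 'denied'), ' blocked_until=', $row['user_blocktime'], "\n";
}
print_r(password_policy_errors('alice', 'Alice', $row['user_passwd_change'], $cfg, $now));
```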