########################################################
## Mod Title: Protect useraccount mod
## Mod Version: 0.9.3
## Author: Niels Chr. Rød Denmark < ncr@db9.dk > http://mods.db9.dk
##
## This mod is for phpBB2 ver 2.0.2
##
## Description: This mod helps prevent password-guessing attacks on user accounts. It works like this:
## if a user submits a valid password, nothing changes;
## if a user submits a wrong password X times for a user account,
## then the specified username cannot log in for a specific time (e.g. 30 min).
## This prevents a fake user from trying several times to log in to another user's account.
## Note: the block time should not be set too long, so the "real" user can still log in.
##
##
##
## Installation Level: Easy
## Installation Time: 2-5 Minutes
## Files To Edit: 4
## language/lang_english/lang_main.php
## login.php
## includes/functions_validate.php
## includes/usercp_register.php
## admin/admin_board.php
## templates/subsilver/admin/board_config.tpl
## Include files: 0
##
## History:
## 0.9.0. - initial BETA, basic features
## 0.9.1. - corrected some typos in the initial 0.9.0 how-to
## 0.9.2. - now includes an admin interface, so values are configurable
## 0.9.3. - now includes complex password rules; admin interface not yet completed
## 0.9.4. - fixed a "left over" in the admin_board.php
##
##############################################################
## This MOD is released under the GPL License.
## Intellectual Property is retained by the MOD Author(s) listed above
##############################################################
## For Security Purposes, Please Check: http://www.phpbb.com/mods/downloads/ for the
## latest version of this MOD. Downloading this MOD from other sites could cause malicious code
## to enter into your phpBB Forum. As such, phpBB will not offer support for MOD's not offered
## in our MOD-Database, located at: http://www.phpbb.com/mods/downloads/
##############################################################
## Authors Notes:
##
## Instead of running the SQL commands yourself, I have also included a db_update.php file.
## If you are logged in as ADMIN, you can run this file, which will make the necessary changes to the DB;
## the file will put the prefix on your tables by itself. Otherwise,
## if you are using a prefix for your DB tables, you have to add it to
## the [ADD SQL] commands, e.g. "phpbb_users" instead of just "users" - ONLY
## in the initial [ADD SQL] commands, not in the php code!
##
##
#################################################################
## Before Adding This MOD To Your Forum, You Should Back Up All Files Related To This MOD
## and the Database
#################################################################
#
#-----[ ADD SQL ]------------------------------------------
#
ALTER TABLE `users` ADD `user_badlogin` SMALLINT(5) NOT NULL
#
#-----[ ADD SQL ]------------------------------------------
#
ALTER TABLE `users` ADD `user_blocktime` INT(11) NOT NULL
#
#-----[ ADD SQL ]------------------------------------------
#
INSERT INTO config (config_name, config_value) VALUES ("block_time", "15")
#
#-----[ ADD SQL ]------------------------------------------
#
INSERT INTO config (config_name, config_value) VALUES ("max_login_error", "3")
#
#-----[ ADD SQL ]------------------------------------------
#
INSERT INTO config (config_name, config_value) VALUES ("min_password_len", "6")
#
#-----[ ADD SQL ]------------------------------------------
#
INSERT INTO config (config_name, config_value) VALUES ("force_complex_password", "1")
#
#-----[ ADD SQL ]------------------------------------------
#
INSERT INTO config (config_name, config_value) VALUES ("password_not_login", "1")
####################################################################
#
#-----[ OPEN ]------------------------------------------
#
language/lang_english/lang_main.php
#
#-----[ FIND ]------------------------------------------
#
# AT THE BOTTOM OF THE PAGE
//
// That's all Folks!
// -------------------------------------------------
#
#-----[ BEFORE, ADD ]------------------------------------------
#
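// Added by the Protect useraccount mod. These keys are read from login.php
// and includes/functions_validate.php, so they must keep their exact names.
// Note: Error_login_tomutch is shown instead of Error_login when an account is
// blocked, which tells the visitor that the username exists and is currently
// locked. login.php only uses it when it is non-empty, so set it to '' if you
// prefer the generic Error_login text for blocked accounts as well.
$lang['Error_login_tomutch'] = 'You have specified a locked username, please try again later';
// Password_not_complex is followed directly by the comma-separated list of
// failed rules, so it must end with a space (the original text did not and the
// messages ran together).
$lang['Password_not_complex'] = 'The specified password does not conform to this site\'s complexity rules. Please verify that the password: ';
// %d is replaced with the configured minimum length via sprintf().
$lang['Password_to_short'] = 'is at least %d characters long';
$lang['Password_mixed'] = 'contains both numbers and letters';
$lang['Password_not_same'] = 'is not the same as your username';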
#
#-----[ OPEN ]------------------------------------------
#
index.php
#
#-----[ FIND ]------------------------------------------
#
$sql = "SELECT user_id, username,
FROM " . USERS_TABLE . "
#
#-----[ IN-LINE, FIND ]------------------------------------------
#
, user_level
#
#-----[ IN-LINE, AFTER ADD ]------------------------------------------
#
, user_badlogin, user_blocktime
#
#-----[ FIND ]------------------------------------------
#
if( md5($password) == $row['user_password'] && $row['user_active'] )
#
#-----[ BEFORE, ADD ]------------------------------------------
#
if ($row['user_badlogin']<$board_config['max_login_error'] || $row['user_blocktime']<time() )
{
#
#-----[ FIND ]------------------------------------------
#
$message = $lang['Error_login'] . '<br /><br />' . sprintf($lang['Click_return_login'], '<a href="' . append_sid("login.$phpEx?redirect=$redirect") . '">', '</a>') . '<br /><br />' . sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');
#
#-----[ BEFORE, ADD ]------------------------------------------
#
// Record this failed login attempt. Once the account has already reached the
// configured number of bad logins, also set user_blocktime to "now plus
// block_time minutes" (block_time is read from board config, it is not a
// fixed 30 minutes).
// NOTE(review): the OPEN header above names index.php, but this snippet patches
// the failed-login path of login.php (listed under Files To Edit) - confirm.
// NOTE(review): nothing in this MOD resets user_badlogin after a successful
// login, and user_blocktime starts at 0, so the first block is only applied
// one failure after max_login_error is reached - confirm this is intended.
if ( $row['user_badlogin'] >= $board_config['max_login_error'] )
{
    $block_until = time() + ($board_config['block_time'] * 60);
    $blocktime = ", user_blocktime='" . $block_until . "'";
}
else
{
    $blocktime = '';
}
// NOTE(review): relies on $username already being slash-escaped upstream in
// login.php; turning \' into '' is the phpBB2 idiom for literal quotes in SQL.
$sql = "UPDATE " . USERS_TABLE . " SET user_badlogin=user_badlogin+1 $blocktime
WHERE username = '" . str_replace("\'", "''", $username) . "'";
$result = $db->sql_query($sql);
if ( !$result )
{
    message_die(GENERAL_ERROR, 'Error updating bad login data', '', __LINE__, __FILE__, $sql);
}
#
#-----[ FIND ]------------------------------------------
#
$message = $lang['Error_login'] . '<br /><br />' . sprintf($lang['Click_return_login'], '<a href="' . append_sid("login.$phpEx?redirect=$redirect") . '">', '</a>') . '<br /><br />' . sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');
message_die(GENERAL_MESSAGE, $message);
}
#
#-----[ AFTER, ADD ]------------------------------------------
#
} else
{
$sql = "UPDATE " . USERS_TABLE . " SET user_badlogin=user_badlogin+1
WHERE username = '" . str_replace("\'", "''", $username) . "'";
$message = (($lang['Error_login_tomutch'])?$lang['Error_login_tomutch']:$lang['Error_login']) . '<br /><br />' . sprintf($lang['Click_return_login'], '<a href="' . append_sid("login.$phpEx?redirect=$redirect") . '">', '</a>') . '<br /><br />' . sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');
message_die(GENERAL_MESSAGE, $message);
}
#
#-----[ OPEN ]------------------------------------------
#
include/functions_validate.php
#
#-----[ FIND ]------------------------------------------
#
?>
#
#-----[ BEFORE, ADD ]------------------------------------------
#
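/**
 * Check a new password against the board's complexity rules.
 *
 * Each rule is switched by a board_config entry:
 *   min_password_len       - minimum length in bytes (0 disables the rule)
 *   password_not_login     - the password may not equal the username
 *   force_complex_password - the password must contain a letter and a digit
 *
 * @param string $username  account name the password belongs to
 * @param string $password  plaintext password to check (not stored or logged here)
 * @return array  array('error' => bool, 'error_msg' => string); error_msg is
 *                $lang['Password_not_complex'] followed by a comma-separated
 *                list of the rules that failed, or '' when all rules pass
 */
function validate_complex_password ($username, $password)
{
    global $board_config, $lang;

    $ret = false;
    $reasons = array();

    // Minimum length. strlen() counts bytes, as the original did; a value of
    // 0 / unset disables the rule (the original "< 0" could never be true).
    $min_len = intval($board_config['min_password_len']);
    if ( $min_len > 0 && strlen($password) < $min_len )
    {
        $ret = true;
        $reasons[] = sprintf($lang['Password_to_short'], $min_len);
    }

    // Password must differ from the username. Compared case-insensitively:
    // "Alice" as the password for user "alice" is no harder to guess than an
    // exact match, and the original loose == comparison had no such check.
    if ( $board_config['password_not_login'] && strcasecmp($username, $password) == 0 )
    {
        $ret = true;
        $reasons[] = $lang['Password_not_same'];
    }

    // Must contain at least one letter and at least one digit. The original
    // character classes also contained '.', so a password like "......"
    // satisfied both checks; the classes are now letters-only and digits-only.
    if ( $board_config['force_complex_password'] )
    {
        if ( !preg_match('/[a-zA-Z]/', $password) || !preg_match('/[0-9]/', $password) )
        {
            $ret = true;
            $reasons[] = $lang['Password_mixed'];
        }
    }

    // $msg_explain was never initialised in the original, which raised a
    // notice on the first ".=".
    $msg_explain = ( count($reasons) > 0 ) ? $lang['Password_not_complex'] . implode(', ', $reasons) : '';

    return array('error' => $ret, 'error_msg' => $msg_explain);
}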
#
#-----[ OPEN ]------------------------------------------
#
includes/usercp_register.php
#
#-----[ FIND ]------------------------------------------
#
if ( !empty($new_password) && !empty($password_confirm) )
{
#
#-----[ AFTER, ADD ]------------------------------------------
#
// validate that the password is complex
// Reject the new password when it fails the board's complexity rules
// (validate_complex_password is added to includes/functions_validate.php by
// this MOD). A failing check appends its explanation to $error_msg, separated
// from any earlier message by a line break.
$result = validate_complex_password($username, $new_password);
if ( $result['error'] )
{
    $error = TRUE;
    $error_msg = ( isset($error_msg) ? $error_msg . '<br />' : '' ) . $result['error_msg'];
}
#
#-----[ OPEN ]------------------------------------------
#
# (make sure to edit this file for every language your admin uses).
language/lang_english/lang_admin.php
#
#-----[ FIND ]------------------------------------------
#
// That's all Folks!
// -------------------------------------------------
#
#-----[ AFTER, ADD ]------------------------------------------
#
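// Added by the Protect useraccount mod (admin board-config labels).
// Only the Max_login_error* and Block_time* keys are wired into
// admin/admin_board.php so far. The original assigned 'Min_pasword_explain'
// four times (and repeated the Min_password lines), so the explanations for
// the complex-password and password-not-login settings were lost; they now
// get their own *_explain keys, following the existing naming convention, so
// the admin form can read them once it is completed. 'Min_pasword_explain'
// keeps its original spelling on purpose.
$lang['Max_login_error'] = 'Block user on wrong login';
$lang['Max_login_error_explain'] = 'If a user submits a wrong password more often than this, the account is blocked for a time';
$lang['Block_time'] = 'Block account time';
$lang['Block_time_explain'] = 'Number of minutes the account is blocked after more wrong passwords than specified in "Block user on wrong login"';
$lang['Min_password'] = 'Minimum password length';
$lang['Min_pasword_explain'] = 'If a password is shorter than this value, it is not accepted';
$lang['Complex_password'] = 'Force complex password';
$lang['Complex_password_explain'] = 'Password must consist of both alpha and numeric values';
$lang['Password_not_login'] = 'password != login';
$lang['Password_not_login_explain'] = 'Password must be different from the username';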
#
#-----[ OPEN ]------------------------------------------
#
admin/admin_board.php
#
#-----[ FIND ]------------------------------------------
#
"L_ENABLE_PRUNE" => $lang['Enable_prune'],
#
#-----[ AFTER, ADD ]------------------------------------------
#
'L_BLOCK_TIME' => $lang['Block_time'],
'L_BLOCK_TIME_EXPLAIN' => $lang['Block_time_explain'],
'L_MAX_LOGIN_ERROR' => $lang['Max_login_error'],
'L_MAX_LOGIN_ERROR_EXPLAIN' => $lang['Max_login_error_explain'],
#
#-----[ FIND ]------------------------------------------
#
"PRUNE_NO" => $prune_no,
#
#-----[ AFTER, ADD ]------------------------------------------
#
'BLOCK_TIME' => $new['block_time'],
'MAX_LOGIN_ERROR' => $new['max_login_error'],
#
#-----[ OPEN ]------------------------------------------
#
# (make sure to edit this file for every theme your admin uses).
templates/subSilver/admin/board_config_body.tpl
#
#-----[ FIND ]------------------------------------------
#
<td class="row2"><input type="radio" name="allow_namechange" value="1" {NAMECHANGE_YES} /> {L_YES} <input type="radio" name="allow_namechange" value="0" {NAMECHANGE_NO} /> {L_NO}</td>
</tr>
#
#-----[ AFTER, ADD ]------------------------------------------
#
<tr>
<td class="row1">{L_MAX_LOGIN_ERROR}<br /><span class="gensmall">{L_MAX_LOGIN_ERROR_EXPLAIN}</span></td>
<td class="row2"><input type="text" size="4" maxlength="4" name="max_login_error" value="{MAX_LOGIN_ERROR}" /></td>
</tr>
<tr>
<td class="row1">{L_BLOCK_TIME}<br /><span class="gensmall">{L_BLOCK_TIME_EXPLAIN}</span></td>
<td class="row2"><input type="text" size="4" maxlength="4" name="block_time" value="{BLOCK_TIME}" /></td>
</tr>
#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM
#
#-----[ FIND ]------------------------------------------
#
if( md5($password) == $row['user_password'] && $row['user_active'] )
#
#-----[ BEFORE, ADD ]------------------------------------------
#
if ($row['user_badlogin']<$board_config['max_login_error'] || $row['user_blocktime']<time() )
{
Kann mir jemand helfen?