I wanted to ask whether phpBB Security 1.0.1 is any good?
Due to the fact coding opens exploits, it is inevitable, I am making
and releasing this security mod for phpBB-based boards. The problem
is with phpBB, if you have admin level, you have full access to
everything on the site. Which is only a problem because exploits
allow malicious script kiddies to make themselves admins or make admin
accounts. So I plan to render that issue here.
#====
#==== v1.0.0
#====
-> Extra login box on admin panel, so even if you have admin access,
you still can not access the admin panel to delete users, delete
posts, rename things, etc.. This is controlled by a .htaccess file &
a .phpbbsecurty file holding the info. There is no way in this mod
for admins to change this info, that would make it pointless & allow
for some admins to lock other admins out etc. Please read the bottom
of the install for instructions on how to set up your username & password.
-> Limit the amount of tries an account can be failed. Meaning inputting
the wrong username & password on an account. The amount is set by the
admin. If this number is exceeded, the account is locked.
-> Added a security question and answer to the users table. Every user
will have to add this. It is built into the script to redirect anyone
who has not added this info to their profile so they can update it.
-> Force a user to unlock their account with the security question and
answer provided. If the account is locked, when they try to login, they
will be informed it's locked & given a link to unlock it. From there they
have to input the username & email on account to see the security question.
Then they have to answer the question. The answers are stored as an MD5
hash so no one can see what people's answers are. Security purposes. If
they get it right, the account becomes unlocked & they can then login.
-> Admin notification feature. If an account becomes locked, the mod
will dispatch a PM to an admin; who it is sent to is configured
in the ACP. This feature has an off switch, so if you don't care to know
when accounts get locked, switch this off. You will also receive an
email notice regarding this as well.
-> For security purposes, users can not change their security question
or answer. If they wish to change it, they need to contact an admin and
have the admin reset their SQ info.
-> Added some blocking features; this mod will try to help block attacks
such as DDoS, Clike, UNION & SQL Injection attacks.
-> Admins have the capability to lock or unlock anyone's account in the
User Management admin. They can also reset a user's SQ & SA info from
there.
-> Auto ban IPs that are caught trying to use UNION, SQL Injection, Clike
or DDoS tricks. Admin chooses to use this feature or not.
-> Keep sessions table rows under a certain amount. Admins can choose this
amount in the ACP. If the sessions table exceeds this amount of sessions, the
oldest ones will be deleted until it's under the set amount.
-> Keeps track of everyone who attempts to attack your site. These are stored in
a table so they can be viewed. It tracks what they try to do, what time,
and how many times they tried to do it. You can choose to display these
results if you like.
-> Block unadded admins. The board owner will set up a field, the field name
is chosen by them, so a script kiddie can not retrieve it as it will not be
a dynamic field name. Then the board owner will choose a number (the number
of admins on the board). Any admins that exceed this number will be blocked
from the site. So if you have 4 admins, you set the number to 4, and a kid
comes along, injects himself an admin account into the DB, this script will keep
him out, as you allow 4 & he makes 5. This feature can be enabled or disabled
only by the oldest admin on the board.
-> Same thing as the above but for moderators.
#====
#==== V1.0.1
#====
-> Added protection against fopen(), so people can not remotely open files.
-> Added protection against fwrite(), so people can not remotely write to files.
-> Added protection against system(), which appears to let people execute Perl scripts.
-> Added protection against the CBACK Worm including:
rush=echo%20_START_
%20cd%20
%20wget
and many others this worm uses to get into sites.
-> Added the ability to use any/all of the features via ACP. Also with this is the option to
auto ban, block or ignore any of them.
-> Added the ability to pm or email the admin to be notified, or neither.
-> Added the ability to allow users to change their SQ info, ACP controlled to allow this, not
recommended.
-> Added pagination to the caught page, also added the link they used when they were caught.
#==== Other Suggested Mods
-> Registration IP
-> Advanced IP Tracker
-> IP Search
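As an added illustration (not the mod's own code, and not phpBB's), the following Python models two of the checks the changelog above describes: the failed-attempt lockout with security-question unlock, and the "block unadded admins" cap, which the same function also applies to moderators. The account fields, the constructed sample accounts, the thresholds and the normalisation of answers before hashing are all assumptions; the MD5 storage mirrors what the changelog states.

```python
"""Model of two phpBB Security checks: login lockout + unlock, and the
privileged-account cap. Stand-alone, no database; all data is constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    level: str           # "user", "mod" or "admin"
    joined: int          # registration order; lower means older account
    sq_answer_md5: str   # MD5 of the security answer (as the mod stores it)
    failures: int = 0
    locked: bool = False


def answer_hash(answer: str) -> str:
    # Assumption: trim and lower-case before hashing so " Rover " == "rover".
    return hashlib.md5(answer.strip().lower().encode("utf-8")).hexdigest()


def record_failed_login(acct: Account, max_tries: int) -> bool:
    """Count a bad username/password attempt; lock once max_tries is reached."""
    acct.failures += 1
    if acct.failures >= max_tries:
        acct.locked = True
    return acct.locked


def unlock_with_answer(acct: Account, answer: str) -> bool:
    """Unlock only if the hashed answer matches; constant-time compare."""
    if hmac.compare_digest(answer_hash(answer), acct.sq_answer_md5):
        acct.locked, acct.failures = False, 0
        return True
    return False


def excess_privileged(accounts, level: str, allowed: int):
    """Usernames holding `level` beyond the `allowed` oldest ones.

    Anyone listed here is what the changelog calls an 'unadded' admin or
    moderator: the account exists in the table but was not one of the N
    the board owner configured, so it is denied and worth alerting on."""
    ranked = sorted((a for a in accounts if a.level == level),
                    key=lambda a: a.joined)
    return [a.username for a in ranked[allowed:]]


if __name__ == "__main__":
    # Constructed sample: two legitimate admins, one injected later.
    table = [Account("root", "admin", 1, ""), Account("bob", "admin", 2, ""),
             Account("mod1", "mod", 3, ""), Account("kid", "admin", 9, "")]
    print("blocked admins:", excess_privileged(table, "admin", 2))
```

Note that an unsalted MD5 of a short, guessable answer is trivially brute-forced offline if the table leaks, so a real deployment would use a slow, salted hash for the answer exactly as it would for the password.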