prevent password (account) sharing


Ruth
07-17-2001, 04:24 PM
Could someone help me with this hack please? I am trying to prevent password sharing in vB. The hack is based on:

(a) limiting access to a specific account to one IP address at the same time.

(b) if there is more than one IP address for the same account at the same time, the account will be reported to the administrator.

(c) limiting access to one account to a number of IPs/day; for example, if there are more than 10 IPs/account/day the account is reported and/or deleted.

Thanks

AaronB
07-17-2001, 04:39 PM
You could present problems with IP restrictions. I, for example, login from home and work each day... so I have 2 IP's that I would come from and be reported every day.

Most modem users and all AOL users will get a different IP each time they log on. So if I have to get on and off because a family member needs the phone, I could have umpteen IPs each day as a result.

I'm not positive on this one, but I think you can actually switch IPs with AOL while in a session. They can change your IP just from clicking from page to page.

Ruth
07-17-2001, 04:55 PM
, for example, login from home and work each day...

true but you wouldn't be using this at the same time i.e you will not be at home and work at the same time.


Dynamic ips

I myself use a dynamic IP, that's why I asked for this option to be reported at least if not deleted, so that I can compare the IP addresses. Dynamic IPs will result in the last 3 numbers changing...

111.222.333.444 (444 in this case and sometimes 333) but it will be under the same company which is AOL for example.

also if you can set the number of ips/day to a certain number say 10/15/20 ips depending on the nature of users, before an account that can be deleted (if you want this option, otherwise reporting in dynamic ip community)

cheers,

JGraham9382
07-17-2001, 06:49 PM
If someone made this I would DEFINITELY implement this in my board... plus I would kiss their feet... lol...

BradC
07-17-2001, 07:35 PM
I always thought that.. all ISP and everyone had a common ip..

lets say I have 207.1.7.222..

I always thought that at least 207.*.*... was the same, it was the number after that..

MrLister
07-17-2001, 08:07 PM
it is. users on cable almost always start with 24.*.*.*

GameCrash
07-17-2001, 08:16 PM
Why don't you work with cookies? It would be easier and better (I think)...

Ruth
07-17-2001, 08:45 PM
There are 2 types of IPs:

(1) Static IP
where the whole ip is the same...this is found on cable users...

(2) Dynamic IP
where the last few numbers change, but the DNS of the ip will show the same company (ISP), this is found on most dial up connections, and it changes with every new connection.

(3) Nevermind IP Spoofing

Why don't you work with cookies? It would be easier and better (I think)...

GameCrash, i can't understand exactly how you want to use cookies for that purpose.

The idea of this hack is very protective for vB, for a simple question which is "what would be the case if 2 users logged to the same account in vB at the same time with 2 different ips?

Is there any security in vB for that?
Will it report this to the admin?
Will it delete the account?

All this will result in the account being abused, especially when it is not that easy to be a member of a certain vB, like mine :D

cheers,

dabean
07-17-2001, 09:45 PM
You shouldn't assume that the first section of IP address will not change because most of the larger ISPs have IP allocations in completely different blocks. For example the US cable co roadrunner could dynamically allocate you a 24.x or a 65.x another example is aol where you could get 152.x or a 205.x or 172.x etc....

Secondly if the isp or the person browsing is using a proxy there is always the risk of recording the proxy address not the actual users address. In theory all proxies should forward the user ip but in reality many don't including some "transparent" proxies used by ISPs.

Ruth
07-17-2001, 10:02 PM
For example the US cable co roadrunner could dynamically allocate you a 24.x or a 65.x another example is aol where you could get 152.x or a 205.x or 172.x etc....

as i mentioned before in this case the DNS will show the same for the company or ISP

the person browsing is using a proxy

Again, each user will have a limit of 10/15/or 20 IPs/day, and after at least a week of recording the IPs, you will know if that's a regular IP (or proxy) used by that user.

And why are you making it so complicated, take life easy, how many people will use a proxy? and if you find someone using a proxy s/he will probably use it forever (instead of showing the regular ip) not only for my vB!

take the idea of the script easy...start by understanding the need for detecting 2 users logging at the same time with the same account...don't go further...at least for now :D

cheers,

Ruth
07-19-2001, 02:17 PM
Anyone?

VirtueTech
07-19-2001, 02:37 PM
This hack would be very very useful.

I too would implement this on my boards in a heart beat. ;)

dabean
07-19-2001, 04:28 PM
You could achieve (a) by firstly modifying the session table to contain a field called "active". Then with the new field added it becomes as simple as setting active to 1 every time a new session is created and most importantly setting "active" of all other sessions for that userid that have a different IP address to 0. e.g. (UPDATE session SET active=0 WHERE userid='$bbuserinfo[userid]' AND host!='$REMOTE_ADDR')

Now for the really clever part when a user requests anything you just check to see if the session they are using has been deactivated, if it’s been deactivated you’ve caught simultaneous browsing from different IP addresses.

To achieve (b) Create two new tables (master/detail relationship) called say abuseevent and abusedetail. The reason for using a master detail relationship is it allows for any number of simultaneous sessions.
In abuseevent record the actual abuse e.g. userid, time & abuseid (auto increment)
In abusedetail record each of the IP addresses that were active at the time e.g. abuseid, IP address & abusedetailid (auto increment)

I’ll leave part (c) for someone else to figure out as the solution is extremely involved, personally I would write the code necessary to do parts (a), (b) before even thinking about all extra logic needed for part (c).
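The scheme dabean describes above, parts (a) and (b), together with the simplest reading of Ruth's part (c) from the opening post, as an added example that is not code from this thread or from vBulletin. It models the vB 2.x session table (userid, host, lastactivity) in SQLite with Python rather than PHP; the "active" flag and the abuseevent/abusedetail tables are the ones proposed in the thread, and the iplog table, SESSION_TIMEOUT and the sample logins are assumptions of this example.

```python
# Added example: dabean's "active" flag on the session table plus the
# abuseevent/abusedetail tables, modelled in SQLite with Python rather
# than vBulletin's PHP. session.userid/host/lastactivity mirror the vB 2.x
# session table; active, abuseevent and abusedetail are the additions
# proposed in the thread, iplog is assumed here for the per-day count.
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE session (
    sessionhash  TEXT PRIMARY KEY,
    userid       INTEGER NOT NULL,
    host         TEXT NOT NULL,
    lastactivity INTEGER NOT NULL,
    active       INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE abuseevent (
    abuseid INTEGER PRIMARY KEY AUTOINCREMENT,
    userid  INTEGER NOT NULL,
    time    INTEGER NOT NULL
);
CREATE TABLE abusedetail (
    abusedetailid INTEGER PRIMARY KEY AUTOINCREMENT,
    abuseid       INTEGER NOT NULL REFERENCES abuseevent(abuseid),
    host          TEXT NOT NULL
);
CREATE TABLE iplog (   -- assumed: one row per login, used for the per-day count
    userid INTEGER NOT NULL,
    host   TEXT NOT NULL,
    time   INTEGER NOT NULL
);
"""
SESSION_TIMEOUT = 900  # seconds a session still counts as live without activity


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def start_session(db, userid, host, now):
    """Part (a): open a session and deactivate the account's sessions that
    come from any *other* host. Two sessions from one host are left alone."""
    sessionhash = secrets.token_hex(16)
    db.execute(
        "INSERT INTO session (sessionhash, userid, host, lastactivity, active)"
        " VALUES (?, ?, ?, ?, 1)", (sessionhash, userid, host, now))
    db.execute("UPDATE session SET active = 0 WHERE userid = ? AND host <> ?",
               (userid, host))
    db.execute("INSERT INTO iplog (userid, host, time) VALUES (?, ?, ?)",
               (userid, host, now))
    db.commit()
    return sessionhash


def check_request(db, sessionhash, now):
    """Run on every page request. A request on a deactivated session means
    the account was in use from two hosts at once: part (b) records the
    event with every host the account is live from, then drops the
    deactivated session so the incident is reported once. Returns the
    abuseid, or None when nothing was detected."""
    row = db.execute("SELECT userid, active FROM session WHERE sessionhash = ?",
                     (sessionhash,)).fetchone()
    if row is None:
        return None
    userid, active = row
    db.execute("UPDATE session SET lastactivity = ? WHERE sessionhash = ?",
               (now, sessionhash))
    if active:
        db.commit()
        return None
    abuseid = db.execute("INSERT INTO abuseevent (userid, time) VALUES (?, ?)",
                         (userid, now)).lastrowid
    hosts = db.execute(
        "SELECT DISTINCT host FROM session WHERE userid = ? AND lastactivity > ?",
        (userid, now - SESSION_TIMEOUT)).fetchall()
    db.executemany("INSERT INTO abusedetail (abuseid, host) VALUES (?, ?)",
                   [(abuseid, host) for (host,) in hosts])
    db.execute("DELETE FROM session WHERE sessionhash = ?", (sessionhash,))
    db.commit()
    return abuseid


def hosts_for_event(db, abuseid):
    """Detail rows for one abuse event, as the admin report would list them."""
    return sorted(host for (host,) in db.execute(
        "SELECT host FROM abusedetail WHERE abuseid = ?", (abuseid,)))


def distinct_hosts_last_day(db, userid, now):
    """Part (c) in its simplest form: distinct hosts the account logged in
    from during the past 24 hours, to compare against a per-day limit."""
    (n,) = db.execute(
        "SELECT COUNT(DISTINCT host) FROM iplog WHERE userid = ? AND time > ?",
        (userid, now - 86400)).fetchone()
    return n


if __name__ == "__main__":
    db = open_db()
    home = start_session(db, 42, "10.0.0.5", 1000)    # constructed sample logins
    work = start_session(db, 42, "192.0.2.77", 1060)
    print(check_request(db, work, 1070))               # work session is still active
    event = check_request(db, home, 1120)              # home session was deactivated
    print(event, hosts_for_event(db, event))
    print(distinct_hosts_last_day(db, 42, 1130))
```

The deactivated session is deleted once it has been reported, which logs the first host out and keeps one event per incident; without that step every further click on the stale session would add another abuseevent row. Two sessions from the same host never deactivate each other, so a user who simply opens a second browser window is not reported.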

Ruth
07-20-2001, 03:52 PM
Thanks for your reply dabean,

i like your theory, but due to the fact that i lack complete knowledge about php, i am unable to decide how to modify tables, and what templates and php files to change.

About part (c) , there is an already made hack about mass delete users (made by Blue2000) and can be found at

http://www.vbulletin.com/forum/showthread.php?threadid=10108&perpage=15&pagenumber=1

i asked for these option to be added
I am wondering if someone can add these 2 options to this hack:

(1) instead of deleting users, you may have the option to transfer them to another group (say inactive users)

(2) Delete users that have a number of IPs/day; for example, if someone has 30 IPs/day, the account is more likely to be abused, therefore it can delete the account.

which would be easier i think to add the option (C)

so the theory is there for the script, only professional coders needed now :D

please coders support this script by sharing your codes, and those who are not coders, support the script by saying that you want this script so bad ;)

cheers,

VirtueTech
07-20-2001, 05:26 PM
Originally posted by Ruth
(1) instead of deleting users, you may have the option to transfer them to another group (say inactive users)



Kier made this hack to mass move users in and out of usergroups:
http://www.vbulletin.com/forum/showthread.php?s=&threadid=13687

MattR
07-20-2001, 05:33 PM
Would you have to enter another column? I would think something like this:

every time a page is requested:


SELECT COUNT(*) AS number
FROM session
WHERE userid = $bbuserinfo[userid]
  AND lastactivity > $browsertimeout   -- session.lastactivity (lastvisit is a user-table column);
                                       -- $browsertimeout = now minus the session timeout

if ($result['number'] > 1) {
    UPDATE user SET usergroupid = some_id_for_dup_user_acct
    WHERE userid = $bbuserinfo[userid]
}


this would then block the account and at the end of the day you could look at the users in that account, perform reporting, etc.

Or if you wanted to be tricky, you could alter the UPDATE SESSION query to ignore IP and just use USERID..
UPDATE session SET blah
WHERE userid = $bbuserinfo[userid]

then check mysql_num_rows_affected (or whatever the function is). If it updates more than one row, you have two userids in there.

Ruth
07-22-2001, 05:06 PM
Cool Ideas ...

someone told me that it is better and easier to use SSI (Server Side Includes) to prevent password sharing

tell me what you think?

Wayne Luke
07-22-2001, 06:49 PM
Originally posted by Ruth
Cool Ideas ...

someone told me that it is better and easier to use SSI (Server Side Includes) to prevent password sharing

tell me what you think?

Except that you can't use SSI on dynamically generated pages used in PHP. At least not easily. Since you already have dynamic programmatically generated pages why bother introducing another layer of unneeded complexity?

Ruth
07-23-2001, 11:41 PM
Except that you can't use SSI on dynamically generated pages used in PHP. At least not easily. Since you already have dynamic programmatically generated pages why bother introducing another layer of unneeded complexity?

wluke, i guess you are right, i didn't mention that i'm using php with this.



SELECT COUNT(*) AS number
FROM session
WHERE userid = $bbuserinfo[userid]
  AND lastactivity > $browsertimeout   -- session.lastactivity (lastvisit is a user-table column);
                                       -- $browsertimeout = now minus the session timeout

if ($result['number'] > 1) {
    UPDATE user SET usergroupid = some_id_for_dup_user_acct
    WHERE userid = $bbuserinfo[userid]
}


MattR
(1) where shall i insert this code? in member.php (start login) and include the member.php in everypage ? or insert it in every page?

(2) how can you look at the blocked account or report it automatically?

Thanks guys :)

Wayne Luke
07-24-2001, 12:00 AM
Member.php really has nothing to do with logging in.. Sure it has an action there to account for it, but that is just to show a template and do the proper redirects.

You could enter it in every file but that is kind of redundant and unmaintainable.

The file you are looking for is session.php. This file handles the logging in of every member whether from form or cookie and more importantly it controls the session table where the information you need is located.

A little pseudo code of how I would do it is:

logging in:
    check userid
    if userid exists in session table:
        redirect to error page
        increment invalid login counter
        if max invalid logins reached:
            lock account (flag on user table)
    else:
        continue with login and proceed
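Wayne Luke's login-time check above, as an added example that is not code from this thread or from vBulletin, again modelled in SQLite with Python rather than PHP. user.userid and session.userid/host/lastactivity mirror vB 2.x; the columns user.invalidlogins and user.locked stand in for the "invalid login counter" and the "flag on user table" from the pseudocode and are named here by assumption. Two choices are this example's own, not the post's: a live session from the same host as the new login is ignored (so a user whose browser crashed can log back in), and sessions idle for longer than SESSION_TIMEOUT are ignored (so a session that was never logged out does not lock its owner out for good).

```python
# Added example: Wayne Luke's login gate, modelled in SQLite with Python.
# user.invalidlogins / user.locked, MAX_INVALID_LOGINS, SESSION_TIMEOUT and
# the sample attempts are assumptions of this example, not vBulletin's.
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE user (
    userid        INTEGER PRIMARY KEY,
    invalidlogins INTEGER NOT NULL DEFAULT 0,
    locked        INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE session (
    sessionhash  TEXT PRIMARY KEY,
    userid       INTEGER NOT NULL,
    host         TEXT NOT NULL,
    lastactivity INTEGER NOT NULL
);
"""
MAX_INVALID_LOGINS = 3   # lock the account on the third rejected login
SESSION_TIMEOUT = 900    # seconds after which an idle session no longer counts


def open_db(userids):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO user (userid) VALUES (?)", [(u,) for u in userids])
    db.commit()
    return db


def login(db, userid, host, now):
    """Gate a login for userid from host. Returns 'ok' (session created),
    'rejected' (account already live from another host) or 'locked'."""
    row = db.execute("SELECT locked FROM user WHERE userid = ?", (userid,)).fetchone()
    if row is None:
        raise ValueError("unknown userid")
    if row[0]:
        return "locked"
    (live,) = db.execute(
        "SELECT COUNT(*) FROM session"
        " WHERE userid = ? AND host <> ? AND lastactivity > ?",
        (userid, host, now - SESSION_TIMEOUT)).fetchone()
    if live:
        # account is live from a different host: count the attempt and lock
        # once the limit is reached (only an admin clears the counter here)
        db.execute("UPDATE user SET invalidlogins = invalidlogins + 1"
                   " WHERE userid = ?", (userid,))
        (attempts,) = db.execute(
            "SELECT invalidlogins FROM user WHERE userid = ?", (userid,)).fetchone()
        if attempts >= MAX_INVALID_LOGINS:
            db.execute("UPDATE user SET locked = 1 WHERE userid = ?", (userid,))
            db.commit()
            return "locked"
        db.commit()
        return "rejected"
    db.execute(
        "INSERT INTO session (sessionhash, userid, host, lastactivity)"
        " VALUES (?, ?, ?, ?)", (secrets.token_hex(16), userid, host, now))
    db.commit()
    return "ok"


def invalid_logins(db, userid):
    (n,) = db.execute("SELECT invalidlogins FROM user WHERE userid = ?",
                      (userid,)).fetchone()
    return n


if __name__ == "__main__":
    db = open_db([7])
    attempts = [("10.0.0.5", 1000), ("192.0.2.77", 1200),   # constructed attempts
                ("192.0.2.77", 1300), ("192.0.2.77", 1400), ("10.0.0.5", 1500)]
    for host, t in attempts:
        print(host, t, login(db, 7, host, t))
```

Because the check runs in the login path rather than on every page, it cannot see a second user who already holds a valid session cookie; it only stops the next login from a different host. The session-side check earlier in the thread covers that case, and the two fit together.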

Ruth
07-24-2001, 12:13 AM
Thanks for your reply wluke, i needed that info :)

if userid exists in session table
redirect to error page


i'm not sure about this, but if the user is not using cookies, will this command still work?


Also, i guess i have to include the sessions.php with the global.php in every page, so is this the correct code to add?


require('./global.php');
require('./admin/sessions.php');


Thanks :)

Wayne Luke
07-24-2001, 01:00 AM
Well Sessions.php handles all logins.. Also it is included in "global.php".

Ruth
07-24-2001, 01:09 AM
(1) so if i add only this code

require('./global.php');

this will be sufficient ?


(2) and what about this code, if the user is not using cookies, will this still work?


if userid exists in session table

thanks :)

Wayne Luke
07-24-2001, 05:42 AM
Yes it will work.. Even when they don't use cookies they have to be assigned a sessionhash when they log in.

Ruth
07-24-2001, 10:29 PM
cp interface

Ruth
07-24-2001, 10:31 PM
When someone clicks on report NOW!

here is a list if report (A)

tell me what you all think? :)

PS. Don't forget to check the previous post (attachment)

VirtueTech
07-26-2001, 07:59 AM
Awesome :)

VirtueTech
08-02-2001, 11:22 AM
Any update on this?

Ruth
08-03-2001, 04:04 AM
Any update on this?

thanks for your interest VirtueTech, but due to lack of php knowledge, i am unable to do anything with the script, but i will promise you when i get hold of php, this is the 1st script i will do, unless coders will help us now :D

and i noticed the Admin's log in 2.0.3 CP, which i think will make this hack easier to code.

i need it badly just like you do :(

and thanks to the people who rated this thread as best, but now coders needed :D

Cheers,

Ruth
08-24-2001, 05:04 AM
:::Bump:::

DarkReaper
08-25-2001, 05:06 PM
Um..I see the pics for this but where's the hack itself? I'd really like this one. :)

TuPPerWaR
08-27-2001, 05:12 PM
me2 ! Look really awesome!

And I could use it right now... my board has just been hacked by 1 user, I found him, and banned him from the board... but he is back, with a new username, e-mail, password... maybe a new IP! :(

So I'll just say, keep up the work with this hack! ;)

Heineken77
10-08-2001, 05:29 PM
Any progress on this hack for v2.0.3? :)

This would be SWEET!!

Demetris
10-09-2001, 10:37 AM
How i need this badly as i've been hacked all weekend

Keep us updated with this one

VirtueTech
10-14-2001, 09:33 PM
Any further advancements on this hack?

:)

Heineken77
10-14-2001, 09:37 PM
Not from what I've heard, but I really wish there would be!! :D

Baratator
11-08-2001, 12:41 PM
I'm sooooooooooooooooooooo interested in this hack, please tell us how it is going?????

I cannot wait anymore :)

TheUnforgiven
11-08-2001, 06:34 PM
i will help .. if you want to send my what you have so far

exodus
12-03-2001, 04:27 AM
Instead of checking IPs, why not have it just check hostnames? If a user comes from more than one hostname. It would be great for AOL users and such. The only problem with it is if you have a TON of site hits your DNS server will have a lot of stress looking up the names.

Fusion
03-21-2002, 04:41 PM
Originally posted by VirtueTech
Kier made this hack to mass move users in and out of usergroups:
http://www.vbulletin.com/forum/showthread.php?s=&threadid=13687

Any reason why this thread would show up as inaccessible?

Neo
03-21-2002, 04:53 PM
look at the link....... it says.. www.vbulletin.com...... this site is org ;)

malc
05-22-2002, 03:09 PM
:D Bump :D

NeutralGold
10-13-2002, 04:33 PM
I think the best and only *Real* way to do this would be to have it not let 2 different ips at once login to the forum as was mentioned above in a previous message. All the other suggestions that ive seen would cause problems in 1 way or the other.. This seems to be the only problem free solution that would actually be a good way to go..

jamoss
07-19-2003, 05:46 AM
I'm still working on this hack. I had a problem with AOL users, who could have a different IP address with each CLICK! Yes, I looked it up on the AOL developers' site. AOL determines which proxy server is the fastest and so the dynamic IP can change in the same session. My Vbull (Version 2.2.5) was creating a different session per click, too.

I think if you check for SAME USERID, DIFFERENT SESSION, DIFFERENT IP, it may work. I'll post something if I find it's working.

What I want to do is have the user show up as multiple on the home page user's list. That way EVERYONE can see if the same account is logged in twice. It will also encourage people to log off of their work PC when they are logging in at home.

Goat Boy
07-30-2003, 02:06 AM
Good stuff.

GB

KAC
02-07-2005, 09:31 PM
Has anything been completed with this hack ?

spaceb
03-19-2005, 05:32 AM
anything new ?