Could someone help me with this hack please? I am trying to prevent password sharing in vB. The hack is based on:
(a) limiting access to a specific account to one IP address at the same time.
(b) if there is more than one IP address for the same account at the same time, the account will be reported to the administrator.
(c) limiting access to one account to a number of IPs/day; for example, if there are more than 10 IPs/account/day the account is reported and/or deleted.
Thanks |
You could present problems with IP restrictions. I, for example, log in from home and work each day... so I have 2 IPs that I would come from and be reported every day.
Most modem users and all AOL users will get a different IP each time they log on. So if I have to get on and off because a family member needs the phone, I could have umpteen IPs each day as a result. I'm not positive on this one, but I think you can actually switch IPs with AOL while in a session. They can change your IP from just clicking from page to page. |
Quote:
Quote:
111.222.333.444 (444 in this case and sometimes 333) but it will be under the same company, which is AOL for example. Also, if you can set the number of IPs/day to a certain number, say 10/15/20 IPs depending on the nature of users, before an account that can be deleted (if you want this option, otherwise reporting in dynamic IP community) cheers, |
If someone made this I would DEFINITELY implement this in my board...plus I would kiss their feet...lol...
|
I always thought that.. all ISPs and everyone had a common IP..
Let's say I have 207.1.7.222.. I always thought that at least 207.*.*... was the same, it was the number after that.. |
It is. Users on cable almost always start with 24.*.*.*
|
Why don't you work with cookies? It would be easier and better (I think)...
|
There are 2 types of IPs:
(1) Static IP, where the whole IP is the same...this is found on cable users...
(2) Dynamic IP, where the last few numbers change, but the DNS of the IP will show the same company (ISP); this is found on most dial-up connections, and it changes with every new connection.
(3) Never mind IP spoofing
Quote:
The idea of this hack is very protective for vB, for a simple question which is "what would be the case if 2 users logged in to the same account in vB at the same time with 2 different IPs?" Is there any security in vB for that? Will it report this to the admin? Will it delete the account? All this will result in the account being abused, especially when it is not that easy to be a member of a certain vB, like mine :D cheers, |
You shouldn't assume that the first section of IP address will not change because most of the larger ISPs have IP allocations in completely different blocks. For example the US cable co roadrunner could dynamically allocate you a 24.x or a 65.x another example is aol where you could get 152.x or a 205.x or 172.x etc....
Secondly, if the ISP or the person browsing is using a proxy, there is always the risk of recording the proxy address, not the actual user's address. In theory all proxies should forward the user IP, but in reality many don't, including some "transparent" proxies used by ISPs. |
Quote:
Quote:
And why are you making it so complicated, take life easy, how many people will use a proxy? and if you find someone using a proxy s/he will probably use it forever (instead of showing the regular ip) not only for my vB! take the idea of the script easy...start by understanding the need for detecting 2 users logging at the same time with the same account...don't go further...at least for now :D cheers, |
Anyone?
|
This hack would be very very useful.
I too would implement this on my boards in a heartbeat. ;) |
You could achieve (a) by firstly modifying the session table to contain a field called active. Then with the new field added it becomes as simple as setting active to 1 every time a new session is created and, most importantly, setting active of all other sessions for that userid that have a different IP address to 0, e.g. (UPDATE session SET active=0 WHERE userid=$bbuserinfo[userid] AND host!='$REMOTE_ADDR')
Now for the really clever part: when a user requests anything you just check to see if the session they are using has been deactivated. If it's been deactivated, you've caught simultaneous browsing from different IP addresses.
To achieve (b), create two new tables (master/detail relationship) called, say, abuseevent and abusedetail. The reason for using a master/detail relationship is that it allows for any number of simultaneous sessions. In abuseevent record the actual abuse, e.g. userid, time & abuseid (auto increment). In abusedetail record each of the IP addresses that were active at the time, e.g. abuseid, IP address & abusedetailid (auto increment).
I'll leave part (c) for someone else to figure out as the solution is extremely involved; personally I would write the code necessary to do parts (a), (b) before even thinking about all the extra logic needed for part (c). |
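The scheme in the post above, sketched as an added example that is not part of the original thread or of vBulletin's own code: Python's sqlite3 stands in for the MySQL session table, the table and column names follow the post, and deleting the reported session is an assumption made here so that one overlap produces one abuse event. The queries are parameterized rather than built by string interpolation.

```python
import sqlite3

# Table and column names follow the post; SQLite stands in for MySQL here.
SCHEMA = """
CREATE TABLE session (sessionhash TEXT PRIMARY KEY, userid INTEGER,
                      host TEXT, active INTEGER NOT NULL DEFAULT 1);
CREATE TABLE abuseevent (abuseid INTEGER PRIMARY KEY AUTOINCREMENT,
                         userid INTEGER, time INTEGER);
CREATE TABLE abusedetail (abusedetailid INTEGER PRIMARY KEY AUTOINCREMENT,
                          abuseid INTEGER, ipaddress TEXT);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def create_session(db, sessionhash, userid, host):
    """Part (a): deactivate the user's sessions from other IPs, then add this one."""
    db.execute("UPDATE session SET active = 0 WHERE userid = ? AND host != ?",
               (userid, host))
    db.execute("INSERT INTO session (sessionhash, userid, host, active) "
               "VALUES (?, ?, ?, 1)", (sessionhash, userid, host))

def check_request(db, sessionhash, now):
    """Return True if the session may continue; on a deactivated session,
    record the abuse (part b) and return False."""
    row = db.execute("SELECT userid, active FROM session WHERE sessionhash = ?",
                     (sessionhash,)).fetchone()
    if row is None:
        return False          # unknown or already-reported session
    userid, active = row
    if active:
        return True
    ips = [r[0] for r in db.execute(
        "SELECT DISTINCT host FROM session WHERE userid = ?", (userid,))]
    cur = db.execute("INSERT INTO abuseevent (userid, time) VALUES (?, ?)",
                     (userid, now))
    db.executemany("INSERT INTO abusedetail (abuseid, ipaddress) VALUES (?, ?)",
                   [(cur.lastrowid, ip) for ip in ips])
    # Assumption: drop the stale session so one overlap yields one event.
    db.execute("DELETE FROM session WHERE sessionhash = ?", (sessionhash,))
    return False

if __name__ == "__main__":
    db = open_db()
    create_session(db, "s1", 7, "192.0.2.10")     # constructed sample data
    create_session(db, "s2", 7, "198.51.100.5")   # same user, second IP
    print(check_request(db, "s1", now=1000))      # old session was deactivated
    print(db.execute("SELECT * FROM abusedetail").fetchall())
```

A member whose home session is still alive when they log in from work is flagged by this logic too, which is the false-positive case raised earlier in the thread.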
Thanks for your reply dabean,
I like your theory, but due to the fact that I lack complete knowledge about PHP, I am unable to decide how to modify tables, and what templates and PHP files to change. About part (c), there is an already made hack about mass delete users (made by Blue2000) and it can be found at http://www.vbulletin.com/forum/showt...5&pagenumber=1 I asked for this option to be added
Quote:
so the theory is there for the script, only professional coders needed now :D please coders support this script by sharing your codes, and those who are not coders, support the script by saying that you want this script so bad ;) cheers, |
Quote:
Kier made this hack to mass move users in and out of usergroups: http://www.vbulletin.com/forum/showt...threadid=13687 |
Would you have to enter another column? I would think something like this:
every time a page is requested:
Code:
SELECT count( * ) AS number
Or if you wanted to be tricky, you could alter the UPDATE SESSION query to ignore IP and just use USERID..
UPDATE session SET blah WHERE userid = $bbuserid[ userid ]
then check mysql_num_rows_affected (or whatever the function is). If it updates more than one row, you have two userids in there. |
Cool Ideas ...
Someone told me that it is better and easier to use SSI (Server Side Includes) to prevent password sharing. Tell me what you think? |
Quote:
|
Quote:
PHP Code:
(1) Where shall I insert this code? In member.php (start login) and include member.php in every page? Or insert it in every page?
(2) How can you look at the blocked account or report it automatically?
Thanks guys :) |
Member.php really has nothing to do with logging in.. Sure it has an action there to account for it, but that is just to show a template and do the proper redirects.
You could enter it in every file but that is kind of redundant and unmaintainable. The file you are looking for is session.php. This file handles the logging in of every member whether from form or cookie and more importantly it controls the session table where the information you need is located. A little pseudo code of how I would do it is: Code:
logging in |
Thanks for your reply wluke, I needed that info :)
Quote:
Also, I guess I have to include the sessions.php with the global.php in every page, so is this the correct code to add? PHP Code:
|
Well Sessions.php handles all logins.. Also it is included in "global.php".
|
(1) So if I add only this code
require('./global.php');
will this be sufficient?
(2) And what about this code: if the user is not using cookies, will this still work?
Quote:
|
Yes it will work.. Even when they don't use cookies they have to be assigned a sessionhash when they log in.
|
1 Attachment(s)
cp interface
|
1 Attachment(s)
When someone clicks on report NOW!
here is a list if report (A). Tell me what you all think? :) PS. Don't forget to check the previous post (attachment) |
Awesome :)
|
Any update on this?
|
Quote:
and I noticed the Admin's log in 2.0.3 CP, which I think will make this hack easier to code. I need it badly just like you do :( and thanks to the people who rated this thread as best, but now coders needed :D Cheers, |
:::Bump:::
|
Um..I see the pics for this but where's the hack itself? I'd really like this one. :)
|
Me too! Looks really awesome!
And I could use it right now... my board has just been hacked by 1 user. I found him, and banned him from the board... but he is back, with a new username, e-mail, password... maybe a new IP! :( So I'll just say, keep up the work with this hack! ;) |
Any progress on this hack for v2.0.3? :)
This would be SWEET!! |
How I need this badly, as I've been hacked all weekend
Keep us updated with this one |
Any further advancements on this hack?
:) |
Not from what I've heard, but I really wish there would be!! :D
|
I'm sooooooooooooooooooooo interested with this hack, pleeassee tell us how it is going ?????
I cannot wait anymore :) |
I will help .. if you want to send me what you have so far
|
Instead of checking IPs, why not have it just check hostnames? If a user comes from more than one hostname. It would be great for AOL users and such. The only problem with it is if you have a TON of site hits, your DNS server will have a lot of stress looking up the names.
|
Quote:
|