vb.org Archive


woodmj 03-01-2015 08:55 AM

Add Login To HVM Config Options
 
Hi, is there any way I can add login to the list of configurable Human Verification options in VB4.2.2? I'd just like to put a dent in the mass brute force login attempts happening on my forum. Banning IP blocks and proxies doesn't seem to work. Maybe hackers are using fake IPs.

kh99 03-01-2015 10:26 AM

Of course it can be done, but there is no simple way like setting an option or editing a template. It would take some coding and possibly some file changes. You could post a request in Modification Requests/Questions (Unpaid), or in Requests for Paid Services if you want to pay someone to do it.

bridge2heyday 03-01-2015 09:42 PM

vBulletin has a Strikes system, and it is very effective against brute force attacks.

kh99 03-02-2015 10:51 AM

That's a good point. I was thinking woodmj wanted additional security, but it could be that some people don't know about that.

woodmj 03-02-2015 11:34 AM

My thinking is I'm getting waves of brute force attacks against member accounts that still persist past the VB strikes system, after blocking China etc in Apache and installing an anti-proxy mod. I'm guessing the hacking programs are just passing random values directly to login.php so I wondered if popping in some form of Captcha that needed to be satisfied before you could talk to login.php might slow the attacks down. For instance I use Q&A HVM on my registrations that has worked well for much time but it would be nice to apply that to accessing login.php as well.

kh99 03-02-2015 11:37 AM

OK, I think that does make sense, because probably any change in the login process will be enough to stop the attacks. Maybe if I have time later I'll look to see how hard that would be. One thing I can see right away is that the main login above the navbar will have to go to another page to do the HV.

woodmj 03-02-2015 11:45 AM

Ok. Any help/thoughts would be greatly appreciated.

kh99 03-02-2015 11:53 AM

And I'll say this before someone else does: some people will find it annoying to have anything extra to do when logging in. But I have an idea to reduce that. One is to make an option only to show it after one or two failures, so that it isn't there at first but kicks in before the strikes. Another would be to monitor any "strike outs" on any user name, and start showing the HV only if the lockouts hit a certain rate (like X in the past hour or whatever).

woodmj 03-02-2015 12:15 PM

One thing I have noticed is I don't seem to be able to collate the attacks effectively with VBSecurity as far as IPs go, as the IPs just seem to be random or faked to look like a member one, which just leads to members getting locked out and the hackers carrying on hacking.

kh99 03-02-2015 12:18 PM

Yeah, I'm curious about that. As someone on vbulletin.com mentioned, I guess there's been a new wave of attacks because there's a new database of usernames and passwords going around. So I suppose it could include IP addresses as well. I also don't know how it could be faked, but if that's what you're seeing then there must be a way.

woodmj 03-02-2015 12:30 PM

Yes. I've been talking about it over at vb.com also.

Starts off with your members starting to receive the auto emails from the VB software warning them of 5 strike attempts. The 1st few I thought nothing of and just reminded the members about choosing a good strong password for their account. But the numbers increased and increased stressing the members and me out at which point I was alerted to the problem. Then I saw that post over at vb.com and totally related to it.

I did for the 1st few times when I saw member IPs wonder whether they might have virus/malware on their PCs so asked them to check but then the numbers got so high it wasn't feasible anymore unless all their PCs were infected.

woodmj 03-05-2015 08:35 AM

Thinking further on this, I wonder if there are any other login systems that can be used with VB4.2.2? I'm sure I remember Ubuntu use a different login system on their VB forum?

Getting the mails from members asking to delete their accounts as they've received a warning from the VB strikes system due to hackers trying to guess their passwords. The waves of hacking attempts still persist. Feel like a bit of a sitting duck.

kh99 03-05-2015 10:47 AM

I had an idea after reading your post this morning. I think I can add HV to the "You have entered an invalid username or password." error screen, so that users will get one try before that appears. That solves the problem of what to do if they're logging in from the navbar and don't have a chance to do the HV thing. Hopefully I'll have it working some time today.
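The two triggers kh99 describes in this thread (HV only after a failed attempt, and HV for everyone once lockouts reach a certain rate), as an added standalone sketch. It is not kh99's mod and not vBulletin code; the class name, method names and thresholds are assumptions, and counters are keyed on username rather than IP because the thread reports attacker IPs that look random.

```python
import time
from collections import defaultdict, deque


class HvGate:
    """Decides when a login attempt must pass human verification (HV)."""

    def __init__(self, free_failures=1, strike_limit=5, lockout_rate=3, window=3600):
        self.free_failures = free_failures  # failures allowed before HV appears
        self.strike_limit = strike_limit    # failures that lock the account
        self.lockout_rate = lockout_rate    # lockouts per window that turn HV on for all
        self.window = window                # sliding window, in seconds
        self.failures = defaultdict(deque)  # username -> failure timestamps
        self.lockouts = deque()             # timestamps of account lockouts

    def _prune(self, q, now):
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, username, now=None):
        now = time.time() if now is None else now
        q = self.failures[username.lower()]
        self._prune(q, now)
        q.append(now)
        if len(q) == self.strike_limit:     # count each lockout once
            self.lockouts.append(now)

    def record_success(self, username):
        self.failures.pop(username.lower(), None)

    def hv_required(self, username, now=None):
        now = time.time() if now is None else now
        self._prune(self.lockouts, now)
        if len(self.lockouts) >= self.lockout_rate:
            return True                     # lockout rate is high: HV on every login
        q = self.failures.get(username.lower(), deque())
        self._prune(q, now)
        return len(q) >= self.free_failures # otherwise only after a failed try


if __name__ == "__main__":
    gate = HvGate()
    # Constructed sample: three usernames each struck out within a few seconds.
    for i, name in enumerate(["member1", "member2", "member3"]):
        for _ in range(5):
            gate.record_failure(name, now=100 + i)
    print(gate.hv_required("member4", now=200))  # member4 never failed a login
```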

kh99 03-05-2015 08:25 PM

Did you have a chance to try the version I sent?

If anyone else is interested in this mod and wants to test an early version, send me a PM.

woodmj 03-06-2015 08:24 AM

Have PM'd you, kh99.


Quote:

Originally Posted by kh99 (Post 2539629)
Did you have a chance to try the version I sent?



All times are GMT. The time now is 06:32 AM.
