Need to find the security leak! Hack request concept inside.

[magnus]

Would it be possible to lock an account to an IP? For example, each user has an "IP Pool" that is allowed to access their account. For example, if I tried to login from a friend's house using my l/p, it would deny the access. However, from a legit IP, I could add my friend's IP to the IP Pool, thus allowing me access from his home.

Unfortunately, I've had to resort to such drastic ideas/measures to try to find the leak in my moderating team. Plus, I think it could help deter future issues.

Is this possible? Is anyone willing to undertake this task? There has to be a few security nuts out there who would get use out of this as well.

[JulianD]

That would require some sort of hack. Though it's a very neat idea for boards with a very high concept of security.

[Zzed]

A few of my moderators had gotten their passwords compromised and the person who did it broadcasted the contents of our moderator forum on other boards.

I incorporated a few additional security levels on top of the existing ones, and one of them was this particular "trusted host" hack for accessing the private forums.

Unfortunately for personal reasons I have not published this hack.

[Logician]

Here you go:

1- First create a new user profile field in your admincp, make it admin viewable/editable only, note its ID.

2- Create a new template (in all template sets) with this name: "error_unallowedip". Its content is:
"Your IP is not in the allowed IP pool for this user!"

edit functions.php, find:

PHP Code:

global $enablebanning,$banip,$webmasteremail,$session; 


Replace it as:

PHP Code:

global $enablebanning,$banip,$webmasteremail,$session,$bbuserinfo; 


find:

PHP Code:

    $addresses=explode(" ", preg_replace("/[[:space:]]+/", " ", $banip) );
    while (list($key,$val)=each($addresses)) {
      if (strstr(" ".$ipaddress," ".trim($val))!="") {
        eval("standarderror(\"".gettemplate("error_banip")."\");");
      }
    }
  } 


AFTER THAT add:

PHP Code:

$banip2 = trim($bbuserinfo['fieldX']);
    if ($banip2 and $bbuserinfo['userid']>0)
    {
        $ipaddress=getenv("REMOTE_ADDR");
        $addresses2=explode(" ", preg_replace("/[[:space:]]+/", " ", $banip2) );
            while (list($key,$val)=each($addresses2)) 
            {
            if (trim($val) AND substr($ipaddress,0,strlen(trim($val)))==trim($val)) {$IPallowed=1;}
            }
        if ($IPallowed==0) {eval("standarderror(\"".gettemplate("error_unallowedip")."\");");}
    } 


(Replace X with your userprofilefield ID!)

Now you can enter allowed IPs for any member to the userprofile field in their edit user page in your admin cp. Seperate IPs with space and you can use partial IP's too. If you enter IPs to this field for a user, user will be disallowed access if his IP does not match to any IPs in that pool. If you leave that field blank or if user is guest, he won't be affected by this hack.

Enjoy.

[magnus]

Logician, thank you! I appreciate your work, I'll get to adding this right away.

[magnus]

Quick question, are IP's separated by a comma or space? Do I use * for a wildcard, or just leave it empty? (ie. "205.245.74.*" or "205.245.74." )

I've implemented it, and it works great. Before I start adding IP's permanently, I just want to be sure.

[Logician]

works just like default IP ban section in vb settings. So seperate by space and use blank for wildcard.

Eg.
128.0.0.1
128.0.0.
128.0.
128.

etc.

[magnus]

Excellent, thank you again. It works flawlessly.

[magnus]

Logician, a good point was raised today. Would this be easily implemented to a single forumid (or even forum category) rather than the whole board?

Personally, I think denying access completely is the best bet. But some of my more trusted mods have expressed a desire to lock only the Admin section as opposed to everything for convenience sake.

[Logician]

yeah that can be done but I'd say stick with this version. If you remove the hack from the entire board and apply to certain sections that you either need to hack many sections (thread view, print view, forum display, mod cp, admin cp, mod commands ie postings.php etc) or miss a few sections that are not covered by the hack which would defy the purpose of the hack.