HTTP Authentication by User / pass / ip ranges

ok , this is the first hack i post around here so i hope im doing it ok
if not mods please fix me :P
ok, this hack is ment for closed comunity of vbulltien forums that want exstra security against unwelcome guests

this hack adds HTTP Authentication which change acording to username / password

to make the security bit higher i added ip ranges part - mean every users got ip range and if his ip is not wellcome then its not let him in
(can help abit against shared account).

ok so lets start

// run this db query

PHP Code:

ALTER TABLE user ADD ipmasks varchar(250) NOT NULL default ''; 


// open the file admincp/user.php

find :

PHP Code:

print_input_row($vbphrase['email'], 'user[email]', $user['email'], 0); 


below it add :

PHP Code:

print_input_row('ip masks', 'user[ipmasks]', $user['ipmasks'], 0); 


save the file and upload it back to your server

ok, now u got 2 options :
option1 - put it only in root dir
option2 - put itin root and on admincp/modcp dir

ok
if option 1 then
// open root/global.php

find :

PHP Code:

require_once('./includes/init.php'); 


Below it add :

PHP Code:

//HTACCESS Hack + IP restriction
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Restricted area"');
    header("HTTP/1.0 401 Unauthorized");
    echo "Unauthorized login attempts are logged.\n";
    echo "bla";
    exit;
} else {
    //checking database
    $userinf=$DB_site->query_first("SELECT user.password,user.userid,user.salt FROM user WHERE username='$_SERVER[PHP_AUTH_USER]'");
    $isvalidip=0;
    if($userinf['userid']){
        // if user exists check if ip is valid $REMOTE_ADDR
        $validip=$DB_site->query_first("SELECT ipmasks FROM user WHERE userid='$userinf[userid]'");
        $validip=explode(" ",$validip['ipmasks']);
        foreach($validip as $testip){
            if ($testip=='') { continue; }
            if (strstr($REMOTE_ADDR,$testip)==$REMOTE_ADDR || stristr(gethostbyaddr($REMOTE_ADDR),$testip)==$testip){
                $isvalidip=1;
                break;
            }
        }
    }
    //checking if the user login is ok & that he connects from a valid ip
    
        $salt = $userinf['salt'];
        $pass = $userinf['password'];
        $userp = md5(md5($_SERVER['PHP_AUTH_PW']) . $salt);
        
    

        
    if ($pass != $userp) {
        //we have a looser:)
        header('WWW-Authenticate: Basic realm="Restricted area"'); 
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Unauthorized login attempts are logged.\n";
        exit;
    }elseif(!$isvalidip){
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Your Ip is not allowed here...Unauthorized login attempts are logged.\n";
        exit;
    }
}
//HTACCESS Hack + IP restriction (end) 


save the file and upload it back to your server

now if u want option 2 then :

open includes/init.php

find :

PHP Code:

    $DB_site->connect($servername, $dbusername, $dbpassword, $usepconnect); 


Below it add :

PHP Code:

//HTACCESS Hack + IP restriction
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Restricted area"');
    header("HTTP/1.0 401 Unauthorized");
    echo "Unauthorized login attempts are logged.\n";
    echo "bla";
    exit;
} else {
    //checking database
    $userinf=$DB_site->query_first("SELECT user.password,user.userid,user.salt FROM user WHERE username='$_SERVER[PHP_AUTH_USER]'");
    $isvalidip=0;
    if($userinf['userid']){
        // if user exists check if ip is valid $REMOTE_ADDR
        $validip=$DB_site->query_first("SELECT ipmasks FROM user WHERE userid='$userinf[userid]'");
        $validip=explode(" ",$validip['ipmasks']);
        foreach($validip as $testip){
            if ($testip=='') { continue; }
            if (strstr($REMOTE_ADDR,$testip)==$REMOTE_ADDR || stristr(gethostbyaddr($REMOTE_ADDR),$testip)==$testip){
                $isvalidip=1;
                break;
            }
        }
    }
    //checking if the user login is ok & that he connects from a valid ip
    
        $salt = $userinf['salt'];
        $pass = $userinf['password'];
        $userp = md5(md5($_SERVER['PHP_AUTH_PW']) . $salt);
        
    

        
    if ($pass != $userp) {
        //we have a looser:)
        header('WWW-Authenticate: Basic realm="Restricted area"'); 
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Unauthorized login attempts are logged.\n";
        exit;
    }elseif(!$isvalidip){
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Your Ip is not allowed here...Unauthorized login attempts are logged.\n";
        exit;
    }
}
//HTACCESS Hack + IP restriction (end) 


thats all

*WARNING - IN ANY WAY DONT USE BOTH OPTIONS
its will cuse to the page ask for several time the user/pass
and its will be very buggy.

note :
if user got dynamic ips for exsample :

143.229.64.58
143.229.78.99
145.88.45.68

just add it like that
143.229 145.88
with 1 space between each ip range
dont user * as wildcard.

thats all :P
if u got some qustions or anything , then im here to suport u guys.

Sorry for my very bad english.

[bloodcult]

i tried by myself, no result's at the moment... so anybody else will have a look for it?

[Isaiah33]

anyone would be nice if it auto log into forum also

[Wential]

You know what would be nice? A hack that checks the 1st IP # of the visiting user (Ex: 233.x.x.x) against the registration ip on file in the User database. This would require no inputing of data on the admins part. If it doesn't match, it kicks them out.

[miz]

Quote:

Originally Posted by Wential

You know what would be nice? A hack that checks the 1st IP # of the visiting user (Ex: 233.x.x.x) against the registration ip on file in the User database. This would require no inputing of data on the admins part. If it doesn't match, it kicks them out.

im sorry for not supporting this thread my linicence removed but its back now
ok so about the qoute , what if user changes his compeny ? or user have diff ip masks for exsample in israel netvision got something like 4 diff ip masks

Quote:

Originally Posted by bloodcult

nice hack, it's possible that the user logged in when they autenticate with this method?

you mean like when users put his user/pass on the http auth then its auto login him to forums ? well if the answer is yes then its not should be a problem just add query that will run login.php with username + password

note : dont use get methood cuse then you will have a major security problem

but if you want i think i can make your life bit more easy and do it for you

[Rodrigo]

you can also use hostmasks... like if the users hostmask ends with aol.com, you can also type this in the ipmasks field...

[Crank]

any more support for this thread?

[VriendP]

I hope so.

I also have another question about it. Suppose I had installed it partially (just added the ipmasks field), and I wanted to autofill this with the ip-information from the post table.

Such a thing would take time... so I figure a script to do this would be nice also.

[RDog14]

I placed TripLcixx's code in the global.php file... I get the authentication box, but it will not accept any username/password combination, any suggestions would be greatly appreciated.

Also,
Anything new with being able to auto-login? That would be great, but is a little above my head to develope right now.

Thanks

[Inferno Dragon]

can I use this hack to password protect a any individual directory within my forum for example: forums/songs ?

[sybakaos]

How do I redirect users instead of showing them the standard "Authentication Failed" message? (I'm using the shorter version of TripLcixx)?

Thanks!