HTTP Authentication by User / pass / ip ranges

ok , this is the first hack i post around here so i hope im doing it ok
if not mods please fix me :P
ok, this hack is ment for closed comunity of vbulltien forums that want exstra security against unwelcome guests

this hack adds HTTP Authentication which change acording to username / password

to make the security bit higher i added ip ranges part - mean every users got ip range and if his ip is not wellcome then its not let him in
(can help abit against shared account).

ok so lets start

// run this db query

PHP Code:

ALTER TABLE user ADD ipmasks varchar(250) NOT NULL default ''; 


// open the file admincp/user.php

find :

PHP Code:

print_input_row($vbphrase['email'], 'user[email]', $user['email'], 0); 


below it add :

PHP Code:

print_input_row('ip masks', 'user[ipmasks]', $user['ipmasks'], 0); 


save the file and upload it back to your server

ok, now u got 2 options :
option1 - put it only in root dir
option2 - put itin root and on admincp/modcp dir

ok
if option 1 then
// open root/global.php

find :

PHP Code:

require_once('./includes/init.php'); 


Below it add :

PHP Code:

//HTACCESS Hack + IP restriction
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Restricted area"');
    header("HTTP/1.0 401 Unauthorized");
    echo "Unauthorized login attempts are logged.\n";
    echo "bla";
    exit;
} else {
    //checking database
    $userinf=$DB_site->query_first("SELECT user.password,user.userid,user.salt FROM user WHERE username='$_SERVER[PHP_AUTH_USER]'");
    $isvalidip=0;
    if($userinf['userid']){
        // if user exists check if ip is valid $REMOTE_ADDR
        $validip=$DB_site->query_first("SELECT ipmasks FROM user WHERE userid='$userinf[userid]'");
        $validip=explode(" ",$validip['ipmasks']);
        foreach($validip as $testip){
            if ($testip=='') { continue; }
            if (strstr($REMOTE_ADDR,$testip)==$REMOTE_ADDR || stristr(gethostbyaddr($REMOTE_ADDR),$testip)==$testip){
                $isvalidip=1;
                break;
            }
        }
    }
    //checking if the user login is ok & that he connects from a valid ip
    
        $salt = $userinf['salt'];
        $pass = $userinf['password'];
        $userp = md5(md5($_SERVER['PHP_AUTH_PW']) . $salt);
        
    

        
    if ($pass != $userp) {
        //we have a looser:)
        header('WWW-Authenticate: Basic realm="Restricted area"'); 
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Unauthorized login attempts are logged.\n";
        exit;
    }elseif(!$isvalidip){
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Your Ip is not allowed here...Unauthorized login attempts are logged.\n";
        exit;
    }
}
//HTACCESS Hack + IP restriction (end) 


save the file and upload it back to your server

now if u want option 2 then :

open includes/init.php

find :

PHP Code:

    $DB_site->connect($servername, $dbusername, $dbpassword, $usepconnect); 


Below it add :

PHP Code:

//HTACCESS Hack + IP restriction
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Restricted area"');
    header("HTTP/1.0 401 Unauthorized");
    echo "Unauthorized login attempts are logged.\n";
    echo "bla";
    exit;
} else {
    //checking database
    $userinf=$DB_site->query_first("SELECT user.password,user.userid,user.salt FROM user WHERE username='$_SERVER[PHP_AUTH_USER]'");
    $isvalidip=0;
    if($userinf['userid']){
        // if user exists check if ip is valid $REMOTE_ADDR
        $validip=$DB_site->query_first("SELECT ipmasks FROM user WHERE userid='$userinf[userid]'");
        $validip=explode(" ",$validip['ipmasks']);
        foreach($validip as $testip){
            if ($testip=='') { continue; }
            if (strstr($REMOTE_ADDR,$testip)==$REMOTE_ADDR || stristr(gethostbyaddr($REMOTE_ADDR),$testip)==$testip){
                $isvalidip=1;
                break;
            }
        }
    }
    //checking if the user login is ok & that he connects from a valid ip
    
        $salt = $userinf['salt'];
        $pass = $userinf['password'];
        $userp = md5(md5($_SERVER['PHP_AUTH_PW']) . $salt);
        
    

        
    if ($pass != $userp) {
        //we have a looser:)
        header('WWW-Authenticate: Basic realm="Restricted area"'); 
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Unauthorized login attempts are logged.\n";
        exit;
    }elseif(!$isvalidip){
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Your Ip is not allowed here...Unauthorized login attempts are logged.\n";
        exit;
    }
}
//HTACCESS Hack + IP restriction (end) 


thats all

*WARNING - IN ANY WAY DONT USE BOTH OPTIONS
its will cuse to the page ask for several time the user/pass
and its will be very buggy.

note :
if user got dynamic ips for exsample :

143.229.64.58
143.229.78.99
145.88.45.68

just add it like that
143.229 145.88
with 1 space between each ip range
dont user * as wildcard.

thats all :P
if u got some qustions or anything , then im here to suport u guys.

Sorry for my very bad english.

[lasto]

cant believe mist this - will give it a test if it stops people sharing ips

cheers

Edit - if i add this how will members know the httaccess - will it auto be their username and password from the forums ?

[miz]

for exsample your usename is test and password is mytest
so htaxx user is test and htaxx password is mytest

btw its auto login u to forums so u wont be needed to login again in vbb script

[BarBeQue]

Euhm, this only works when someone actually enters the forums right?

Cause atm i have a .htaccess in the root of my forums dir to protect the root and all subdirs.
It only uses 1 fixed login user/pass.
I would like to have that one use the database userass info for each member. Any way to make that file check the userass info by using the database instead of the htaxx .passwd file?

[miz]

this is the hack i made
htaxx by user/pass
to make it work
remove your .htacces file

[Liquid1ce]

so if i dont include all the

Code:

 ALTER TABLE user ADD ipmasks varchar(250) NOT NULL default '';

+all to do with the ip masks it should just work against the account name/pass>?
if so this is alot simpler than the one in beta forums


:P works sweet thnx

[miz]

yes
if u do remove it then its can work with out the ips
i can write this for u if u wish..

[Armin]

@miz

you can a hack post only with user/pass what works without ip

PHP Code:

if (!isset($_SERVER['PHP_AUTH_USER'])) { 
    header('WWW-Authenticate: Basic realm="Restricted area"'); 
    header("HTTP/1.0 401 Unauthorized"); 
    echo "Unauthorized login attempts are logged.\n"; 
    echo "bla"; 
    exit; 
} else { 
    //checking database 
    $userinf=$DB_site->query_first("SELECT user.password,user.userid,user.salt FROM user WHERE username='$_SERVER[PHP_AUTH_USER]'"); 
}
//checking if the user login is ok 
     
        $salt = $userinf['salt']; 
        $pass = $userinf['password']; 
        $userp = md5(md5($_SERVER['PHP_AUTH_PW']) . $salt); 
                    
    if ($pass != $userp) { 
        //we have a looser:) 
        header('WWW-Authenticate: Basic realm="Restricted area"'); 
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Unauthorized login attempts are logged.\n"; 
        exit; 

    } 


so I think once, however, doesn't work on gold


what's wrong :devious:

[IceCUbe]

Is there an option to disable IP restriction for certain members ? Shall I try not putting anything in the IP Masks textbox ?

[shadow187]

Don't get this to work.....

It pops up the httpacces box were you fill in you're user/pass

but it comes back, don't think it will check the database for user and pass...

CAn anyone help me on this please...

S.