IntegraMOD

[AlaskaMat]

Thanks, Helter. I need adult supervision, sometimes!

[Helter]

lol...no problem. I think it is a bug in ctracker. It should not accept a null input.

[looser9]

to reset your users accounts, unzip and upload the attached file to your forum root, then browse to reset_login.php. Be sure to delete the file when finished. It will reset both phpBB security and CrackerTracker login tries.

What is going to be reset if I use this?

Only the locked accounts or is it also resetting e.g. Forum rules acknowledgement?


Yours, looser9

[Helter]

it resets phpbb's and Ctrackers "login attempt" counts which essentially unlocks all member accounts

[Teelk]

I need some clarification of the problem, can users not unlock their own accounts?

IntegraMOD 141 has tools that you should use right away to combat this.

Unfortunately, the most effective way to combat a brute force attack is by blocking IP's. I know, it sucks...

There are some steps you can do to help prevent a successful attack.

CrackerTracker isn't just here to look pretty, it does have some useful features. In Admin/CrackerTracker/Settings scroll down to the Check Password section and activate it, setting the number of days users have to change their passwords before their accounts are locked. Then, directly under this setting make sure the Password Complexity Check is Active and change the Password Complexity mode to something more complex. This forces users to change their password and forces them to come up with something that is difficult to "guess". Finally, I would change the Password Minimum Length to 8, any less then this and you're asking for trouble, any more and people will be cheesed.

Before you do any of this though, do this code change.

FIND

Code: Select all

$lang['ctracker_info_pw_expired']        = "The administrator has made adjustments so that a password may be valid only for <b>%s days</b>. days. We recommend for safety reasons that you change your password now. (<a>Profile</a>)";

REPLACE WITH

Code: Select all

$lang['ctracker_info_pw_expired']        = 'User account passwords expire in <b>%s days</b> days, after which user accounts will be locked if password is not changed. Please click (<a>HERE</a>) to change your password';

Change the code, cause there is a bug there that'll return error messages and won't actually tell your users to reset their passwords. The English is a little shoddy in that MOD, the author is German, and while his English is better then my German, I think that I'll rewrite the language file and post it soon.

We may find that we already have the tools we need to fight this, I don't think there is much more security out there to offer. There is only so much that you can do to prevent these weirdos.

[Helter]

Great to see you Teelk!
The mod I sent you is also available for phpBB3 and in that version you have the ability to block ip's and email addresses that have been reported to "block forum spam". We use it here. Youll find it in the acp/integramod section. I have not looked to deeply into the phpBB2 version that I sent you, but im hoping it is the same. Im hoping that if you can mod it for PCP it will be the knockout punch for these damn spammers.

is there a way using ctracker, to force reactivation when a users ip address has changed? It might be a pain for some users but often times an email with a reactivation link is much easier than captcha and far more secure

[MWE_001]

Holy Smokes! It's Teelk! Great to see you. I am glad you guys are working on this. I admin a couple other 1.4.1 sites and I have had an issue like this for a bit now.

[Teelk]

Thanks guys, good to see you too.

It's been a while so I wasn't aware that CrackerTracker didn't send an activation email. That seems like an obvious thing it should do. So, it just locks the account?

Unfortunately, the phpBB2 version of that MOD isn't quite as sophisticated. It just allows you to block profile items from users who haven't posted x amount of times. I'll look for the phpBB3 version and see if it's adaptable.

[Teelk]

Oops... I lied.

The version of that MOD that I had was extremely old. I'm not sure how I got such an old version. I found the latest one, and I'm working on integrating it. It introduces a new CAPTCHA, so it it'll interfere with CrackerTracker, might take some DIY to turn CT's CAPTCHA off to use this one. Maybe I can integrate them, I'm not sure right now. I"ve had some drinks lol... I'll work on it when I'm sobered up.

[Teelk]

Ok, this MOD does look good Helter, I've almost completed the IM version. It seems that CrackerTracker, phpBB Security, and Advanced Visual Confirmation are all fighting each other over dominance of one part of board security or another. I'm going to try and let the better ones dominate without completely rewriting all of 141's security. I'd prefer to move on to IM3 if at all possible in the near future.

One thing to do at the moment, if you want your users to be able to unlock their own accounts, let phpBB Security do it. Turn off CrackerTracker's login protection in the ACP. phpBB Security will ask the user for their Username, Email address, and the answer to their security question.

This isn't the ideal solution. What should happen is the password should be reset and an email with the new password should be sent to the user's email address. But, for the time being phpBB Security's solution should work ok.

[Helter]

sounds great Teelk! Your help with IM3 would be greatly appreciated by everyone as my time has been pretty tight lately and your skills are much better than mine <img>

[AlaskaMat]

One thing to do at the moment, if you want your users to be able to unlock their own accounts, let phpBB Security do it. Turn off CrackerTracker's login protection in the ACP. phpBB Security will ask the user for their Username, Email address, and the answer to their security question.

Teelk,
I did this, but have a new problem...users have forgotten their security answer. Is there a way for me to either reset their question/answer or provide them the chance to do so?
Thanks

[Teelk]

Well, you can but it is really not recommended. What you can do is unlock their accounts for them first, the go to Security>>settings in the ACP and enable allow users to change their SQ.

Then I would recommend making a global announcement using CrackerTracker, something along the lines of "Users have 3 days to change their Security Question." Then after the three days disable allow users to change their SQ.

[mspringgay]

Could someone one point me to the mod being discussed as potential solution to this problem as I too am getting hit repeatedly by locked accounts. Thanks!

[Teelk]

Unfortunately, the MOD won't do anyone any good. I've looked into it and the phpBB2 version of the MOD doesn't do much that IM 1.4.x doesn't already do.

If everyone is tired of locked accounts, go to their ACP>>Security>>Configuration.

Change Login Attemps to 99.

Then go to ACP>>CrackerTracker>>Settings and make sure that Login Protection System is activated. And change "Number of Logins up to the Visual Confirmation" to 1.

This shouldn't lock the account, but will force a CAPTCHA on user's next login. Unfortunately, this doesn't stop the brute force attacks, only IP banning will do that. I know it's a pain, but there really is no other option, and when I say that I mean no other option for anyone, whether they use IntegraMOD or any other system.

IP banning from an online list is a possibility, and I've done some work to try to integrate it. But, it's difficult to test, so no guarantees.

P.S. I do apologize for my previous advice about turning off CrackerTracker Login Protection System and letting phpBB Security handle login. But, I have just come back from a 3 year hiatus from IntegraMOD and am relearning much of it.