Login Security

Started by SMFHacks.com Team, October 14, 2009, 02:20:27 PM


vbgamer45

No changes except added support for SMF 2.0 final, so I need to update the version number.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

RoarinRow


SMF 2.0
TP 1.0 RC1.1
Wordpress 3.1.3

vbgamer45

Kolya

Quote from: vbgamer45 on June 12, 2011, 09:12:49 AM
No changes except added support for SMF 2.0 final, so I need to update the version number.

Version numbers are means to tell apart different versions of a software product, not medals of accomplishment.
That being said, thank you for updating this mod. It's appreciated.

Kimojuno

Hey vbgamer45,

Would it be possible to add an option so that instead of locking the account it would just ban the IP address? For example, after 4-5 fails (could be adjustable by the admin). This would be helpful.

Thanks,
Jeff. :)

vbgamer45

I would have to add that into the system at some point.

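Kimojuno's request above (after an adjustable number of failures, block the IP rather than lock the account) and the reports further down the thread about the attempt limit never triggering both come down to the same piece of logic: a failure counter keyed by IP with a counting window and a lockout duration. The PHP below is an added example written for this page, not code from the Login Security mod or its author; the class and method names, the in-memory store and the defaults (5 failures, 15-minute window and lock) are assumptions made for the example.

```php
<?php
// Added example, not code from the Login Security mod or its author: a
// per-IP failed-login counter with an adjustable threshold and lockout
// window, the behaviour Kimojuno asks for above. The backing store is an
// in-memory array so the logic can be read in one place; a deployment
// would key a database table by IP instead. All names and default values
// below are assumptions made for the example.

class IpLoginLimiter
{
    private $maxFailures;     // failures allowed inside the window before a lock
    private $windowSeconds;   // how far back failures are counted
    private $lockSeconds;     // how long the IP stays blocked (e.g. 15 minutes)
    private $store = array(); // ip => array('failures' => array(ts, ...), 'locked_until' => ts)

    public function __construct($maxFailures = 5, $windowSeconds = 900, $lockSeconds = 900)
    {
        $this->maxFailures   = max(1, (int) $maxFailures);
        $this->windowSeconds = (int) $windowSeconds;
        $this->lockSeconds   = (int) $lockSeconds;
    }

    // True while $ip is inside its lockout period. The login handler must
    // call this BEFORE checking the password, otherwise a correct guess
    // made during the lock still succeeds.
    public function isLocked($ip, $now)
    {
        return isset($this->store[$ip]) && $this->store[$ip]['locked_until'] > $now;
    }

    // Record one failed attempt for $ip at unix time $now. Returns the number
    // of seconds the IP is now locked for, or 0 if it is still under the limit.
    public function recordFailure($ip, $now)
    {
        if (!isset($this->store[$ip]))
            $this->store[$ip] = array('failures' => array(), 'locked_until' => 0);

        // Keep only the failures that are still inside the counting window.
        $recent = array();
        foreach ($this->store[$ip]['failures'] as $ts)
        {
            if ($ts > $now - $this->windowSeconds)
                $recent[] = $ts;
        }
        $recent[] = $now;

        if (count($recent) >= $this->maxFailures)
        {
            // Threshold reached: start the lock and reset the counter, so the
            // next lock needs a fresh run of failures after this one expires.
            $this->store[$ip] = array('failures' => array(), 'locked_until' => $now + $this->lockSeconds);
            return $this->lockSeconds;
        }

        $this->store[$ip]['failures'] = $recent;
        return 0;
    }

    // A successful login clears the failure count but never lifts an active lock.
    public function recordSuccess($ip)
    {
        if (isset($this->store[$ip]))
            $this->store[$ip]['failures'] = array();
    }
}

// Constructed walk-through: three failures from one address within a minute
// against a limit of 3, then the same address fifteen minutes later.
$limiter = new IpLoginLimiter(3, 900, 900);
$ip = '203.0.113.7'; // documentation-range address, constructed for the example
$t0 = 1700000000;
foreach (array(0, 20, 40) as $delta)
    $lockedFor = $limiter->recordFailure($ip, $t0 + $delta);
var_dump($lockedFor);                              // lock length returned by the third failure
var_dump($limiter->isLocked($ip, $t0 + 41));       // one second after the third failure
var_dump($limiter->isLocked($ip, $t0 + 40 + 900)); // fifteen minutes after the lock began
```

The "Sorry, you are out of login chances" message cellax runs into later in the thread is SMF's own session-based failed-login threshold, not the mod's; a client that drops its session cookie (or a proxy that does not keep one) starts that counter from zero on every attempt, which is why the count has to be kept server-side and keyed by something the client cannot reset. The flip side of keying it by IP is that everyone behind the same NAT address shares one counter, so the account-level lock the mod already has should stay in place alongside it.
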
Kimojuno

Quote from: vbgamer45 on June 14, 2011, 05:23:37 PM
I would have to add that into the system at some point.

Hey,

Thanks for the quick response.

Whenever you have a chance to add it is fine. :)

Jeff.

Kolya

#127
I just tested the mod and got the failed login email.

Quote
Hello Test123,
We have detected a failed login attempt on your account.

Matched forum members with same ip address:
Kolya


IP address of the failed login attempt: xxx.xxx.xxx.xxx

While this is mostly a very useful mod, providing security that should actually be part of SMF itself in the first place, I am highly critical of its feature to suggest other forum members by name as potential attackers and to provide their IP address.

Since the suggestion is based on IP address information, it is quite unreliable. No matter if it's correct or not, this practically screams for the victim to take matters into their own hands, e.g. PMing the other member who allegedly attacked their account, or even publicly accusing them of breaking into their account, leading to flame wars, etc.
If the suggestion is incorrect (which the victim has no way of knowing), we have another member being put into a guilty-until-proven-innocent situation. Additionally, their IP is exposed, putting them at risk of "counter" attacks.
In both cases Fear, Uncertainty and Doubt are produced on the forums. It's like a police squad hinting to the victim of a burglary at the name and address of someone who may have been the burglar.

Clearly this information belongs in the hands of the administration, not in the hands of forum members. An administrator could see if more attacks have been perpetrated from the same account and thereby verify whether a suspected forum member is an attacker. But currently administrators never get that info.

Kolya

#128
I have changed the mod to produce a more reasonable email notification about a failed login attempt:

Quote
Hello Test123,
We have detected a failed login attempt on your account.

If you want to inform the administrators, just reply to this email.

IP address of the failed login attempt: xxx.xxx.xxx.xxx

The changed code is as follows.
In Sources\Subs-LoginSecurity2.php
FIND

// Include any IP's that match other forum members....
$memberMatches = '';
if (!empty($IPmemberList))
{
$memberMatches = $txt['ls_matched_members'] . "\n" . $IPmemberList;
}

$msgBody = $txt['ls_failed_email_body'];
$msgBody = str_replace("%name",$emailRow['real_name'],$msgBody);
$msgBody = str_replace("%membermatches",$memberMatches ,$msgBody);
$msgBody = str_replace("%ip",$ip,$msgBody);

sendmail($emailRow['email_address'], $txt['ls_failed_email_subject'], $msgBody);


REPLACE WITH

// Include any IP's that match other forum members....
// $memberMatches = '';
// if (!empty($IPmemberList))
// {
// $memberMatches = $txt['ls_matched_members'] . "\n" . $IPmemberList;
// }

$msgBody = $txt['ls_failed_email_body'];
$msgBody = str_replace("%name",$emailRow['real_name'],$msgBody);
// $msgBody = str_replace("%membermatches",$memberMatches ,$msgBody);
$msgBody = str_replace("%membermatches",'If you want to inform the administrators, just reply to this email.' ,$msgBody);
$msgBody = str_replace("%ip",$ip,$msgBody);

sendmail($emailRow['email_address'], $txt['ls_failed_email_subject'], $msgBody);


This is just a quick fix. Certainly the author of this mod could cook up something better, by directly informing the admin in the error log.

cellax

#129
Hi, thanks for this mod, I love it. I am using it on SMF 2.0 gold; my mod settings are at their default values and the two checkboxes are unchecked.

I tried to force an account on my server from a proxy, but I had only the usual email check page, and after many login attempts I had this error:
Quote
Sorry, you are out of login chances. Please come back and try again later


It seems that the mod isn't working, isn't it? It isn't the mod's error message.

EDIT: I set Number of allowed login attempts to 2, but after 4 attempts I have never been blocked; in the error log I have 4 attempts, and my IP has never been blocked for 15 minutes (as it is set to).

Martingonnella

I set Number of allowed login attempts to 3, but after 6 attempts I have never been blocked. Is this working correctly? Can Gamer help please?

vbgamer45

Busy at the moment remind me in a couple weeks.

Martingonnella

Any help before that would be nice :-)

T3CHN0

Hi VBgamer,
I want to use this mod but have other security mods pre-installed.
The two files I am having problems with are these:
./Sources/LogInOut.php
This part of the code is OK. The silly thing is the missing "." at the end of the sentence > in my template
// Login Security Mod
if (isset($_REQUEST['securelogin']))
{
$_SESSION['secureloginhash'] = $_REQUEST['securelogin'];
}

// End Login Security Mod

// Set the login URL - will be used when the login process is done.

This part I have problems with:
// Challenge passed.
elseif ($_REQUEST['hash_passwrd'] == sha1($user_settings['passwd'] . $sc))
$sha_passwd = $user_settings['passwd'];
else
{
// Login Security Mod
require_once($sourcedir . '/Subs-LoginSecurity2.php');

// They failed login....
AddLoginFailure($user_settings['id_member']);

$loginSecurityErrorLogged = true;

// End Login Security Mod

and this part of the code in
./Themes/default/Profile.template.php
// Something to end with?
if (!empty($field['postinput']))
echo '
', $field['postinput'];

echo '
</td>
</tr>';

// Login Security Mod
if ($modSettings['ls_allow_ip_security'] && $key == 'real_name')
{
global $user_info;

echo '<tr>
<td><b>', $txt['ls_ip_address_protection'], ':</b></td>
<td>'
,$txt['ls_current_ip_address'],$user_info['ip'],'<br />
<br />
<input type="text" name="allowedips" size="30" value="', @$context['allowedips'], '" />
<br /><span class="smalltext">',$txt['ls_ip_address_protection_note'],'</span>
</td>
</tr>';
}

// End Login Security

// Allow the administrator to change the date they registered on and their post count.


Instead of trying to show you my code and having you tell me what to edit, I thought it might be easier for you just
to have a look at it, so I attached the two files for you....
No rush buddy, do it when you can. I will leave the install till you have time to have a look at the files.

cheers

rootuid

Hi,
does this email the user or the admin on the failed login attempts?

vbgamer45

floydpink

Brilliant mod! Helped me censure people sharing accounts without completely banning them. Thanks very much.

Quote from: qtime on October 30, 2009, 09:05:50 AM
Is it possible to enter more trusted IP's? or a range, using 127.*.*.* ?
Here's a hack to allow a range on the IP's fourth byte i.e. 127.123.123.*. The code is pretty obvious so you should be able to expand it for *.*.*
SMF 1.1.16, Mod 1.0.2.2
sources/Subs-LoginSecurity.php
Find
// Check if we have IP Security turned on
if (empty($modSettings['ls_allow_ip_security']))
return true;

// Get user's ip
$ip = $user_info['ip'];

Replace with
// Check if we have IP Security turned on
if (empty($modSettings['ls_allow_ip_security']))
return true;

// Get user's ip
$ip = $user_info['ip'];
// FLOYDPINK INSERT - IP Range Check; Create nnn.nnn.nnn.*
$ip_range=substr($ip, 0, strrpos($ip, ".")+1) . "*";

Find
// IP's where found make a list
$ipArray = explode(",",$ipRow['allowedips']);

if (in_array($ip, $ipArray) == true)
return true;

Replace with
// IP's where found make a list
$ipArray = explode(",",$ipRow['allowedips']);

if (in_array($ip, $ipArray) == true)
return true;
// FLOYDPINK INSERT - IP Range Check
elseif (in_array($ip_range, $ipArray) == true)
return true;

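The comma-separated allow list this hack extends can be matched more generally, so that floydpink's nnn.nnn.nnn.* form, shorter wildcards and a CIDR prefix all work without a second hard-coded in_array() call. The PHP below is an added example written for this page, not code from the Login Security mod or from floydpink; the function name, the trimming of whitespace around entries and the wildcard/CIDR syntax are my assumptions, and it is IPv4-only, like the mod's allowedips column.

```php
<?php
// Added example, not code from the Login Security mod or from floydpink:
// a more general matcher for the comma-separated allowedips list that the
// hack above extends. Besides exact addresses it accepts trailing-octet
// wildcards (192.0.2.*, 192.0.*.*) and CIDR prefixes (192.0.2.0/24).
// IPv4 only; the function name and the list format are assumptions.

// Returns true if $ip (dotted IPv4) matches at least one entry of $allowedList.
// Malformed entries are skipped, so a typo can never widen the allow list.
function ip_in_allowed_list($ip, $allowedList)
{
    $ipLong = ip2long(trim($ip));
    if ($ipLong === false)
        return false; // not a valid IPv4 address (e.g. IPv6): fail closed

    foreach (explode(',', $allowedList) as $entry)
    {
        $entry = trim($entry);
        if ($entry === '')
            continue;

        // CIDR entry: network/prefix-length
        if (strpos($entry, '/') !== false)
        {
            list($net, $bits) = explode('/', $entry, 2);
            $netLong = ip2long($net);
            // /0 would match every address on the internet; treat it as a typo
            if ($netLong === false || !preg_match('~^\d{1,2}$~', $bits) || $bits < 1 || $bits > 32)
                continue;
            $mask = ~((1 << (32 - (int) $bits)) - 1); // correct for 32- and 64-bit PHP ints
            if (($ipLong & $mask) === ($netLong & $mask))
                return true;
            continue;
        }

        // Wildcard entry: once a '*' appears, every later octet must be '*' too
        if (strpos($entry, '*') !== false)
        {
            $want = explode('.', $entry);
            if (count($want) !== 4)
                continue;
            $have = explode('.', long2ip($ipLong));
            $matched = true;
            $seenStar = false;
            foreach ($want as $i => $octet)
            {
                if ($octet === '*')
                    $seenStar = true;
                elseif ($seenStar || !preg_match('~^\d{1,3}$~', $octet) || (int) $octet !== (int) $have[$i])
                {
                    $matched = false;
                    break;
                }
            }
            if ($matched)
                return true;
            continue;
        }

        // Plain entry: exact address match, normalised through ip2long()
        if (ip2long($entry) === $ipLong)
            return true;
    }
    return false;
}

// Constructed list and lookups using documentation-range addresses.
$list = '198.51.100.7, 192.0.2.*, 203.0.113.0/28';
var_dump(ip_in_allowed_list('192.0.2.200', $list));  // address under the wildcard entry
var_dump(ip_in_allowed_list('203.0.113.20', $list)); // address outside the /28
var_dump(ip_in_allowed_list('2001:db8::1', $list));  // an IPv6 address
```

Two points worth keeping if this is dropped into Subs-LoginSecurity.php: an IPv6 client or an unparsable entry can never widen the list (both paths fail closed, so on a forum that already has IPv6 visitors the caller has to decide what to do with them before they reach this function), and entries are trimmed, which the mod's own explode(",", ...) does not do, so a list typed as "1.2.3.4, 5.6.7.8" matches the second address here but not in the original.
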
floydpink

Here's a couple of enhancements that might also be useful.

Insert error message using restricted member's id rather than guest so that error appears in member's profile
SMF 1.1.16, Mod 1.0.2.2
sources/Subs-LoginSecurity.php
Find
// Maybe they get a bypass link or not???
if (CheckForSecureLoginLink($memberID) == false)
{
// IP not found give them a big error message!
$loginInText = str_replace("%link", $scripturl . '?action=login2;sa=securelink;mem=' . $memberID, $txt['ls_invalid_ip']);

Add After
// FLOYDPINK INSERT - Force log_errors to insert record for attempted login user rather than guest
global $ID_MEMBER;
$ID_MEMBER = $memberID;


Display IP Restriction on profile summary
sources/profile.php
Find
// They haven't even been registered for a full day!?
$days_registered = (int) ((time() - $user_profile[$memID]['dateRegistered']) / (3600 * 24));
if (empty($user_profile[$memID]['dateRegistered']) || $days_registered < 1)
$context['member']['posts_per_day'] = $txt[470];
else
$context['member']['posts_per_day'] = comma_format($context['member']['real_posts'] / $days_registered, 3);

Add Before
// FLOYDPINK INSERT - Login Security Restriction
// Login Security
$allowedips = '';
if ($modSettings['ls_allow_ip_security'])
{
global $db_prefix;
$dbresult = db_query("
SELECT
allowedips
FROM {$db_prefix}login_security
WHERE ID_MEMBER = " . $memID, __FILE__, __LINE__);
$numRows = mysql_num_rows($dbresult);
// We are not going to do anything since they don't have any settings defined
if ($numRows != 0)
{
$ipRow = mysql_fetch_assoc($dbresult);
$allowedips = $ipRow['allowedips'];
}
mysql_free_result($dbresult);
}
// Make the value visible to the template, which reads $context['member']['allowedips']
$context['member']['allowedips'] = $allowedips;
// End Login Security


themes/default/profile.template.php
Find
// If the person looking is allowed, they can check the members IP address and hostname.
if ($context['can_see_ip'])
{
echo '
<tr>
<td width="40%">
<b>', $txt[512], ': </b>
</td><td>
<a href="', $scripturl, '?action=trackip;searchip=', $context['member']['ip'], '" target="_blank">', $context['member']['ip'], '</a>
</td>
</tr><tr>
<td width="40%">
<b>', $txt['hostname'], ': </b>
</td><td width="55%">
<div title="', $context['member']['hostname'], '" style="width: 100%; overflow: hidden; font-style: italic;">', $context['member']['hostname'], '</div>
</td>
</tr>';

Add After
// FLOYDPINK INSERT - Login Security Restriction
if (!empty($context['member']['allowedips']))
echo '
<tr>
<td width="40%"></td><td>
<span style="color: red;font-size: small;">Login restricted to ', $context['member']['allowedips'], '</span>
</td>
</tr>';

Note: The coded message 'Login restricted to ' should really be moved to a language file to allow multi-language support

vbgamer45

Thanks floydpink for the code snippets I really like the ip range to allow access.

floydpink

Here's some code that restricts the USE of an account to the IP, not just the login.
It specifically addresses the situation where someone uses a mobile device to log in 'forever' from the prescribed IP and then takes that mobile device elsewhere and is able to access the forum from a non-prescribed IP (WiFi hotspot, 3G etc.) because the SMF session is still valid.
It might not have much use for a user who sets their own restriction, but it is a powerful tool for an administrator wanting to place the restriction, e.g. if it is established that a user is allowing an unauthorised third party to view private areas of a forum using the mobile device, the restriction limits that user's access to an IP that has been established as a bona fide IP at which that user is known to be the real user.
Initially, the user sees the login error message, after which they are redirected to the login page.
Notes: The code has been developed with the 'secure login' function disabled - so a user's ability to reset the restriction via email may be affected - and is based on the Security.php 'is_not_banned' function.

SMF 1.1.16, Mod 1.0.2.2
/index.php
Find
// Check if the user should be disallowed access.
is_not_banned();

Add After

// Floydpink INSERT - Login Security - Restrict usage
global $ID_MEMBER;
if(isset($ID_MEMBER) && !$user_info['is_guest'])
{
require_once($sourcedir . '/Subs-LoginSecurity.php');
CheckAllowedIP($ID_MEMBER);
}


sources/Subs-LoginSecurity.php
Find
global $txt, $db_prefix, $modSettings, $scripturl, $user_info;

Add After
global $ID_MEMBER, $sourcedir; //Floydpink INSERT - Login Security - Restrict usage

Find
// Check if we have IP Security turned on
if (empty($modSettings['ls_allow_ip_security']))
return true;

Add After

// Floydpink INSERT - Login Security - Restrict usage
if (isset($_SESSION['ipchecked']['notallowed']) && $_SESSION['ipchecked']['notallowed'] && !$user_info['is_guest'])
{
$_SESSION['logout_url'] = 'action=login';
require_once($sourcedir . '/LogInOut.php');
Logout(true);
}
elseif (!isset($_SESSION['ipchecked']['ID_MEMBER']) || $_SESSION['ipchecked']['ID_MEMBER'] != $ID_MEMBER || $_SESSION['ipchecked']['ip'] != $user_info['ip'])
{
$_SESSION['ipchecked'] = array(
'ID_MEMBER' => $ID_MEMBER,
'ip' => $user_info['ip'],
'notallowed' => 0,
);
// Floydpink END INSERT

Find
$loginInText = str_replace("%link", $scripturl . '?action=login2;sa=securelink;mem=' . $memberID, $txt['ls_invalid_ip']);

// Log error needed because we are including html link!!!
log_error($loginInText);

Add After
// Floydpink INSERT - Login Security - Restrict usage
$_SESSION['ipchecked'] = array(
'notallowed' => true,
);

Find
// Display error
fatal_error($loginInText,false);

}
}

Add After
} // Floydpink INSERT - Login Security - Restrict usage
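
The session bookkeeping in the patch above (check once per member/IP pair, remember the verdict, log out when the remembered verdict is "not allowed") is easier to read on its own. The PHP below is an added example written for this page, not floydpink's or the mod's code: it keeps the same kind of record in the session, adds a hash of the allow list so a profile edit invalidates the cached verdict, and returns a string verdict instead of calling Logout() itself. The record name, the exact-match comparison and the return values are my assumptions.

```php
<?php
// Added example, not floydpink's or the Login Security mod's code: the
// per-request re-validation that the "restrict usage" patch performs,
// written as a self-contained function. A small record in the session
// remembers which member/IP pair was last checked against which allow
// list, so the check only costs a lookup when something changed. Entries
// are matched exactly; the record name 'ipchecked', the list hashing and
// the string return values are assumptions made for the example.

// $session     the session array (pass $_SESSION in real code)
// $memberId    the logged-in member's id
// $ip          the client address of the current request
// $allowedList the member's comma-separated allowedips column
// Returns 'allowed', or 'logout' when the session must be terminated.
function check_session_ip(array &$session, $memberId, $ip, $allowedList)
{
    $allowed = array();
    foreach (explode(',', $allowedList) as $entry)
    {
        if (trim($entry) !== '')
            $allowed[] = trim($entry);
    }

    // No restriction configured: nothing to enforce.
    if (empty($allowed))
        return 'allowed';

    // Hash the list so that editing it in the profile invalidates the cached verdict.
    $listHash = md5(implode(',', $allowed));
    $rec = isset($session['ipchecked']) ? $session['ipchecked'] : null;

    // Same member, same address, same list as last time: reuse the verdict.
    if ($rec !== null && $rec['id_member'] === $memberId
        && $rec['ip'] === $ip && $rec['list'] === $listHash)
        return $rec['notallowed'] ? 'logout' : 'allowed';

    // New session, another member, an edited list, or the client's IP moved
    // (a phone leaving home Wi-Fi for 3G): evaluate again and remember it.
    $notallowed = !in_array($ip, $allowed, true);
    $session['ipchecked'] = array(
        'id_member'  => $memberId,
        'ip'         => $ip,
        'list'       => $listHash,
        'notallowed' => $notallowed,
    );
    return $notallowed ? 'logout' : 'allowed';
}

// Constructed walk-through: a session opened from the allowed address that
// later arrives from a different one.
$session = array();
$list = '198.51.100.7';
echo check_session_ip($session, 42, '198.51.100.7', $list), "\n"; // first request from the allowed address
echo check_session_ip($session, 42, '198.51.100.7', $list), "\n"; // same pair again, served from the record
echo check_session_ip($session, 42, '203.0.113.9', $list), "\n";  // the address changed
```

On 'logout' the caller does what the patch does: require LogInOut.php and call Logout(true), which destroys the session and with it the cached record, so no stale flag survives. Exact matching is deliberate here; wildcard or CIDR entries would need the same matcher the allow list uses at login, not a second copy. One caveat on the earlier error-logging snippet in this thread: assigning the attempted member's id to the global $ID_MEMBER before the password has been verified changes who SMF 1.1 treats as the current user, and is only harmless there because fatal_error() ends the request immediately afterwards; this example never touches that global.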
