Have I almost reached maximum security?

Started by xenovanis, May 05, 2005, 06:51:20 PM


xenovanis

Because of some hacking attempts and illegal password retrieval I made some drastic changes on a forum. This is just a thought, not a problem, and it may be helpful to someone, so I just post it here. Maybe I missed something, but I think it's pretty complete.

This is what I did to protect the forum and the members:


  • I set up a membergroup for newbies with some serious restrictions:
    - Not allowed to see the memberlist
    - Not allowed to view other members' profiles
    - Not allowed to send PMs (I don't want them to see any usernames)
    - Not allowed to view who's online
    - Not allowed to view forum statistics
    - Not able to upload attachments
  • After 25 posts they move to the next group, which has standard permissions. This gives me time to evaluate and keep track of them.
  • I changed the profile view so that Summary shows only the name and not the username, which reduces the risk of someone trying to retrieve a password by using the secret question.
  • In my phpMyAdmin I used a query to hide all e-mail addresses of existing members; registration is set so that an e-mail address is automatically hidden. Found the how-to here.
  • Guests can no longer see the names of the users online, only the number of them.

If you want some more info on how I did this, just let me know.  ;) I certainly sleep better now.
"Insanity: doing the same thing over and over again and expecting different results."

xd3vilx

No Matter What U Do It Won't Prevent Viruses Or Spam... But It Minimises Them...

[Unknown]

You should be okay, at this point.  There are other things, theoretically, you could do... but it should be fine at this point without inconveniencing your users.

-[Unknown]

dtm.exe

You can also set the time between each post by any user of the same IP.  This can drastically reduce spamming and such.

Admin > Edit Features and Options

-Dan The Man

xenovanis

Quote from: OIDanTheManIO on May 08, 2005, 02:18:37 AM
You can also set the time between each post by any user of the same IP.  This can drastically reduce spamming and such.

Admin > Edit Features and Options

-Dan The Man

Yeah, I could, but then again, I think there will be 300 angry children after me. You have no idea how fast they can post.  :)

Thanks [Unknown], I think it's pretty secure this way, but when the time comes that it's not enough anymore, I'll knock on your door.  ;)
"Insanity: doing the same thing over and over again and expecting different results."

Miraenda

Hi xenovanis,

You posted that you could provide more info on how you did all the options to tighten security.  I'd be interested to see this as it would help to tighten not only my boards but to secure a couple of friends' boards as well if I could get it all setup for them.  I think these are great ideas you've implemented :)

Thanks.

xenovanis

Sure, no problem. What do you want to know?
"Insanity: doing the same thing over and over again and expecting different results."

Miraenda

Step-by-step how you implemented everything? heh ;)

Well, first on how to change the profile view, is that an option in the admin area or done via editing of the code? Also, what did you remove to take off the user's online names to not show them and only the number? Those are the main 2 I'm not sure about.  The others, since I haven't actually setup a group like you did, I'd have to look into it to see if there is anything I don't understand how to do.  I'll likely try it out on a test board before I do it live so I don't screw up my current members somehow :)

xenovanis

Quote from: Miraenda on May 21, 2005, 12:14:00 PM
Step-by-step how you implemented everything? heh ;)

I think my English is too bad for that; it would take me forever  :P

Changing Profile View

This can only be done by editing the files. Be sure to backup before you make any changes.

To show the name instead of the username in Profile -> Summary, open the file Profile.template.php (in all of your themes) and

find:

', $txt[35], ': ', $context['member']['username'], '


replace with:

', $txt[68], ': ', $context['member']['name'], '


Now, if you're viewing a profile you'll notice that the username also appears in the title area of your browser. To get rid of this, open Profile.php and find:


'page_title' => $txt[92] . ' ' . $themeUser[$memID]['username'],


replace with:

'page_title' => $txt[92] . ' ' . $themeUser[$memID]['name'],


Hide Users Online

To completely hide the users-online table from guests try this:

In BoardIndex.template.php find


// "Users online" - in order of activity.


add after


if (!$context['user']['is_guest'])


If you want the numbers shown but not the usernames, try this:

In BoardIndex.template.php find


// Assuming there ARE users online... each user in users_online has an id, username, name, group, href, and link.


add after:


if (!$context['user']['is_guest'])


Permissions

If you want to set up this new group with maximum restrictions, just be sure to change 'Ungrouped Members' as well to have minimum allowances. This is where I went wrong the first time. The permissions set for my 'junior-group' were okay, but overruled by 'Ungrouped Members', so in the end they could do most of the things I didn't want them to do.
"Insanity: doing the same thing over and over again and expecting different results."
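An added example, in PHP, that is not part of this thread and not SMF's own code. It models the two points of the post above: the `if (!$context['user']['is_guest'])` guard that keeps usernames out of the users-online block for anonymous visitors, and the permissions trap, where a tightly restricted post-count group gets everything back that the default 'Ungrouped Members' group still allows, because a member's effective permissions are the union of all the groups they belong to. The `$context` array, the group names and the permission strings are constructed stand-ins, not SMF's real globals or settings.

```php
<?php
// Added example, not SMF's code. $context below is a constructed stand-in for
// the template's global; group names and permission strings are made up.
declare(strict_types=1);

/**
 * Render the "Users online" block the way the patched BoardIndex template
 * behaves: guests get the counts only, logged-in members also get the names.
 */
function renderUsersOnline(array $context): string
{
    $out = sprintf("%d Guests, %d Users\n",
        $context['num_guests'], $context['num_users_online']);

    // Same effect as wrapping the name loop in `if (!$context['user']['is_guest'])`:
    // nothing identifying reaches an anonymous visitor.
    if (!$context['user']['is_guest']) {
        $names = array_map(
            static fn (array $u): string => $u['name'],  // display name, never the login name
            $context['users_online']
        );
        $out .= 'Users active: ' . implode(', ', $names) . "\n";
    }
    return $out;
}

/**
 * Effective permissions as a union over every group the member is in. This is
 * the behaviour the thread describes: a locked-down "junior" post-count group
 * gains back everything the default ("Ungrouped Members") group still allows.
 */
function effectivePermissions(array $memberGroups, array $groupPermissions): array
{
    $allowed = [];
    foreach ($memberGroups as $group) {
        foreach ($groupPermissions[$group] ?? [] as $perm) {
            $allowed[$perm] = true;
        }
    }
    ksort($allowed);
    return array_keys($allowed);
}

/** Permissions a newbie keeps that the admin meant to take away. */
function leakedPermissions(array $intended, array $effective): array
{
    return array_values(array_diff($effective, $intended));
}

// --- constructed sample data -------------------------------------------------
$context = [
    'num_guests'       => 3,
    'num_users_online' => 2,
    'users_online'     => [
        ['username' => 'admin_login_x7', 'name' => 'Site Admin'],
        ['username' => 'dtm',            'name' => 'Dan The Man'],
    ],
];

$groupPermissions = [
    'ungrouped' => ['view_mlist', 'pm_send', 'who_view', 'profile_view_any', 'view_stats'],
    'junior'    => ['pm_read'],   // the restrictive newbie group
];

// A guest sees counts only; a member sees the display names as well.
echo renderUsersOnline($context + ['user' => ['is_guest' => true]]);
echo renderUsersOnline($context + ['user' => ['is_guest' => false]]);

// Before tightening 'ungrouped': the junior member effectively has everything.
$before = effectivePermissions(['ungrouped', 'junior'], $groupPermissions);
echo 'Leaked: ' . implode(', ', leakedPermissions($groupPermissions['junior'], $before)) . "\n";

// After tightening 'ungrouped' to match the junior group: nothing leaks.
$groupPermissions['ungrouped'] = ['pm_read'];
$after = effectivePermissions(['ungrouped', 'junior'], $groupPermissions);
echo 'Leaked: ' . implode(', ', leakedPermissions($groupPermissions['junior'], $after)) . "\n";
```

Run it with `php example.php`. The first `Leaked:` line lists every permission the junior group was supposed to lose; the second is empty, which is the state the post says you only reach once 'Ungrouped Members' is restricted too. The union model here is a simplification that matches what the thread observed, not a statement about every rule in SMF's permission engine.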

deathshadow

One thing I recommend after finding it by accident: you can change the name displayed on the memberlist without changing the login username. If you make sure all the mods have a different actual username they log in with from what is displayed on the board, you don't have to worry about having the memberlist displayed, as normal users no longer see your login name!

Simple, expedient. Now not only do they need your password, they need your login name too. I heartily recommend that all admins (and possibly even mods) on a board take that extra step when setting up their accounts.
"There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies and the other way is to make it so complicated that there are no obvious deficiencies." – C.A.R. Hoare, The 1980 ACM Turing Award Lecture
http://www.cutcodedown.com

[Unknown]

Well, they could also use your email address.

-[Unknown]

Mexican_Pirate

Quote from: xenovanis on May 21, 2005, 12:41:57 PM
Quote from: Miraenda on May 21, 2005, 12:14:00 PM
Step-by-step how you implemented everything? heh ;)

I think my English is too bad for that; it would take me forever  :P

Changing Profile View

This can only be done by editing the files. Be sure to backup before you make any changes.

To show the name instead of the username in Profile -> Summary, open the file Profile.template.php (in all of your themes) and

find:

', $txt[35], ': ', $context['member']['username'], '


replace with:

', $txt[68], ': ', $context['member']['name'], '


Now, if you're viewing a profile you'll notice that the username also appears in the title area of your browser. To get rid of this, open Profile.php and find:


'page_title' => $txt[92] . ' ' . $themeUser[$memID]['username'],


replace with:

'page_title' => $txt[92] . ' ' . $themeUser[$memID]['name'],


Hide Users Online

To completely hide the users-online table from guests try this:

In BoardIndex.template.php find


// "Users online" - in order of activity.


add after


if (!$context['user']['is_guest'])


If you want the numbers shown but not the usernames, try this:

In BoardIndex.template.php find


// Assuming there ARE users online... each user in users_online has an id, username, name, group, href, and link.


add after:


if (!$context['user']['is_guest'])


Permissions

If you want to set up this new group with maximum restrictions, just be sure to change 'Ungrouped Members' as well to have minimum allowances. This is where I went wrong the first time. The permissions set for my 'junior-group' were okay, but overruled by 'Ungrouped Members', so in the end they could do most of the things I didn't want them to do.
I see potential for a mod in these security changes.

Ben_S

I don't, none of them are going to help with security in honesty.
Liverpool FC Forum with 14 million+ posts.

[Unknown]

Although 1.1 does show usernames a lot less.

-[Unknown]

Placeman

Quote from: xenovanis on May 21, 2005, 12:41:57 PM
Quote from: Miraenda on May 21, 2005, 12:14:00 PM
Step-by-step how you implemented everything? heh ;)

I think my English is too bad for that; it would take me forever  :P

Changing Profile View

This can only be done by editing the files. Be sure to backup before you make any changes.

To show the name instead of the username in Profile -> Summary, open the file Profile.template.php (in all of your themes) and

find:

', $txt[35], ': ', $context['member']['username'], '


replace with:

', $txt[68], ': ', $context['member']['name'], '


Now, if you're viewing a profile you'll notice that the username also appears in the title area of your browser. To get rid of this, open Profile.php and find:


'page_title' => $txt[92] . ' ' . $themeUser[$memID]['username'],


replace with:

'page_title' => $txt[92] . ' ' . $themeUser[$memID]['name'],


Ok.  This worked, except if I click on "Send this member a personal message," the username shows up in the TO field of the new message.
