New Mod: Admin Security Suite

Well I decided to go with png, and I do have fun coding myself :) The worst part was spelling captcha right every time. I think I had just about every variation of it at one point or another. Anyways. . .

I have finished v1.06 with these changes:
- Added the ability to send the lockout override code to the email address of the user who failed to login, but only if that user has admin access.

- Added the ability to centrally manage all users who have been granted Admin access.

- Added the ability to add a captcha to the admin login. Requires a change in the "admin_pre" hook. See the readme for more info.

- More changes to the module's settings interface to add features and help.

The file on the first page contains the latest version.

Well, I am just about tapped out for ideas (as I also believe the limited admin feature would be another mod). I am still willing to code other security related features into this mod based on suggestions. Just drop me a line on this thread.

Sergej, as I have time and if I have the ability, I will try to look into your idea.

---

Joe Curia (aka Azumandias)
Modules: l0Admin Mass Email00000000l000000Automatic Time Zones000ll.l00000Enhanced Custom Profiles0.00Google Calendar0000l.l000000Post Previews
000000000Admin Security Suite000000000000Check Modules for Upgrades0000External Authentication000000Group Auto-Email00000.00000Private Message Alerts
000000000Attachment Download Counter0000Custom Attachment Icons000ll.ll00Favorite Forums000000.00000Highlighted Search Terms0000Self-Delete Posts Option
000000000Attachment Watermarks0l00000000Custom Language Database00l.l.0Forum Lockdown00000.00000Ignore Forums0000000000000Threaded Tree View
000000000Automatic Message Pruning00.llll.00Easy Color Scheme Manager0l.l00Forum Subscriptions0000lll000Moderated User Group
Templates:lGeneric Integration000000000 0000Simple Rounded000000 00000000Tabbed Emerald



Edited 1 time(s). Last edit at 08/03/2007 08:34AM by Azumandias.

Want ideas?

One idea might be to have "office hours". Security systems now and then have an option to tell what the logical hours are for accessing the system. This way, the system can be accessible during day time, but closed down during night time (that's when the hacker folks wake up ;-) for example. This system could also make use of the override system to gain emergency access outside office hours.

Another idea is to keep track of the IP addresses from which a single administrator is accessing the system in combination with the admin cookie and disallow access from unknown IP addresses (with of course the override system implemented ;-). This sounds a lot like the IP address feature and might be a simple checkbox in the config (enable cookie/IP locking or so). The target is to prevent stealing cookies through XSS hacks and using them from other IP addresses without confirmation.

This has become a great module, thanks!

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

Will the new hook be added as standard to the next release of Phorum?

i.e. the:

phorum_hook( "admin_pre", "" );

hack that this module requires to log admin logins?

Thanks,

/\dam

--
My notable Phorum sites:
Movie Deaths Database - "review comments" system mostly powered by Phorum
Learn Chinese! - integrated forum quiz

We can look into that for 5.2. I don't know if we will still add new hooks to 5.1 now 5.2 has gone alpha.

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

Thanks for the ideas Maurice. Just when I thought I'd come near to finishing this mod :)

Also, please note the updated readme (which I realized now that I need to update). With the addition of captchas the hook should now read:

phorum_hook( "admin_pre", "$module" );

This change lets me highjack the login module and swap it with my own, captcha enabled, version.

---

Joe Curia (aka Azumandias)
Modules: l0Admin Mass Email00000000l000000Automatic Time Zones000ll.l00000Enhanced Custom Profiles0.00Google Calendar0000l.l000000Post Previews
000000000Admin Security Suite000000000000Check Modules for Upgrades0000External Authentication000000Group Auto-Email00000.00000Private Message Alerts
000000000Attachment Download Counter0000Custom Attachment Icons000ll.ll00Favorite Forums000000.00000Highlighted Search Terms0000Self-Delete Posts Option
000000000Attachment Watermarks0l00000000Custom Language Database00l.l.0Forum Lockdown00000.00000Ignore Forums0000000000000Threaded Tree View
000000000Automatic Message Pruning00.llll.00Easy Color Scheme Manager0l.l00Forum Subscriptions0000lll000Moderated User Group
Templates:lGeneric Integration000000000 0000Simple Rounded000000 00000000Tabbed Emerald

Sounds like a useful hook for doing stuff like that. It allows for writing full replacements for Phorum admin modules if you like. Somewhat like I have used the common hook in the past, before we had the addon.php script.

And my apologies for the extra ideas. It sounded like you were eager for more of those ;-)

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

An idea that I came across and am about to implement on a contact form that might be useful here (and on the posting and registration forms for anti spam):

Leave the action field in the form =="". Fill it in with java script when the form is submitted. This prevents the non-java enabled bots from obtaining the name/address of the action script, so they won't probe, and/or they won't send anything to the site. Once they find a working form, they will continuously probe or send messages for days or weeks, even if you block them. nip them in the bud!

Maurice, I love new challenges, its one of the reasons I like coding for Phorum (besides the hefty salary and over-the-top benifits package).

Could you check my logic on your IP/cookie lock idea. I've tested it with a vpn connection to mask my ip and it seems to work, but let me know what you think:

I don't care about the cookies, that is ignored.
When you login, I assign your IP address to your user_id.
Every time the admin page loads, if your user_id and assigned IP don't match, you get logged off and sent back to the login page where you can login and have your new IP address assigned.

Like I said this seems to work without any need to get complicated with cookies (though I thought of this after getting my hands into php cookie creation/checking - another first for me so thanks for that). If you see something wrong with my logic on this let me know. I would like to keep it simple, but I don't want to leave it open to hacking.

Thanks

---

Joe Curia (aka Azumandias)
Modules: l0Admin Mass Email00000000l000000Automatic Time Zones000ll.l00000Enhanced Custom Profiles0.00Google Calendar0000l.l000000Post Previews
000000000Admin Security Suite000000000000Check Modules for Upgrades0000External Authentication000000Group Auto-Email00000.00000Private Message Alerts
000000000Attachment Download Counter0000Custom Attachment Icons000ll.ll00Favorite Forums000000.00000Highlighted Search Terms0000Self-Delete Posts Option
000000000Attachment Watermarks0l00000000Custom Language Database00l.l.0Forum Lockdown00000.00000Ignore Forums0000000000000Threaded Tree View
000000000Automatic Message Pruning00.llll.00Easy Color Scheme Manager0l.l00Forum Subscriptions0000lll000Moderated User Group
Templates:lGeneric Integration000000000 0000Simple Rounded000000 00000000Tabbed Emerald

No, that logic is perfectly fine and binding the IP to the user_id is virtually analog to binding to the auth cookie (don't they taste well? ;-). By making sure that a user can only login from one IP address at a time, you will effectively block stolen auth cookie hacks as well.

So.. feeding time for another security feature? ;-)

How about keeping track of the user agent that the admin is using? You could bind the user agent (which is in the $_SERVER["HTTP_USER_AGENT"] variable IIRC) to the user as well and disallow requests, just like you do with the IP address binding from above. During an admin session, the user agent should not change. This could be a security option that is useful for admins that are behind a proxy cluster, causing the IP address to change over time. Of course, if a hacker is able to score an admin cookie, he might as well be able to guess the http referer that the browser would sent. But it's a nice extra hurdle to take. Especially if the option to use a list of allowed IP addresses is enabled as well, because then the hacker would have to go through the same proxy cluster too. And if the paranoid admin uses a browser like Opera, it is really easy to configure some arbitrary user agent. I don't think it's possible to retrieve the changed user agent from javascript code.

Okay, rambled enough. I think you get the idea.

So could you tell me where those pay checks are normally handed out?

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

Maurice, thanks for checking my logic and for giving me another function to add. I'll be sure to take your description for the help bubble :).

I usually follow the second star on the left until morning to get my paychecks, and even then there's a long line at the counter.

Just out of light-hearted curiosity, are you guys still trying to catch a glimpse of the title hackers at work by leaving this site without my 800-pound gorilla at the gate?

---

Joe Curia (aka Azumandias)
Modules: l0Admin Mass Email00000000l000000Automatic Time Zones000ll.l00000Enhanced Custom Profiles0.00Google Calendar0000l.l000000Post Previews
000000000Admin Security Suite000000000000Check Modules for Upgrades0000External Authentication000000Group Auto-Email00000.00000Private Message Alerts
000000000Attachment Download Counter0000Custom Attachment Icons000ll.ll00Favorite Forums000000.00000Highlighted Search Terms0000Self-Delete Posts Option
000000000Attachment Watermarks0l00000000Custom Language Database00l.l.0Forum Lockdown00000.00000Ignore Forums0000000000000Threaded Tree View
000000000Automatic Message Pruning00.llll.00Easy Color Scheme Manager0l.l00Forum Subscriptions0000lll000Moderated User Group
Templates:lGeneric Integration000000000 0000Simple Rounded000000 00000000Tabbed Emerald