Module: Admin Security Suite
Posted by Joe Curia
All files from this thread
File Name | File Size | Posted by | Date
---|---|---|---
admin_security_suite-5.2.1.05.zip | 13.6 KB | Joe Curia | 04/20/2016
Module: Admin Security Suite August 06, 2007 06:37PM |
Registered: 17 years ago Posts: 1,301 |
Please be sure you are running at least v5.2.1.03 before attempting to upgrade your Phorum install.
This security suite is designed to add additional security functions to a Phorum install. Currently this module can monitor the forum title for hacks, lockout IP addresses after a number of failed logins, restrict admin logins to a set list of IP addresses, allow the admin to search for specific terms in all of the settings saved in the admin area, add a captcha to the admin login, add monitoring of IP sessions to stop hackers from using a cookie to access the admin section without logging in, and restrict admin login to a scheduled time period such as from 9 AM to 5 PM. Most security events will also be displayed in the Event Logging module.
As always, requests for added/improved features are welcome. Either post here or email (email included in readme).
This module can also be used in Phorum 5.1 but you need v1.07a which is found here.
Joe Curia (aka Azumandias)
Modules: Admin Mass Email, Automatic Time Zones, Enhanced Custom Profiles, Google Calendar, Post Previews, Admin Security Suite, Check Modules for Upgrades, External Authentication, Group Auto-Email, Private Message Alerts, Attachment Download Counter, Custom Attachment Icons, Favorite Forums, Highlighted Search Terms, Self-Delete Posts Option, Attachment Watermarks, Custom Language Database, Forum Lockdown, Ignore Forums, Threaded Tree View, Automatic Message Pruning, Easy Color Scheme Manager, Forum Subscriptions, Moderated User Group
Templates: Generic Integration, Simple Rounded, Tabbed Emerald
Edited 7 time(s). Last edit at 10/10/2009 11:13PM by Joe Curia.
Re: Module: Admin Security Suite November 26, 2007 06:00AM |
Registered: 18 years ago Posts: 11 |
Was having a few problems upgrading to the latest beta release - the admin page wasn't loading to complete the upgrade because of too many redirects. Managed to identify it as being caused by this module, and deleted its entry from the phorum_settings table, after which the upgrade finished fine.
Just to warn people, I suggest you turn this module off before performing any upgrades. It can be easily turned on again after.
Tom.
(Edit - after turning the module back on, captchas on the login page were no longer displayed, just an image not found symbol. Replaced the entire module with a fresh download and it worked fine.)
Edited 1 time(s). Last edit at 11/26/2007 06:25AM by tomhmeredith.
Module: Admin Security Suite v5.2.1.01 - enable captcha skipping on first attempt May 16, 2008 08:54PM |
Registered: 17 years ago Posts: 1,301 |
I have completed v5.2.1.01 of the mod with these changes:
- Added the ability to choose whether to ignore the captcha on the first login attempt. Basically, this assumes that a bot isn't going to guess your admin password on the first attempt, so why use a captcha the first try. With this setting enabled, the captcha is displayed, but you do not need to enter it on the first attempt. If the incorrect password is entered, each subsequent attempt will require the captcha.
- Fixed numerous PHP errors.
Joe Curia (aka Azumandias)
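The first-attempt captcha skip described in the v5.2.1.01 notes above, combined with the failed-login lockout from the module description, sketched as a per-IP decision function. This is an added example, not the module's own code; the function name, the `MAX_FAILURES` threshold, the state layout and the choice to count a missed captcha as a failure are assumptions.

```php
<?php
// Added example, not the module's code. Names and thresholds are hypothetical.

const MAX_FAILURES = 5; // assumed lockout threshold per IP

/**
 * Decide the outcome of one admin login attempt.
 *
 * $state is the failure record for the client IP. It must live in
 * server-side storage keyed by IP: if "first attempt" were derived from a
 * cookie or a fresh session, a bot could discard it and every try would
 * count as the first one, bypassing the captcha entirely.
 *
 * Returns 'locked', 'captcha_required', 'bad_password' or 'ok'.
 */
function admin_login_attempt(array &$state, bool $passwordOk, ?bool $captchaOk, bool $skipFirst): string
{
    $failures = $state['failures'] ?? 0;

    if ($failures >= MAX_FAILURES) {
        return 'locked';                        // IP lockout takes priority
    }

    // The captcha is waived only when the option is on AND this IP has no
    // recorded failures yet.
    $captchaNeeded = !($skipFirst && $failures === 0);
    if ($captchaNeeded && $captchaOk !== true) {
        $state['failures'] = $failures + 1;     // assumption: counts as a failure
        return 'captcha_required';
    }

    if (!$passwordOk) {
        $state['failures'] = $failures + 1;     // later attempts now need the captcha
        return 'bad_password';
    }

    $state['failures'] = 0;                     // success clears the record
    return 'ok';
}

// Constructed sequence of attempts from a single IP, skip option enabled.
$state = [];
foreach ([
    [false, null],  // wrong password, captcha left blank
    [true,  null],  // right password, captcha left blank
    [true,  true],  // right password, captcha solved
] as [$passwordOk, $captchaOk]) {
    echo admin_login_attempt($state, $passwordOk, $captchaOk, true), PHP_EOL;
}
```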
Re: Module: Admin Security Suite June 17, 2008 09:09AM |
Registered: 17 years ago Posts: 6 |
One idea I've had for improved admin security is to require admin password to be reentered at some occasions, such as when changing forum settings (where title and head tags are altered) and doing other destructive things, like deleting forums and also for changing the password of any account (including the admins). This should reduce the impact of a stolen cookie considerably.
Perhaps session IDs could also be tied to the IP you logged in with, which completely should eliminate the ability to steal session cookies unless you can attack from the same IP I guess.
Tossing them out there. :)
Re: Module: Admin Security Suite June 17, 2008 09:47AM |
Registered: 17 years ago Posts: 1,301 |
Quote (Mathias):
"One idea I've had for improved admin security is to require admin password to be reentered at some occasions, such as when changing forum settings (where title and head tags are altered) and doing other destructive things, like deleting forums and also for changing the password of any account (including the admins). This should reduce the impact of a stolen cookie considerably."
I will look into some of these ideas.
Quote (Mathias):
"Perhaps session IDs could also be tied to the IP you logged in with, which completely should eliminate the ability to steal session cookies unless you can attack from the same IP I guess."
This has already been implemented and is enabled by default in the "Admin IP Address Session Lock" section of the settings page.
Joe Curia (aka Azumandias)
Module: Admin Security Suite v5.2.1.02 - event logging, check config.php, and error fixes July 06, 2008 01:03AM |
Registered: 17 years ago Posts: 1,301 |
I have finished v5.2.1.02 of this mod with these changes:
- Added a number of event flags to be logged in the Event Logging module. All are logged under the category "Security" and actual failed attempts at login, captcha, override codes, etc will show as alerts while other lower risk events will show as warnings.
- Check config.php file permissions to ensure that only the owner can read it. Check for the config.php.sample file as this may also contain database password info if not deleted during the installation. This can help avoid database intrusion on a shared host but this check can be disabled if this is not a concern.
- Fixed numerous PHP errors.
Joe Curia (aka Azumandias)
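A sketch of the config.php check described in the v5.2.1.02 notes above: flag a config.php that anyone other than its owner can access, and flag a leftover config.php.sample. This is an added example, not the module's own code; the function name `audit_config_dir`, the `0077` mask and the temporary demo directory are assumptions, and it assumes a POSIX filesystem.

```php
<?php
// Added example, not the module's code. Function name and paths are hypothetical.

/**
 * Return a list of findings for a directory holding a Phorum-style
 * config.php. An empty array means nothing was flagged.
 */
function audit_config_dir(string $dir): array
{
    $findings = [];
    $config = $dir . '/config.php';
    $sample = $dir . '/config.php.sample';

    if (!is_file($config)) {
        $findings[] = "config.php not found in $dir";
    } else {
        clearstatcache(true, $config);          // avoid a stale cached mode
        $mode = fileperms($config) & 0777;      // keep only the permission bits
        if ($mode & 0077) {                     // any group/other bit is set
            $findings[] = sprintf(
                'config.php mode is %04o; remove group/other access (e.g. 0600)',
                $mode
            );
        }
    }

    // The sample file may still carry database credentials typed in
    // during installation, so its presence alone is a finding.
    if (file_exists($sample)) {
        $findings[] = 'config.php.sample is still present; delete it after install';
    }

    return $findings;
}

// Constructed demo: a throwaway directory with a world-readable config.php
// and a leftover sample file.
$dir = sys_get_temp_dir() . '/phorum_audit_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/config.php", "<?php // constructed sample\n");
file_put_contents("$dir/config.php.sample", "<?php // constructed sample\n");
chmod("$dir/config.php", 0644);
print_r(audit_config_dir($dir));

// Tighten the mode, delete the sample, and audit again.
chmod("$dir/config.php", 0600);
unlink("$dir/config.php.sample");
print_r(audit_config_dir($dir));

// Clean up the demo directory.
unlink("$dir/config.php");
rmdir($dir);
```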
Module: Admin Security Suite v5.2.1.03 - Bugfix: Error while upgrading Phorum October 15, 2008 09:53AM |
Registered: 17 years ago Posts: 1,301 |
I have completed v5.2.1.03 of this module with the following change:
- Bugfix: The admin_pre function was set to run a security check even while installing or upgrading Phorum. Phorum user Marian reported that this derailed an upgrade from Phorum 5.2.7 to 5.2.9a. Thanks goes to Marian for helping find and fix this bug.
Joe Curia (aka Azumandias)
Module: Admin Security Suite v5.2.1.04 - Support for Phorum 5.2.11 and beyond October 10, 2009 11:14PM |
Moderator Registered: 17 years ago Posts: 1,301 |
I have released v5.2.1.04 of this module with the following change:
- Enhancement: Added support for the Admin Token required by Phorum 5.2.11 and beyond.
Joe Curia (aka Azumandias)
Re: Module: Admin Security Suite v5.2.1.04 - Support for Phorum 5.2.11 and beyond November 06, 2009 01:26PM |
Registered: 14 years ago Posts: 1 |
Re: Module: Admin Security Suite v5.2.1.04 - Support for Phorum 5.2.11 and beyond November 06, 2009 03:23PM |
Moderator Registered: 17 years ago Posts: 1,301 |
You will need to enable/install the GD library for your PHP installation in order to use this module.
Joe Curia (aka Azumandias)