bfgadmin
Member
Posts: 52
Registered: 5-7-2020
Location: Pittsburgh, PA
Mood: Technical
A few quick notes on this: on our XMB forum we changed the hashing algorithm to SHA256 (I believe), and of course had to rehash existing passwords (via mandatory password reset).
We also added a database table to track failed logins, and even an anti-spam system to track known behavior (i.e. proceeding to the User CP within a minute of registration, attempts to insert URLs into bio/signature fields, etc.).
If anybody is interested in collaborating on this, let me know! I also run a forum in a non-production environment that we can nuke the crap out of in the name of development/progress.
Can I just add how exciting it is to see interest in XMB?
bfgadmin
Quote: Originally posted by miqrogroove:
    Quote: Originally posted by lottos:
        XMB misc.php allows one password reset request per 24 hours, date and time of last request in members table, column pwdate.
    This part is fine. The report shows we have less than 3 bytes of useful entropy and even less with stronger hacks. Without any rate limits or extra tokens it is possible to brute force account access.
Oh yes, we danced with this for quite a while. Our site owner was dead set on VB initially, but I managed to talk him into going with XMB, so this issue in particular was in the forefront.
Other than account lockout timers (similar to the Windows domain feature) and implementing a more secure hashing algorithm (SHA256) we never did find
a neat & tidy solution. I proposed everything from password complexity requirements and PIN codes to multifactor authentication. Our Sophos UTM
security appliance with WAF adds another layer of intrusion prevention, exploit mitigation and session hardening, but of course this isn't bulletproof
either.
For us, a key security measure is frequent backups. Every time we move code into the production environment, we take a full backup. Backups are also
conducted three times per day, using Windows scheduled tasks and saved to a shared network location. This location is backed up once daily to physical
disk.
Fortunately I have physical server access which makes this process much easier. On that same note, we have plenty of extra space on the server and
gigabit bandwidth if anybody needs a place to host an XMB instance! Also can accommodate your own domain provided you can point them at our
nameservers.
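The two controls discussed in this exchange, a failed-login table feeding an account lockout timer and a password-reset token with enough entropy to resist guessing, as an added PHP example that is not XMB's code (table names login_failures and reset_tokens, the uid primary key and the MySQL REPLACE INTO syntax are assumptions):

```php
<?php
// Added example, not XMB's own code: a failed-login table with a lockout
// window (the "account lockout timer" idea) and a password-reset token with
// real entropy, stored hashed and compared in constant time.
// Table/column names (login_failures, reset_tokens) are hypothetical.
declare(strict_types=1);

const MAX_FAILURES   = 5;        // failures tolerated inside the window
const LOCKOUT_SECS   = 15 * 60;  // lockout window in seconds
const RESET_TTL_SECS = 30 * 60;  // reset link lifetime

function isLockedOut(PDO $db, string $username): bool {
    $st = $db->prepare('SELECT COUNT(*) FROM login_failures
                        WHERE username = ? AND failed_at > ?');
    $st->execute([$username, time() - LOCKOUT_SECS]);
    return (int)$st->fetchColumn() >= MAX_FAILURES;
}

function recordFailure(PDO $db, string $username, string $ip): void {
    $st = $db->prepare('INSERT INTO login_failures (username, ip, failed_at)
                        VALUES (?, ?, ?)');
    $st->execute([$username, $ip, time()]);
}

// 32 random bytes (256 bits) replace anything derived from time or user data.
// Only the SHA-256 of the token is stored, so a dumped table yields no usable links.
function issueResetToken(PDO $db, int $uid): string {
    $token = bin2hex(random_bytes(32));
    $st = $db->prepare('REPLACE INTO reset_tokens (uid, token_hash, expires)
                        VALUES (?, ?, ?)');
    $st->execute([$uid, hash('sha256', $token), time() + RESET_TTL_SECS]);
    return $token;  // belongs in the e-mail link only
}

// Single use: the row is deleted on success; expiry is checked before comparing.
function consumeResetToken(PDO $db, int $uid, string $token): bool {
    $st = $db->prepare('SELECT token_hash, expires FROM reset_tokens WHERE uid = ?');
    $st->execute([$uid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return false;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $db->prepare('DELETE FROM reset_tokens WHERE uid = ?')->execute([$uid]);
    return true;
}
```

The login handler would call isLockedOut() before verifying the password and recordFailure() on a mismatch; the one-request-per-24-hours rule in misc.php still applies on top of this.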
miqrogroove
What would be an appropriate version number for the next patch then? If it requires a schema upgrade and PHP upgrade, would it become 1.9.12?
bfgadmin
Quote: Originally posted by miqrogroove:
    What would be an appropriate version number for the next patch then? If it requires a schema upgrade and PHP upgrade, would it become 1.9.12?
Sounds right to me!
Exciting times!
So what's the plan, Micro?
miqrogroove
I'm just thinking big picture. If I overhaul the session handler and bump the PHP requirement to 7+ then we can also unfreeze features and text. But
I don't think it will be anything more than bug fixes.
miqrogroove
Are there any existing hacks that should get baked into 1.9.12?
I was thinking our new user moderation system has become such a vital anti-spam tool that it would have even more value as an integrated feature set.
https://sourceforge.net/p/xmb-forum/code/HEAD/tree/hacks/tru...
The code has been stable for years, and just needs some refinement to make it look more official.
lottos
Administrator
Posts: 479
Registered: 6-3-2002
Mood: pass me a TimTam
After reviewing the list of existing hacks, I think the moderation system is a great and most appropriate candidate to be baked in.
miqrogroove
Agreed then. I'm open to more suggestions. Even if new-user moderation is the only major new feature, I think it's a realistic and understandable
roadmap.
I've got about 400 lines of the new session handler written so far here at home. I'm trying to make the impact on existing files as little as
possible. I committed one significant change to the functions.inc.php because we will soon need a function to go between the session handler and the
IP banning logic. Having that part separated out now should help keep that part stable when I start tearing out the old cookie commands.
lottos
I'm assuming you mean existing hacks such as those listed here:
https://www.xmbforum2.com/modifications/
which has these two (not sure of the difference between them):
google-rdf-breadcrumbs.zip
rdfa-breadcrumbs.zip
Maybe a contender?
If you also mean possible new hacks, tagging members in a post eg. @miqrogroove would be cool, with a u2u notification to the tagged member with u2u
message linking to the relevant post.
[edit: ignore the paragraph above as I reread your first post that does say existing.]
Would it be worthwhile for the 1.9.12 alpha version you have on the SVN to be implemented on this forum for testing before making the new session handler?
miqrogroove
Yes, those hacks. Should be the same ones as in SVN.
The breadcrumbs hacks are obsolete AFAIK. I wrote one of them based on the standard that was current at the time, and I believe that language is no
longer supported by Google.
I added a subdomain alpha dot. I'm using it for syntax checks and dev testing only. You can try it but it's only 1.9.11 with a bunch of minor bug
patches so far.
We can eventually upgrade the production site when the first beta is released. I think that's how we've done it in the past.
lottos
Not existing hacks, but perhaps the last post date and time could be a link to the actual last post? Could be more intuitive for some?
[edit: saw a nifty implementation of something similar from forum provider microcosm where they have for example:
@Ken replied 3 hours ago
Broken down:
'@Ken' is hyperlink to member profile
'replied' is the hyperlink to the last post
'3 hours ago' is clickable and changes to the date and time posted]
miqrogroove
I would think bigger. Maybe the entire table cell in each Forum / Subject / Last Post column could be clickable. Would you care to add that as a
feature request in the bug tracker?
Today I'm trying to work out the details of automatic session token regeneration. It adds a lot of complexity to the new session handler. I'll try
to make it possible to switch that off or remove it in case we find problems in testing.
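Automatic session token regeneration of the kind described in this post, with a short grace window for the retired token and a setting that switches the rotation off, as an added PHP example that is not the new XMB session handler (the sessions table, its columns, the xmbsession cookie name and the $rotateSessions flag are all assumptions):

```php
<?php
// Added example, not XMB's new session handler: rotate the session token
// once it is older than ROTATE_AFTER_SECS, but keep the retired token valid
// for a short grace window so a request that raced the rotation still
// succeeds. $rotateSessions is the hypothetical "switch it off" setting.
// Table/column names (sessions, token_hash, prev_hash, ...) are hypothetical.
declare(strict_types=1);

const ROTATE_AFTER_SECS = 10 * 60;  // rotate tokens older than this
const GRACE_SECS        = 30;       // how long the retired token still works

// Find the session by the current token or by the retired token inside its grace window.
function loadSession(PDO $db, string $token): ?array {
    $h  = hash('sha256', $token);
    $st = $db->prepare('SELECT id, token_hash, issued_at FROM sessions
                        WHERE token_hash = ?
                           OR (prev_hash = ? AND prev_expires > ?)');
    $st->execute([$h, $h, time()]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the token the client should present from now on.
function maybeRotate(PDO $db, array $sess, string $token, bool $rotateSessions): string {
    $h     = hash('sha256', $token);
    $stale = (int)$sess['issued_at'] <= time() - ROTATE_AFTER_SECS;
    // Skip when disabled, still fresh, or when this request carries the retired
    // token (another request already rotated; rotating again would churn cookies).
    if (!$rotateSessions || !$stale || !hash_equals($sess['token_hash'], $h)) {
        return $token;
    }
    $new = bin2hex(random_bytes(32));
    $now = time();
    // The WHERE clause re-checks the current hash so two concurrent requests
    // cannot both rotate; the loser keeps its token, now valid under the grace window.
    $st = $db->prepare('UPDATE sessions
                        SET token_hash = ?, issued_at = ?, prev_hash = ?, prev_expires = ?
                        WHERE id = ? AND token_hash = ?');
    $st->execute([hash('sha256', $new), $now, $h, $now + GRACE_SECS, $sess['id'], $h]);
    if ($st->rowCount() !== 1) {
        return $token;
    }
    // Cookie options array form needs PHP 7.3+.
    setcookie('xmbsession', $new, ['path' => '/', 'secure' => true,
                                   'httponly' => true, 'samesite' => 'Lax']);
    return $new;
}
```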
miqrogroove
Going to take a second look at this.
Beta 2 is up.
lottos
Question re Quarantine: is there a log of deleted users/IPs?
miqrogroove
The quarantine panel allows an Admin to ban. It will delete posts, not users. So the original registration IP stays in the user record. Currently
it does not create any extra logs.
lottos
Thanks. That way admins can see if there are repeat offenders among those who don't mask their IP.
lottos
Wondering how difficult it would be to alter search.php to allow multiple user names in the user name field, perhaps in the same format as sending multiple u2us, i.e.: user1, user2, user3
miqrogroove
Quote: Originally posted by lottos:
    Wondering how difficult it would be to alter search.php to allow multiple user names in the user name field, perhaps in the same format as sending multiple u2us, i.e.: user1, user2, user3
Sounds like an interesting feature or modification.
Seems like beta testing is wrapped up. I don't know how much serious testing happened, but it's what we got. I'll try to package up the 1.9.12
release today or tomorrow.
lottos
Quote: Originally posted by miqrogroove:
    Seems like beta testing is wrapped up. I don't know how much serious testing happened, but it's what we got. I'll try to package up the 1.9.12 release today or tomorrow.
I did as much as possible; topicadmin was an area I spent some time on, and with the admin rights I have, all seemed to function as expected.
Awesome work, miqrogroove. I've peeked at much of the code and the effort you have put into this is commendable.
P.S. Don't forget to update https://www.xmbforum2.com/ after the release.
miqrogroove
Found too many bugs this week. I will try again next week. If any lurkers here are willing to install the beta or even the trunk version and report
bugs, it will help immensely to prepare the release version 1.9.12.