[DBTech] DragonByte Security

[DBTech] DragonByte Security 4.0.1

Change: Improved performance by implementing phrase caching
Change: Back-end changes to make pages, error messages and redirects more compliant with XenForo standards
Fix: Setting password expiry to Unlimited could result in a password changing loop in certain circumstances
Change: Added caching for templates that are loaded via template hooks
New Features:

Email Recovery Criteria: Paid Subscription Transaction ID
  • Users who can provide a valid paid subscription / user upgrade transaction ID will by default receive a very high score, letting their recovery pass through
  • Score can be configured in the AdminCP

Email Recovery Criteria: Region
  • If the user's current IP is in the same region (e.g. state within the USA), a positive score can be applied to their request
  • Score can be configured in the AdminCP
New Features:

Email Recovery
  • Users who have forgotten or lost access to their email accounts can recover access to their account and change their email address via a page similar to "Lost Password"
  • Requires you to fill out, in the Options for this mod, an email address to receive these reports (separate emails are sent for successful and unsuccessful email recovery attempts)
  • Adds itself next to every "Lost Password" link
  • Configurable scoring criteria to judge how likely it is that this person's request is legitimate
  • Browsable logs of all email recovery attempts and their outcomes
Bug Fixes:
  • Fixed a couple of cases where an "Invalid class" error could be displayed
  • Attempting to log in with an incorrect username / email will no longer cause a server error
  • Resolved multiple issues with the "Compromised Account Alert" feature
  • Resolved an issue where using the "Admin Unlock" action would generate an email to administrators with incorrect language
Changed Features:

Password Reset
  • The created password is now based on the user’s password rule requirements
  • The Mass Password Reset action now creates a random password based on the user’s password rule requirements
New Features:

Search IP Addresses: Find Potential Intruder IP Addresses
  • Displays a list of IP addresses that have failed to log in to valid member accounts more than once
  • Also displays any successful logins from these IP addresses

Country Blocking
  • You can now block any country from your forum easily by selecting the country via the new AdminCP page
  • Uses XenForo's IP Ban system to ban the IP ranges assigned to each country

Browser Fingerprinting
  • You can enable browser fingerprinting and have this logged alongside a member's user ID and IP address
  • Used in two new security watchers
  • Defaults to off

Security Watcher: New Device Fingerprints (Member Accounts)
  • Triggers when a member's account is accessed from a new fingerprint
  • Allows locking the member's account and asking them to unlock it
  • Has the same options as "Failed Logins" security watcher

Security Watcher: New Device Fingerprints (Staff Accounts)
  • Triggers when a staff member's account is accessed from a new fingerprint
  • Allows locking the staff member's account and asking them to unlock it
  • Allows locking the staff member's account and asking admins to unlock it
  • Has the same options as "Failed Staff Logins" security watcher

Fingerprint Log Viewer
  • Browsable log of all fingerprints
  • Filtering / Sorting options

Changed Features:
  • When a user is deleted, all relevant data is now also deleted to prevent broken displays and errors
  • "Failed Logins" watcher can now ban the user in question
  • "Failed Staff Logins" watcher can now email the user in question

Bug Fixes:
  • Two event listeners for DragonByte Credits were inadvertently left in this product
  • The Config Tamper action could cause a PHP error when triggered
  • The email sent when a potentially compromised account is detected would not have the correct contents
  • The Password Change action would not respect the "last active threshold" choice
  • The "Password Rules" checkboxes would not update if the user pasted their password via the right click menu
  • Browsing to the second page of any log view that was limited by date would disregard the date limitations
New Features:

Compromised Account Lock
  • Ability to lock an account if it's detected as compromised
  • Prevents any action on the forum
  • The user whose account was logged in to will need to click a link in their email inbox to unlock their account

Compromised Account Alert
  • Alert staff when an account has potentially been compromised

Security Watcher: Failed Staff Logins
  • Identical to "Failed Logins" watcher, except only for staff accounts
  • Allows you to set stricter rules for staff accounts, or optionally only alert the webmaster if a staff account is broken into
  • Failed Staff Logins can lock the account in one of two ways; User Unlock or Admin Unlock. Admin Unlock requires an administrator (other than the affected user) to unlock the account.

Suspect IP Range Search
  • Collates IPs from various DB Security logs and matches partial IPs to detect suspicious IP ranges
  • Shows the suspected range(s) along with the number of "hits" this range has generated
  • Located on the "Search IP Addresses" screen
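
A minimal sketch of the kind of collation Suspect IP Range Search describes, added here as an illustration and not the add-on's own code: it groups IPs from several logs by enclosing range and counts hits per range. The log names, the /24 and /64 range sizes and the two-distinct-address threshold are assumptions; the sample entries are constructed from documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample entries (source log name, logged IP); not real data.
SAMPLE_LOG_ENTRIES = [
    ("failed_login", "203.0.113.14"),
    ("failed_login", "203.0.113.57"),
    ("failed_staff_login", "203.0.113.201"),
    ("failed_login", "203.0.113.14"),
    ("fingerprint", "198.51.100.7"),
    ("failed_login", "192.0.2.33"),
    ("failed_login", "2001:db8:12:34::a1"),
    ("failed_staff_login", "2001:DB8:12:34::b2"),
    ("failed_login", "not-an-ip"),
]

def parse_entry(ip_text, v4_prefix=24, v6_prefix=64):
    """Return (normalised IP, enclosing network), or None if the value is not an IP."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    prefix = v4_prefix if ip.version == 4 else v6_prefix  # assumed range sizes
    return str(ip), ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def suspect_ranges(entries, min_distinct_ips=2):
    """Group logged IPs by range and report ranges hit from several addresses."""
    hits = defaultdict(int)
    members = defaultdict(set)
    sources = defaultdict(set)
    for source, ip_text in entries:
        parsed = parse_entry(ip_text)
        if parsed is None:
            continue  # skip malformed log values instead of aborting the search
        ip, net = parsed
        hits[net] += 1
        members[net].add(ip)
        sources[net].add(source)
    report = [
        {"range": str(net), "hits": hits[net],
         "distinct_ips": len(members[net]), "logs": sorted(sources[net])}
        for net in hits if len(members[net]) >= min_distinct_ips
    ]
    # Most-hit ranges first, then by range text for a stable order.
    return sorted(report, key=lambda row: (-row["hits"], row["range"]))

if __name__ == "__main__":
    for row in suspect_ranges(SAMPLE_LOG_ENTRIES):
        print(row)
```

A single address that fails repeatedly is not reported here; it only counts toward a range once a second distinct address in the same range appears in the logs.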

Password Generator
  • Generate a random password or use your own
  • Fill out username and password to encrypt it for use in Basic Authentication auth files

Mass Password Reset
  • Can be limited to only reset passwords for users without 2FA enabled
  • Can be limited to only reset passwords for users who have been inactive for X days

Force Password Change
  • Can be limited to only force password change for users without 2FA enabled
  • Can be limited to only force password change for users who have been inactive for X days

Changed Features:
  • The "Maintenance" page (Mass Password Reset and Force Password Change) has been split into separate pages to make it easier to find these features
  • The "Failed Logins" watcher no longer triggers for staff accounts

Bug Fixes:
  • The Mass Password Reset maintenance action would not check if the "confirm action" was set to Yes
  • The "Find Multi-Account IPs" tool would not work as intended
  • The "Close Forum" action would not set the correct close message
  • The "Alert Webmaster" action would not work as intended