[DBTech] DragonByte Security

[DBTech] DragonByte Security [Paid] 4.0.1

After some significant debugging of problematic performance issues we found that this addon does not add indexes to tables that have hundreds of thousands of entries:
Code:
alter table xf_dbtech_security_compromisedlog add index userid (userid);
alter table xf_dbtech_security_fingerprintlog add index userid (userid);
alter table xf_dbtech_security_session add index user_id (user_id);
Can you please fix this?
 
I would like to buy another license once the above indexes are added.
Also: if I buy another lifetime license then will this be usable for XF2? Or is it best to buy a 3 months license?
 
Thank you. Something weird happens when I add a lifetime license + BFO to the cart. The lifetime license is advertised as $49:

But when added to the cart it's $99.

The same issue happened when I bought the first license. I didn't mind paying more because you are providing a good product. But I would rather not pay double for the second time.
 
There is no bug there, you had 2 Lifetime versions of DB Security in your cart. I've updated your cart to only have 1 copy, and the price is now $49.95 :)


Fillip
 
Where is the best place to post feature requests? On your site there is a place for vbSecurity but I am not seeing it for the XF version.

We are currently dealing with an annoying hacker using Xrumer + TOR to try to brute force accounts. IPs are getting blocked. However, they keep cycling through hundreds of new IPs. Ranges and hosts are not being blocked by DBT Security. The hacker has been going on for weeks.
The most problematic issue is that there is no option to select a security watcher for using different IPs for the same account. Clearly if an account login is being attempted from 10 IPs an hour there is a problem and all IPs need to be banned. But DBT security does not seem to cater to this.
 
Where is the best place to post feature requests? On your site there is a place for vbSecurity but I am not seeing it for the XF version.
I've renamed the DragonByte Security support forums for you, alternatively you can use the New Ticket button and choose Feature Request and it will put the thread in the correct forum :)

The most problematic issue is that there is no option to select a security watcher for using different IPs for the same account. Clearly if an account login is being attempted from 10 IPs an hour there is a problem and all IPs need to be banned. But DBT security does not seem to cater to this.
You can set up a security watcher that bans an IP after X failed login attempts, but it would be incredibly risky and counter-productive to ban ALL IPs that tried to access any account. How can we know for certain that one of them wasn't a legitimate hit?

Sure, by manually analysing the logs and manually looking up the IPs, you may be able to determine that in 100% of cases you've encountered, all the IPs are false and do not belong to any legitimate forum user. Is it feasible to do this programmatically? IMO, no. I do not feel comfortable creating a piece of functionality that I know full well has the very real potential to create false positives, requiring manual unbanning by administrators.

I do apologise if it seems like I'm shooting you down. Part of my job is to find every way something can go wrong, that includes both "how could someone break this?" and "how could this break someone?" - this feature would fall squarely within the latter category.


Fillip
 
No worries. I appreciate that you are thinking along with me. I don't feel shot down.

it would be incredibly risky and counter-productive to ban ALL IPs that tried to access any account. How can we know for certain that one of them wasn't a legitimate hit?
This is true. If I understand correctly, this is how it currently works. If I select 'ANY IP' then it will just count X logins from whatever IPs.
I would like to have a more narrow selection: 'DIFFERENT IPs'. This would cause login attempts on the same account from X different IP addresses within Y hours to be flagged.
I would also like to have another selection, but it seems that the hacker is aware that I am using this addon. Probably because the addon clearly advertises the name 'DragonByte Security' in messages to users:
The hacker has set up dummy accounts to test out what happens when a login attempt is detected. This addon then emails users with the name of the security addon which makes the attacker aware of the protection mechanism. A simple google search leads here.

This allows the hacker to test exactly what the settings of this addon are and adjust his attacks to the settings. The brute force attempts are mostly under the set thresholds.

Where can I find the text that is sent out by email? I can't find it in phrases.

Sure, by manually analysing the logs and manually looking up the IPs, you may be able to determine that in 100% of cases you've encountered, all the IPs are false and do not belong to any legitimate forum user.
I find that there are a few things missing that would allow me to do this:
On IP ban log, login strikes viewer, watcher log there is no filter for login strikes or type of login strikes. This makes it very hard to analyse logs.
Here it would be very valuable to display which accounts have been accessed under that IP banned address: /admin.php?dbtech-security/search&action=get-host&ip=xxx
This would immediately show additional potentially compromised or malicious accounts.

The functionality of DragonByte Security seems to be designed to protect against attackers accessing accounts of legitimate members. It does not seem to be designed to protect against malicious accounts registered by the attacker. i.e. the accessed accounts are malicious themselves.

I've renamed the DragonByte Security support forums for you, alternatively you can use the New Ticket button and choose Feature Request and it will put the thread in the correct forum
Thanks. I hope that you will be able to implement @NixFifty tickets + XFPM. I think it will be a good enhancement to your support. The old vb site is always giving me login issues (I'm logged in but it's asking me for my login) and 'invalid redirect' errors.
 
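The 'DIFFERENT IPs' watcher proposed in this post, as an added example that is not part of the thread or of the addon: it counts distinct source addresses per account inside a time window over a constructed login log held in an in-memory SQLite table (the `login_attempt` schema and all records are invented here), and returns the accounts that cross the threshold for review rather than banning anything.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed login-attempt records (account, source IP, time) invented for this
# example; they are not data from the thread or from the addon's tables.
SAMPLE_ATTEMPTS = [
    ("alice", "203.0.113.10", "2017-09-21 10:05:00"),  # one account, four IPs in 15 minutes
    ("alice", "203.0.113.11", "2017-09-21 10:10:00"),
    ("alice", "203.0.113.12", "2017-09-21 10:15:00"),
    ("alice", "203.0.113.13", "2017-09-21 10:20:00"),
    ("bob",   "203.0.113.20", "2017-09-21 10:30:00"),  # two IPs, e.g. a carrier reassigning addresses
    ("bob",   "203.0.113.21", "2017-09-21 11:30:00"),
    ("carol", "203.0.113.30", "2017-09-21 07:00:00"),  # three IPs, but older than the window
    ("carol", "203.0.113.31", "2017-09-21 07:30:00"),
    ("carol", "203.0.113.32", "2017-09-21 08:00:00"),
    ("carol", "203.0.113.33", "2017-09-21 11:00:00"),
    ("dave",  "203.0.113.40", "2017-09-21 10:00:00"),  # three attempts from a single IP
    ("dave",  "203.0.113.40", "2017-09-21 10:40:00"),
    ("dave",  "203.0.113.40", "2017-09-21 11:20:00"),
]

def load_attempts(attempts):
    """In-memory stand-in for the addon's login log; the schema is hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_attempt (account TEXT, ip TEXT, attempted_at TEXT)")
    # The grouped query below is served by this index instead of a full table scan.
    conn.execute("CREATE INDEX login_attempt_account ON login_attempt (account, attempted_at)")
    conn.executemany("INSERT INTO login_attempt VALUES (?, ?, ?)", attempts)
    return conn

def accounts_hit_from_distinct_ips(conn, min_distinct_ips, window_hours, now):
    """Accounts tried from at least min_distinct_ips different IPs in the last
    window_hours, mapped to their sorted IP list. COUNT(DISTINCT ip) rather than
    COUNT(*) is what distinguishes this from an 'ANY IP' strike counter."""
    cutoff = (now - timedelta(hours=window_hours)).strftime("%Y-%m-%d %H:%M:%S")
    rows = conn.execute(
        "SELECT account, GROUP_CONCAT(DISTINCT ip) FROM login_attempt "
        "WHERE attempted_at >= ? GROUP BY account HAVING COUNT(DISTINCT ip) >= ?",
        (cutoff, min_distinct_ips),
    ).fetchall()
    # Flag for review rather than auto-banning: any single hit may still be legitimate.
    return {account: sorted(ips.split(",")) for account, ips in rows}

def run_example(min_distinct_ips=3, window_hours=2):
    conn = load_attempts(SAMPLE_ATTEMPTS)
    now = datetime(2017, 9, 21, 12, 0, 0)  # fixed "now" so the window is reproducible
    return accounts_hit_from_distinct_ips(conn, min_distinct_ips, window_hours, now)
```

With the defaults only `alice` is returned; `dave` is never returned however many times he retries from one address, which is the distinction between this watcher and the existing X-failed-logins counter.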
The functionality of DragonByte Security seems to be designed to protect against attackers accessing accounts of legitimate members. It does not seem to be designed to protect against malicious accounts registered by the attacker. i.e. the accessed accounts are malicious themselves.

Please add multiple account detection watchers to DBT security. I know there are other addons, but a combination of the detection methods already in DBT security as well as a few other methods would make it possible to deal with malicious accounts and ban attackers.

Also: please hotlink the user names in watcher logs so that we see which accounts exist and which do not. This also makes it easy to go to the account.
 
Where can I find the text that is sent out by email? I can't find it in phrases.
The phrases start with dbtech_security_security_alert, as far as I can tell.

On IP ban log, login strikes viewer, watcher log there is no filter for login strikes or type of login strikes.
I am not sure I understand. The login strikes table does not log what caused the strike, so displaying that in a log viewer would not be possible. The Watcher Log does allow you to filter by watcher.

Here it would be very valuable to display which accounts have been accessed under that IP banned address: /admin.php?dbtech-security/search&action=get-host&ip=xxx
That is already a feature. DB Security logs all IP addresses used to access each account, and there is already a specific search tool for finding IPs that have accessed multiple accounts.

Thanks. I hope that you will be able to implement @NixFifty tickets + XFPM. I think it will be a good enhancement to your support. The old vb site is always giving me login issues (I'm logged in but it's asking me for my login) and 'invalid redirect' errors.
I do really want us to move to XF2 in the future, and I am hoping I'll be able to use those tools in order to cut down on the amount of work I'll have to do to move :)

Also: please hotlink the user names in watcher logs so that we see which accounts exist and which do not. This also makes it easy to go to the account.
The reason why user names aren't hotlinked at the moment is the fact that these links would be vastly different between XF and vB. It's something I can look into improving in the framework in a future version, for now I am focused on having the products as-is ready for XF2.


Fillip
 
The Watcher Log does allow you to filter by watcher.
Yes, but there is no filter for login strikes.
What about the IP ban log?
That is already a feature. DB Security logs all IP addresses used to access each account, and there is already a specific search tool for finding IPs that have accessed multiple accounts.
To put this into perspective: I have 4.2 million users per month and many thousands of members per month. The tool you mention is not very useful because it lists a very large number of legit hosts like ATT which constantly reassigns IP addresses. Some IP addresses have 1000 hits. It does not whitelist valid hosts.

It would be useful to see which Banned IP Addresses have accessed accounts and which accounts these are. It's possible (stock XF feature) to search every IP address banned by DBT Security one by one to see if any of those have accessed account(s), but this is very tedious to do for hundreds of IPs.
Mind that I am not looking for just multiple accounts accessed from the banned IP but also a single account accessed from a banned IP needs to be known.
 
The Watcher Log does allow you to filter by watcher.
It's not possible to filter on mass login attempts. The tens of thousands of fingerprints in the watcher log are making it impossible to find anything. Yet, this is crucial to deal with attackers. I have mentioned this before. This feature does not work unless fingerprinting is off.
While this is not a technical bug, practically the feature is broken.
Could you please address this?
 
It's not possible to filter on mass login attempts. The tens of thousands of fingerprints in the watcher log are making it impossible to find anything.
I don't understand what you are reporting. I am looking through the Security Watchers, and I am not seeing anything related to fingerprinting there, nor am I seeing anything related to fingerprinting in the Watcher Log Viewer.

The Fingerprint feature has its own entirely separate log viewer.

Can you please post a screenshot of the Watcher Log Viewer that contains fingerprinting information?


Fillip
 
Yes, I can do so but maybe it is clearer when I explain the following: The table xf_dbtech_security_watcherlog includes the action failedmasslogon, failedmasslogonbogus, newfingerprint, etc.
When I go to: /admin.php?dbtech-security/watcherlog&action=view&orderby=date&direction=DESC&perpage=15&page=1883
In this log there are tens of thousands of entries related to fingerprints.
What I need is a filter to expose all entries relating to failed (mass) logons.

Do you still need a screenshot?
 
Yes, I can do so but maybe it is clearer when I explain the following: The table xf_dbtech_security_watcherlog includes the action failedmasslogon, failedmasslogonbogus, newfingerprint, etc.
When I go to: /admin.php?dbtech-security/watcherlog&action=view&orderby=date&direction=DESC&perpage=15&page=1883
In this log there are tens of thousands of entries related to fingerprints.
What I need is a filter to expose all entries relating to failed (mass) logons.
I've had another look at the code and it seems like certain watcher categories were being left out of the filtering drop-down in the past, as they never generated any watcher log entries. Since this has now changed, future versions will re-enable those filtering options, so you would be able to view any watcher category log entry or any single watcher category log entry.


Fillip
 
Almost every day of the week someone gets IP banned and opens a support ticket for it. Then we need to try to find out which IP was banned and why. This addon has several logs that need to be checked:
  • admin strikes log
  • login strikes log
  • IP ban log
  • compromised log
  • watcher log
  • IP log
In some we can search on username. Others we cannot. For example the IP ban log has no search and does not list users. So we first need to find out which IP was banned before we can use the IP ban log. I am currently trying to find it for a user that has 70 IP addresses and it seems the best is to just give up on it.

What I need to know is what IP address is banned for this user and why.
It would save us a lot of time if the user account had this information visible, i.e.:
/admin.php?users/username.385957/edit

For example in the user Change Log.
 
Almost every day of the week someone gets IP banned and opens a support ticket for it. Then we need to try to find out which IP was banned and why.
The reason why some pages do not have searchable usernames is because those areas are not user-specific. For instance, if a guest user triggers an IP Ban action, then there is no user name to search for.

I'm not saying there aren't ways of improving this in the future (once the existing portfolio is established on XF2), I'm merely explaining why it works the way it works right now :)


Fillip
 
I paid close to $300 for two BFO licenses and would have bought a lot more for corporate use. I find DBT security a very valuable, highly complex/configurable addon, but it's also lacking a lot of refinements and things that would make it more effective and cost less time and confusion for admins and end users. While I highly recommend this addon to other admins (for non-corporate use), I find it disappointing that there has been no feature release since February and not even maintenance releases.

It's great that you are working on XF2 releases, and that will be of much use when we upgrade our sites in 2019. I do hope that you will consider updating this product for XF1. Your last line seems to indicate this and I am hoping that I am understanding this correctly.
 
IP banning I think needs to be combined with type in order to work. You can't ban cellular-based IP addresses in the US. You will get false positives all over the board. For the same reason, you can't use a User Map addon that uses IP addresses for locations in the US. It doesn't work.
 