[DBTech] DragonByte Security

[DBTech] DragonByte Security [Paid] 4.0.1

  • File health is checked every 15 minutes via a cron job
  • Receive an email when core files are altered
  • Uses XenForo's file health check to check all core XenForo files
  • Shows a list of altered files in the email
Quick question: If an admin has modified a file and it appears on the File Health report as a Potential Problem, is there any way to approve it as being OK (i.e. using the presently-modified checksum value of the file), so you won't get repetitive reports telling you the file is not as distributed? In other words I'm wondering if you have altered any of your files, do you just have to leave this feature turned OFF?
 
Quick question: If an admin has modified a file and it appears on the File Health report as a Potential Problem, is there any way to approve it as being OK (i.e. using the presently-modified checksum value of the file), so you won't get repetitive reports telling you the file is not as distributed? In other words I'm wondering if you have altered any of your files, do you just have to leave this feature turned OFF?
It will not continuously email you. Once it has detected a file has been modified, it stores the list of files it detected as modified and will only alert you if any other files are modified.


Fillip
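
The alerting behaviour described in the reply above, as an added Python example that is not part of the thread and not the add-on's own code: files are compared against a manifest of expected SHA-256 hashes, and only changes not already reported produce an alert. The function names, the JSON state file and the sample files are assumptions; unlike a plain list of paths, the state here also records the hash seen, so a second change to an already-reported file alerts again.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan(root: Path, manifest: dict) -> dict:
    # Map each altered file to the hash observed now (None means missing).
    altered = {}
    for rel, expected in manifest.items():
        target = root / rel
        observed = sha256_of(target) if target.is_file() else None
        if observed != expected:
            altered[rel] = observed
    return altered


def check_once(root: Path, manifest: dict, state_file: Path) -> list:
    # One scheduled run: return only the paths that still need an alert.
    reported = json.loads(state_file.read_text()) if state_file.exists() else {}
    altered = scan(root, manifest)
    # Alert on a newly altered path, or one altered again since it was reported.
    fresh = sorted(p for p, h in altered.items() if reported.get(p, "unseen") != h)
    # Files restored to the distributed version drop out of the stored state.
    state_file.write_text(json.dumps(altered))
    return fresh


def demo() -> list:
    # Constructed sample tree standing in for core files; four check runs.
    names = ("index.php", "admin.php", "css.php")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        root.mkdir()
        for name in names:
            (root / name).write_text("<?php // original " + name)
        manifest = {n: sha256_of(root / n) for n in names}
        state = Path(tmp) / "reported.json"
        runs = [check_once(root, manifest, state)]       # clean tree
        (root / "index.php").write_text("<?php // admin's own edit")
        runs.append(check_once(root, manifest, state))   # first report
        runs.append(check_once(root, manifest, state))   # already reported
        (root / "admin.php").write_text("<?php // unexpected change")
        (root / "index.php").write_text("<?php // changed again")
        runs.append(check_once(root, manifest, state))   # both alert
        return runs
```
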
 
Code:
TypeError: Argument 1 passed to DBTech_Security_Model_Watcher::execLoginStrikes() must be of the type array, boolean given, called in /home/nginx/domains/mattwservices.co.uk/public/library/DBTech/Security/XenForo/ControllerPublic/Login.php on line 28 - library/DBTech/Security/Model/Watcher.php:904
Generated By: Unknown Account, 3 minutes ago
Stack Trace
#0 /home/nginx/domains/mattwservices.co.uk/public/library/DBTech/Security/XenForo/ControllerPublic/Login.php(28): DBTech_Security_Model_Watcher->execLoginStrikes(false, 'sunkunucnh@sogo...')
#1 /home/nginx/domains/mattwservices.co.uk/public/library/XenForo/FrontController.php(351): DBTech_Security_XenForo_ControllerPublic_Login->actionLogin()
#2 /home/nginx/domains/mattwservices.co.uk/public/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#3 /home/nginx/domains/mattwservices.co.uk/public/index.php(13): XenForo_FrontController->run()
#4 {main}
Request State
array(3) {
  ["url"] => string(39) "https://mattwservices.co.uk/login/login"
  ["_GET"] => array(1) {
    ["/login/login"] => string(0) ""
  }
  ["_POST"] => array(7) {
    ["login"] => string(20) "sunkunucnh@sogou.com"
    ["register"] => string(1) "0"
    ["password"] => string(8) "********"
    ["remember"] => string(1) "1"
    ["cookie_check"] => string(1) "1"
    ["redirect"] => string(1) "/"
    ["_xfToken"] => string(8) "********"
  }
}
Getting a lot of these errors since updating to 3.0.0b4
 
If you were to venture a guess, any idea as to when this might come out of Beta?
If all goes as planned, this upcoming Monday :)

I'm currently working on updates to the core framework and I plan to have a bit of a test-a-thon during the weekend, which will hopefully iron out the rest of the bugs :)


Fillip
 
DragonByte Tech updated DragonByte Security with a new update entry:

3.0.0 Gold

Bug Fixes:
  • Fixed a couple of cases where an "Invalid class" error could be displayed
  • Attempting to log in with an incorrect username / email will no longer cause a server error
  • Resolved multiple issues with the "Compromised Account Alert" feature
  • Resolved an issue where using the "Admin Unlock" action would generate an email to administrators with incorrect language

Read the rest of this update entry...
 
Two quick questions:
1) Can this add-on be disabled by any Admin -or- only a Super Admin?
2) Is this add-on compatible with Template Security add-on?

I ask because from what I've read it seems the TS add-on prevents Restricted Template Modifications, whereas the DB Security add-on just reports changes.
 
1) Can this add-on be disabled by any Admin -or- only a Super Admin?
I've not made any changes to the mechanic someone would use to disable a mod's event listeners, so if you gave an administrator the permission to manage add-ons then they would also be able to disable this mod.

I'm extremely uneasy with the notion of making this mod only un-installable and disable-able by Super Administrators. Considering the debacle with a certain other mod developer whose name is censored here and shall not be mentioned, the very last thing I want is for this mod (or my company) to be mentioned anywhere close to the same breath as their shady practice of preventing full uninstall.

To be clear; I agree that it would be a good security feature, but I'm not sure if it would be user-friendly enough to warrant putting it in. Our Managing Director has the final say on that though, so you may very well see it included after all :)

2) Is this add-on compatible with Template Security add-on?

I ask because from what I've read it seems the TS add-on prevents Restricted Template Modifications, whereas the DB Security add-on just reports changes.
I see no reason why they wouldn't be compatible. My mod extends the save action and lets other mods go first (execution order notwithstanding) so assuming we both extend the same save action and the TS mod has execution order of 1, then it should in theory present the error message before my mod runs.

However, if that ends up not being the case, the worst thing that happens is that you as the webmaster will receive an email about a template modification that did not actually save in the database. You could argue that's a feature, not a problem, since you can see if a dangerous template edit was attempted :P


Fillip
 
First of all, Thanxx for your detailed reply. I'm still fairly new at XF and thus kinda learning the ropes.

...so if you gave an administrator the permission to manage add-ons then they would also be able to disable this mod.
Just this statement alone taught me something. (y) The fact there was a separate permission for Add-ons within each User Group Permissions set…

and sure enough, mine was set to Allow for the Administrative group. So after I peeked at the Edit Users/Administrators menu and noticed it was set there for Super Admins, I revised the Addons Permission above to Not Set (No). ;)

However, if that ends up not being the case, the worst thing that happens is that you as the webmaster will receive an email about a template modification that did not actually save in the database.
Excellent!
 
DragonByte Tech updated [DBTech] DragonByte Security with a new update entry:

3.0.1

New Features:

Email Recovery
  • Users who have forgotten or lost access to their email accounts can recover access to their account and change their email address via a page similar to "Lost Password"
  • Requires you to fill out an email address to receive these reports in the Options for this mod (receives separate emails for successful and unsuccessful email recovery attempts)
  • Adds itself next to every "Lost Password" link
  • Configurable scoring criteria...

Read the rest of this update entry...
 
When XF2 is released are you going to update this add-on to XF2 or release a new add-on for XF2?
If I buy a lifetime licence now and next month they release XF2 and this is not updated / I have to buy another add-on, lifetime licence that wouldn't be fun.
I assume you update this add-on to XF2? Just want to be sure I spend my money wisely. ;)
 
Email Recovery
  • Users who have forgotten or lost access to their email accounts can recover access to their account and change their email address via a page similar to "Lost Password"
Just a quick question, if someone has been away from a forum so long that their email has changed, how many of those users are going to be able to answer: "Last Non-Administrator You Private Messaged:_____"

Not that I have any better idea, but it would surprise me if someone did remember this.

On a sidenote, I too purchased the Lifetime Option for this add-on and finally got around to installing it tonight. Most impressive! (y)
 
When XF2 is released are you going to update this add-on to XF2 or release a new add-on for XF2?
If I buy a lifetime licence now and next month they release XF2 and this is not updated / I have to buy another add-on, lifetime licence that wouldn't be fun.
I assume you update this add-on to XF2? Just want to be sure I spend my money wisely. ;)
The short, honest answer is; I have no idea yet.

Before I elaborate, I should point out that if XenForo 2 ends up requiring massive sweeping changes, there would be an upgrade path that would cost a fraction of a full license (I believe our vB3/vB4 -> vB5 upgrades are 25% of the cost of a new license, but don't quote me on that).

The longer and more complex answer is that this mod (and in fact, all our XenForo mods except for Avatars and Signatures) is written using a custom middleware I've developed that will assist me not only porting from our vBulletin versions, but also run on multiple platforms simultaneously. In theory, this will mean that there will be minimal amount of work required to port this mod to XF2.
If this theory turns out to be correct, and all I have to do is update the middleware to add a separate conditional check for XF2, then it's certainly possible that we will be in a situation similar to our vBulletin versions, where vB3 and vB4 are interchangeable with identical PHP code. The only difference between the products are different product XML files, both XML versions included with every product.

I can only apologise that I can't give you a categorical "yes it will be free" or "no you will need to pay X amount to upgrade" :(
When I get my hands on XenForo 2 developer's beta code, I'll have a much clearer idea of what exactly is needed to update our mods.

The only thing I can say for 100% certain is that we plan to hit the ground running when it comes to XenForo 2 :)

Just a quick question, if someone has been away from a forum so long that their email has changed, how many of those users are going to be able to answer: "Last Non-Administrator You Private Messaged:_____"

Not that I have any better idea, but it would surprise me if someone did remember this.
It's just one of 10 criteria, although it is one of the only "positive scoring" ones. It's fully possible to set it up in such a way that failing to remember this will not block the automated email change :)

On a sidenote, I too purchased the Lifetime Option for this add-on and finally got around to installing it tonight. Most impressive! (y)
Thank you for the kind words, much appreciated :D


Fillip
 
Where can I read more about how to do this? Also, good to know it's just one-of-ten possible challenges.
On the Manage Criteria page, you can enable/disable each individual criteria as well as update the scores they give when they are triggered.

In the Options for this mod, you can click the Email Recovery tab and set the score threshold.

So what you'd do is adjust the scores and/or the thresholds so that those who fail the criteria you hold really important get their request sent to the support email :)


Fillip
 
Sorry-so-stupid, but where is this page you are referring to? I've looked all through the AdminCP and can't turn up anything about it. :confused:
There should be a "Manage Criteria" link in the admincp menu, is there not?

I'll double-check locally to see if it accidentally got added to the wrong product.


Fillip
 