[DBTech] DragonByte Security

[DBTech] DragonByte Security [Paid] 4.6.8

Does your add-on offer a country-lock feature? As in, allowing the user to lock their account access to a specific region. This is a pretty light but effective security measure as the vast majority of account hijacks are done via VPNs, and it's much harder to find and then spoof their location to the actual user's. I see it offers country-blocking, which is a useful feature but much different and isn't designed for the same purpose.

Also, any estimates on the Session Management feature-set? These two questions are the only things holding me back from buying.
 
Does your add-on offer a country-lock feature? As in, allowing the user to lock their account access to a specific region. This is a pretty light but effective security measure as the vast majority of account hijacks are done via VPNs, and it's much harder to find and then spoof their location to the actual user's. I see it offers country-blocking, which is a useful feature but much different and isn't designed for the same purpose.
Country blocking works on an IP address level, and works by adding the filtered countries' IP address ranges to XF's IP ban list. There's no VPN detection, but if they do use VPNs hosted in a blocked country that VPN will still be blocked.

There's also Tor exit node blocking if you so desire.

Also, any estimates on the Session Management feature-set? These two questions are the only things holding me back from buying.
Not yet, I've been busy with the new eCommerce mod for the past 3 months. I need to finish up the tools needed for DBTech to move to XF2, then actually complete the move, before I can go back to work on things like that feature.

Because things always change in terms of when we receive contract work and such, I do not provide ETAs for anything, ever :P


Fillip
 
Because things always change in terms of when we receive contract work and such, I do not provide ETAs for anything, ever :p
That's understandable. Just to clarify my first question, country-locking is not the same as country-blocking. Country-blocking would be blocking account access from a specific region. Country-locking would block all access to the account unless it's from a specific region. For example, if I was a user and I set a country-lock to France, I would only be able to log into my account from within France. This is not an uncommon feature, and very useful for the reasons I mentioned in my previous reply. I don't see this listed anywhere after a deeper search, but would heavily recommend it as a feature suggestion given your prioritization for security.
 
Just to clarify my first question, country-locking is not the same as country-blocking. Country-blocking would be blocking account access from a specific region.
Ah I see, my bad sorry!

To be honest though, I see this feature as having limited use due to the two-factor authentication feature in XF, doubly so when considering this mod has the option of extending the device trust from 30 days to indefinite (thus eliminating the "it's inconvenient to fill out this code every 30 days" aspect). The only way I can conceivably see country lock being useful is if the person uses email authentication and the email account has also been breached.

If the person has not configured 2FA, then chances are they would also not bother configuring a country lock system, as 2FA is infinitely more secure than country locks. Furthermore, it doesn't prevent an attacker from spoofing an IP address to belong to that region via VPNs or other means.

This is not an uncommon feature, and very useful for the reasons I mentioned in my previous reply.
Personally, I have never seen this feature on any website I have visited, ever. I do know that certain sites like Gmail will block a login attempt if you use no 2FA and your account is logged in to from a region you've never logged in from before, but I have never seen this user-configurable.

If you disagree with any of these points I am very much open to having my mind changed, please don't take this as me saying "this is why it'll never happen" :)


Fillip
 
I do know that certain sites like Gmail will block a login attempt if you use no 2FA and your account is logged in to from a region you've never logged in from before, but I have never seen this user-configurable.
Thanks for the quick and friendly responses, and the misconception is completely understandable. I don’t believe this country-lock feature has been created for XenForo, but it exists in add-ons for other forum software such as the single largest MyBB forum (not referenced for obvious reasons).

With that said, what you mentioned here caught my attention as an evolved version of what I mentioned. Personally I disagree with your 2FA point: I would argue that the majority of users won’t use 2FA, as while it offers the best security options, it is also very tedious when compared to typing in a password. I believe only very active users who care about their security will enter their phone number and spend time with this, and that your add-on can strive in protecting the non-2FA users as a default. If that makes sense.

That aside, your mention of the gmail-style watcher seems like a better idea than a region-lock. This wouldn’t require the users to opt-in or configure anything, which means it will help those users who don’t care as much about security. It would prevent users from getting locked out of their own accounts by the lock, and incoincidentally notify them that they are facing a security issue. The feature you mentioned here is also far more common, and likely desirable to other potential customers.

Again, thanks for your great attitude and open mind towards feedback. I purchased two of your add-ons (three month license) over a year ago and barely got a chance to use them, but what I did experience was pure quality. I’ll likely need to purchase them again since I’ve switched to XF2 and they expired, but I may pick up this and one other thing on the way out. :) Have a fantastic rest of your day regardless.
 
Personally I disagree with your 2FA point: I would argue that the majority of users won’t use 2FA, as while it offers the best security options, it is also very tedious when compared to typing in a password. I believe only very active users who care about their security will enter their phone number and spend time with this, and that your add-on can strive in protecting the non-2FA users as a default. If that makes sense.
Sort of, but I don't know of any 2FA method in XF that requires entering your phone number. I do know Twilio is a thing, but I don't know if any 3rd party add-ons on XF have integrated with it and it's probably not as popular because you have to pay monthly and per SMS your forum sends out as a result.

By default, XF1 and XF2 only support Google Authenticator (scan a QR code with your phone, or copy the secret key into a password manager like 1Password which can generate the OTP) and email verification.

Email verification doesn't require any input other than copying the code from your email address :)

I don't have any data on 2FA vs non-2FA users so I can't argue for or against the commonality of using that feature, but I sure do wish the usage was 100% :P

That aside, your mention of the gmail-style watcher seems like a better idea than a region-lock. This wouldn’t require the users to opt-in or configure anything, which means it will help those users who don’t care as much about security. It would prevent users from getting locked out of their own accounts by the lock, and incoincidentally notify them that they are facing a security issue. The feature you mentioned here is also far more common, and likely desirable to other potential customers.
Agreed :)

Feel free to remind me of this again after DBTech has been moved to XF2, I won't be able to dedicate the time or resources to developing this feature until we're all set up with a better system ON a better system.

(Currently writing the importer from our vBulletin eCommerce system, working with 7 year data structures that slowly evolved over time is so much fun... :P)

I’ll likely need to purchase them again since I’ve switched to XF2 and they expired, but I may pick up this and one other thing on the way out. :)
Nope, all you have to do is renew and the XF2 version is included :D

Currently, when you download the latest Beta versions, you get the XF1 and XF2 versions bundled in one big folder, but once DBTech is set up on XF2 with the new eCommerce tool, you will be able to choose which version to download.


Fillip
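
The three mechanisms discussed in the posts above (site-wide country block, per-account country lock, and a Gmail-style new-region watcher) differ in who configures them and what happens on a mismatch. The sketch below is an added example, not part of any post and not DragonByte Security or XenForo code; the function name, array keys and the 'XX' country code are hypothetical, and the country is assumed to come from a GeoIP lookup done elsewhere.

```php
<?php
declare(strict_types=1);

// Added illustration only: not DragonByte Security or XenForo code.
// $country is an ISO code from a GeoIP lookup done elsewhere (null = lookup failed).

const ALLOW = 'allow';
const DENY = 'deny';
const CHALLENGE = 'challenge'; // e.g. e-mail confirmation plus a notice to the owner

function evaluateLogin(?string $country, array $blocked, array $user): string
{
    // Country block: one site-wide deny list, identical for every account.
    if ($country !== null && in_array($country, $blocked, true)) {
        return DENY;
    }
    // Country lock: per-account allow list of one; an unknown location fails closed.
    if ($user['lock'] !== null) {
        return $country === $user['lock'] ? ALLOW : DENY;
    }
    // Watcher: no opt-in. With 2FA the second factor already gates the login.
    if ($user['has2fa'] || $user['seen'] === []) {
        return ALLOW; // an empty history means this login sets the baseline
    }
    // A region never seen for this account is challenged rather than refused,
    // so the owner is notified without being locked out.
    return ($country !== null && in_array($country, $user['seen'], true)) ? ALLOW : CHALLENGE;
}

// Constructed sample data.
$blocked = ['XX'];
$locked  = ['lock' => 'FR', 'seen' => ['FR'], 'has2fa' => false];
$watched = ['lock' => null, 'seen' => ['FR', 'BE'], 'has2fa' => false];
$with2fa = ['lock' => null, 'seen' => ['FR'], 'has2fa' => true];

$cases = [
    ['blocked country, any account', 'XX', $watched],
    ['locked to FR, login from FR',  'FR', $locked],
    ['locked to FR, login from DE',  'DE', $locked],
    ['watcher, known region',        'BE', $watched],
    ['watcher, new region',          'DE', $watched],
    ['watcher, new region, 2FA on',  'DE', $with2fa],
];
foreach ($cases as [$label, $country, $user]) {
    printf("%-30s %s\n", $label, evaluateLogin($country, $blocked, $user));
}
```

All three checks depend on IP geolocation, so a connection that exits through a VPN in the expected country passes each of them, which is the limitation raised earlier in the thread.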
 
@DragonByte Tech Password requirements are not showing in Register, e.g. Minimum Password Length or any other requirements.


Example this :


unbenannt-2-jpg.114142
 
Have you tried this on a default (unmodified) skin? Also try disabling all other modifications.


Fillip

Same issue. We enabled Unregistered / Unconfirmed for new registrations, but it is not showing in Register. Also getting a lot of server error logs.

Code:
TypeError: Argument 1 passed to DBTech\Security\Model\Watcher::execBreachCheck() must be of the type array, object given, called in /home/nadda/public_html/src/addons/DBTech/Security/XF/Service/User/Login.php on line 53 src/addons/DBTech/Security/Model/Watcher.php:1174

Generated by: Unknown account Mar 3, 2018 at 10:36 AM

Stack trace

#0 src/addons/DBTech/Security/XF/Service/User/Login.php(53): DBTech\Security\Model\Watcher->execBreachCheck(Object(DBTech\Shop\XF\Entity\User))
#1 src/XF/Service/User/Login.php(124): DBTech\Security\XF\Service\User\Login->recordFailedAttempt()
#2 src/XF/Pub/Controller/Login.php(79): XF\Service\User\Login->validate('nirjonmela2018', NULL)
#3 src/XF/Mvc/Dispatcher.php(249): XF\Pub\Controller\Login->actionLogin(Object(XF\Mvc\ParameterBag))
#4 src/XF/Mvc/Dispatcher.php(88): XF\Mvc\Dispatcher->dispatchClass('XF:Login', 'Login', 'html', Object(XF\Mvc\ParameterBag), '', Object(XF\Pub\Controller\Login), NULL)
#5 src/XF/Mvc/Dispatcher.php(41): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch))
#6 src/XF/App.php(1889): XF\Mvc\Dispatcher->run()
#7 src/XF.php(328): XF\App->run()
#8 index.php(13): XF::runApp('XF\\Pub\\App')
#9 {main}

Request state

array(4) {
  ["url"] => string(12) "/login/login"
  ["referrer"] => string(23) "/"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(4) {
    ["login"] => string(10) "nirjonmela"
    ["password"] => string(8) "********"
    ["remember"] => string(1) "1"
    ["_xfToken"] => string(8) "********"
  }
}
 
I've applied a hot fix to Beta 4 that should resolve this.


Fillip

Not fixed.

Code:
TypeError: Argument 1 passed to DBTech\Security\Model\Watcher::execBreachCheck() must be of the type array, object given, called in /home/nadda/public_html/src/addons/DBTech/Security/XF/Service/User/Login.php on line 53 src/addons/DBTech/Security/Model/Watcher.php:1174

Generated by: Unknown account Mar 4, 2018 at 5:18 PM

Stack trace

#0 src/addons/DBTech/Security/XF/Service/User/Login.php(53): DBTech\Security\Model\Watcher->execBreachCheck(Object(Datio\AllowedEmails\XF\Entity\User))
#1 src/XF/Service/User/Login.php(124): DBTech\Security\XF\Service\User\Login->recordFailedAttempt()
#2 src/XF/Pub/Controller/Login.php(79): XF\Service\User\Login->validate('kinglara#500', NULL)
#3 src/XF/Mvc/Dispatcher.php(249): XF\Pub\Controller\Login->actionLogin(Object(XF\Mvc\ParameterBag))
#4 src/XF/Mvc/Dispatcher.php(88): XF\Mvc\Dispatcher->dispatchClass('XF:Login', 'Login', 'html', Object(XF\Mvc\ParameterBag), '', Object(XF\Pub\Controller\Login), NULL)
#5 src/XF/Mvc/Dispatcher.php(41): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch))
#6 src/XF/App.php(1889): XF\Mvc\Dispatcher->run()
#7 src/XF.php(328): XF\App->run()
#8 index.php(13): XF::runApp('XF\\Pub\\App')
#9 {main}

Request state

array(4) {
  ["url"] => string(12) "/login/login"
  ["referrer"] => string(23) "/"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(3) {
    ["login"] => string(6) "mofijj"
    ["password"] => string(8) "********"
    ["_xfToken"] => string(8) "********"
  }
}

 
Server issue with the code deployment, has been taken care of now and the files should have updated correctly.


Fillip

Sorry, now getting one more server error log.

Code:
ErrorException: [E_NOTICE] Undefined index: userid src/addons/DBTech/Security/XF/Service/User/Login.php:53

Generated by: Unknown account Mar 4, 2018 at 7:11 PM

Stack trace

#0 src/addons/DBTech/Security/XF/Service/User/Login.php(53): XF::handlePhpError(8, '[E_NOTICE] Unde...', '/home/nadda/pub...', 53, Array)
#1 src/XF/Service/User/Login.php(124): DBTech\Security\XF\Service\User\Login->recordFailedAttempt()
#2 src/XF/Pub/Controller/Login.php(79): XF\Service\User\Login->validate('02021984', NULL)
#3 src/XF/Mvc/Dispatcher.php(249): XF\Pub\Controller\Login->actionLogin(Object(XF\Mvc\ParameterBag))
#4 src/XF/Mvc/Dispatcher.php(88): XF\Mvc\Dispatcher->dispatchClass('XF:Login', 'Login', 'html', Object(XF\Mvc\ParameterBag), '', Object(XF\Pub\Controller\Login), NULL)
#5 src/XF/Mvc/Dispatcher.php(41): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch))
#6 src/XF/App.php(1889): XF\Mvc\Dispatcher->run()
#7 src/XF.php(328): XF\App->run()
#8 index.php(13): XF::runApp('XF\\Pub\\App')
#9 {main}

Request state

array(4) {
  ["url"] => string(12) "/login/login"
  ["referrer"] => string(23) "/"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(3) {
    ["login"] => string(4) "Amio"
    ["password"] => string(8) "********"
    ["_xfToken"] => string(8) "********"
  }
}
 
@DragonByte Tech Getting server error logs.

Code:
ErrorException: [E_NOTICE] Undefined index: dbtech_security_is_user_locked src/addons/DBTech/Security/Action/Lock.php:202

Generated by: Porichito59 Mar 16, 2018 at 5:29 AM

Stack trace

#0 src/addons/DBTech/Security/Action/Lock.php(202): XF::handlePhpError(8, '[E_NOTICE] Unde...', '/home/nadda/pub...', 202, Array)
#1 src/addons/DBTech/Security/Action/Lock.php(31): DBTech\Security\Action\Lock->_assertIsLocked()
#2 src/addons/DBTech/Security/ActionAbstract.php(87): DBTech\Security\Action\Lock->_preDispatch('Unlock')
#3 src/addons/DBTech/Security/Application/Core.php(172): DBTech\Security\ActionAbstract->preDispatch('Unlock', 'DBTech\\Security...')
#4 src/addons/DBTech/Security/Pub/Controller/Route.php(36): DBTech\Security\Application\Core->runAction('DBTech\\Security...')
#5 src/XF/Mvc/Dispatcher.php(249): DBTech\Security\Pub\Controller\Route->actionIndex(Object(XF\Mvc\ParameterBag))
#6 src/XF/Mvc/Dispatcher.php(88): XF\Mvc\Dispatcher->dispatchClass('DBTech\\Security...', 'Index', 'html', Object(XF\Mvc\ParameterBag), 'forums', Object(DBTech\Security\Pub\Controller\Route), NULL)
#7 src/XF/Mvc/Dispatcher.php(41): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch))
#8 src/XF/App.php(1891): XF\Mvc\Dispatcher->run()
#9 src/XF.php(328): XF\App->run()
#10 index.php(13): XF::runApp('XF\\Pub\\App')
#11 {main}

Request state

array(4) {
  ["url"] => string(73) "/dbtech-security/lock?action=unlock&hash=3e84c5591ff2fc498bb803ae828abe83"
  ["referrer"] => string(95) "/dbtech-security/lock?action=unlock&hash=3e84c5591ff2fc498bb803ae828abe83"
  ["_GET"] => array(2) {
    ["action"] => string(6) "unlock"
    ["hash"] => string(32) "3e84c5591ff2fc498bb803ae828abe83"
  }
  ["_POST"] => array(0) {
  }
}

Code:
ErrorException: [E_NOTICE] Undefined index: dbtech_security_is_admin_locked src/addons/DBTech/Security/Action/Lock.php:203

Generated by: Porichito59 Mar 16, 2018 at 5:29 AM

Stack trace

#0 src/addons/DBTech/Security/Action/Lock.php(203): XF::handlePhpError(8, '[E_NOTICE] Unde...', '/home/nadda/pub...', 203, Array)
#1 src/addons/DBTech/Security/Action/Lock.php(31): DBTech\Security\Action\Lock->_assertIsLocked()
#2 src/addons/DBTech/Security/ActionAbstract.php(87): DBTech\Security\Action\Lock->_preDispatch('Unlock')
#3 src/addons/DBTech/Security/Application/Core.php(172): DBTech\Security\ActionAbstract->preDispatch('Unlock', 'DBTech\\Security...')
#4 src/addons/DBTech/Security/Pub/Controller/Route.php(36): DBTech\Security\Application\Core->runAction('DBTech\\Security...')
#5 src/XF/Mvc/Dispatcher.php(249): DBTech\Security\Pub\Controller\Route->actionIndex(Object(XF\Mvc\ParameterBag))
#6 src/XF/Mvc/Dispatcher.php(88): XF\Mvc\Dispatcher->dispatchClass('DBTech\\Security...', 'Index', 'html', Object(XF\Mvc\ParameterBag), 'forums', Object(DBTech\Security\Pub\Controller\Route), NULL)
#7 src/XF/Mvc/Dispatcher.php(41): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch))
#8 src/XF/App.php(1891): XF\Mvc\Dispatcher->run()
#9 src/XF.php(328): XF\App->run()
#10 index.php(13): XF::runApp('XF\\Pub\\App')
#11 {main}

Request state

array(4) {
  ["url"] => string(73) "/dbtech-security/lock?action=unlock&hash=3e84c5591ff2fc498bb803ae828abe83"
  ["referrer"] => string(95) "/dbtech-security/lock?action=unlock&hash=3e84c5591ff2fc498bb803ae828abe83"
  ["_GET"] => array(2) {
    ["action"] => string(6) "unlock"
    ["hash"] => string(32) "3e84c5591ff2fc498bb803ae828abe83"
  }
  ["_POST"] => array(0) {
  }
}
 