[DBTech] DragonByte Security

[DBTech] DragonByte Security [Paid] 4.7.0

Is there a way to remove this from the list of two-step verification providers? I cannot find an option to turn it off. (I use another addon which adds a "Passkeys" entry in the list which we are using.)


If I have to go into developer mode, or create a template modification to remove it, either way would be acceptable.
You may be able to get this done by disabling the TFA provider in the xf_tfa_provider table. Something like UPDATE xf_tfa_provider SET active = 0 WHERE provider_id = 'dbtech_security_authn'.

That being said, Passkeys is not the same as a hardware security key. It's a pure-software implementation of physical security keys, so users who prefer physical security keys would - to my knowledge - not be satisfied with only Passkeys.
 
DragonByte Tech updated [DBTech] DragonByte Security with a new update entry:

4.6.5

Update highlights

This version changes some internal functions to no longer rely on deprecated XenForo functions, and fixes a server error that could occur with certain maliciously crafted URLs.


Complete Change Log

Change: Change UTF-8 related functions
Fix: Certain URLs could cause a server error in dispatcherPostRender

 
DragonByte Tech updated [DBTech] DragonByte Security with a new update entry:

4.6.6

Update highlights

This version fixes an issue where a server setup using replication could experience performance degradation on a guest's first visit.

Furthermore, an issue where the BadBehavior integration could cause a server error has been addressed.


Complete Change Log

Change: Improve compatibility with databases set up for replication
Fix: Fix "Constant BB2_CORE already defined" error in the Bad Behavior logs

 
@DragonByte Tech Getting a lot of server error logs:

Code:
Assert\InvalidArgumentException: Invalid data src/addons/DBTech/Security/vendor/beberlei/assert/lib/Assert/Assertion.php:2723

Generated by: Unknown account Aug 21, 2023 at 10:52 PM

Stack trace

#0 src/addons/DBTech/Security/vendor/beberlei/assert/lib/Assert/Assertion.php(319): Assert\Assertion::createException(0, 'Invalid data', 33, NULL, Array)
#1 src/addons/DBTech/Security/vendor/web-auth/webauthn-lib/src/PublicKeyCredentialLoader.php(78): Assert\Assertion::eq(0, 4, 'Invalid data')
#2 src/addons/DBTech/Security/vendor/web-auth/webauthn-lib/src/Server.php(221): Webauthn\PublicKeyCredentialLoader->load('')
#3 src/addons/DBTech/Security/Tfa/WebAuthn.php(264): Webauthn\Server->loadAndCheckAssertionResponse('', Object(Webauthn\PublicKeyCredentialRequestOptions), Object(Webauthn\PublicKeyCredentialUserEntity), Object(Nyholm\Psr7\ServerRequest))
#4 src/XF/Service/User/Tfa.php(129): DBTech\Security\Tfa\WebAuthn->verify('login', Object(OzzModz\EmailWhitelist\XF\Entity\User), Array, Object(XF\Http\Request))
#5 src/XF/ControllerPlugin/Login.php(123): XF\Service\User\Tfa->verify(Object(XF\Http\Request), 'dbtech_security...')
#6 src/XF/Pub/Controller/Login.php(148): XF\ControllerPlugin\Login->runTfaCheck('https://nirjonm...')
#7 src/XF/Mvc/Dispatcher.php(352): XF\Pub\Controller\Login->actionTwoStep(Object(XF\Mvc\ParameterBag))
#8 src/XF/Mvc/Dispatcher.php(258): XF\Mvc\Dispatcher->dispatchClass('XF:Login', 'TwoStep', Object(XF\Mvc\RouteMatch), Object(xenMade\LAU\XF\Pub\Controller\Login), NULL)
#9 src/XF/Mvc/Dispatcher.php(115): XF\Mvc\Dispatcher->dispatchFromMatch(Object(XF\Mvc\RouteMatch), Object(xenMade\LAU\XF\Pub\Controller\Login), NULL)
#10 src/XF/Mvc/Dispatcher.php(57): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch))
#11 src/XF/App.php(2487): XF\Mvc\Dispatcher->run()
#12 src/XF.php(524): XF\App->run()
#13 index.php(20): XF::runApp('XF\\Pub\\App')
#14 {main}

Request state

array(4) {
  ["url"] => string(15) "/login/two-step"
  ["referrer"] => string(92) "/two-step?_xfRedirect=https%3A%2F%2Fmysite.com%2F&remember=1"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(11) {
    ["_xfToken"] => string(8) "********"
    ["publicKeyCredential"] => string(0) ""
    ["trust"] => string(1) "1"
    ["trust_permanent"] => string(1) "1"
    ["confirm"] => string(1) "1"
    ["provider"] => string(21) "dbtech_security_authn"
    ["remember"] => string(1) "1"
    ["_xfRedirect"] => string(23) "/"
    ["_xfRequestUri"] => string(70) "/login/two-step?_xfRedirect=https%3A%2F%2Fmysite.com%2F&remember=1"
    ["_xfWithData"] => string(1) "1"
    ["_xfResponseType"] => string(4) "json"
  }
}
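The trace above shows an empty publicKeyCredential value passing straight into Webauthn\Server::loadAndCheckAssertionResponse(), where web-auth/webauthn-lib's assertion throws and XenForo records it as a server error. As an added example (not the add-on's code and not from this thread), a verify step can reject a malformed or empty assertion before the library sees it; preflightAssertion, base64urlDecode and the $expectedChallenge parameter are hypothetical names.

```php
<?php
// Added example: sanity-check the posted WebAuthn assertion before handing it to
// web-auth/webauthn-lib. Function names and the return shape are hypothetical.

function base64urlDecode(string $s): string
{
    // WebAuthn uses base64url without padding; PHP's decoder tolerates the missing '='.
    return (string) base64_decode(strtr($s, '-_', '+/'), false);
}

// Returns null when the credential looks well-formed, otherwise a user-facing reason.
function preflightAssertion(string $raw, string $expectedChallenge): ?string
{
    // The empty string is exactly the input seen in the stack trace above.
    if ($raw === '') {
        return 'No credential was submitted by the browser.';
    }
    $cred = json_decode($raw, true);
    if (!is_array($cred)) {
        return 'Credential is not valid JSON.';
    }
    // A PublicKeyCredential from navigator.credentials.get() carries these members.
    foreach (['id', 'rawId', 'type', 'response'] as $key) {
        if (!isset($cred[$key])) {
            return "Credential is missing '$key'.";
        }
    }
    if ($cred['type'] !== 'public-key') {
        return 'Unexpected credential type.';
    }
    foreach (['clientDataJSON', 'authenticatorData', 'signature'] as $key) {
        if (!isset($cred['response'][$key]) || !is_string($cred['response'][$key])) {
            return "Assertion response is missing '$key'.";
        }
    }
    // clientDataJSON must decode and must describe a get (login) ceremony, not a create.
    $clientData = json_decode(base64urlDecode($cred['response']['clientDataJSON']), true);
    if (!is_array($clientData) || ($clientData['type'] ?? null) !== 'webauthn.get') {
        return 'clientDataJSON does not describe a webauthn.get ceremony.';
    }
    // The challenge must match the one stored server-side for this login attempt.
    if (!hash_equals($expectedChallenge, base64urlDecode($clientData['challenge'] ?? ''))) {
        return 'Challenge mismatch.';
    }
    return null; // structurally sound; the library still does the full signature check
}
```

A non-null return should become a normal "verification failed" response and an entry in the two-step log rather than an exception, and only a null return should reach loadAndCheckAssertionResponse().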
 
Anyone have this problem where it just redirects over and over again when you use the User Lock feature of this plugin?


It's impossible to unlock the account by resetting the password because it just redirects them over and over again until they leave.

Seems this feature was added to XenForo core, and using that is the better way to go.
 
The feature I'm most interested in is in the Mass Password Reset section -- "Can be limited to only reset passwords for users who have been inactive for X days" -- but I'm not finding that in the settings. I'm seeing that I can force someone to reset if they've visited within a specific calendar span, but wouldn't that mean that I would need to reset it every day?

That is, if they're coming to the site regularly, then they're going to notice if somebody has tried to overtake their account, whereas the two breaches we've recently seen have come from accounts that hadn't visited the site for the past couple of years. Those are the ones I want to force a reset the next time they try to log in.

Also, where do I edit the message that people see when they're required to reset their passwords?

Thanks for any help anyone can suggest! I looked all over the DB website and all through the readme, and I'm just not getting it.
 
Mass Password Reset is meant to be run manually; you would just set the range of time you would want them to reset their password within.

For password expiration (eg password is older than 90 days) you would set that in usergroup permissions (Look for expiry).
 
For password expiration (eg password is older than 90 days) you would set that in usergroup permissions (Look for expiry).

I'm confused, though. That makes it sound like the password will expire in 90 or 365 days or whatever I put in that box.

The issue for me, though, isn't the age of the password itself. It's the time since the password has been used. If they're logging in every day, I don't want to force them to change their password EVER, but if they haven't logged in for six months or a year, then I definitely DO want to force them to reset their password.

Or are you saying that that's what that language means? :-)

Related, can I force everyone who hasn't logged in since X (probably Jan 1, 2023) to reset?

Thanks so much for your help!
 
You could possibly achieve what you're wanting to do with group promotions; if someone has not been active in x days (90 for example) they will be moved to inactive users. You can then apply a password expiry to that user group and it would force them to change password upon logging in.

You can force people to change their password with the Force Password Change tool.

Changing the password is not going to change anything if the current password has been compromised unless a temporary password is being sent to their email. If you want accounts to be secure, force 2FA (even just email).
 
You could possibly achieve what you're wanting to do with group promotions; if someone has not been active in x days (90 for example) they will be moved to inactive users. You can then apply a password expiry to that user group and it would force them to change password upon logging in.

Now we're getting into some aspects of basic XF management that are over my head, so I'll do some homework after I ask one last question: I like moving them to Inactive after X days, but after they log in again, will they still show as being members of "Inactive", or can the act of logging in restore them to their previous group with the permissions associated with that group?

Thanks again!
 