Add-on Login Security

xIsabel38

Well-known member
I'd like to make a request for an Add-on. I'm not sure the entire process of making the request but here we go.

First, the reason behind this. Sit down around the campfire and grab those Marshmallows because it's Storytime.

A couple of years ago my forum was attacked by a malicious user who set up a bot to begin attempting to gain access to all administrator accounts.

The bot was a constant presence always attempting to login. I had gotten so many Admin Errors in the logs about user failed login attempts on not only my account, but on all of my other Administrators too. The bot wasn't set on my members, it was trying for the admin panel.

It's a constant concern to come to your own website and see a bot there attempting to break in. Regardless of all the bans, it kept coming back due to hiding behind proxy servers. In the end, we had to stop banning it for fear of banning someone legitimate.

I went as far as to file a legal complaint and seek out professional help with proxies and the removal of malicious entities. But it really wasn't any good.

And then we found the answer we were looking for in 2 mods.

The first mod, is called Bad Behavior and is a way to stop forum spam and people from registering from known spam blacklists.

-This wasn't a direct help of course because the bot was set to simply attempt to login to our accounts. It wasn't trying to register for spamming purposes. But it was nice to have.

The real mod that completely stopped this attack was called Login Security.

The mod didn't remove the bot or anything like that, it simply allows users to set up an IP address (or Multiple IPs) from which they authorize. All other login attempts through different IP settings are restricted.

In this case, even if an outside user did manage to get the password of an account, they would also have to be using an authorized IP address to log-in.

It's additional security and some may say peace of mind goes a long way. We made a public announcement about the new mods and how users can protect their own accounts using it.

About 2 days after we installed this mod, the bot script was halted and it left the website. I believe it was because one of our users was actually behind it and saw the announcement of the new security we added.

So I'm asking if anyone might possibly be interested in creating an Add-on like this.
Here are the features from the one I used before:
  • It will e-mail the user on a failed login attempt and inform them which IP address that login attempt came from.
  • After a preset amount of failed attempts (set up by the administrator), the account becomes locked for X amount of minutes or hours.
  • Each user has permission to utilize this mod. And the system is either enabled or disabled.
  • All users can set up multiple IP addresses by simply putting a comma between each one.
  • Users trying to access their account from an un-authorized IP can e-mail themselves a Secure Link which expires in 7 minutes. This Secure Link can be used by the user to log in.
  • Users go to their profile to set up their IP protection.
Some features I would like to see that weren't included.
  • Allow the implementation of this feature beginning as soon as the registration page. There can be a lock icon with a blank text field. Below the field is a small description to what the field is used for as well as a link to Whatismyip.com or a pop-up they can click to find out their current IP. (Not a required registration field)
  • A new field right next to the moderation center that says failed login attempts. Moderators and Admins can view this, see which account was attempted access, and which IP address attempted the access as well as if that IP is associated with another user. Basically allowing mods and admins to see who tried to get into whose account.
  • A permission to auto-ban a user that does attempt to access someone else's account.
This is pretty much all I could think of for now.
 
I would say, while you're at letting more than one IP get added, make it able to use ranges, so people who get random IP addresses from their ISP with the first two octets remaining the same can allow themselves a broad array of addresses, so in the event of an IP change they don't have to always do the password recovery.
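As an added illustration of the two mechanisms requested above (the comma-separated IP allow-list with ranges, and the e-mailed Secure Link that expires in 7 minutes), not code from the Login Security mod or from anyone in this thread; the allow-list text, the signing key and the user id are constructed for the demo:

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

# Constructed sample of what a member might enter in their profile:
# single addresses and ranges, separated by commas as the request describes.
SAMPLE_ALLOWLIST = "203.0.113.7, 198.51.100.0/24, 2001:db8::/32"

# Lifetime of the e-mailed Secure Link, taken from the thread: 7 minutes.
LINK_TTL_SECONDS = 7 * 60

# Hypothetical server-side signing key. A real deployment generates it once
# and stores it outside the code; this constant exists only to make the demo run.
SERVER_SECRET = b"demo-signing-key-not-for-production"


def parse_allowlist(text):
    """Parse a comma-separated list of IP addresses and CIDR ranges.

    A bare address is stored as a single-host network (/32 or /128) so that
    single entries and ranges are checked the same way. A malformed entry
    raises ValueError instead of being skipped, so a typo cannot silently
    leave the account reachable from fewer or more addresses than intended.
    """
    networks = []
    for entry in text.split(","):
        entry = entry.strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def ip_is_authorized(client_ip, networks):
    """True if client_ip falls inside any allow-listed address or range."""
    addr = ipaddress.ip_address(client_ip)
    # Membership across IPv4/IPv6 families is simply False, never an error.
    return any(addr in net for net in networks)


def make_secure_link_token(user_id, now=None):
    """Build the token for a Secure Link: user id, expiry and a random nonce,
    signed with HMAC-SHA256 so the client cannot alter the expiry."""
    now = int(time.time()) if now is None else int(now)
    payload = f"{int(user_id)}:{now + LINK_TTL_SECONDS}:{secrets.token_hex(8)}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_secure_link_token(token, now=None):
    """Return the user id if the token is authentic and unexpired, else None.

    The nonce makes every link distinct; rejecting a link that was already
    used needs a server-side record of spent nonces, which is not shown here.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        user_id, expires, nonce, sig = token.split(":")
        expires = int(expires)
    except ValueError:
        return None
    payload = f"{user_id}:{expires}:{nonce}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, checked before the expiry so a forged token
    # is rejected for its signature regardless of what expiry it claims.
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= expires:
        return None
    return int(user_id)
```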
 
Brute forcing the admin area... it's such an easy game, often deployed by script kiddies


If there is no time-out after x attempts (which there isn't with XenForo; we simply add the security question after 5 attempts, which is easy to script against if you are targeting a single forum that uses question and answer... or even image captcha), then they can keep trying with a very basic script (1st trying the top 10,000 most common passwords: http://xato.net/files/10k most common.zip)

There is an issue with one of the points above
After a preset amount of failed attempts (set up by the administrator), the account becomes locked for X amount of minutes or hours.

If the scripter was maliciously targeting you, just for the sake of being malicious, you have provided a mechanism to lock every single one of your accounts including the admin accounts. He could then set up a script to keep doing this once they become active again... (they could continuously keep locking your admin accounts, which could be very frustrating)

Where did they brute force, was it just the admin login area (ACP), or the front end forum login area?

=> This actually looks interesting to me for a possible plug-in to develop

I think turning off the ACP is a must (but then again, removing the superAdmins from the config should effectively do this... I think)
I also think that the admin account username to access the ACP should never be known (so should not post on the forum with it / be visible to forum members) ... I think this is a security design issue for most forum software

Locking login for the admin user on the forum and the ACP unless they are on a whitelisted IP address wouldn't be that hard to do

make it able to use ranges
Actually, yes... ranges and individual whitelists seem sensible (for those with network ranges)

Hmmm... I might consider this once I finish a few other things, unless someone else starts it

Allowing this for each user seems a bit strange, since many users will not know they're on a variable IP address. If they set it up, they may never be allowed to log back in again; it should surely be restricted to admins and mods

Edit: Ah... I didn't read this bit
  • Users trying to access their account from an un-authorized IP can e-mail themselves a Secure Link which expires in 7 minutes. This Secure Link can be used by the user to log in.
That's quite a smart idea of working around the above issue... it is an added complication that most forum members probably won't want to use (most are used to using the same session with FB and never even bothering typing their password again). But who gets this extra login security could be defined by group permissions with the ACP

A permission to auto-ban a user that does attempt to access someone else's account.
How could you really be certain of this? I think this one will cause more user grief than prevent malicious users... since as you've already said, the malicious users will use proxies, but a harmless user that tries to innocently log in from outside their allowed network whitelist could be banned (I think this one just gives admins the false hope of security and "revenge", but is not really user-friendly for users of the forum and actually does nothing to the scripter)
 
There is an issue with one of the points above

If the scripter was maliciously targeting you, just for the sake of being malicious, you have provided a mechanism to lock every single one of your accounts including the admin accounts. He could then set up a script to keep doing this once they become active again... (they could continuously keep locking your admin accounts, which could be very frustrating)

Where did they brute force, was it just the admin login area (ACP), or the front end forum login area?

=> This actually looks interesting to me for a possible plug-in to develop

I think turning off the ACP is a must (but then again, removing the superAdmins from the config should effectively do this... I think)
I also think that the admin account username to access the ACP should never be known (so should not post on the forum with it / be visible to forum members) ... I think this is a security design issue for most forum software
...

How could you really be certain of this? I think this one will cause more user grief than prevent malicious users... since as you've already said, the malicious users will use proxies, but a harmless user that tries to innocently log in from outside their allowed network whitelist could be banned (I think this one just gives admins the false hope of security and "revenge", but is not really user-friendly for users of the forum and actually does nothing to the scripter)

The first point is very valid. I didn't even think of them being able to continuously lock out accounts like that.

They tried brute force on the frontend but only targeting the administrator accounts which can result in access to the backend.

The problem with the super admin account here is that the super admin is always assigned to member ID 1. And it's very easy to find. Even if you didn't know the username of the super admin, and there were 2 million registered users, you can simply go to anyone's profile page and replace the ID number in the URL with 1. This will always redirect you to the Super Admin's profile.

As for the final point you make, regarding the auto-ban. I mean if, say, someone attempts to access a different user's account. The system can check the IP address of the requestor (the person that made the failed login attempt) and relate any accounts associated with that IP (if they are registered). The system can then also save the account entry field, which would be the user account they tried to access. Perhaps it shouldn't do the auto-ban, but it could generate this information in the mod report. In this case, we'd be able to see who tried to access whose account and take the necessary manual steps.

The report could look something like this:
Login Error: *IP address* associated with *username* failed login attempt. Account Entry: *username2*

In the above, the type of error is a "Login Error".
The *IP address* is the IP of the computer that performed the failed login.
The associated username is the account registered to that IP address or N/A if it isn't registered.
And the Account Entry is the username they entered to login as.

So if I tried to log in to your account it could read out as
Login Error: *MyIP* associated with xIsabel38 failed login attempt. Account Entry: tenants
 
but then potentially anyone who fished another user's IP... could spoof their addy and make them look as if they were trying to wrongfully gain access to someone's account... just saying that is something to keep in mind... abuse comes in many flavors
 
The first point is very valid. I didn't even think of them being able to continuously lock out accounts like that.

They would have to continuously run a script every time the time-lock unlocked the accounts, so small time-locks (of 5-30 seconds) are effective and not as user-unfriendly as large time-locks. With small time-locks, it would probably be easier for them to just DoS attack the forum, which there is rarely anything you can do about unless you have an expensive server set up

As for the final point you make, regarding the auto-ban. I mean if, say, someone attempts to access a different user's account. The system can check the IP address of the requestor (the person that made the failed login attempt) and relate any accounts associated with that IP (if they are registered). The system can then also save the account entry field, which would be the user account they tried to access. Perhaps it shouldn't do the auto-ban, but it could generate this information in the mod report. In this case, we'd be able to see who tried to access whose account and take the necessary manual steps.

but then potentially anyone who fished another user's IP... could spoof their addy and make them look as if they were trying to wrongfully gain access to someone's account... just saying that is something to keep in mind... abuse comes in many flavors

I also agree, an auto-ban might not be a good idea, and in very rare cases could be used against an account (you would need access to the forum user's network, but I doubt there are many hackers that will sit outside a house with a laptop just to ban a forum user account)

Information in the logs might be misleading, but I suppose any information could be helpful?
I imagine that someone attacking an individual forum to bring it down doesn't really care about their content / user status on the forum, so I'm still thinking this "banning" option through

However, with any ban option (auto or manual via the logs), you might convict the innocent via this following scenario:

1) 2 people are at work
2) Person at desk A has one IP address, and at Desk B a person has another
3) Both people are registered to your forum, but person A attempts to log in with their own username on person B's computer (to show them... an image/conversation/private forum?) => oops, a typo => Banned

That cost might be a scenario forum admins can live with (with the reward of banning an account the attacker probably doesn't care about) <= I'm still not convinced yet, I need to think it through
 
Yeah, after this discussion, it's clear an auto-ban is a bad idea. Banning, suspending, contacting users, etc... should really be left to the discretion of the staff.

But I do think it should generate a report to the mod/admin team about it.

Mind you, most issues are of course going to be simple errors, and because of this it needs to have an easy option to delete the report outright after a manual review so it's not taking up any space or room. But an unusual amount of failed logins in a short time may be evidence of a potential attack, and in this case the reports generated can help the staff identify and remove the threat before it manages to actually gain access to a user or, worse, an admin.

Of course if we're talking about proxy attacks now we're talking about something different entirely and there really isn't much any mod can do about that. I am mostly talking about 1 user trying to access another user's account. And of course, having the main option to set up an authorized IP.

In fact, now that I think about it, there's a website I use to hire developers called oDesk.com that has a sort of login security feature, but in a different way than what I said. It is a viable and possibly easier option. It works as follows:

Users are allowed to set up a "Security Question and Answer". When they attempt to log in to their account via a computer (IP Address) that isn't authorized, they are asked this Security question. If they get it right, they are asked if they wish to authorize the new computer or not. If they get the Answer wrong, they aren't allowed access and are locked out from being able to attempt to log in again for 15 minutes (From that specific computer).

There are also links like "Forgot my Security Answer" and stuff which acts like a password reset form. In the case of a legitimate accidental lock-out, this can be used to gain access and reset the question and answer.
 
I also agree, an auto-ban might not be a good idea, and in very rare cases could be used against an account (you would need access to the forum user's network, but I doubt there are many hackers that will sit outside a house with a laptop just to ban a forum user account)
You don't need to sit outside someone's house to get their IP... you could simply send them an email and view the full header when they reply... and that's just one of the million obvious ways to gain that information. And then you surely don't need to use somebody's wifi to make it look like they are malicious. That was the whole point of what I was saying. http://en.wikipedia.org/wiki/IP_address_spoofing
 
view the full header when they reply
That's getting the IP address, but yes, once it's been snatched headers can be forged... yup, when it comes to IP addresses, they can't be used with certainty for banning individuals, particularly malicious attackers. There is practically nothing a client machine sends to a server that can't be forged
 
Okay, I've done this add-on...

Your 3 features here, I'm not completely sure about:


  • Allow the implementation of this feature beginning as soon as the registration page. There can be a lock icon with a blank text field. Below the field is a small description to what the field is used for as well as a link to Whatismyip.com or a pop-up they can click to find out their current IP. (Not a required registration field)
  • A new field right next to the moderation center that says failed login attempts. Moderators and Admins can view this, see which account was attempted access, and which IP address attempted the access as well as if that IP is associated with another user. Basically allowing mods and admins to see who tried to get into whose account
  • A permission to auto-ban a user that does attempt to access someone else's account.
I don't really know what the 1st one means
I think the 2nd one would be better done with logs in the ACP (when a user attempts to log in from an unauthorised IP, this is logged; I will just expose the information in the ACP area, Tools > XenLoginSecurity Logs)
I think we agreed to avoid auto IP banning

Additionally, account locks will be a separate plug-in (I'm working on this now, since I believe account locks should be in all login areas, and you should not need this plugin to apply that)

The rest of the features are all available... will upload it now ;)

You can let me know what you think / what needs changing
 
The problem with the super admin account here is that the super admin is always assigned to member ID 1. And it's very easy to find. Even if you didn't know the username of the super admin, and there were 2 million registered users, you can simply go to anyone's profile page and replace the ID number in the URL with 1. This will always redirect you to the Super Admin's profile.
This is not necessarily the case. You can edit your super administrator IDs in config.php, so you could remove Super Administrator access from ID = 1 and set up a new user account with some obscure username.
 
I partially agree with you, but the super admin username is still very easy to retrieve. The account isn't hidden from the members area, so this is not enough to obscure the admin username

The members names in the user area can then be used as a hit list on the ACP area (run script to try each username)

Since a different response is given for non-admins, it's then very easy to gain the admin username (Your account does not have admin privileges <= this is bad design; a different response for incorrect username / password should never be given unless you don't care about exposing usernames with admin privileges)
I simply recommend taking all super admins out of the config file once you have finished with the ACP area (if you are truly worried about it)

Even if the username wasn't present in the members area, simply brute forcing the ACP with a list of usernames will get you the admin username (which can be very quick if you use a common list in your attack first; the user locks in the ACP area do not prevent this attack since it only needs to test once with each username)
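As an added illustration of the two defensive points made in this thread, not code from either plugin: a login check that returns one identical message for unknown usernames, non-admin accounts and wrong passwords (so the form cannot be used to confirm which usernames exist or have admin privileges), combined with the short per-account time-lock argued for above, where attempts made during the lock do not extend it. The user store, usernames, IP and log format are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Short per-account lock, as argued in the thread: a long lock lets an attacker
# keep every admin account locked just by retrying each time it unlocks.
LOCK_SECONDS = 30
MAX_FAILURES = 5
# One response for every failure, so the form confirms neither that a username
# exists nor that the account has admin privileges.
GENERIC_FAILURE = "Invalid username or password."


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns (salt, digest). Demo parameters only."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class LoginGuard:
    def __init__(self, users):
        self.users = users        # username -> (salt, digest); constructed store
        self.failures = {}        # username -> (failure count, lock_until or None)
        self.log = []             # failed-attempt records for staff review

    def _locked(self, username, now):
        _count, lock_until = self.failures.get(username, (0, None))
        return lock_until is not None and now < lock_until

    def _record_failure(self, username, ip, now):
        count, lock_until = self.failures.get(username, (0, None))
        if lock_until is not None and now >= lock_until:
            count, lock_until = 0, None      # lock window expired: count afresh
        if lock_until is None:
            count += 1
            if count >= MAX_FAILURES:
                lock_until = now + LOCK_SECONDS
        # Attempts made while locked are logged but do not extend the lock,
        # so a script hammering the form cannot stretch 30 s into forever.
        self.failures[username] = (count, lock_until)
        self.log.append(f"Login Error: {ip} failed login attempt. "
                        f"Account Entry: {username}")

    def attempt(self, username, password, ip, now=None):
        """Return (success, message). Every failure yields the same message."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None or self._locked(username, now):
            # Unknown or locked account: still run the hash so the response time
            # does not separate this case from a plain wrong password.
            hash_password(password, b"\x00" * 16)
            self._record_failure(username, ip, now)
            return False, GENERIC_FAILURE
        salt, digest = user
        if not hmac.compare_digest(hash_password(password, salt)[1], digest):
            self._record_failure(username, ip, now)
            return False, GENERIC_FAILURE
        self.failures.pop(username, None)   # success clears the counter
        return True, "OK"
```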
 
I partially agree with you, but the super admin username is still very easy to retrieve. The account isn't hidden from the members area, so this is not enough to obscure the admin username

The members names in the user area can then be used as a hit list on the ACP area (run script to try each username)

Since a different response is given for non-admins, it's then very easy to gain the admin username (Your account does not have admin privileges.)
I simply recommend taking all super admins out of the config file once you have finished with the ACP area (if you are truly worried about it)

Even if the username wasn't present in the members area, simply brute forcing the ACP with a list of usernames will get you the admin username (which can be very quick if you use a common list in your attack first)
How about something like:
PHP:
if($_SERVER['REMOTE_ADDR'] == 'xx.xx.xx.xx') $config['superAdmins'] = '1';
where xx.xx.xx.xx is your ip address.

I'm not trying to suggest your add-on isn't useful by the way -- I think it's a great idea but noticed that you were admitting yourself that it is still only half a battle won if someone is really insistent.
 
Yes, I can see that that would work for the ACP area (slightly annoying to update for variable IP addresses)

However, this plugin and request isn't just for the ACP area, it is also for the front end Admins / Mods (and any other accounts you need protected)
 
I've provided a separate plug-in for the account locks, since after investigating it, I believe this is a real security issue that should be applied in the core for all forums (or at least everyone should be able to download it separately):

http://xenforo.com/community/resources/loginuserlocks-security-fix.1195/

However, this has not been deemed a high enough security risk to fix now (although I believe it is), and it is unlikely a fix will be made outside of a 1.2 release
 
Hey tenants, just wanted to respond here and let you know I just saw that this was complete. Unfortunately hurricane Sandy hit pretty hard here so I haven't been around and have had other priorities. I have to go so I'm going to have to take a look at this later on.
 
Hey tenants, just wanted to respond here and let you know I just saw that this was complete. Unfortunately hurricane Sandy hit pretty hard here so I haven't been around and have had other priorities. I have to go so I'm going to have to take a look at this later on.

That's okay, I just hope everything is okay on your end

I've had a few users download this and I use it myself, so whenever you want you can let me know if there are any other requirements (even years from now, I "should" still be around)
 
Hey tenants,

Things are finally getting back in order around here. I now have internet access and all that back. Right now I can't really focus on websites, forums, or add-ons but I'm hoping to be able to within the next two to three weeks and then I'll be able to really take a look at this. I appreciate the work you have done thus far and I'm sorry for the inconvenience. Hurricane Sandy was an inconvenience to us all.

I'll keep in touch and be back soon!

EDIT:
I took a quick look at the resource page and I want to clear the air on something.

Feel free to Donate. Originally this was a paid add-on, but it's suspected this might now be being exploited.

I can't control mother nature and unfortunately doing renovations to an entire home takes priority over websites, forums, and add-ons. I'm sorry you feel this way, it's not my intention to make you perform work for exploitation purposes.

When I get more settled and start up this new job I have, I'll revisit the whole web design stuff, forums, and this add-on.
 
The exploitation wasn't you, silly :D (at least I hope it wasn't); it was suspected that a "hacker" / "script kiddy" was making use of the fact that XenForo does not have user locks on the front end login. (Exploited in security terms: to exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.)



So... I made the user locks plugin free, since I believe it's a security bug in XenForo (and I don't feel people should pay for real security bugs)
Login User Locks: http://xenforo.com/community/resources/loginuserlocks-prevent-brute-force-security.1347/
(It prevents users from trying to brute force via the front end, by stopping multiple attempts within a few seconds)

But this one covers everything you asked for in this thread (much more than just user locks)
Login Security: http://xenforo.com/community/resources/xenloginsecurity-ip-address-account-login-security.1194/
It blocks users from ever accessing a user's account, by only allowing certain accounts (controlled by permissions) to be accessible via the IP addresses you define


I think you've had far more pressing issues to deal with, rather than worrying about plugins (where do you fit in the time to hack other people's sites... tsh :p ).

We're glad you're okay ;)
 