Mod Name / Version: Security Code to Prevent Automated Login Attempts
Description: Recently there have been some brute force attempts to crack passwords on my BB. These attacks are automated, and work simply by trying every possible password (starting with common words and phrases). In order to protect our members from having their accounts compromised, I created a security code feature which prevents automated login attempts. I don't know how many other administrators have this same problem, but for those that do this modification is relatively easy to install and provides reasonably strong protection against automated login attempts.
The security code is a standard CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart). It generates an image of a 4-digit number which must be typed in correctly for the login to succeed. Here is an example of what it looks like on my BB.
Working Under: UBB.Threads 6.4
Mod Status: Finished
Any pre-requisites: PHP compiled with GD library support.
Author(s): Ythan
Date: 07/05/04
Credits: Thomas Jacob for the Captcha PHP Script.
Files Altered: /login.php
/logout.php
/start_page.php
/ubbt.inc.php
/templates/login.tmpl
New Files: /includes/captcha/captcha_func.php
/includes/captcha/captcha_pic.php
Database Altered: No, but if your server doesn't support sessions you will have to create a new table.
Info/Instructions: First, download and extract the new files you will need (they are attached to this post).
Captcha_func.php contains the configuration information for the script. If your server supports sessions, you should not need to alter any settings. Otherwise, you will need to configure the script to use MySQL. Instructions can be found on the script's web page.
After verifying the configuration settings are correct, make a new directory called 'captcha' in your /forums/includes directory, and upload the two new files to that location. (You can use another location if you like, but you will have to update the code manually.)
Next, open login.php and logout.php. In both files, find the line which reads:
require ("main.inc.php");
Directly beneath it, add the following:
// BEGIN CAPTCHA MOD
header ("Expires: ".gmdate("D, d M Y H:i:s", time())." GMT");
header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header ("Cache-Control: no-cache, must-revalidate");
header ("Pragma: no-cache");
if(!session_id()) session_start();
require ("$thispath/includes/captcha/captcha_func.php");
if ($_GET['new']) {
  captcha_delete();
}
if (!captcha_avail()) {
  captcha_create(false, 4, 0, 0, false);
}
// END CAPTCHA MOD
Open start_page.php. Find the line which reads:
$rememberme = get_input("rememberme","post");
Directly beneath this add:
$Code = get_input("code","post");
Find the line which reads:
$html -> do_login ($Cat,$Username,$Password,$rememberme);
Change it to:
$html -> do_login ($Cat,$Username,$Password,$rememberme,$Code);
Open ubbt.inc.php. Find the part which reads:
function do_login($Cat = "",$Username="",$Password="",$rememberme="") {
Change it to:
function do_login($Cat = "",$Username="",$Password="",$rememberme="",$Code="") {
Find the part that reads:
if ( ($approved != "no") && ($approved != "yes") ) {
  $this -> not_right($ubbt_lang['UNVERIFIED'],$Cat);
}
Directly beneath this, add:
// BEGIN CAPTCHA MOD
if(!session_id()) session_start();
require ("$thispath/includes/captcha/captcha_func.php");
if (captcha_code() != $Code) {
  $this -> not_right("The security code you entered is incorrect.",$Cat);
} else {
  captcha_delete();
}
// END CAPTCHA MOD
Finally, open login.tmpl. Find the part which reads:
{$ubbt_lang['PASSWORD_TEXT']}<br>
<input type="password" name="Loginpass" class="formboxes">
<br>
<br>
Directly beneath this, add:
<!-- BEGIN CAPTCHA MOD //-->
Your security code is:<br>
<img src="{$config['phpurl']}/includes/captcha/captcha_pic.php" alt="Security Code" border="1">
<br>
Type in security code:<br>
<input type="text" name="code" value="" maxlength="4"><br>
<a href="$PHP_SELF?new=1">I can't read it!</a>
<br>
<br>
<!-- END CAPTCHA MOD //-->
That's all there is to it, the security code feature is now installed.
Hope some people find this useful!
-Y
Disclaimer: Please back up every file that you intend to modify.
If the modification modifies the database, it's a good idea to back up your database before doing so.
Note: If you modify your UBB.Threads code, you may be giving up your right for "official" support from Infopop. If you need official support, you'll need to restore unmodified files.
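A stricter form of the check the post adds to do_login(), as an added example that is not part of the original post or of the Captcha PHP Script. The post's `!=` is a loose comparison and leaves the code in place after a wrong guess; this version burns the code on every attempt, rejects a login when no code is pending, and compares as strings. It assumes PHP 5.6 or later for hash_equals(); captcha_check_once() is a hypothetical helper, and captcha_code() and captcha_delete() are defined here as stand-ins so the snippet runs on its own.

```php
<?php
// Stand-ins for the two captcha_func.php calls used by the mod (the real file
// is not shown on this page). Assumption: no pending code is reported as ''.
if (!function_exists('captcha_code')) {
    function captcha_code()   { return isset($GLOBALS['demo_code']) ? $GLOBALS['demo_code'] : ''; }
    function captcha_delete() { unset($GLOBALS['demo_code']); }
}

// Hypothetical helper: true only if $submitted matches the pending code.
function captcha_check_once($submitted)
{
    $expected = (string) captcha_code();
    captcha_delete();                             // single use: a wrong guess also burns the code
    if ($expected === '' || !is_string($submitted)) {
        return false;                             // no pending challenge, or non-string input
    }
    if (!preg_match('/^\d{4}$/', $submitted)) {   // the mod creates 4-digit codes
        return false;
    }
    return hash_equals($expected, $submitted);    // string comparison, no numeric juggling
}

// In do_login() the call would replace the comparison:
//   if (!captcha_check_once($Code)) { $this -> not_right("...", $Cat); }

// Constructed cases: issued code (null = none pending) and posted value.
$cases = array(
    'correct code'             => array('0427', '0427'),
    'wrong code'               => array('0427', '1111'),
    'numeric look-alike'       => array('0427', '427'),   // "0427" == "427" under loose ==
    'no challenge, empty post' => array(null, ''),
);
foreach ($cases as $label => $c) {
    list($issued, $posted) = $c;
    if ($issued === null) {
        unset($GLOBALS['demo_code']);
    } else {
        $GLOBALS['demo_code'] = $issued;
    }
    $ok = captcha_check_once($posted);
    printf("%-26s => %s, code still pending: %s\n", $label,
        $ok ? 'accept' : 'reject', captcha_code() === '' ? 'no' : 'yes');
}
```

Because the code is deleted on every attempt, the login page's existing captcha_avail() / captcha_create() block issues a fresh image after each failure.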