Here's my site,:

http://dragboatalley.com/cgi-bin/ultimatebb.cgi

it's running on a Win2k server that I co-lease, so I have complete remote control of the box (No ISP to jerk you around), and i managed to get php installed and the accelerator working if that matters. I've also gotten pretty good at translating unix/linux instructions to windows and can assist someone thats not strong in Win32 environments. Only weird thing about my setup is I do use sendmail instead of SMTP (note2self - dang i forgot to mention that gripe on 6.8 feature request topic). Oh yeah, and I do have one hack currently in place... the banner ad engine I use refused to play nicely when setup in a template and other front-end java applets caused to much trouble for aol users.

I'll be upgrading from 6.6 classic to 6.7 this weekend. After which I'm interested in possibly hiring someone to do some mods for me.

Fair Warning - I'm one tough cookie, very picky about details, and an old school windows developer who could do this stuff myself, if A) I didnt hate perl so intensely; and B) I didnt have so much other work on my plate right now that generates revenue (this site is a personal interest project... and initial investment from advertisers is long gone). So my budget is limited and I might not be the easiest person to work with; but the upside is I understand geek speak, I'll definitely be a repeat customer as time goes by, and I can effectively take the reins for maintaining these mods when the job is done with little-to-no followup required (my daily life includes tightly managed source code libraries and beyond compare tedium).

So if you need work, your availability will be open sometime in next 30 days, and you got the patience to deal with a very anal-retentive developer like me, Here's what I'm interested in getting done...

1) Urgent Priority - Login process doctoring. My site has a competitor with a long dirty history of nasty tricks and abusing their members, and I got big target on my back for launching a site that's run professionally. We've already had 3 or 4 episodes where a password crack hacker tool was used to compromise user accounts. And it took just under two hours to crack a password on an account that didnt have Publicly Displayed Name set to hide the login name.

So I'm looking for some kind of safety net... customized flood protection would suffice if thats the best that can be done without serious brain surgery. But I'd really be interested in some way to temporarily lock an account after X number of failed attempts. I'm also open for other suggestions if you have any regarding preventing brute force login hacks.

2) Slightly-urgent priority - it sure would be nice to lock down Publicly Displayed Name abit more if possible. Like making it a required field and forcing it to be different from login name.

3) Medium Priority - I could do great things on my site with the Calendar mod!!

4) Low Priority - hit hack sure would make my members happy. Personally, I'm not too keen on it myself... I'd a bought threads if I was. But I'm real tired of hearing about hit counts on topics

Depending on the price, I may wanna do these mods in phases, and/or I may eventually have the time to do the last two issues myself. But I definitely need issues 1 and 2 done in the near future. If your interested in this work, please send me a private message or email thru this board. If that doesnt get you a fast enough response (my clients like to keep me tied to my chair), pick up the phone and call me at 717-985-9191.

thanks!

Oi! I'll have to cure you of that.

1) Adding a simple (broken) floodcheck to the login process is simple. ultimatebb.cgi, find:

Add under:

Do note that this will block any multiple login attempts, even if the attempt will be successful, so expect users that make lots of typos to be very, very annoyed.

Locking an account is a few degrees more complex.

2) PDN uniqueness... Mm. Okay, this is somewhat easy.

First thought. Untested code.

ubb_registration.cgi. Find:

Add under:

Replace "Error message here" with your error of choice, of course.

You'll note that there's no blank PDN check - that's because $lc_public_name will be equal to $lc_username if there's no PDN.

Now, for the profile edit form. Edit ubb_profile.cgi. Find:

Add under:

Replace the error as required, etc, etc.

Again, this is untested code, written on the fly.

Now, a warning. We've found that many common usernames and PDNs are used over the life of a board. Users that choose two different names have twice the chance of hitting a reserved name. Users tend not to read the error message that tells them which of their names is taken, which will be a support issue for you.

3) Here's the calendar for 6.7: http://www.ubbdev.com/ubb/ultimatebb.php/topic/33/99.html

4) This is the hit hack for 6.4, which may well work in 6.7: http://www.ubbdev.com/ubb/ultimatebb.php/topic/33/18.html

(sits shell-shocked with admiration)

thank you charles... this will take a bit to digest. I think I can bite off #1 myself, however I'd still gladly hire someone to spare me the stress on the other stuff.

So just looking at #1 for now; I dont think blocking multiple login attempts will cause too much complaints, most of my members are happy to let the cookie keep them logged in. But just so I understand what I'm getting myself into, if I put this simple (broken??) flood check on login like this, does that mean the floodcheck interval I set in the CP would get applied on login? or some different behavior?

That's exactly what will happen. It doesn't do that cool cumulative thing I talked about over on UBBCentral. (

I've got the page views mod working on 6.7, I may post it soon

lol... the more time i spend on this site the more i wanna wrastle this stuff myself.

thanks much for the help charles, I will apply this simple flood protection when i get 6.7 loaded this weekend.

and big thanks to Allen also for heads-up on pageview mod coming soon, there's a real good chance my advertisers will gladly cough up extra funds for that one.

GOOD!

Repeat after me: Perl is good.

Do it Roxanne, he gives you a cookie everytime you say it.


btw: Perl is good. *waits for cookie*

Hmmmmmm your site reminds me of Thunderboat Road in Miami

*cough* asp.net *cough*

*gag-sputter-spit* asp.net *croak*

please i was just starting to like you guys. there is no ".net" in old school

UBB is good. but perl hurts my head so much I'd never be able to see that cookie to enjoy it

(ducks)

dang hackers busted into my login again last nite. So I just tried to load above tweak on 6.6 and ran into problem...

I get this error message:
Undefined subroutine &main::floodcheck called at C:websitesubb6_dragboatalleycgi-binultimatebb.cgi line 399.

here's what the code looks like:

did i stick this floodcheck line in the wrong place maybe???

ahhhh ok, I got it right now

note2self... if I ever dive into doing mods, tweak my trusty code indexer utility to run on the ubb codebase so i got cheat sheet of which subs are where.

There are lots...

yeah i know... but i got a ready made developer tool I use for VFP codebases that would generate a nice pretty word document sybroutine index in a few minutes. All I need to do is tweak a couple of filename extensions, and build a new exe... spread it around... and batta bing, folks new to doing ubb mods would have easily built code library doc. then offer it up for free public consumption as my contribution to this community (since i sure as heck aint never gonna write my own mod).

big wow - this worked great

i just ran a webtrends report for last 6 hrs since i made this hack, and login url is no longer getting slammed! not even a blip on the chart after said fix, <50 in the time period. Where as it was avg'ing 100-300 hits per hour once i changed my password this morning's after hacker got me good.

so ok, rounding full circle with next question from my original issues. My list of hacks to re-apply after tonights 6.7 upgrade is nice and short. So I think I need one more little tweak - how do I make publicly displayed name a required field?

Pssssssssssst, In case you didn't know, Charles is the lead programmer on 'classic

oh geeze... ummm... did i mention i get dangerously inspired? :rolleyes:

You should add "Dangerously Inspired ™ " to your sig.


LOL

s/the lead/the only/g;

I think I answered your PDN required field question above... the code to check uniqueness will also check that it's filled in and isn't the login name.