Previous Thread
Next Thread
Print Thread
Rate Thread
Joined: Feb 2003
Posts: 179
Member
Member
Offline
Joined: Feb 2003
Posts: 179
Here's my site,:

http://dragboatalley.com/cgi-bin/ultimatebb.cgi

it's running on a Win2k server that I co-lease, so I have complete remote control of the box (No ISP to jerk you around), and i managed to get php installed and the accelerator working if that matters. I've also gotten pretty good at translating unix/linux instructions to windows and can assist someone thats not strong in Win32 environments. Only weird thing about my setup is I do use sendmail instead of SMTP (note2self - dang i forgot to mention that gripe on 6.8 feature request topic). Oh yeah, and I do have one hack currently in place... the banner ad engine I use refused to play nicely when setup in a template and other front-end java applets caused to much trouble for aol users.

I'll be upgrading from 6.6 classic to 6.7 this weekend. After which I'm interested in possibly hiring someone to do some mods for me.

Fair Warning - I'm one tough cookie, very picky about details, and an old school windows developer who could do this stuff myself, if A) I didnt hate perl so intensely; and B) I didnt have so much other work on my plate right now that generates revenue (this site is a personal interest project... and initial investment from advertisers is long gone). So my budget is limited and I might not be the easiest person to work with; but the upside is I understand geek speak, I'll definitely be a repeat customer as time goes by, and I can effectively take the reins for maintaining these mods when the job is done with little-to-no followup required (my daily life includes tightly managed source code libraries and beyond compare tedium).

So if you need work, your availability will be open sometime in next 30 days, and you got the patience to deal with a very anal-retentive developer like me, Here's what I'm interested in getting done...

1) Urgent Priority - Login process doctoring. help My site has a competitor with a long dirty history of nasty tricks and abusing their members, and I got big target on my back for launching a site that's run professionally. We've already had 3 or 4 episodes where a password crack hacker tool was used to compromise user accounts. And it took just under two hours to crack a password on an account that didnt have Publicly Displayed Name set to hide the login name.

So I'm looking for some kind of safety net... customized flood protection would suffice if thats the best that can be done without serious brain surgery. But I'd really be interested in some way to temporarily lock an account after X number of failed attempts. I'm also open for other suggestions if you have any regarding preventing brute force login hacks.

2) Slightly-urgent priority - it sure would be nice to lock down Publicly Displayed Name abit more if possible. Like making it a required field and forcing it to be different from login name.

3) Medium Priority - I could do great things on my site with the Calendar mod!!

4) Low Priority - hit hack sure would make my members happy. Personally, I'm not too keen on it myself... I'd a bought threads if I was. But I'm real tired of hearing about hit counts on topics wink

Depending on the price, I may wanna do these mods in phases, and/or I may eventually have the time to do the last two issues myself. But I definitely need issues 1 and 2 done in the near future. If your interested in this work, please send me a private message or email thru this board. If that doesnt get you a fast enough response (my clients like to keep me tied to my chair), pick up the phone and call me at 717-985-9191.

thanks!

Sponsored Links
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
Admin Emeritus
Joined: Jan 2000
Posts: 5,073
Quote
quote:
...I didnt hate perl so intensely...
Oi! I'll have to cure you of that. wink

1) Adding a simple (broken) floodcheck to the login process is simple. ultimatebb.cgi, find:

Code
if ($ubb eq 'do_login') {
Add under:

Code
&RequireCode("$vars_config{CGIPath}/ubb_lib_posting.cgi");
&floodcheck;
Do note that this will block any multiple login attempts, even if the attempt will be successful, so expect users that make lots of typos to be very, very annoyed.

Locking an account is a few degrees more complex.

2) PDN uniqueness... Mm. Okay, this is somewhat easy.

First thought. Untested code.

ubb_registration.cgi. Find:

Code
	&CheckForExistingNames($lc_username);
&CheckForExistingNames($lc_public_name);
Add under:

Code
if($lc_username eq $lc_public_name) {
&StandardHTML("Error message here");
}
Replace "Error message here" with your error of choice, of course.

You'll note that there's no blank PDN check - that's because $lc_public_name will be equal to $lc_username if there's no PDN.

Now, for the profile edit form. Edit ubb_profile.cgi. Find:

Code
	#die $public_name;
Add under:

Code
if(($lc_old_public_name ne $lc_new_public_name) && ($lc_new_public_name eq $lc_un)) {
&StandardHTML("Don't DO that!");
}
Replace the error as required, etc, etc.

Again, this is untested code, written on the fly.

Now, a warning. We've found that many common usernames and PDNs are used over the life of a board. Users that choose two different names have twice the chance of hitting a reserved name. Users tend not to read the error message that tells them which of their names is taken, which will be a support issue for you.

3) Here's the calendar for 6.7: https://www.ubbdev.com/ubb/ultimatebb.php/topic/33/99.html

4) This is the hit hack for 6.4, which may well work in 6.7: https://www.ubbdev.com/ubb/ultimatebb.php/topic/33/18.html


UBB.classic: Love it or hate it, it was mine.
Joined: Feb 2003
Posts: 179
Member
Member
Offline
Joined: Feb 2003
Posts: 179
(sits shell-shocked with admiration)

thank you charles... this will take a bit to digest. I think I can bite off #1 myself, however I'd still gladly hire someone to spare me the stress on the other stuff.

So just looking at #1 for now; I dont think blocking multiple login attempts will cause too much complaints, most of my members are happy to let the cookie keep them logged in. But just so I understand what I'm getting myself into, if I put this simple (broken??) flood check on login like this, does that mean the floodcheck interval I set in the CP would get applied on login? or some different behavior?

Joined: Jan 2000
Posts: 5,073
Admin Emeritus
Admin Emeritus
Joined: Jan 2000
Posts: 5,073
That's exactly what will happen. It doesn't do that cool cumulative thing I talked about over on UBBCentral. wink (


UBB.classic: Love it or hate it, it was mine.
Joined: Mar 2000
Posts: 21,080
Likes: 3
I type like Navaho
I type like Navaho
Joined: Mar 2000
Posts: 21,080
Likes: 3
I've got the page views mod working on 6.7, I may post it soon smile


- Allen wavey
- What Drives You?
Sponsored Links
Joined: Feb 2003
Posts: 179
Member
Member
Offline
Joined: Feb 2003
Posts: 179
lol... the more time i spend on this site the more i wanna wrastle this stuff myself.

thanks much for the help charles, I will apply this simple flood protection when i get 6.7 loaded this weekend.

and big thanks to Allen also for heads-up on pageview mod coming soon, there's a real good chance my advertisers will gladly cough up extra funds for that one.

Joined: Jan 2000
Posts: 5,073
Admin Emeritus
Admin Emeritus
Joined: Jan 2000
Posts: 5,073
Quote
quote:
the more time i spend on this site the more i wanna wrastle this stuff myself.
GOOD!

Repeat after me: Perl is good. smile


UBB.classic: Love it or hate it, it was mine.
Joined: Jan 2003
Posts: 3,456
Likes: 2
Master Hacker
Master Hacker
Offline
Joined: Jan 2003
Posts: 3,456
Likes: 2
Do it Roxanne, he gives you a cookie everytime you say it.


btw: Perl is good. *waits for cookie*

Joined: Aug 2000
Posts: 1,290
Addict
Addict
Offline
Joined: Aug 2000
Posts: 1,290
Hmmmmmm your site reminds me of Thunderboat Road in Miami smile


- Custom Web Development
http://www.JCSWebDev.com
Joined: Jun 2001
Posts: 2,848
Spotlight Winner
Spotlight Winner
Offline
Joined: Jun 2001
Posts: 2,848
*cough* asp.net *cough*

Sponsored Links
Joined: Feb 2003
Posts: 179
Member
Member
Offline
Joined: Feb 2003
Posts: 179
*gag-sputter-spit* asp.net *croak*

please i was just starting to like you guys. there is no ".net" in old school

Quote
quote:
btw: Perl is good. *waits for cookie*
UBB is good. but perl hurts my head so much I'd never be able to see that cookie to enjoy it wink

(ducks)

Joined: Feb 2003
Posts: 179
Member
Member
Offline
Joined: Feb 2003
Posts: 179
Quote
Originally posted by Charles Capps:

1) Adding a simple (broken) floodcheck to the login process is simple. ultimatebb.cgi, find:

Code
if ($ubb eq 'do_login') {
Add under:

Code
&RequireCode("$vars_config{CGIPath}/ubb_lib_posting.cgi");
&floodcheck;
dang hackers busted into my login again last nite. So I just tried to load above tweak on 6.6 and ran into problem...

I get this error message:
Undefined subroutine &main::floodcheck called at C:websitesubb6_dragboatalleycgi-binultimatebb.cgi line 399.

here's what the code looks like:

Code
if ($ubb eq 'do_login') {
&GetOrPost("POST");
my $ip_number = &GetIPAddress;
&check_ip_bans($ip_number);

$skip_cookie_check = 'true';

&RequireCode("$vars_config{CGIPath}/ubb_lib_2.cgi");
&floodcheck;

my @user_info = &verify_id("$in{username}", "$in{password}"); # -> lib_2!
did i stick this floodcheck line in the wrong place maybe???

Joined: Feb 2003
Posts: 179
Member
Member
Offline
Joined: Feb 2003
Posts: 179
ahhhh ok, I got it right now

Code
&RequireCode("$vars_config{CGIPath}/ubb_lib_posting.cgi");
&floodcheck;
note2self... if I ever dive into doing mods, tweak my trusty code indexer utility to run on the ubb codebase so i got cheat sheet of which subs are where.

Joined: Jan 2000
Posts: 5,073
Admin Emeritus
Admin Emeritus
Joined: Jan 2000
Posts: 5,073
There are lots...


UBB.classic: Love it or hate it, it was mine.
Joined: Feb 2003
Posts: 179
Member
Member
Offline
Joined: Feb 2003
Posts: 179
yeah i know... but i got a ready made developer tool I use for VFP codebases that would generate a nice pretty word document sybroutine index in a few minutes. All I need to do is tweak a couple of filename extensions, and build a new exe... spread it around... and batta bing, folks new to doing ubb mods would have easily built code library doc. then offer it up for free public consumption as my contribution to this community (since i sure as heck aint never gonna write my own mod).

Joined: Feb 2003
Posts: 179
Member
Member
Offline
Joined: Feb 2003
Posts: 179
big wow - this worked great

Code
&RequireCode("$vars_config{CGIPath}/ubb_lib_2.cgi");
&floodcheck;
i just ran a webtrends report for last 6 hrs since i made this hack, and login url is no longer getting slammed! not even a blip on the chart after said fix, <50 in the time period. Where as it was avg'ing 100-300 hits per hour once i changed my password this morning's after hacker got me good.

so ok, rounding full circle with next question from my original issues. My list of hacks to re-apply after tonights 6.7 upgrade is nice and short. So I think I need one more little tweak - how do I make publicly displayed name a required field?

Joined: Aug 2000
Posts: 1,290
Addict
Addict
Offline
Joined: Aug 2000
Posts: 1,290
Pssssssssssst, In case you didn't know, Charles is the lead programmer on 'classic wink


- Custom Web Development
http://www.JCSWebDev.com
Joined: Feb 2003
Posts: 179
Member
Member
Offline
Joined: Feb 2003
Posts: 179
eek oh geeze... ummm... did i mention i get dangerously inspired? :rolleyes:

Joined: Aug 2000
Posts: 1,290
Addict
Addict
Offline
Joined: Aug 2000
Posts: 1,290
You should add "Dangerously Inspired ™ " to your sig.


LOL


- Custom Web Development
http://www.JCSWebDev.com
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
Admin Emeritus
Joined: Jan 2000
Posts: 5,073
s/the lead/the only/g;

I think I answered your PDN required field question above... the code to check uniqueness will also check that it's filled in and isn't the login name.


UBB.classic: Love it or hate it, it was mine.
Joined: Aug 2000
Posts: 1,290
Addict
Addict
Offline
Joined: Aug 2000
Posts: 1,290
"s/the lead/the only/g;" hehehehe true...


- Custom Web Development
http://www.JCSWebDev.com

Link Copied to Clipboard
Donate Today!
Donate via PayPal

Donate to UBBDev today to help aid in Operational, Server and Script Maintenance, and Development costs.

Please also see our parent organization VNC Web Services if you're in the need of a new UBB.threads Install or Upgrade, Site/Server Migrations, or Security and Coding Services.
Recommended Hosts
We have personally worked with and recommend the following Web Hosts:
Shock Hosting
Stable Host
bluehost
InterServer
Visit us on Facebook
Member Spotlight
AllenAyres
AllenAyres
Texas
Posts: 21,080
Joined: March 2000
Forum Statistics
Forums63
Topics37,583
Posts293,955
Members13,824
Most Online151,614
Nov 14th, 2025
Today's Statistics
Currently Online 701
Topics Created 0
Posts Made 0
Users Online 0
Birthdays 13
Top Posters
AllenAyres 21,080
JoshPet 10,369
LK 7,394
Lord Dexter 6,708
Gizmo 5,834
Greg Hard 4,625
Top Posters(30 Days)
Top Likes Received
isaac 82
Gizmo 20
Brett 7
WebGuy 2
Morgan 2
Top Likes Received (30 Days)
None yet
The UBB.Developers Network (UBB.Dev/Threads.Dev) is ©2000-2026 VNC Web Services

 
Powered by UBB.threads™ PHP Forum Software 8.1.0
(Snapshot build 20260108)