UBB.Dev
Mod Name / Version: Security Code to Prevent Automated Login Attempts

Description: Recently there have been some brute force attempts to crack passwords on my BB. These attacks are automated, and work simply by trying every possible password (starting with common words and phrases). In order to protect our members from having their accounts compromised, I created a security code feature which prevents automated login attempts. I don't know how many other administrators have this same problem, but for those that do this modification is relatively easy to install and provides reasonably strong protection against automated login attempts.

The security code is a standard CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart). It generates an image of a 4 digit number which must be typed in correctly for the login to succeed. Here is an example of what it looks like on my BB.

Working Under: UBB.Threads 6.4

Mod Status: Finished

Any pre-requisites: PHP compiled with GD library support.

Author(s): Ythan

Date: 07/05/04

Credits: Thomas Jacob for the Captcha PHP Script.

Files Altered:
/login.php
/logout.php
/start_page.php
/ubbt.inc.php
/templates/login.tmpl

New Files:
/includes/captcha/captcha_func.php
/includes/captcha/captcha_pic.php

Database Altered: No, but if your server doesn't support sessions you will have to create a new table.

Info/Instructions: First, download and extract the new files you will need (they are attached to this post).

Captcha_func.php contains the configuration information for the script. If your server supports sessions, you should not need to alter any settings. Otherwise, you will need to configure the script to use mySQL. Instructions can be found on the script's web page.

After verifying the configuration settings are correct, make a new directory called 'captcha' in your /forums/includes directory, and upload the two new files to that location. (You can use another location if you like, but you will have to update the code manually.)

Next, open login.php and logout.php. In both files, find the line which reads:
Code
require ("main.inc.php");

Directly beneath it, add the following:
Code
  // BEGIN CAPTCHA MOD <br />  header ("Expires: ".gmdate("D, d M Y H:i:s", time())." GMT"); <br />  header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); <br />  header ("Cache-Control: no-cache, must-revalidate"); <br />  header ("Pragma: no-cache"); <br />  if(!session_id()) session_start(); <br />  require ("$thispath/includes/captcha/captcha_func.php"); <br />  if ($_GET['new']) { <br />  	captcha_delete(); <br />  } <br />  if (!captcha_avail()) { <br />  	captcha_create(false, 4, 0, 0, false); <br />  } <br />  // END CAPTCHA MOD

Open start_page.php. Find the line which reads:
Code
$rememberme = get_input("rememberme","post");

Directly beneath this add:
Code
$Code = get_input("code","post");

Find the line which reads:
Code
$html -> do_login ($Cat,$Username,$Password,$rememberme);

Change it to:
Code
$html -> do_login ($Cat,$Username,$Password,$rememberme,$Code);

Open ubbt.inc.php. Find the part which reads:
Code
function do_login($Cat = "",$Username="",$Password="",$rememberme="") {

Change it to:
Code
function do_login($Cat = "",$Username="",$Password="",$rememberme="",$Code="") {

Find the part that reads:
Code
       if ( ($approved != "no") && ($approved != "yes") ) { <br />         $this -> not_right($ubbt_lang['UNVERIFIED'],$Cat); <br />       }

Directly beneath this, add:
Code
       // BEGIN CAPTCHA MOD <br />       if(!session_id()) session_start(); <br />  	   require ("$thispath/includes/captcha/captcha_func.php"); <br />  	   if (captcha_code() !=  $Code) { <br />  	   	 $this -> not_right("The security code you entered is incorrect.",$Cat); <br />       } else { <br />       	 captcha_delete(); <br />       } <br />       // END CAPTCHA MOD

Finally, open login.tmpl. Find the part which reads:
Code
{$ubbt_lang['PASSWORD_TEXT']}<br> <br /><input type="password" name="Loginpass" class="formboxes"> <br /><br> <br /><br>

Directly beneath this, add:
Code
<!-- BEGIN CAPTCHA MOD //--> <br />Your security code is:<br> <br /><img src="{$config['phpurl']}/includes/captcha/captcha_pic.php" alt="Security Code" border="1"> <br /><br> <br />Type in security code:<br> <br /><input type="text" name="code" value="" maxlength="4"><br> <br /><a href="$PHP_SELF?new=1">I can't read it!</a> <br /><br> <br /><br> <br /><!-- END CAPTCHA MOD //-->

That's all there is to it, the security code feature is now installed.

Hope some people find this useful!

-Y

Disclaimer: Please backup every file that you intend to modify.
If the modification modifies the database, it's a good idea to backup your database before doing so.

Note: If you modify your UBB.Threads code, you may be giving up your right for "official" support from Infopop.If you need official support, you'll need to restore unmodified files.


Attached File
116399-captchamod.zip  (35 downloads)
Good work!
Thanks!
You want more?
Image verification
Does this work on 6.5 ?
It should work fine in 6.5.x with small changes, but if you're thinking of using this mod you should know that I've updated it a bit. The biggest change is that now it only asks for a security code after 2 failed login attempts in a row. I also fixed some browser-specific bugs so I recommend you use this new version instead of the one above. Please download captchamod.zip attached to the first post in this thread, but then follow the instructions attached to this reply. Let me know if you have any problems.

-Y

Attached File
126693-captcha.txt  (86 downloads)
This new captcha.txt makes mention of a ubbt_captcha.tmpl file. Where is it?
The contents of that file is at the bottom of the updated instructions.

Peace,

-Y
Thx for the update!
© UBB.Developers