HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 08 December 2002 : 20:28:57

We do not have IP blocking here, it is a standard Snitz forum
David K
Junior Member
494 Posts
Posted - 09 December 2002 : 06:27:54

I know it is, I just thought you hardcoded the block for these two IPs in order to block these hackers, why won't you, considering you know they always use the same set of two IPs?
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 09 December 2002 : 06:33:55

Because they could use an anonymous proxy or other means of spoofing their IP address so it's not effective to block an IP Address.
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 09 December 2002 : 07:30:50

Interesting, the same person tried to sign up for my webhosting on the weekend. I don't activate any account unless it's someone I know until payment's been confirmed anyway.
Kiwihosting.Net - The Forum Hosting Specialists
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 09 December 2002 : 07:42:01

and other people are using that same IP who have nothing to do with the hackers
MichaelA
Junior Member
USA
222 Posts
Posted - 09 December 2002 : 11:07:06

quote: Originally posted by BWJM
Investigate the suggestion of hard-coding Admins into config.asp similar to how the SuperAdmin is defined. This will likely make negligible the threat of users being able to elevate their own privileges without proper authorization. This may make it more of a hassle for Admins to promote users, but in most cases, the only Admins with the authority to promote someone else to Admin rank would usually have access to the source files. "Jr. Admins" do not have such access in most cases.

But that, currently, is the problem. ANYONE can download the source code, study it, and make changes to corrupt another forum. That is why I suggested registration in order to download. A small deterrent to be sure, but a deterrent to be sure. Plus it will help Richard and Company to know if a person downloaded code when a specific IP address gets malicious. That would help to know how a person is getting in.
It is a shame that a person has to do this type of thing to be known, but a blessing in that Snitz will become an even more security solid application.
Mike
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 09 December 2002 : 15:15:26

They did register and download the code, so your suggestion wouldn't help very much
David K
Junior Member
494 Posts
Posted - 09 December 2002 : 19:13:51

and it doesn't matter, people can get Snitz anywhere, not only here, that's what GPL is all about!
BWJM
Junior Member
Canada
193 Posts
Posted - 11 December 2002 : 00:15:17

That's not what I was suggesting. Who cares if someone downloads the code. Having the Admins' IDs hard-coded into config.asp means that barring the attackers knowing the passwords, they cannot elevate the privileges on their own account.
@tomic
Senior Member
USA
1790 Posts
Posted - 11 December 2002 : 05:09:19

61.11.245.5 - On my forum right now
Registration disabled for now.
@tomic
SportsBettingAcumen.com
Reinsnitz
Snitz Forums Admin
USA
3545 Posts
Posted - 11 December 2002 : 18:54:02

quote: Originally posted by @tomic
Wouldn't it be more secure to have admins hard coded on config.asp or inc_header.asp?
@tomic

That would not be as secure. And would also be more complicated for the end user.
Reinsnitz (Mike)
Reinsnitz
Snitz Forums Admin
USA
3545 Posts
Posted - 11 December 2002 : 18:55:27

quote: Originally posted by HuwR
plus with the free services, you can just go and get another email address if we lock your account and register again.

With almost any pay service, it's just a phone call or an email to request your account name be changed, or to get a new email. And if you own a domain, there are no limits. I guess this is chalked up with IP banning too :)
Reinsnitz (Mike)
@tomic
Senior Member
USA
1790 Posts
Posted - 11 December 2002 : 20:30:49

quote: Originally posted by @tomic
Wouldn't it be more secure to have admins hard coded on config.asp or inc_header.asp?
@tomic

That would not be as secure. And would also be more complicated for the end user.

How is this less secure if you would have to actually get at the files to elevate your mLev?
As far as easy or hard, if you do it right it's as easy as, no, easier than, the database connection. In config.asp you have something like this:

'-------------------------------------------------------------
' Primary Administrator UserID and Password
'-------------------------------------------------------------
const adminUser = "admin"
const adminPass = "admin"

'-------------------------------------------------------------
' Administrator2 UserID and Password
'-------------------------------------------------------------
const adminUser2 = "admin2"
const adminPass2 = "admin2"

If you set it up right you could probably have as many admins as you want. This way SQL injection is not going to get someone the admin password. It's not perfect but at least one way of grabbing passwords is completely removed since they are not in the database.
@tomic
SportsBettingAcumen.com
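The config.asp constants above keep admin passwords out of the database, but they hold them in plaintext, so whoever edits the file knows every admin's password. The following is an added example, not code from this thread or from Snitz, showing how a config-file admin list can be built the same way while storing only salted PBKDF2 hashes, and how admin rank can be derived from that list rather than from the member level stored in the database (what the post calls mLev). The level numbers (1 member, 2 moderator, 3 admin), the function names and the admin entries are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed Snitz-style member levels: 1 = member, 2 = moderator, 3 = admin.
LEVEL_MEMBER, LEVEL_MODERATOR, LEVEL_ADMIN = 1, 2, 3
PBKDF2_ITERATIONS = 200_000


def make_entry(password, salt=None):
    """Build the record each admin generates for themselves and hands to the
    primary admin: a random salt plus a PBKDF2-SHA256 hash of the password.
    The password itself never has to be shared with whoever edits the config."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(digest).decode("ascii"),
    }


def verify_entry(entry, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = base64.b64decode(entry["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, base64.b64decode(entry["hash"]))


# Constructed admin list standing in for constants in a config file; in a real
# deployment each entry would be pasted in from make_entry() output.
ADMINS = {
    "admin": make_entry("primary-admin-passphrase"),
    "admin2": make_entry("second-admin-passphrase"),
}


def effective_level(username, password, db_level):
    """Admin rank is granted only by a config entry plus the matching password.
    Whatever level the members table holds is capped at moderator, so a row
    changed through SQL injection cannot by itself elevate an account."""
    entry = ADMINS.get(username)
    if entry is not None and verify_entry(entry, password):
        return LEVEL_ADMIN
    return min(db_level, LEVEL_MODERATOR)


if __name__ == "__main__":
    print(effective_level("admin", "primary-admin-passphrase", LEVEL_MEMBER))  # 3
    print(effective_level("admin", "wrong", LEVEL_ADMIN))                      # 2
    print(effective_level("someone", "whatever", LEVEL_ADMIN))                 # 2
```

The design keeps the property @tomic is after (the admin secret is not in the database) while removing the need for the primary admin to know other admins' passwords: each admin runs make_entry on their own machine and sends only the salt and hash. A database row with the admin level set but no matching config entry still lands at moderator.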
GauravBhabu
Advanced Member
4288 Posts
Posted - 11 December 2002 : 20:47:13

@tomic for that to do primary admin has to know the passwords of other admins, which may not be desirable and partly defeats the purpose of encryption
@tomic
Senior Member
USA
1790 Posts
Posted - 11 December 2002 : 20:49:05

They don't call it the primary Admin for nothing.
@tomic
SportsBettingAcumen.com