Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 17 Jul 2001, 17:24
Ruth Ruth is offline
 
Join Date: Oct 2001
Question prevent password (account) sharing

Could someone help me with this hack please, i am trying to prevent password sharing in vB, the hack is based on:

(a) limiting access to a specific account per one ip adress at the same time.

(b) if there are more than one ip adress, for the same account at the same time, the account will be reported to the administrator.

(c) limiting access to one account to a number of ips/day, for example if the there are more than 10 ips/account/day the account is reported &/or deleted.

Thanks
Reply With Quote
  #2  
Old 17 Jul 2001, 17:39
AaronB
Guest
 
You could present problems with IP restrictions. I, for example, login from home and work each day... so I have 2 IP's that I would come from and be reported every day.

Most modem users and all AOL users will get a different IP each time they log on. So if I have to get on and off because a family member needs the phone, I could have umteen IP's each day as a result.

I'm not positive on this one, but I think you can actually switch IP's with AOL while in a session. They can change you IP from just clicking from page to page.
Reply With Quote
  #3  
Old 17 Jul 2001, 17:55
Ruth Ruth is offline
 
Join Date: Oct 2001
, for example, login from home and work each day...
true but you wouldn't be using this at the same time i.e you will not be at home and work at the same time.


Dynamic ips
i myself use a dynamic ip, thats why i asked for this option to be reported at least if not deleted, so that i can compare the ip adresses, dynamic ips will result in the last 3 numbers to change...

111.222.333.444 (444 in this case and sometimes 333) but it will be under the same company which is AOL for example.

also if you can set the number of ips/day to a certain number say 10/15/20 ips depending on the nature of users, before an account that can be deleted (if you want this option, otherwise reporting in dynamic ip community)

cheers,
Reply With Quote
  #4  
Old 17 Jul 2001, 19:49
JGraham9382
Guest
 
If someone made this I would DEFINATELY implement this in my board...plus I would kiss their feet...lol...
Reply With Quote
  #5  
Old 17 Jul 2001, 20:35
BradC
Guest
 
I always thought that.. all ISP and everyone had a common ip..

lets say I have 207.1.7.222..

I always thought that atleast 207.*.*... was the same, it was the number after that..
Reply With Quote
  #6  
Old 17 Jul 2001, 21:07
MrLister's Avatar
MrLister MrLister is offline
 
Join Date: Oct 2001
it is. users on cable almost always start with 24.*.*.*
Reply With Quote
  #7  
Old 17 Jul 2001, 21:16
GameCrash GameCrash is offline
 
Join Date: Oct 2001
Real name: Andreas
Why don't you work with cookies? It would be easier and better (I think)...
Reply With Quote
  #8  
Old 17 Jul 2001, 21:45
Ruth Ruth is offline
 
Join Date: Oct 2001
There are 2 type of IPs:

(1) Static IP
where the whole ip is the same...this is found on cable users...

(2) Dynamic IP
where the last few numbers change, but the DNS of the ip will show the same company (ISP), this is found on most dial up connections, and it changes with every new connection.

(3) Nevermind IP Spoofing

Why don't you work with cookies? It would be easier and better (I think)...
GameCrash, i can't understand exactly how you want to use cookies for that purpose.

The idea of this hack is very protective for vB, for a simple question which is "what would be the case if 2 users logged to the same account in vB at the same time with 2 different ips?

Is there any security in vB for that?
Will it report this to the admin?
Will it delete the account?

All this will result in the account being abused, especially when it is not that easy to be a member of a certain vB, like mine

cheers,
Reply With Quote
  #9  
Old 17 Jul 2001, 22:45
dabean dabean is offline
 
Join Date: Oct 2001
You shouldn't assume that the first section of IP address will not change because most of the larger ISPs have IP allocations in completely different blocks. For example the US cable co roadrunner could dynamically allocate you a 24.x or a 65.x another example is aol where you could get 152.x or a 205.x or 172.x etc....

Secondly if the isp or the person browsing is using a proxy there is always the risk of recording the proxy address not the actual users address. In theory all proxies should forward the user ip but in reality many don't including some "transparent" proxies used by ISPs.
Reply With Quote
  #10  
Old 17 Jul 2001, 23:02
Ruth Ruth is offline
 
Join Date: Oct 2001
For example the US cable co roadrunner could dynamically allocate you a 24.x or a 65.x another example is aol where you could get 152.x or a 205.x or 172.x etc....
as i mentioned before in this case the DNS will show the same for the company or ISP

the person browsing is using a proxy
Again, each user will have a limit of 10/15/or 20 ips/day, and after at least a week of recording the ips, you will know if thats a regular ip (or proxy) used by that user.

And why are you making it so complicated, take life easy, how many people will use a proxy? and if you find someone using a proxy s/he will probably use it forever (instead of showing the regular ip) not only for my vB!

take the idea of the script easy...start by understanding the need for detecting 2 users logging at the same time with the same account...don't go further...at least for now

cheers,
Reply With Quote
  #11  
Old 19 Jul 2001, 15:17
Ruth Ruth is offline
 
Join Date: Oct 2001
Anyone?
Reply With Quote
  #12  
Old 19 Jul 2001, 15:37
VirtueTech VirtueTech is offline
 
Join Date: Oct 2001
This hack would be very very useful.

I too would implement this on my boards in a heart beat.
__________________
PaintballCity.com
VB Board of the Month: October
Reply With Quote
  #13  
Old 19 Jul 2001, 17:28
dabean dabean is offline
 
Join Date: Oct 2001
You could achieve (a) by firstly modifying the session table to contain a field called “active”. Then with the new field added it becomes as simple as setting active to 1 every time a new session is created and most importantly setting “active” of all other sessions for that userid that have a different IP address to 0. e.g. (UPDATE session SET active =0 WHERE userid=’$bbuserinfo[userid]’ AND host!=’$REMOTE_ADDR’)

Now for the really clever part when a user requests anything you just check to see if the session they are using has been deactivated, if it’s been deactivated you’ve caught simultaneous browsing from different IP addresses.


To achieve (b) Create two new tables (master/detail relationship) called say abuseevent and abusedetail. The reason for using a master detail relationship is it allows for any number of simultaneous sessions.
In abuseevent record the actual abuse e.g. userid, time & abuseid (auto increment)
In abusedetail record each of the IP addresses that where active at the time e.g. abuseid, IP address & abusedetailid (auto increment)

I’ll leave part (c) for someone else to figure out as the solution is extremely involved, personally I would write the code necessary to do parts (a), (b) before even thinking about all extra logic needed for part (c).
Reply With Quote
  #14  
Old 20 Jul 2001, 16:52
Ruth Ruth is offline
 
Join Date: Oct 2001
Thanks for your reply dabean,

i like your theory, but due to the fact that i lack complete knowledge about php, i am unable to decide how to modify tables, and what templates and php files to change.

About part (c) , there is an already made hack about mass delete users (made by Blue2000) and can be found at

http://www.vbulletin.com/forum/showt...5&pagenumber=1

i asked for these option to be added
i am wondering if someone canm add these 2 options to this hack:

(1) instead of deleting users, you may have the option to transfer them to another group (say inactive users)

(2) Delete users that have a number of IPs/day, for example if someone has 30 ips/day, the account is more liklely to be a bused, therfore it can delete the account.
which would be easier i think to add the option (C)

so the theory is there for the script, only professional coders needed now

please coders support this script by sharing your codes, and those who are not coders, support the script by saying that you want this script so bad

cheers,
Reply With Quote
  #15  
Old 20 Jul 2001, 18:26
VirtueTech VirtueTech is offline
 
Join Date: Oct 2001
Originally posted by Ruth
(1) instead of deleting users, you may have the option to transfer them to another group (say inactive users)

Kier made this hack to mass move users in and out of usergroups:
http://www.vbulletin.com/forum/showt...threadid=13687
__________________
PaintballCity.com
VB Board of the Month: October
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 04:23.

Layout Options | Width: Wide Color: