Topic: md5 (?) encoded ip addresses

Hello,
For some reason I would like to encode (just like passwords) IP addresses. What I want to do is to leave IP addresses unknown to everybody, even admins, and in place of them generate some kind of identification code. In general, would it be possible? If yes, I believe it wouldn't be easy :). Which file is responsible for placing IP addresses into the database?

Re: md5 (?) encoded ip addresses

PunBB has some features based on users' IP. For example, moderators can ban users by IP. I think replacing the IP with an identification code isn't quite a simple task. Do a search for the text 'IP' over all forum files to find where the IP is processed, if you want to make the changes yourself. Or maybe one of the community members will help you.

Re: md5 (?) encoded ip addresses

I have started working on this. In register.php and functions.php I changed get_remote_address to sha1(get_remote_address) and it works fine, but there is one problem: when I try to ban an encoded IP, it just doesn't work. The ban is put, but you can register from that IP again.

Re: md5 (?) encoded ip addresses

Have you made sure that when you do a check for banned IPs it's encoded?

Sorry. Unactive due to personal life.

5 (edited by Head_lice 2009-03-13 20:06)

Re: md5 (?) encoded ip addresses

Still facing the same problem.
I think it's fine (functions.php):

//
// Check whether the connecting user is banned (and delete any expired bans while we're at it)
//
function check_bans()
{
    global $db, $pun_config, $lang_common, $pun_user, $pun_bans;

    // Admins aren't affected
    if ($pun_user['g_id'] == PUN_ADMIN || !$pun_bans)
        return;

    // Add a dot at the end of the IP address to prevent banned address 192.168.0.5 from matching e.g. 192.168.0.50
    $user_ip = sha1(get_remote_address());

All IPs in ban table are sha1 encrypted.

Re: md5 (?) encoded ip addresses

Maybe it's something wrong with that line:
if (substr($user_ip, 0, strlen($cur_ban_ips[$i])) == $cur_ban_ips[$i]) ?

Re: md5 (?) encoded ip addresses

Ok, I've changed $cur_ban_ips[$i] = $cur_ban_ips[$i].'.'; to $cur_ban_ips[$i] = $cur_ban_ips[$i]; and it seems to work fine.
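The mismatch worked through in the posts above, as an added example that is not part of the original thread and not PunBB's source: the comparison is reconstructed from the lines and the comment quoted here, and the function names and sample addresses are constructed assumptions.

```php
<?php
// Added example: reconstruction of the comparison quoted in this thread,
// run on constructed values. Not PunBB's actual source.

// Plain-IP check: a dot is appended to both sides, then the ban is matched
// as a prefix, so "192.168.0.5" cannot match "192.168.0.50" but a partial
// address such as "192.168" bans the whole network.
function matches_plain(string $user_ip, string $ban): bool
{
    $user_ip .= '.';
    $ban     .= '.';
    return substr($user_ip, 0, strlen($ban)) == $ban;
}

// First attempt from the thread: the user side is a bare 40-character SHA-1,
// the ban side still gets the dot, so the 41-character ban can never match.
function matches_hashed_dotted(string $user_ip, string $ban_hash): bool
{
    $user = sha1($user_ip);
    $ban  = $ban_hash . '.';
    return substr($user, 0, strlen($ban)) == $ban;
}

// Digests have no prefix structure, so compare whole values. hash_equals()
// also avoids PHP's numeric-string rule, under which "0e1" == "0e2" is true.
function matches_hashed_exact(string $user_ip, string $ban_hash): bool
{
    return hash_equals($ban_hash, sha1($user_ip));
}

$banned = '192.168.0.5';             // constructed sample addresses
$cases = [
    'plain, same address'      => matches_plain('192.168.0.5', $banned),
    'plain, 192.168.0.50'      => matches_plain('192.168.0.50', $banned),
    'plain, network 192.168'   => matches_plain('192.168.0.5', '192.168'),
    'hashed, dot on ban only'  => matches_hashed_dotted('192.168.0.5', sha1($banned)),
    'hashed, exact compare'    => matches_hashed_exact('192.168.0.5', sha1($banned)),
    'hashed, network 192.168'  => matches_hashed_exact('192.168.0.5', sha1('192.168')),
];
foreach ($cases as $label => $result) {
    printf("%-26s %s\n", $label, var_export($result, true));
}
```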

8 (edited by Parpalak 2009-03-14 11:17)

Re: md5 (?) encoded ip addresses

Have you got the desired results?

Could you briefly describe here the list of changes (or post a diff) you have made, please? Maybe this will help somebody else.

By the way, what about banning a range of IP addresses? Seems like this feature must be disabled while moving to md5(IP) values.

9 (edited by Head_lice 2009-03-14 11:49)

Re: md5 (?) encoded ip addresses

First of all, I encoded the old data in registration_ip, poster_ip, and ip (bans table) and changed the VARCHAR length of those rows to 40. Even the ip row in the bans table, because banning a range of sha1 encoded IP addresses is not possible (IMO). Then in register.php I changed both get_remote_address() to sha1(get_remote_address()). In functions.php I also changed all get_remote_address() to sha1(get_remote_address()) except for the

 function get_remote_address()

at line 725. Changing $cur_ban_ips[$i] = $cur_ban_ips[$i].'.'; to $cur_ban_ips[$i] = $cur_ban_ips[$i]; was done in PunBB 1.2.21. In 1.3.2 it's changed already. In search_functions.php all get_remote_address() were also changed to sha1(get_remote_address()). Then in admin/bans.php at line 279 I removed those lines:

                    if ($c > 3 || !ctype_digit($octets[$c]) || intval($octets[$c]) > 255)
                        message($lang_admin_bans['Invalid IP message']);

and at line 190:

                        <span class="fld-input"><input type="text" id="fld<?php echo $forum_page['fld_count'] ?>" name="ban_ip" size="45" maxlength="255" value="<?php if (isset($ban_ip)) echo $ban_ip; ?>" /></span>

changed to

                    
                       <span class="fld-input"><input type="text" id="fld<?php echo $forum_page['fld_count'] ?>" name="ban_ip" size="43" maxlength="40" value="<?php if (isset($ban_ip)) echo $ban_ip; ?>" /></span>

And I think that's it for the basic stuff. Other changes are "cosmetic", because sha1 encoded IP addresses are 40 symbols long, so for example in viewtopic.php it would be out of range.

Re: md5 (?) encoded ip addresses

I forgot to mention about post.php. But it is simple - all get_remote_address() to sha1(get_remote_address())

11

Re: md5 (?) encoded ip addresses

1) Wouldn't it be better to simply implement a hook for fn_get_remote_address_start that returns sha1($_SERVER['REMOTE_ADDR'])?

2) As it is now, it is pretty pointless to actually hash the addresses - it does not prevent people from detecting the IP address (IP address space is so small it is quite feasible to simply hash all possible values until you get the right hash). You would need to use either IPv6 or domain names for this modification to have a significant effect.

Re: md5 (?) encoded ip addresses

1) Yes, it would be much easier :)

2) And what about using sha1 at first, and then encrypt it with md5? For example md5(sha1($_SERVER['REMOTE_ADDR']))?

13

Re: md5 (?) encoded ip addresses

Head_lice wrote:

2) And what about using sha1 at first, and then encrypt it with md5? For example md5(sha1($_SERVER['REMOTE_ADDR']))?

That wouldn't solve anything. The reason why hashes are considered "safe" for private data is that there are usually way too many possible inputs to try them all - a stored hash of a password is difficult to break because there are so many possible passwords. With IPv4 addresses there are only 2**32 addresses at most, quite a few of which can't appear. If I wanted to discover the real IP address from the hash, I could simply start with 0.0.0.0, do an MD5 (or SHA1, or SHA1(MD5), or whatever) and compare the hashes; if not found, increase the address and try again. In the worst case, I would need 2**32 hash operations; the slowest benchmarks I found cite something around 100000 checks per second on modern hardware - I would need 12 hours to find the IP address.
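The enumeration argument above, as an added example (not code from the thread or from PunBB): over a constructed /16 the md5(sha1()) identifier is rebuilt by trying every address, while an HMAC under a server-side secret is not recoverable by someone holding only the database. The HMAC variant, the key handling and all function names are assumptions and are not something the thread proposes.

```php
<?php
// Added example with constructed data; not PunBB code.

// Unkeyed identifier, as proposed in the thread.
function unkeyed_id(string $ip): string
{
    return md5(sha1($ip));
}

// Keyed identifier (assumption, not from the thread): HMAC-SHA256 under a
// secret that lives in a config file, never in the database.
function keyed_id(string $ip, string $key): string
{
    return hash_hmac('sha256', $ip, $key);
}

// Try every IPv4 address in [$first, $last]; return the one whose identifier
// equals $target, or null if none does.
function recover_ip(string $target, int $first, int $last, callable $id): ?string
{
    for ($n = $first; $n <= $last; $n++) {
        $candidate = long2ip($n);
        if (hash_equals($target, $id($candidate))) {
            return $candidate;
        }
    }
    return null;
}

$ip    = '192.0.2.57';               // constructed sample (TEST-NET-1)
$first = ip2long('192.0.0.0');       // a /16: 65536 candidates keep the run short
$last  = ip2long('192.0.255.255');

// Someone holding only the database can rebuild the unkeyed identifier.
var_dump(recover_ip(unkeyed_id($ip), $first, $last, 'unkeyed_id'));

// With a key, the same search needs the secret; a wrong key finds nothing.
$key     = random_bytes(32);
$stored  = keyed_id($ip, $key);
$no_key  = function (string $c): string { return keyed_id($c, 'not-the-key'); };
$has_key = function (string $c) use ($key): string { return keyed_id($c, $key); };
var_dump(recover_ip($stored, $first, $last, $no_key));

// The forum itself, which holds the key, can still match a ban entry exactly,
// and anyone who obtains the key can enumerate again.
var_dump(hash_equals($stored, keyed_id($ip, $key)));
var_dump(recover_ip($stored, $first, $last, $has_key));

// Full IPv4 space at the thread's 100000 hashes per second.
printf("%.1f hours\n", 2 ** 32 / 100000 / 3600);
```

The keyed form only helps while the key stays out of the database dump, and it still cannot express a network ban.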

Re: md5 (?) encoded ip addresses

Thanks for advice.
function get_remote_address()

{
    return md5(sha1(gethostbyaddr($_SERVER['REMOTE_ADDR'])));
}

That should be fine?

15

Re: md5 (?) encoded ip addresses

Yes. But if you used the hooks, you could avoid any change in the source files - your modification would have the form of an extension then.
extensions/HashedIP/manifest.xml

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE extension SYSTEM "ext-1.0.dtd">
    <extension engine="1.0">
    <id>HashedIP</id>
    <title>HashedIP</title>
    <version>0.1</version>
    <description>Don't store IP addresses but their hashes.</description>
    <author>Head_Lice</author>
    <minversion>1.3dev</minversion>
    <maxtestedon>1.3</maxtestedon>
    <hooks>
        <hook id="fn_get_remote_address_start"><![CDATA[
return md5(sha1(gethostbyaddr($_SERVER['REMOTE_ADDR'])));
        ]]></hook>
    </hooks>
</extension>

16

Re: md5 (?) encoded ip addresses

You may need to implement a few more hooks (I didn't actually check what's needed to be done to work with hashed IP addresses), but the simple XML above solves all calls to function get_remote_address without having to modify any source code of PunBB.

Re: md5 (?) encoded ip addresses

I would like to encode the IP addresses in the database too, but I don't understand what the above posts are about.

Can someone please make a detailed explanation on how to do that?

MyFootballCafe.com  is Now Online!

18

Re: md5 (?) encoded ip addresses

SuperMAG wrote:

I would like to encode the IP addresses in the database too, but I don't understand what the above posts are about.

Can someone please make a detailed explanation on how to do that?

Try learning for once instead of always expecting someone else to do it for you.

19 (edited by SuperMAG 2009-06-02 10:52)

Re: md5 (?) encoded ip addresses

pepak wrote:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE extension SYSTEM "ext-1.0.dtd">
    <extension engine="1.0">
    <id>HashedIP</id>
    <title>HashedIP</title>
    <version>0.1</version>
    <description>Don't store IP addresses but their hashes.</description>
    <author>Head_Lice</author>
    <minversion>1.3dev</minversion>
    <maxtestedon>1.3</maxtestedon>
    <hooks>
        <hook id="fn_get_remote_address_start"><![CDATA[
return md5(sha1(gethostbyaddr($_SERVER['REMOTE_ADDR'])));
        ]]></hook>
    </hooks>
</extension>

Is that it? I don't need to edit anything else, do I? And what about old users' IP addresses, will their IP addresses be changed automatically?

And to core developers: this should be added to core, I think, for security purposes.

MattF wrote:

Try learning for once instead of always expecting someone else to do it for you.

How do u expect me to understand the PHP stuff without having courses or something like that? I do understand HTML and CSS a little, but PHP is very hard to understand.


20

Re: md5 (?) encoded ip addresses

SuperMAG wrote:
MattF wrote:

Try learning for once instead of always expecting someone else to do it for you.

How do u expect me to understand the PHP stuff without having courses or something like that? I do understand HTML and CSS a little, but PHP is very hard to understand.

The same way as anyone else. As you yourself noted the other week, when did we both join this board? In that time, (and neither of us had ever touched PHP back then), which one of us has never bothered to learn even the most basic of things regarding PHP? I damned well learned PHP from scratch, so you have no valid excuse whatsoever.

Re: md5 (?) encoded ip addresses

SuperMAG wrote:

And to core developers: this should be added to core, I think, for security purposes.

Why do you think that the current code is unsecure?

Re: md5 (?) encoded ip addresses

Parpalak wrote:
SuperMAG wrote:

And to core developers: this should be added to core, I think, for security purposes.

Why do you think that the current code is unsecure?

It's not unsecure, it's like (just to be safe).
If someone hacks ur database, and gets ur IP, he can hack ur PC too.

MattF wrote:
SuperMAG wrote:
MattF wrote:

Try learning for once instead of always expecting someone else to do it for you.

How do u expect me to understand the PHP stuff without having courses or something like that? I do understand HTML and CSS a little, but PHP is very hard to understand.

The same way as anyone else. As you yourself noted the other week, when did we both join this board? In that time, (and neither of us had ever touched PHP back then), which one of us has never bothered to learn even the most basic of things regarding PHP? I damned well learned PHP from scratch, so you have no valid excuse whatsoever.

I start going to w3schools.com and when I see stuff this is what my mind thinks (??? hmm ???), I end up having no clue what it is and how to learn it and I don't like it, I have no interest in it. I can't just learn every language that I need. Not the most genius guy around that. I mean how do u get interest in PHP, I was interested in HTML somehow, but I don't get interest in PHP.


23

Re: md5 (?) encoded ip addresses

SuperMAG wrote:

Is that it? I don't need to edit anything else, do I? And what about old users' IP addresses, will their IP addresses be changed automatically?

I specifically wrote:

pepak wrote:

You may need to implement a few more hooks (I didn't actually check what's needed to be done to work with hashed IP addresses)

SuperMAG wrote:

And to core developers: this should be added to core, I think, for security purposes.

As I said above, this doesn't increase security significantly.

SuperMAG wrote:

How do u expect me to understand the PHP stuff without having courses or something like that? I do understand HTML and CSS a little, but PHP is very hard to understand.

How about studying it? There are literally millions of tutorials on the net.

SuperMAG wrote:

If someone hacks ur database, and gets ur IP, he can hack ur PC too.

You may want to add "computer security" to your list of subjects to study. This is pretty much nonsense (it may happen in the right circumstances, but the chances are very low - it would be far more economical from the attacker's point of view to simply try all possible addresses than finding an address from a forum...)

SuperMAG wrote:

I can't just learn every language that I need. Not the most genius guy around that.

Most computer languages are very similar. If you learn one, you can at least read most others.

24 (edited by SuperMAG 2009-06-03 09:53)

Re: md5 (?) encoded ip addresses

So that extension code is complete? If I use it now, will it damage anything?

About the IP, I heard a lot of people in some forums say that it's very dangerous for other people to have ur IP addresses, donno exactly why, but it may be related to hacking etc. And besides, why would devs actually not do it, even it does increase security "significantly". Wouldn't a little more security over something be a good thing? Unless it takes a lot of work, which I don't know if it does.

About the study etc.: As I said, I can't just learn every language that comes upon me. Web designing is not good enough for me, I just have one website with PunBB in it, that I want to work on as a hobby.

And besides, this is a PUNBB SUPPORT forum, which means I can ask support for their open source forum software. You can't ask me to learn PHP, XML (whatever other lang) etc. to work just few stuff, that actually other members can find helpful too.

And about those tutorials, I checked them out as I posted above, but can't understand it cuz no one is talking to me from that internet page, cuz I can't just read the codes if they are written like this means (?>"!£_VQ) :D I can only learn if there is a flash tutorial or one which talks LOL. But there isn't. And learning a language takes alooot of time.


25

Re: md5 (?) encoded ip addresses

SuperMAG wrote:

So that extension code is complete? If I use it now, will it damage anything?

That's a rather liberal translation of "You may need to implement a few more hooks (I didn't actually check what's needed to be done to work with hashed IP addresses)"

why would devs actually not do it, even it does increase security "significantly".

Because it:
1) has some drawbacks (e.g. impossible to filter networks)
2) leads users into false sense of security

Wouldn't a little more security over something be a good thing?

No.

And besides, This is a PUNBB SUPPORT forum. which means i can ask support for their Open Source Forums Software.

You can ask, but that's about it - you are certainly not entitled to get an answer.

Also, consider this: you are making lots of requests without giving anything in return and without even trying to find the solution yourself. Why should anyone want to help you?