Re: PunBB 1.2.11

I know it matters. I'm saying it's extremely rare that two people using the same IP address will register within one hour, therefore the message will never be seen by people, English-speaking or otherwise.

Re: PunBB 1.2.11

Yes, I will move the message out into the language files for 1.3.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

28

Re: PunBB 1.2.11

For those of you looking for a slightly lighter registration lockdown, you can use this code to limit registrations to 1 per IP per 15 minutes:

$result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE registration_ip=\''.get_remote_address().'\' AND registered>'.(time() - 900)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());

29 (edited by MathsIsFun 2006-03-01 23:49)

Re: PunBB 1.2.11

Connorhd wrote:

The language isn't really that important, the chances of 2 users registering with the same IP address within the space of an hour is extremely slim.

I get schools on my website - hundreds of people all with the one IP, and usually a whole class at one time!

But I certainly don't want malicious floods, so this update is much appreciated, thanks Rickard.

Re: PunBB 1.2.11

Probably irrelevant, but you spelled malicious wrong in the announcement. wink

I don't HAVE a signature, ok?

Re: PunBB 1.2.11

MathsIsFun wrote:
Connorhd wrote:

The language isn't really that important, the chances of 2 users registering with the same IP address within the space of an hour is extremely slim.

I get schools on my website - hundreds of people all with the one IP, and usually a whole class at one time!

But I certainly don't want malicious floods, so this update is much appreciated, thanks Rickard.

How often do people register though?

Re: PunBB 1.2.11

creaturecorp wrote:

Probably irrelevant, but you spelled malicious wrong in the announcement. wink

Thanks. Fixed.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: PunBB 1.2.11

I have upgraded from 1.2.10 to 1.2.11 by replacing the three changed files:

header.php
install.php
register.php

I also modified the value of o_cur_version in the database to 1.2.11.

However, if I log in to the admin, under Index > Statistics > Version it still says 1.2.10. I'd like to change this to avoid any confusion. What else do I need to edit in order for the correct version number to appear here (and anywhere else I am unaware of)?

cheers
SAM smile

Re: PunBB 1.2.11

You manually updated it, which didn't delete the config cache file tongue
Check out the cache folder, delete the cache_config.php file

Re: PunBB 1.2.11

Cool! Thank you so much for your quick and helpful reply. I didn't realize that config values were cached. All is good now.
cheers
SAM smile

36 (edited by Squeg 2006-03-03 19:41)

Re: PunBB 1.2.11

I can imagine several legitimate uses that would be severely hindered by this simple anti-flooding technique. Large groups of users sharing an IP is one of them. My message board is used for an RPG and users often have a different account for each role-play character. It is not uncommon for a user to set up 2 or 3 accounts at once.

Making the timeout configurable is one step towards making this more flexible.  Another would be to add a configurable "number of acceptable registrations within a given time" variable.  In other words, you might want to only allow 1 registration per IP every 30 minutes.  Or you might want to allow 4 registrations per IP every 60 minutes.

By allowing for a small number of registrations to happen before the user is affected by the timeout period, you greatly diminish the chances of legitimate users being affected. But you still prevent the DDoS-type registration attacks from being effective.
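Squeg's "N registrations per IP per window" suggestion, written out as an added example (Python with sqlite3, not PunBB code and not the mod linked below). It keeps the same predicate as the query posted earlier in the thread (registration_ip matches and registered is newer than now minus the window) but counts matching rows, uses a parameterised query, and takes the limit and the window as parameters, so "1 per 15 minutes" and "4 per 60 minutes" are just different arguments. The users table, the IP address and the timestamps are constructed stand-ins for the example.

```python
import sqlite3

# Constructed stand-in for PunBB's `users` table, reduced to the two columns
# the anti-flood check reads (registration_ip, registered). Not the real schema.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    registration_ip TEXT NOT NULL,
    registered INTEGER NOT NULL   -- unix timestamp, as in PunBB
)
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def recent_registrations(db, ip, now, window):
    """Count registrations from `ip` newer than `now - window` seconds.

    Same predicate as the 1-per-15-minute query in the thread, but
    parameterised and counted instead of concatenated and probed for one row.
    """
    (count,) = db.execute(
        "SELECT COUNT(*) FROM users WHERE registration_ip = ? AND registered > ?",
        (ip, now - window),
    ).fetchone()
    return count


def registration_allowed(db, ip, now, max_per_window, window):
    """Policy: allow while fewer than `max_per_window` registrations fall inside the window."""
    return recent_registrations(db, ip, now, window) < max_per_window


def try_register(db, ip, now, max_per_window, window):
    """Apply the policy and, if it passes, record the registration."""
    if not registration_allowed(db, ip, now, max_per_window, window):
        return False
    db.execute(
        "INSERT INTO users (registration_ip, registered) VALUES (?, ?)",
        (ip, now),
    )
    return True


def simulate(max_per_window, window, attempts):
    """Run a list of (ip, timestamp) attempts against a fresh table and
    return the allow/deny decision for each attempt, in order."""
    db = open_db()
    return [try_register(db, ip, t, max_per_window, window) for ip, t in attempts]


# Constructed scenario: a classroom behind one NAT address registers four
# accounts in the first minute, tries a fifth shortly after, and one more an hour later.
CLASSROOM = [("203.0.113.7", t) for t in (0, 10, 20, 30, 60, 3601)]

if __name__ == "__main__":
    print("1 per 15 min :", simulate(1, 900, CLASSROOM))
    print("4 per 60 min :", simulate(4, 3600, CLASSROOM))
```

With the 1-per-15-minute rule only the first and the last attempt get through; with 4 per hour the whole class registers and only the fifth attempt inside the hour is refused. The count-based check also means the cap is on completed registrations, so refused attempts do not themselves extend the lockout. Whatever the numbers, the check is keyed on the address the server saw for the connection, so a forum behind a reverse proxy or a population behind one NAT gateway (the schools mentioned above) shares a single budget.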

37 (edited by elbekko 2006-03-03 20:35)

Re: PunBB 1.2.11

Well, it's easy enough to do.
*goes off to write yet another mod*

EDIT: Here it is big_smile PunRes link for v1.0

38

Re: PunBB 1.2.11

Wow, I haven't even had time to install the patch, and you've already modded it to do what I want.  Thanks.  I'm sure some others will appreciate it as well.

Perhaps something similar might make it into the core in a future revision?

Re: PunBB 1.2.11

Smartys wrote:

You manually updated it, which didn't delete the config cache file tongue
Check out the cache folder, delete the cache_config.php file

I deleted everything in the cache directory, but it still doesn't work. tongue

Any suggestion?

40 (edited by Smartys 2006-03-04 03:19)

Re: PunBB 1.2.11

licheng wrote:
Smartys wrote:

You manually updated it, which didn't delete the config cache file tongue
Check out the cache folder, delete the cache_config.php file

I deleted everything in the cache directory, but it still doesn't work. tongue

Any suggestion?

So you manually updated the version in the database and then deleted config_cache.php? Then try clearing the cache on your computer wink

Re: PunBB 1.2.11

Smartys wrote:

So you manually updated the version in the database and then deleted config_cache.php? Then try clearing the cache on your computer wink

Yeah, you're right! tongue

Thanks for your help. smile

Re: PunBB 1.2.11

I don't know much about DoS, but wouldn't it be easier to add a simple CAPTCHA to the registration form?

That way the legitimate reasons for multiple users using the same IP (some mentioned above) would not cause any problems.

Re: PunBB 1.2.11

Perhaps a conditional CAPTCHA? The first user per IP/hour will get in as usual; additional users from the same IP will get the CAPTCHA :-)

Re: PunBB 1.2.11

agraddy wrote:

I don't know much about DoS, but wouldn't it be easier to add a simple CAPTCHA to the registration form?

That way the legitimate reasons for multiple users using the same IP (some mentioned above) would not cause any problems.

Except then Rickard would have to code a CAPTCHA
Plus, a popular thing now seems to be mass requesting CAPTCHAs and using it as a DoS attack on the site (since it's so busy generating the CAPTCHAs, which take a lot of CPU)

45

Re: PunBB 1.2.11

Smartys wrote:

Plus, a popular thing now seems to be mass requesting CAPTCHAs and using it as a DoS attack on the site (since it's so busy generating the CAPTCHAs, which take a lot of CPU)

CAPTCH 22 ?
wink

New Friendly web-shop! • SO happy with PunBB! • Now punBB 1.4.x on ALL forums (won't tell how many or their addresses to avoid spam-regs)

46

Re: PunBB 1.2.11

Graphic CAPTCHAs are out of the question anyway as they don't meet accessibility guidelines.

Re: PunBB 1.2.11

Squeg wrote:

I can imagine several legitimate uses that would be severely hindered by this simple anti-flooding technique. Large groups of users sharing an IP is one of them. My message board is used for an RPG and users often have a different account for each role-play character. It is not uncommon for a user to set up 2 or 3 accounts at once.

Making the timeout configurable is one step towards making this more flexible.  Another would be to add a configurable "number of acceptable registrations within a given time" variable.  In other words, you might want to only allow 1 registration per IP every 30 minutes.  Or you might want to allow 4 registrations per IP every 60 minutes.

By allowing for a small number of registrations to happen before the user is affected by the timeout period, you greatly diminish the chances of legitimate users being affected. But you still prevent the DDoS-type registration attacks from being effective.

I agree. I will look into different methods of solving the problem. What you suggest would not be an option for 1.2.* though as it would require a lot more code and perhaps even some database schema changes.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: PunBB 1.2.11

What about spoofed IP DDoS attacks?

Re: PunBB 1.2.11

It was nice.
I translate PunBB to Persian (Farsi). What am I doing?

50

Re: PunBB 1.2.11

Paul wrote:

Graphic CAPTCHAs are out of the question anyway as they don't meet accessibility guidelines.

Exactly. And the fact they are terrible to begin with.

/me PWND by Register.php DoS attack. Oops, that's what I get for not regularly looking for updates.