Re: PunBB 1.2.11
I know it matters; I'm saying it's extremely rare that 2 people using the same IP address will register within 1 hour, therefore the message will never be seen by people, English-speaking or otherwise.
Yes, I will move the message out into the language files for 1.3.
For those of you looking for a little lighter registration lockdown, you can use this code to limit registrations to 1 per IP per 15 minutes:
$result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE registration_ip=\''.get_remote_address().'\' AND registered>'.(time() - 900)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
The language isn't really that important; the chances of 2 users registering with the same IP address within the space of an hour are extremely slim.
I get schools on my website - hundreds of people all with the one IP, and usually a whole class at one time!
But I certainly don't want malicious floods, so this update is much appreciated, thanks Rickard.
How often do people register though?
Probably irrelevant, but you spelled malicious wrong in the announcement.
Thanks. Fixed.
I have upgraded from 1.2.10 to 1.2.11 by replacing the three changed files:
header.php
install.php
register.php
I also modified the value of o_cur_version in the database to 1.2.11.
However, if I log in to the admin, under Index > Statistics > Version it still says 1.2.10. I'd like to change this to avoid any confusion. What else do I need to edit in order for the correct version number to appear here (and anywhere else I am unaware of)?
cheers
SAM
You manually updated it, which didn't delete the config cache file
Check out the cache folder, delete the cache_config.php file
Cool! Thank you so much for your quick and helpful reply. I didn't realize that config values were cached. All is good now.
cheers
SAM
I can imagine several legitimate uses that would be severely hindered by this simple anti-flooding technique. Large groups of users sharing an IP is one of them. My message board is used for an RPG and users often have a different account for each role play character. It is not uncommon for a user to set up 2 or 3 accounts at once.
Making the timeout configurable is one step towards making this more flexible. Another would be to add a configurable "number of acceptable registrations within a given time" variable. In other words, you might want to only allow 1 registration per IP every 30 minutes. Or you might want to allow 4 registrations per IP every 60 minutes.
By allowing for a small number of registrations to happen before the user is affected by the timeout period, you greatly diminish the chances of legitimate users being affected. But you still prevent the DDOS type registration attacks from being effective.
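Added example (not part of the thread, and not PunBB or PunRes code): the "number of acceptable registrations within a given time" check proposed above, sketched in PHP with PDO and an in-memory SQLite table so it runs on its own. The function name, table layout and sample addresses are assumptions; only the registration_ip and registered column names come from the query quoted earlier in the thread.

```php
<?php
// Added example, not PunBB code. The column names registration_ip and
// registered come from the query quoted in the thread; the rest is assumed.

/** True if fewer than $maxRegs accounts were created from $ip in the window. */
function registration_allowed(PDO $pdo, string $ip, int $now,
                              int $maxRegs, int $windowSecs): bool
{
    // Bound parameters, so the address never becomes part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM users
          WHERE registration_ip = :ip AND registered > :since'
    );
    $stmt->bindValue(':ip', $ip, PDO::PARAM_STR);
    $stmt->bindValue(':since', $now - $windowSecs, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn() < $maxRegs;
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, registration_ip TEXT, registered INTEGER)');

$now = 1700000000; // fixed clock so the run is repeatable
$rows = [
    // A class behind one shared address: three sign-ups within ten minutes.
    ['pupil1', '192.0.2.10', $now - 600],
    ['pupil2', '192.0.2.10', $now - 300],
    ['pupil3', '192.0.2.10', $now - 60],
    // Same address two hours ago: outside a 60-minute window.
    ['teacher', '192.0.2.10', $now - 7200],
];
// A flood from a single address: five accounts in the last minute.
for ($i = 1; $i <= 5; $i++) {
    $rows[] = ["bot$i", '198.51.100.7', $now - 10 * $i];
}
$insert = $pdo->prepare('INSERT INTO users VALUES (?, ?, ?)');
foreach ($rows as $row) {
    $insert->execute($row);
}

// Compare the strict one-per-hour rule with the looser four-per-hour proposal.
$policies = ['1 per 60 min' => [1, 3600], '4 per 60 min' => [4, 3600]];
foreach ($policies as $label => [$max, $window]) {
    foreach (['192.0.2.10', '198.51.100.7', '203.0.113.5'] as $ip) {
        $ok = registration_allowed($pdo, $ip, $now, $max, $window);
        printf("%-13s %-13s %s\n", $label, $ip, $ok ? 'allow' : 'refuse');
    }
}
```

The counter is still per address, so a large group behind one IP reaches the cap once it has used up the allowance for the window; raising the allowance only moves that point.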
Well, it's easy enough to do.
*goes off to write yet another mod*
EDIT: Here it is PunRes link for v1.0
Wow, I haven't even had time to install the patch, and you've already modded it to do what I want. Thanks. I'm sure some others will appreciate it as well.
Perhaps something similar might make it into the core in a future revision?
Smartys wrote: You manually updated it, which didn't delete the config cache file
Check out the cache folder, delete the cache_config.php file
I delete everything in cache directory, but still doesn't work.
Any suggestion?
So you manually updated the version in the database and then deleted config_cache.php? Then try clearing the cache on your computer
Yeah, you're right!
Thanks for your help.
I don't know much about DoS but wouldn't it be easier to add a simple CAPTCHA to the registration form?
That way the legitimate reasons for multiple users using the same IP (some mentioned above) would not cause any problems.
Perhaps a conditional CAPTCHA? First user per IP/hour will get in as usual, additional users from the same IP will get the CAPTCHA :-)
Except then Rickard would have to code a CAPTCHA
Plus, a popular thing now seems to be mass requesting CAPTCHAs and using it as a DoS attack on the site (since it's so busy generating the CAPTCHAs, which take a lot of CPU)
CAPTCH 22 ?
Graphic CAPTCHAs are out of the question anyway as they don't meet accessibility guidelines.
I can imagine several legitimate uses that would be severely hindered by this simple anti-flooding technique. Large groups of users sharing an IP is one of them. My message board is used for an RPG and users often have a different account for each role play character. It is not uncommon for a user to set up 2 or 3 accounts at once.
Making the timeout configurable is one step towards making this more flexible. Another would be to add a configurable "number of acceptable registrations within a given time" variable. In other words, you might want to only allow 1 registration per IP every 30 minutes. Or you might want to allow 4 registrations per IP every 60 minutes.
By allowing for a small number of registrations to happen before the user is affected by the timeout period, you greatly diminish the chances of legitimate users being affected. But you still prevent the DDOS type registration attacks from being effective.
I agree. I will look into different methods of solving the problem. What you suggest would not be an option for 1.2.* though as it would require a lot more code and perhaps even some database schema changes.
What about spoofed IP DDoS attacks?
It was nice.
I translate PunBB to Persian (Farsi), what am I doing
Graphic CAPTCHAs are out of the question anyway as they don't meet accessibility guidelines.
Exactly. And the fact they are terrible to begin with.
/me PWND by Register.php DoS attack. Oops, that's what I get for not regularly looking for updates.