MyBB Community Forums

Full Version: generate emails when someone logs in to admin cp
this is carried over from: https://github.com/mybb/mybb/issues/4088

text:

MyBB should consider adding some code that'll generate an email when someone logs in to the admin cp. Most sites that handle customer data do this and include some information such as this in the email it sends out:

Dear Andrew,

Someone has recently logged into your website account.

Username : me
IP Address : 1.2.3.4
Hostname : me.com
Time : 2020-06-21 02:50 PM

If this is not you we highly recommend you change your details and inform a
staff member immediately.

You can modify the settings of this alert under your profile.

Regards,
website
Great idea.
And send mail only if it's a new (not used in the last 2 months?) IP for this username.
This kind of notification would be a beneficial security addon.
(2020-06-22, 10:31 PM) Crazycat Wrote: Great idea.
And send mail only if it's a new (not used in the last 2 months?) IP for this username.
Many ISPs do a forced IP change to customers at intervals. So I would not rely on IP addresses.

Another improvement would be to log and mail any attempt by usernames that are not members of the Administrators group.
Mind that bots and web spiders/crawlers may use forms for login attempts as well, so a mail notification could end up in a bunch of emails.
Login check can also be tied to a counter on login attempts with the same IP address.
There are a lot of ideas to consider and achieve such a security feature with mail notification.


Nevertheless...
The best way to secure the ACP is to rename (hide) the ./admin directory and use an additional honeypot login page instead ;)
Be careful: Never visit a new website from the same ACP browser tab - the webserver of the newly called website will see the ACP URL as referrer in its log files.

[ExiTuS]
Omar turned this into a plugin for now... feel free to try it out: https://github.com/Sama34/OUGC-Email-ACP-Logins
I highly recommend for right now stop coming up with new features for the first release of 1.9

Get the basics done and get it released, then release these new features as part of updates.

Continuing to come up with things to throw into the code now is just going to delay more and more.
(2020-06-29, 04:20 PM) Furious Wrote: I highly recommend for right now stop coming up with new features for the first release of 1.9

Get the basics done and get it released, then release these new features as part of updates.

Continuing to come up with things to throw into the code now is just going to delay more and more.
Agreed on the one hand... disagreed on the other.
Developing and waiting for the next release does not mean suppressing ideas for future improvements.

Indeed there are a lot of improvements for future updates to gain board security as well as some dispensable stuff to just keep on hold for future. That's okay as long as developers meet and follow priorities :)

[ExiTuS]

PS.
Right okay, this primary suggestion is low priority.
Ok so I came across this thread on the GitHub issue - a couple of things:

- There is some concern about bloating the core, but emails already get sent. I don't think it's too much of a stretch to add this as well. At worst, people don't get the emails because their mail relays are broken. In which case, I see this as a win because people need to learn how to set up their mail relays properly.

- There is some discourse here about whether we should send emails for all (or just new) IPs: I believe that we should send for all logins. Less logic to potentially break.
Don't you think it would add security, but on the other hand it seems like it might not be suitable for all the users, as there are people who are not satisfied by too many security questions?

Do let me know if there is any correction. This is what I have experienced, seen and shared.
Do share your views too.
Administrators would get the option to disable this feature. It would be more of a notification alert than a security wall.
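
The notification policies debated in this thread (mail on every login, mail only for an IP the user has not used in the last 2 months, and a counter on failed attempts per IP), as an added example that is not part of any post, MyBB core or the linked plugin. It is plain PHP because MyBB is written in PHP; all function names, thresholds and sample data are assumptions, and hooking it into the ACP login and the mail queue is left out. With dynamic ISP addresses, the 'new_ip' mode mails again after each address change.

```php
<?php
// Added example, not MyBB core or plugin code. All names and thresholds are assumptions.
const NEW_IP_WINDOW  = 60 * 86400; // "not used in the last 2 months"
const FAIL_THRESHOLD = 5;          // assumed: failed attempts from one IP before a mail
const FAIL_WINDOW    = 900;        // assumed: counting window for failures, in seconds

// $history: earlier successful ACP logins, each ['user' => ..., 'ip' => ..., 'time' => ts].
function should_mail_login(array $history, string $user, string $ip, int $now, string $mode): bool
{
    if ($mode === 'all') {
        return true; // mail on every login: no history lookup that could break
    }
    foreach ($history as $row) { // 'new_ip': stay quiet if this user used this IP recently
        if ($row['user'] === $user && $row['ip'] === $ip && $now - $row['time'] <= NEW_IP_WINDOW) {
            return false;
        }
    }
    return true;
}

// $failures: timestamps of failed ACP logins from one IP, current attempt included.
// Mails on the attempt that reaches the threshold, not on every attempt, so a bot
// hammering the form does not produce one message per request.
function should_mail_failures(array $failures, int $now): bool
{
    $recent = array_filter($failures, function ($t) use ($now) {
        return $now - $t <= FAIL_WINDOW;
    });
    return count($recent) === FAIL_THRESHOLD;
}

// Plain-text body with the fields from the sample mail in the first post.
function login_mail_body(string $user, string $ip, string $host, int $now): string
{
    return "Someone has recently logged into the Admin CP.\n\n"
        . "Username : {$user}\nIP Address : {$ip}\nHostname : {$host}\n"
        . 'Time : ' . gmdate('Y-m-d h:i A', $now) . " UTC\n";
}

// Constructed sample data (documentation address ranges, made-up timestamps).
$now = 1592751000;
$history = [
    ['user' => 'admin', 'ip' => '192.0.2.10',   'time' => $now - 10 * 86400],
    ['user' => 'admin', 'ip' => '198.51.100.7', 'time' => $now - 90 * 86400],
];
var_dump(should_mail_login($history, 'admin', '192.0.2.10', $now, 'new_ip'));   // used 10 days ago
var_dump(should_mail_login($history, 'admin', '198.51.100.7', $now, 'new_ip')); // last used 90 days ago
var_dump(should_mail_failures([$now - 40, $now - 30, $now - 20, $now - 10, $now], $now));
echo login_mail_body('admin', '198.51.100.7', 'host.example', $now);
```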