Admin Protect - A IP / PIN protection plugin for the AdminCP
#1
Some might have seen various posts from me over the time about adding this as a feature to the current version / 2.0 version of MyBB. In that time KevinVR helped me create the first version which was a purely IP based protection system which required to add quite a a lot of code to the index.php file of the /admin/

Then somebody suggested simply making a plugin from it and only have to insert one line to the index.php file so that is what i did. After some additional feedback i also added the option for a PIN security for people with a dynamic IP and who would still like to add an additional protection system. To the current ACP which will tell the admin if somebody has obtained their password/username combination to gain access to the ACP. The goal of this plugin is to prevent this from happening and at the same time alert the admin user that this has happened.

This is done by simply only running the plugin after a user already has successfully logged into the ACP. And comparing it to the information in the database. (only for IP protection)

The PIN though does not offer this protection. This only ads a pin to be inserted every X amount of days (can be set in the options) to gain access to the ACP.

Now i would like feedback on the current code and how it looks / functions.

Modification of admin/index.php (line 413). Insert below this line of code:
$page->add_breadcrumb_item($lang->home, "index.php");

The following line:
$plugins->run_hooks("admin_security");

Then upload the adminProtect.php to inc/plugins/ and the adminProtect.lang.php to inc/language/english/admin/

If you want to try / help me test it.
For people who want to test it locally ( i would not recommend running this on any live site!! ) with xampp (or similar) you will need to enable the local mailing option following this guide:

http://roshanbh.com.np/2007/12/sending-e...nment.html

It then is able to send a mail to the email linked to the account.

Hopefully somebody can give feedback / look at the code etc and say what i need to improve / fix etc. any feedback is greatly appreciated.

Images:

Pin input box:
[Image: uwy7A.png]

Pin mail received:
[Image: dVwpV.png]

IP information box:
[Image: sJKOy.png]

IP mail received:
[Image: oIXph.png]

Confirmation:
[Image: mLI95.png]

Options:
[Image: kuaXE.png]

Files:

.php   adminProtect.php (Size: 12.88 KB / Downloads: 164)

.php   adminProtect.lang.php (Size: 3.01 KB / Downloads: 202)
Reply
#2
admin accounts are rarely stolen...it's normally sql injection that occurs and in such cases hiding the admincp does nothing

While basic procedures should be taken like htaccess authentication I don't see the need to have core file edits.

Reviewing your code it appears to be a decent method for those that do want this.
Reply
#3
(2012-12-12, 11:01 PM)labrocca Wrote: admin accounts are rarely stolen...it's normally sql injection that occurs and in such cases hiding the admincp does nothing

While basic procedures should be taken like htaccess authentication I don't see the need to have core file edits.

Reviewing your code it appears to be a decent method for those that do want this.

No i fully agree that htaccess authentication is better. But this is meant as a basic security enhancement. Which when IP based will also notify a user if somebody is trying to get access to the ACP unauthorized.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)