security and users, hacker script, forum user list [message #167630]
Sat, 11 August 2012 11:03

Atomicrun
Messages: 54 Registered: November 2010 Location: Lund
Karma: 0
Member
I have a set of bots that are constantly working the user list, and also try to register new users on the list. I have set admin approval for new users.
A) If the bot fails to pass the e-mail approval, or if the e-mail is bad so no approval is reached, I don't like to have these bogus accounts listed on Accounts Pending Approval (3). They should be listed only after the account has passed the e-mail verification.
B) I don't like the /adm directory. There will be special bots that will try to access files in such a directory constantly. I would like to rename this directory "greenie_458263", include a new fresh /adm directory that is empty, and load a PHP script "admadministratorlogin.php" that simply puts the IP on the block-list for a few days.
On my server, Apache restricts IP access to the internal local network, and there is also an Apache password on this directory.
So I don't really have a problem, and I don't even think that there could be any security issue, but if some intermediate version, for a short while, once has a problem, it cannot be exploited unless the hacker can figure out the name of the adm directory on the target server.
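The decoy-directory idea in this post (the real admin directory renamed, an empty /adm left in place, and every client that touches it put on a temporary block-list) can be driven from the Apache access log instead of a PHP script. The following is an added example, not code from the original post or from the forum software: it parses combined-log lines, collects each IP that requested the decoy path, and renders the still-valid entries as Apache 2.4 `Require not ip` lines; the sample log lines, the `/adm` prefix check and the three-day window are constructed assumptions.

```python
"""Temporary block-list built from hits on a decoy /adm directory (added example,
not the post's PHP script): parse Apache combined-log lines, collect each client
IP that requested the decoy path, and block it for BLOCK_DAYS after its last hit."""
import re
from datetime import datetime, timedelta

DECOY_PATH = "/adm"   # the empty decoy directory from the post (assumption)
BLOCK_DAYS = 3        # "a few days" (assumption)

# Apache combined log format; only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log lines (RFC 5737 documentation addresses, not real hits).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Aug/2012:11:03:01 +0200] "GET /adm/index.php HTTP/1.1" 401 381
203.0.113.7 - - [11/Aug/2012:11:03:02 +0200] "POST /adm/admadministratorlogin.php HTTP/1.1" 200 12
198.51.100.9 - - [11/Aug/2012:11:05:10 +0200] "GET /index.php?t=userlist HTTP/1.1" 200 8831
192.0.2.33 - - [12/Aug/2012:03:14:15 +0200] "GET /adm/ HTTP/1.0" 401 381
"""

def parse_line(line):
    """Return {ip, ts, path} for a combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path")}

def is_decoy_hit(path):
    """True for /adm itself and anything below it; /admin and friends do not match."""
    return path == DECOY_PATH or path.startswith(DECOY_PATH + "/")

def build_blocklist(log_text, now, block_days=BLOCK_DAYS):
    """Map each offending IP to its block expiry; entries already expired at `now` are dropped."""
    blocked = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_decoy_hit(rec["path"]):
            continue
        expiry = rec["ts"] + timedelta(days=block_days)
        if expiry > now and expiry > blocked.get(rec["ip"], now):
            blocked[rec["ip"]] = expiry   # keep the latest hit's expiry
    return blocked

def blocklist_at(now_iso, log_text=SAMPLE_LOG):
    return build_blocklist(log_text, datetime.fromisoformat(now_iso))

def apache_deny_lines(blocked):
    """Render the block-list as Apache 2.4 'Require not ip' directives."""
    return [f"Require not ip {ip}" for ip in sorted(blocked)]
```

Running `build_blocklist` on a rotating basis and writing `apache_deny_lines` into an included config (followed by a graceful reload) gives the "block for a few days" behaviour without any code living inside the decoy directory itself.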
Re: security and users, hacker script, forum user list [message #167633 is a reply to message #167630]
Sat, 11 August 2012 11:49

Atomicrun
Messages: 54 Registered: November 2010 Location: Lund
Karma: 0
Member
Another thing about the user list, the list of forum members:
I would prefer that a "Logged in" user is defined as a user that:
1) performed registration
2) passed the e-mail verification
3) passed the admin approval of the account (if any)
If the user is not "Logged in" according to the above, he should count as "anonymous" when the forum decides on forums.
I would also like the list of forum members to be inaccessible as long as the user is not "Logged in".
It is not that I have any problem with this, but my Apache log gets filled up with many user-list searches, login attempts and similar.
Re: security and users, hacker script, forum user list [message #167683 is a reply to message #167633]
Thu, 30 August 2012 02:56

NeXuS
Messages: 121 Registered: July 2010 Location: South Korea
Karma: 5
Senior Member, Contributing Core Developer
Atomicrun wrote on Sat, 11 August 2012 20:49:
Another thing about the user list, the list of forum members:
I would prefer that a "Logged in" user is defined as a user that:
1) performed registration
2) passed the e-mail verification
3) passed the admin approval of the account (if any)

AFAIK a user is "logged in" only if the login has been correctly performed. This also means that the account has to be verified and approved (otherwise one cannot conclude the login process).

Atomicrun wrote on Sat, 11 August 2012 20:49:
I would also like the list of forum members to be inaccessible as long as the user is not "Logged in".
It is not that I have any problem with this, but my Apache log gets filled up with many user-list searches, login attempts and similar.

Modify your theme to show the list only to logged-in users; it should be pretty easy.
Re: security and users, hacker script, forum user list [message #167837 is a reply to message #167633]
Fri, 19 October 2012 05:39

Geraldinehenry
Messages: 2 Registered: October 2012
Karma: 0
Junior Member
Atomicrun wrote on Sat, 11 August 2012 07:49:
Another thing about the user list, the list of forum members:
I would prefer that a "Logged in" user is defined as a user that:
1) performed registration
2) passed the e-mail verification
3) passed the admin approval of the account (if any)
If the user is not "Logged in" according to the above, he should count as "anonymous" when the forum decides on forums.
I would also like the list of forum members to be inaccessible as long as the user is not "Logged in".
It is not that I have any problem with this, but my Apache log gets filled up with many user-list searches, login attempts and similar.