Preventing hackers from becoming root; An almost guaranteed method
Topic Started: May 21 2004, 12:10 PM (552 Views)
Paper
Member
OK, this really belongs in the troubleshooting section of the documentation. But I can't access it so I'll post it here.

I doubt any admins here like hackers, especially hackers of their own boards. Although it is supposed to be impossible to hack IF boards, people's passwords are cracked.

There is a way to stop crackers from becoming root.

When you register, use a user name that is not the user name you would like. Add a password that you are not going to use with the user you would like to be.

Now create another group and call it "administrators" that is based on the admin (ROOT) group. Create a new user with the user name and password you would like.

Put that new user into the administrators group. With the "Admin (ROOT)" group, make sure the setting that hides it from the user list is enabled.

With the first user (ROOT one), edit the member title and change it to Members.

Don't post using the "Admin (ROOT)" user name, use the name you assigned to the "Administrator" group.

This works because only ID1 can edit itself. ID1 is always the first user. No other admins can. By not being root you only lose a few options, but still have control. If you ever need full control, log in as the root user, making sure your name doesn't appear in the online box.

When hackers hack your user name, they will not be able to become root. So you can easily solve the issue.
 
primexx
Primexx - A Member Of InvisionFree
There are a few problems with your theory. For one thing, you cannot fully hide ID1 from the board; they will still be able to see it. Also, even if you change the member title to members, the 'Group:' still displays admin. Basically, your "fool proof" plan is really fool proof.
 
Paper
Member
Yes, but not unless you change the group name to "Member" and never ever post with it. Ever. Also delete the email address out. It's not fool proof, but it offers a better level of protection than just posting with root admin.

Like the operating system Linux says, never use root unless you have to. They will eventually see ID1, but hopefully by the time they realize it will be too late, and you would have got control again.
 
Chibi Dude
Teh Minishrink
Hey hey hey, I like your style. Good thinking. I already made a backup account but I didn't really want to use it... meh.
 
Wyvern
CAVE STORY MANIA!!
Why not just use a password with a lot of letters, capital letters, and numbers in it? NO ONE can hack that. Make sure your E-mail has the same.

.. I'm serious.
 
Chibi Dude
Teh Minishrink
Suppose your computer has been hacked. Period.
 
Paper
Member
Quote:
 
Suppose your computer has been hacked.

I assume this is by using cookies, as other ways are unreliable. So by having a non-root admin they could hack that non-root admin, but you could still log in as root and stop them.

It's yet another security measure, if your board is too valuable.

Complex passwords may work, unless they hack the cookie, with your password in.

Anyways, how do you back up all your topics and posts onto another board?
 
Always Greener
Member
I also have a similar approach, but NOT a stupid one like this.
 
RazorICE
Is back for good... maybe evil.
Wyvern
May 22, 2004 06:39 AM
Why not just use a password with a lot of letters, capital letters, and numbers in it? NO ONE can hack that. Make sure your E-mail has the same.

.. I'm serious.

This does not work if you have a keylogger installed on your computer and you don't even know it's there.
 
metzger_123-ZNS
Join Project Horizon Now!!!
My best method would be to use a password that has numerals and letters, such as 3fH6eV49J <- that would be near impossible to crack. I know because I used to use password crackers at school, not on IF boards, so I wouldn't know much about the admin.php file. But I heard it's got its flaws, so never think you're safe!
 
Deleted User

Quote:
 
This does not work if you have a keylogger installed on your computer and you don't even know it's there.


:lol:
Yeah, there's not much you can do if you don't make an effort to secure your system, your messengers, etc., your email, blah blah..
The best thing you can do is just to take reasonable security precautions in everything you do.
It does no good to go through elaborate setups and then download a keylogger off some site or in your email, or use a school computer and forget to log out or whatever.
That stuff happens all the time too.
The easiest thing you can do is just to get a good password for your forum and the email account you use for it.
They say at least 6 characters, mixed case and numbers, etc.
10 is better.
20 is beyond the scope of any normal cracker.
30 would probably take anyone who tried it so long to crack that IF itself would no longer exist by then.
Most people think that's crazy and would take way too much effort, but my 30 character password takes me less than 2 seconds to type in because I've done it so many times.
That's a lot less time than it would take to recreate your forum after somebody trashes it.
 
Paper
Member
Quote:
 
I also have a similar approach, but NOT a stupid one like this.

Fine, if my method is stupid then it's stupid. Although would you rather have an Admin hacked, or root admin?

It's a security measure, and OK, it's not as fool proof as I originally thought, but it's still useful.

So what is so stupid about it?
 
Nir
Former IF Support Staff
*Quizbiz moves this topic to a better location