Suggestion is for Administrator Control Panel
07-03-2009, 04:11 PM
Post: #1
Suggestion is for Administrator Control Panel
I still don't have permissions to post a new thread in the subscription, so I'll post it here so someone can move it :P THANKS! :)

Suggestion is for Administrator Control Panel:

Taking a look around the admin control panel I've noticed a few things here and there. Now, this plugin would require a lot of work and time, but I think it's a very good idea. For sites that contain more than one administrator and/or troubled moderators, this plugin would be ideal.

The idea is to add a section to the ACP which does the following:

Allows the administrators (or could specify only one administrator access or a specific group) to be able to

a) see a log of all changes made in the admin control panel and which administrator made them (not just what they DID but also every link they clicked on and every tab they accessed).

b) adds an "undo" option for the administrator(s) who are allowed to access this panel, to not only see exactly what code in a template or file was changed by whichever administrator, but also to be able to make modifications and changes to the code in another window to either add or subtract from the "Undo" process. So not only could you opt to just undo the changes made, but also see the original code, compare it with the code changed, as well as make changes to either code and submit it as the official "undo" code.

c) make reports for administrators to be reviewed by other administrators to see their activity of a specified time and export them.

d) adds more security to the administrator's access to the admin panel, including password requirements for certain sections of the admin CP.

Well, that's about all I've come up with so far, but I'd like to see if this might maybe be a good idea for an additional plugin for the admin control panel.

07-03-2009, 04:29 PM
Post: #2
RE: Suggestion is for Administrator Control Panel
That would make me think I'm being stalked :/

07-03-2009, 04:35 PM
Post: #3
RE: Suggestion is for Administrator Control Panel
consider this. recently my forum was hacked with an exploit (my fault for not upgrading fast enough) which allowed a hacker to make an administrator account. Now the hacker didn't do much and I had a backup of my templates and was able to change the index page back to normal. But if a hacker had gotten in and made subtle changes in several templates I'd be unable to undo them or would have to analyze the entire database and all of the templates, or the quickest solution would be to take the entire forum down and reinstall everything.

keeping track on your admins isn't only a safe method of staying more secure, but it's also a very good method of security.

07-03-2009, 04:42 PM
Post: #4
RE: Suggestion is for Administrator Control Panel
But logging every little action, link click and keyboard tap would most likely be a lot of unnecessary bloat. Let alone providing the option to Undo the changes. Can you imagine hundreds, maybe even thousands, of pages detailing every single move an Admin makes? It's overkill. You should have daily, at least weekly database and forum backups so if something like this does happen, you can just import the backup and upgrade the forums, if need be.

Unless you've been hacked, I really don't see the need for these tools.

07-03-2009, 05:12 PM
Post: #5
RE: Suggestion is for Administrator Control Panel
This would use an insane amount of resources, and I'm not even sure how possible it is. Best bet is just to secure your forums, and set up a cron job to make an external backup every so often.

07-03-2009, 07:33 PM
Post: #6
RE: Suggestion is for Administrator Control Panel
it wouldn't be a huge use of resources if it simply stored these logs and deleted them after say a week or replaced them. That should be an automatic configuration of the plugin anyways shouldn't it? and yes, my forum WAS hacked and when i turned to the admin control panel it gave me jack squat in figuring out what this hacker did. He had an admin account, created newly. He used an exploit. Admin cp didn't give me any hint in knowing WHAT the exploit was. I found it through random google searches. But if i had the ability to see what code was accessed in creating his account, it wouldn't be hard seeing what code he inputted either comparing the two codes to part the exploit.

it makes no sense that the admin cp is this limited. i can't do anything in it to actually manage the forums properly. yes, backups, member management, forum changes, cool, great, but are you actually saying "spying"? really? there's an OWNER and an ADMINISTRATOR, i think the owner most certainly has the right to know everything the administrators are doing. on top of that, any forum can be broken into, security isn't just making sure it's updated and making backups, it's also keeping a very close eye on what happens to the site. the current admin logs don't tell me anything. it's useless. it just says "so and so did this on this date at this time" and that's it. and it doesn't even go into detail, it's just generalized. it's completely useless. if one of my administrators makes a change in the templates and jacks everything up and didn't copy the template before the change then how am i to know what the original code was, especially if i'm not an expert at coding. it'd be better to already have a copy of the specific code changed to compare against.

another point i'd like to make is, just because the log tells you what "changes" it made, it doesn't protect the site or its members. if a hacker hacks my site, i want to know why, right? a log telling me what they DID to the site won't tell me why they're there. if i were able to see exactly what they clicked on and where they went and what they changed, i could tell if they saw my ip address, or if they looked at a "specific" member's profile meaning they hacked the site for that person or they potentially KNOW that person and they're someone i can contact to find out, many things. there's so much this admin cp currently lacks.

and i never said a plugin of this magnitude would be a simple task. i can almost promise you, however, that it wouldn't be THAT much of a strain on resources. honestly, my users click things more than my admins do.

07-03-2009, 07:40 PM
Post: #7
RE: Suggestion is for Administrator Control Panel
It'd also be nice if MyBB could make me dinner, too.

I'm sorry, this just doesn't do anyone any real benefits, unless they've been hacked. Which is somewhat rare, might I add.

07-03-2009, 07:49 PM (This post was last modified: 07-03-2009 08:12 PM by Zash.)
Post: #8
RE: Suggestion is for Administrator Control Panel
Instead of trying to 'undo' a hack, why not prevent it in the first place?

Most hacks are caused by insecure passwords. Your password should have letters (both uppercase and lowercase), numbers, and symbols, and should be random (no dictionary words).

Here's a generator for you: http://www.mybbstudios.com/password-generator.php

Now, I also wrote a guide on how to protect your Admin CP through extra passwords and IP redirections, and if you didn't rename your admin directory, you probably should. I also wrote about securing your config.php file.

Six Methods to Protect Your MyBB Forums: http://www.mybbstudios.com/thread-30.html

Now, tell me you did all of these things and STILL got hacked? If you got hacked, chances are the hacker will disable this tool (if he has half a brain).

07-03-2009, 08:08 PM
Post: #9
RE: Suggestion is for Administrator Control Panel
Quote: keeping track on your admins isn't only a safe method of staying more secure, but it's also a very good method of security.

That's not security, that's recovery.

There are ways to find out which templates are edited. MyBB has all master templates as sid -1 I believe (or some column) so a quick phpmyadmin to see which are changed would show you. There is also a timestamp as well.

If someone has your admincp you have deep problems anyways. What you're suggesting doesn't really help you very much.

Quote: Instead of trying to 'undo' a hack, why not prevent it in the first place?

Exactly. And if you are compromised recovery is vital. Logs should also show you whatever you need more so than anything in the database. It's best to view actual apache logs if you want to know exactly what the penetrator has done.

Quote: Admin cp didn't give me any hint in knowing WHAT the exploit was.

Nor would it in your scenario. If someone gained admincp they most likely have an SQL injection method so having stored any info there won't help you. As it is the current exploit in 1.4.6 has a command to rewrite the IP address of the hacker. The IP and email are both rewritten.

Psinetic...why not tell everyone how many times you have been hacked and compromised on both your local computer and your sites. You want these cookie cutter solutions when what you really need to do is have better habits and practices. When it comes to security, I would rank you a 1/10. Don't think for a second adding these tools would really help you.

Quote: security isn't just making sure it's updated and making backups

lol...no but that's 95% of it.

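The template check described in post #9, sketched as an added example that is not part of the original thread: list customised templates that differ from (or have no) master copy, newest first. It runs against an in-memory SQLite stand-in; the table layout (`title`, `template`, `sid`, `dateline`), the sample rows, and `-1` as the master set id (the post's own recollection) are assumptions to confirm against your installation's schema.

```python
import sqlite3

# Assumed, simplified stand-in for the forum's templates table (not the real schema).
SCHEMA = """
CREATE TABLE templates (
    tid      INTEGER PRIMARY KEY,
    title    TEXT NOT NULL,
    template TEXT NOT NULL,
    sid      INTEGER NOT NULL,   -- template set id; master set id is a parameter below
    dateline INTEGER NOT NULL    -- Unix timestamp of the last edit
);
"""

# Self-join: pair each customised row with the master row of the same title.
QUERY = """
SELECT c.title, c.sid, c.dateline,
       CASE WHEN m.tid IS NULL THEN 'no master copy'
            ELSE 'differs from master' END AS status
FROM templates AS c
LEFT JOIN templates AS m ON m.title = c.title AND m.sid = :master_sid
WHERE c.sid <> :master_sid
  AND c.dateline >= :since
  AND (m.tid IS NULL OR m.template <> c.template)
ORDER BY c.dateline DESC;
"""

def changed_templates(conn, master_sid=-1, since=0):
    """Return (title, sid, dateline, status) for templates edited at or after `since`."""
    params = {"master_sid": master_sid, "since": since}
    return [tuple(row) for row in conn.execute(QUERY, params)]

def build_sample_db():
    """Constructed sample data: three master templates and three customised rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO templates VALUES (?,?,?,?,?)", [
        (1, "index",  "<html>{$forums}</html>", -1, 1240000000),
        (2, "header", "<div>{$menu}</div>",     -1, 1240000000),
        (3, "footer", "<div>{$copy}</div>",     -1, 1240000000),
        (4, "index",  "<html>{$forums}<p>edited</p></html>", 1, 1246637000),
        (5, "header", "<div>{$menu}</div>",     1, 1246000000),  # same as master
        (6, "extra_page", "<p>hi</p>",          1, 1246640000),  # no master row
    ])
    return conn

if __name__ == "__main__":
    for row in changed_templates(build_sample_db()):
        print(row)
```
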
07-03-2009, 08:52 PM
Post: #10
RE: Suggestion is for Administrator Control Panel
And what's to say the hacker doesn't delete those logs? If they can get an administrator account, they can sure get and delete logs in the database.
