
php script using user's ip to validate


xc0n


Ok, I have a system that wraps around login systems. It calls a user's IP address (MD5 encrypted) and then asks a database if the user's IP address (MD5 encrypted) is acceptable to view/use the login/admin panel. This just adds a tiny bit more security for admin back-ends by not even letting the user view the login page unless their IP is allowed.

My only problem is that for the system to work each user needs to have a static IP, otherwise the database will notice the user's dynamic IP changing and not let them into the admin/login page.

My question is, would it be possible to somehow update the database automatically each time a user's dynamic IP changes? I wouldn't have a clue on how to do this, but if somehow it is possible I will try to learn and implement it with my system. Maybe a .exe file could be installed on each user's PC to constantly check the user's IP and if a change occurs it will send the new IP to the database?

 

Any Ideas?

Thanks in advance.


yeah I would tend to agree with MasterACE on this, while this could be done by storing an array of ip addresses and updating it each time a recognized user is logged with a different IP address, you would need to verify the user with some kind of password/username verification...ultimately this logic would produce much more work than is needed and in the long run is not worth the work...

perhaps you can use password verification or a confirmation question or something along those lines instead...


I am really new to PHP, but I have to agree. I have had problems logging in to admin panels, because of validating the IP when my IP changes randomly per click on websites (this is common for satellite dish ISP users); it logs me out, for instance on phpBB forums. It validates the IP by default.


The main thing to keep in mind with IP protection systems is that they are not entirely reliable (far from reliable). They are good as a secondary procedure. For example, if you had a solid working login system as protection, and you put IP protection in as a "failsafe" that increases security without relying on IP, it just uses it as a backup plan. Even Google, for example: they keep IP tracking, and allow you to block users by IP, but on top of that they have an extensively secured login system, and the 2 step verification (by choice). Never rely entirely on IP. Only put it in as a minor failsafe: it adds extra security that you don't rely on, you just hope it catches things that get through your other systems (if they do).

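An added example (not code from any poster in this thread) of the arrangement described above: an IP allowlist that runs before an existing login page as a secondary check, while the login keeps doing its own password verification. The names `ALLOWED_NETWORKS`, `ip_in_cidr()` and `gate_allows()` are hypothetical, the addresses are documentation ranges, and the example goes beyond single addresses by accepting CIDR ranges for both IPv4 and IPv6.

```php
<?php
// Added example, not the poster's code. ALLOWED_NETWORKS, ip_in_cidr() and
// gate_allows() are hypothetical names; the addresses are documentation ranges.
const ALLOWED_NETWORKS = ['203.0.113.7/32', '198.51.100.0/24', '2001:db8:1::/48'];

function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address, or IPv4 compared against IPv6
    }
    $max = strlen($ipBin) * 8;
    if ($bits === null) {
        $bits = $max; // a bare address means an exact match
    } elseif (!ctype_digit($bits) || (int) $bits > $max) {
        return false; // malformed or out-of-range prefix length
    }
    $bits  = (int) $bits;
    $whole = intdiv($bits, 8);
    if (substr($ipBin, 0, $whole) !== substr($netBin, 0, $whole)) {
        return false;
    }
    $rest = $bits % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF; // top $rest bits of the next byte
    return (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

function gate_allows(string $remoteAddr, array $networks = ALLOWED_NETWORKS): bool
{
    foreach ($networks as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Use only the TCP peer address. X-Forwarded-For and similar headers are sent
// by the client and must not feed this check unless your own proxy sets them.
if (PHP_SAPI !== 'cli' && !gate_allows($_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit; // the login form is never rendered for addresses off the list
}
// The wrapped login page continues here and still verifies the password itself.
```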

@businessman332211: Yes, I agree, but my system is only for wrapping an existing secure login system. I wouldn't use just my system to verify the user itself; all my system will do is wrap around other logins and make them just a bit harder to hack.

I have actually got my system working great now "as long as the user has a static IP address", but once I make the system work with dynamic IPs I think it will be an essential add-on for any login system. It can help because if your IP isn't valid in the database and your login system is wrapped with my system then the hacker won't even see your login page; before it loads my system will boot him. I guess it helps with less chance of SQL injection and people guessing passwords etc!!


Yes you *could* do this by making the user install an exe on their computer which could send an update to your site when their IP changes, but do you really think users would be willing to install an exe on their computer from your site? I absolutely would not install an exe on my computer just to be able to access the admin pages from a web site/application. Plus, you would need to create the executable and build the PHP backend scripts to receive those updates. Do you have the knowledge to do that?

And, there are still two very big issues:

1) Let's say you did all that and you now have an exe that users have installed on their computers to update your database when their IPs change. What happens when a user wants to access the admin site from a different computer? You are going to lock them out? What if they get a new PC and don't know where to get that exe?

2) This is probably the reason it makes all of this pointless. When the exe is run it is going to have to send the user's new IP and some piece (or pieces) of information so you know which user to associate with the IP. Anyone can easily run the exe and capture the information that is being passed. So, it would be fairly trivial for a malicious user to insert any IPs they wanted into your database.

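An added example (not code from any poster in this thread) of how a server could check an updater's message so that the second issue above does not apply directly: the address is taken from the connection instead of the request body, and the request must carry an HMAC made with a per-user secret. The field names (`user`, `ts`, `sig`), the 300-second window and the functions `lookup_secret()` and `verify_update()` are assumptions made for this sketch.

```php
<?php
// Added example, not the poster's code. The field names (user, ts, sig), the
// 300-second window, lookup_secret() and verify_update() are all assumptions.
const MAX_SKEW_SECONDS = 300;

function lookup_secret(string $user): ?string
{
    // Constructed sample; a real system reads a per-user random secret from storage.
    $secrets = ['alice' => 'constructed-sample-secret'];
    return $secrets[$user] ?? null;
}

// Returns the user/ip pair to store, or null when the request is rejected.
// $lastTs is the timestamp of the last update already accepted for this user.
function verify_update(array $req, string $peerIp, int $now, int $lastTs): ?array
{
    $user   = (string) ($req['user'] ?? '');
    $ts     = (string) ($req['ts'] ?? '');
    $sig    = (string) ($req['sig'] ?? '');
    $secret = lookup_secret($user);
    if ($secret === null || !ctype_digit($ts)) {
        return null;
    }
    $expected = hash_hmac('sha256', $user . "\n" . $ts, $secret);
    if (!hash_equals($expected, $sig)) {
        return null; // not produced by a holder of this user's secret
    }
    if (abs($now - (int) $ts) > MAX_SKEW_SECONDS || (int) $ts <= $lastTs) {
        return null; // stale, or a repeat of a message already accepted
    }
    if (filter_var($peerIp, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // The address comes from the connection, never from the request body.
    return ['user' => $user, 'ip' => $peerIp];
}

// Constructed requests: one signed with the secret, one with a made-up signature.
$now  = 1700000000;
$good = ['user' => 'alice', 'ts' => (string) $now,
         'sig'  => hash_hmac('sha256', "alice\n$now", 'constructed-sample-secret')];
$bad  = ['user' => 'alice', 'ts' => (string) $now, 'sig' => str_repeat('0', 64)];

var_dump(verify_update($good, '203.0.113.7', $now, 0) !== null);     // signed request
var_dump(verify_update($bad, '203.0.113.7', $now, 0) !== null);      // made-up signature
var_dump(verify_update($good, '198.51.100.9', $now, $now) !== null); // same message sent again
```

The secret stored with the updater is equivalent to a password kept on the user's machine, so this only moves the authentication into the client, and the request still has to travel over HTTPS or a captured message can be used before the real one arrives.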

@mjdamato: You're right, an exe won't do the trick, but this system will mainly be used by companies that need extra security, that I meet in person, not just the average person with a login script. The system would be installed by me for each of my clients that request it, so I guess the only 100% way it will work as I want it to for now is for each client that uses my system to have a static IP address. If they are concerned enough about their admin security I'm sure they won't mind getting a static IP. Otherwise I'll still try to implement a way for the system to work with dynamic IPs, I just think it will take a lot of time & help!


Yeah i would have to agree that what you are trying to do is reinventing a PKI.  We've had similar threads from people. 

 

Browsers already support certs. You can build even better authentication around what is already available, and ensure end to end security and encryption of all data without a kludge.

 

Check this out as a jumping off point for more research:  http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm

 

 


@everyone: Thanks for your replies, I like having other people's opinions! Even though you have all disagreed, I will still try to complete my system. I have a very open mind so hopefully I can come up with something great! I'm on the level at the moment where my system is working & it can also update a user's IP when it notices a dynamic IP has changed via a method I have used. Once I have it running how I want I'll post it here for you guys to look at and I'm sure you will be surprised at how I have got it to work :) and also be able to help me fix any vulnerabilities / messy code etc.

 

thanks again!


  • 1 year later...

well it's been a year and i have successfully finished my project!!

i built an exe to update the mysql database every time the user's dynamic ip changes and it works 100%

 

also built a nice hash to protect ip addresses in the database

 

if you want to read more and see some screenshots have a look at the website >> ipsecure.com.au

 

anyone interested on working on this project with me send me a pm!

 


So... What about those of us who don't run a Windows based operating system?

 

... 256bit jcrypT Hash Algorithm developed by us.

Rule #1 when it comes to encryption and hashing algorithms: Never roll your own.

 

I kind of want to give this to a friend of mine, see how long he needs to crack it completely open. I suspect not very long, especially considering how easy it is to spoof IP-addresses.


Ahh so nice to have support from this "helping forum" lol

 

Well yes its easy to spoof your ip, but you would need to know what ip u need to spoof, and im pretty sure u can spoof a SPECIFIC ip address so unless my system decides to allow random spoofed ip's then ur out of luck.

 

tell your friend to give it a go, I have this software running on http://www.ipsecure.com.au/demo.php if he can send me a screenshot of just the login page ill be VERY surprised LOL.

 

The only way to compromise this would be to attack the server, its on a basic server without ssl so hooray if he manages to attack it. Remember u think my script is the problem so tell him to attack the script.

 

And for any users that don't have windows i feel sorry for you and u will have to purchase a static ip off your isp :)

 

also ill hash a basic word using my hash and u get him to crack it :/ just a basic 5 letter plain word

 

jcrypT Hash: ^[EMa3v_Km=)_@S)EM[3t)CH@oX6=3@P

 

have fun.


http://ipsecure.com.au/about.htm

 

If you're going to represent yourself as a legitimate business, it helps to sound like one. Typos, misspellings, and a 2-sentence "About Us" do not instill confidence in the product. Chances are, Sys Admins will be the personnel interested in your product; it helps if you speak the lingo and expand on the services.


jeez did i ask u to look at my about page ? this place is full of ####heads seriously ppl come to try expand their knowledge n learn more get help with projects and all u get is smartass ppl sayin u have a spelling mistake ehhhhhh... help... talk about my actual script or ##%% off!


jeez did i ask u to look at my about page ? this place is full of ####heads seriously ppl come to try expand their knowledge n learn more get help with projects and all u get is smartass ppl sayin u have a spelling mistake ehhhhhh... help... talk about my actual script or ##%% off!

 

I think you're taking offense a bit too easily.  His post was simply trying to provide some constructive criticism.  Easy enough to ignore if you feel it's inaccurate, but in reading some of the description of the product, I think you do need some help with your marketing material.  Anyways, good luck with your company. 


talk about my actual script or ##%% off!

 

Where's your script? All i see is somebody who wants the community to purchase and install an executable on their computers that monitors their IP address with the expectation that this will give their login forms some extra security. 

 

But when somebody tries to do some diligence into the 'company' that's purporting these claims you start acting like your nipples were bitten!

 

You haven't presented code, so I assume you're back here after a year to promote your product (spam, btw). You want to tout your product as a security product, but your site shows zero professionalism.

 

To your last post, I say post your scripts or "##%% off"


i dont know why i bother... why would i post my source here lol its real smart to build a hash an then give the source :/ im not trying to market anything lol forget the website guys the link i posted was to a demo see demo.php so tell ur ####%#%%% to break it u have the link i wan see a screenshot of my login page lets see how good u guys are??? or r u all jus full of it?

also did use get time to crack the above hash??? thought it would be easy ??? only 5 letters ?? lmfao id love to show my code but not when i get this reaction for wanting to try sumfin new & yea im a s#it speller :) im truly sorry for this lol

sorry for over reacting to the crap thats been posted here i just cant stand f#ckheads that try diss ppl that wana share new ideas, nothing is impossible my system is secure and u can all get f#cked use are all like sheep anyway whether any1 agrees wif me or not they wont say it cause all the douchb@gs would diss them, hahahaha lmao at the w@nkers with quotes in their sig's from a site mod or admin hahahahahaha sucking up much?? lol ehhhhh

maybe i should visit this forum when i need a spell check done or marketing tips & tips on how to suck up to admin accounts i could really learn a lot !!
