Because exploits in code are inevitable, I am making and releasing
this security mod for phpBB based boards. The problem with phpBB is
that if you have admin level, you have full access to everything on
the site. That is only a problem because exploits allow malicious
script kiddies to make themselves admins or make admin accounts.
So I plan to address that issue here.

#====
#==== v1.0.0
#====

-> Extra login box on the admin panel, so even if you have admin access,
you still cannot access the admin panel to delete users, delete
posts, rename things, etc. This is controlled by a .htaccess file &
a .phpbbsecurty file holding the info. There is no way in this mod
for admins to change this info; that would make it pointless & allow
some admins to lock other admins out, etc. Please read the bottom
of the install for instructions on how to set up your username & password.

-> Limit the number of failed login tries on an account, meaning entering
the wrong username & password for that account. The number is set by the
admin. If this number is exceeded, the account is locked.

-> Added a security question and answer to the users table. Every user
will have to add this. It is built into the script to redirect anyone
who has not added this info to their profile so they can update it.

-> Force a user to unlock their account with the security question and
answer provided. If the account is locked, when they try to log in, they
will be informed it is locked & given a link to unlock it. From there they
have to input the username & email on the account to see the security question.
Then they have to answer the question. The answers are stored as an MD5
hash so no one can see what people's answers are, for security purposes. If
they get it right, the account becomes unlocked & they can then log in.
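
The lockout counter and the security-question unlock described in the two items above, as an added example (not the mod's code). It assumes PHP 7.1+, uses hypothetical field names, and swaps the bare MD5 for `password_hash()`, since a short answer hashed with unsalted MD5 is easy to guess offline.

```php
<?php
// Added example, not the mod's code. The array stands in for a users-table row;
// its field names (failed, locked, sa_hash) and the MAX_TRIES value are assumptions.
const MAX_TRIES = 3;

function normalize_answer(string $answer): string
{
    // Case and surrounding whitespace should not decide whether an answer matches.
    return strtolower(trim($answer));
}

function store_answer(array &$user, string $answer): void
{
    // Salted, slow hash instead of md5($answer).
    $user['sa_hash'] = password_hash(normalize_answer($answer), PASSWORD_DEFAULT);
}

function record_failed_login(array &$user): bool
{
    // Lock once the configured number of tries is exceeded.
    $user['failed']++;
    if ($user['failed'] > MAX_TRIES) {
        $user['locked'] = true;
    }
    return $user['locked'];
}

function try_unlock(array &$user, string $email, string $answer): bool
{
    // Both checks always run, so a wrong e-mail and a wrong answer look the same.
    $emailOk  = hash_equals(strtolower($user['email']), strtolower(trim($email)));
    $answerOk = password_verify(normalize_answer($answer), $user['sa_hash']);
    if ($emailOk && $answerOk) {
        $user['locked'] = false;
        $user['failed'] = 0;
        return true;
    }
    return false;
}

// Constructed sample account.
$user = ['email' => 'alice@example.test', 'failed' => 0, 'locked' => false, 'sa_hash' => ''];
store_answer($user, 'Maple Street');
for ($i = 0; $i < MAX_TRIES + 1; $i++) {
    record_failed_login($user);
}
var_dump($user['locked']);
var_dump(try_unlock($user, 'alice@example.test', 'oak avenue'));
var_dump(try_unlock($user, 'alice@example.test', ' maple street '));
```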

-> Admin notification feature. If an account becomes locked, the mod
will dispatch a PM to an admin; who it is sent to is configured
in the ACP. This feature has an off switch, so if you don't care to know
when accounts get locked, switch this off. You will also receive an
email notice regarding this as well.

-> For security purposes, users can not change their security question
or answer. If they wish to change it, they need to contact an admin and
have the admin reset their SQ info.

-> Added some blocking features, this mod will try to help block attacks
such as DDoS, Clike, UNION & SQL Injection attacks.

-> Admins have the capability to lock or unlock anyone's account in the
User Management admin. They can also reset a user's SQ & SA info from
there.

-> Auto ban IPs that are caught trying to use UNION, SQL Injection, Clike
or DDoS tricks. Admin chooses to use this feature or not.

-> Keep sessions table rows under a certain amount. Admins can choose this
amount in the ACP. If the sessions table exceeds this amount of sessions, the
oldest ones will be deleted until it is under the set amount.

-> Keeps track of everyone who attempts to attack your site. These are stored in
a table so they can be viewed. It tracks what they try to do, what time,
and how many times they tried to do it. You can choose to display these
results if you like.

-> Block unadded admins. The board owner will set up a field; the field name
is chosen by them, so a script kiddie cannot retrieve it, as it will not be
a dynamic field name. Then the board owner will choose a number (the number
of admins on the board). Any admins that exceed this number will be blocked
from the site. So if you have 4 admins, you set the number to 4, and a kid
comes along and injects an admin account for himself into the DB, this script
will keep him out, as you allow 4 & he makes 5. This feature can be enabled or
disabled only by the oldest admin on the board.

-> Same thing as the above but for moderators.

#====
#==== V1.0.1
#====

-> Added protection against fopen(), so people can not remote open files.

-> Added protection against fwrite(), so people can not remote write to files.

-> Added protection against system(), which appears to let people execute Perl scripts.

-> Added protection against the CBACK Worm including:
	rush=echo%20_START_
	%20cd%20
	%20wget
   and many others this worm uses to get into sites.
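
A request filter built on the three signatures listed above, combined with the per-IP attempt counter and the ban/block/ignore choice this changelog describes, as an added example (not the mod's code). It assumes PHP 7.1+; the function names, log layout and sample requests are hypothetical.

```php
<?php
// Added example, not the mod's code. SIGNATURES holds the three strings the
// changelog lists; function names, log layout and sample requests are assumed.
const SIGNATURES = ['rush=echo%20_START_', '%20cd%20', '%20wget'];

function match_signature(string $rawQuery): ?string
{
    // Test the raw query string and its decoded form: the same request can
    // arrive with "%20", "+" or a literal space.
    $decodedQuery = urldecode($rawQuery);
    foreach (SIGNATURES as $sig) {
        if (stripos($rawQuery, $sig) !== false
            || stripos($decodedQuery, urldecode($sig)) !== false) {
            return $sig;
        }
    }
    return null;
}

function handle_request(array &$caught, string $ip, string $rawQuery, string $action): string
{
    $sig = match_signature($rawQuery);
    // Assumption: 'ignore' means the request is neither logged nor stopped.
    if ($sig === null || $action === 'ignore') {
        return 'allow';
    }
    // One row per IP and signature; every attempt raises the count.
    $key = $ip . '|' . $sig;
    $caught[$key] = $caught[$key] ?? ['ip' => $ip, 'what' => $sig, 'count' => 0];
    $caught[$key]['count']++;
    $caught[$key]['last_time'] = time();
    // Stored raw; escape with htmlspecialchars() when an admin page renders it.
    $caught[$key]['link'] = $rawQuery;
    return $action; // 'block' or 'ban', as chosen in the ACP
}

// Constructed requests from documentation IP ranges.
$caught = [];
$requests = [
    ['192.0.2.10',   't=1&rush=echo%20_START_', 'ban'],
    ['192.0.2.10',   't=1&rush=echo%20_START_', 'ban'],
    ['192.0.2.44',   'x=a%20wget%20b',          'block'],
    ['198.51.100.7', 'keywords=burn+cd+now',    'block'], // ordinary forum search
    ['198.51.100.9', 't=42&start=15',           'block'],
];
foreach ($requests as [$ip, $query, $action]) {
    printf("%-5s %s\n", handle_request($caught, $ip, $query, $action), $query);
}
printf("rows logged: %d\n", count($caught));
```

The ordinary search `keywords=burn+cd+now` is stopped as well, because the decoded ` cd ` signature matches plain text. Substring rules like these should be checked against normal board traffic before auto ban is switched on.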

-> Added the ability to use any/all of the features via ACP. Also with this is the option to
	auto ban, block or ignore any of them.

-> Added the ability to pm or email the admin to be notified, or neither.

-> Added the ability to allow users to change their SQ info. This is ACP controlled and not
	recommended.

-> Added pagination to the caught page, also added the link they used when they were caught.


#====
#==== V1.0.2
#====

-> Added sessions/cookie protection so no one can manipulate the auto login in any way. This
checks that the cookied password matches the cookied user id, since phpBB itself
doesn't do it when it needs to be done.

-> Added a configuration option for how many entries per page to show on the caught page,
since some people were being timed out or loading 404 pages from having too many per page.

-> Removed the edits to the Configuration section & added a separate admin section.

-> Added the ability for the oldest board admin to allow other admins to modify the special
fields.

-> Added the ability to block users based on user agent.

-> Added the ability to block users based on their referer.

-> Added user level protection, so every refresh it is reset, this way no user can manipulate
the board to pass off as a mod or admin.

-> Added a link to users' profiles when they have to add a SQ & Answer; this was neglected in past
versions.

-> Fixed an insecure line of code. Where & what won't be mentioned, but it's fixed nevertheless.

-> Added the proper check to make sure the include file is being included from your site &
not being included from an offsite script.

-> Added 3 levels of DDoS protection, since the current is a bit strong for some users.

-> Removed the version number, by popular request. But by doing this, you will now be asked
every time you post for support what version you are using.

-> Fixed the counter so it now adds multiple exploits again. With 1.0.1 the counter only added
one per IP even if they did try over & over on the same IP.

-> Added a message to the "phpBB Security Thinks You Should Go Away" page for each reason someone
is reading it, so they will now know WHY they have been blocked & be given the board's email
to contact the admins if there was a mistake.

-> Added a quick "Member Tries" screen, so it will display any users who have posted & also
tried to exploit your site. It will also display what they did to be banned.

-> Added a "Quick Search" so if someone complains about being banned, you can input their IP
and find out why they were banned & optionally unban them from the same screen. This also
comes with a wildcard (partial match) or exact match choice.

-> Added an automated database backup system. So every day at a preset time (set by the admins) the
database will be backed up & saved to your FTP. This is on/off switchable in the ACP in case
you don't have the space to spare for this feature. But my suggestion is you leave it on & just
delete the old ones every couple of days; this way you always have a good copy of your database.

#====
#==== V1.0.3
#====

-> Added protection against passing certain functions & PHP variables in a URL.

-> Added account protection for the board owner in the User Admin -> Management.

-> Added account protection for the board owner in the User Admin -> Permissions.

-> Added a password verification to the modcp.php file so anyone who possibly fakes a user
with some kind of cookie exploit, can not delete topics/posts via modcp.php.

-> Per user request, added a way to delete old DB backups directly in the ACP. This is located
in the Special section, so only the allowed admins can do this.

-> Added some guest protection. With a lot of programmatic DDoS programs, all the guests will have
the same IP. With this new setting, you can limit how many sessions are stored on a per IP basis
for guests.

-> Added a way to disallow users from using the same username & pass combo. If their pass matches
their username, they will have to choose a different one.

-> Added a minimum number of characters for a user password. This can be toggled on/off in the ACP and
the minimum is also configurable.

-> Added a way to make all users update their passwords. Basically if you choose this, on the first
visit when a user returns after you do this, they will have to update their password.

-> Fixed the error when changing passwords. Sometimes it would cause a cookie mis-match error.

-> Fixed the cookie issue from phpBB 2.0.18++.

-> Fixed the backup feature error from phpBB 2.0.18++.

-> Made it so any time a user changes their profile, they have to also verify their password,
just to make sure it is them editing their profile.

-> Removed the htaccess verification on the ACP since phpBB finally includes it.

-> Removed the extra cookie checks since phpBB finally updated theirs.

-> Added a version status to the admin index to let you know if you're up to date or not.