PunBB Registration TOR Optimization
#1
Hi & Hello everyone!

This is a small post about how to re-write an anti DDoS function in your PunBB files that makes it almost impossible to run on a tor service.

The function checks whether or not a user with the same IP has registered within the last hour and, if that's the case, makes the user wait an hour before being able to register. Unfortunately, PunBB treats every one of your visitors using tor (regardless of whether or not they are the same person) as a localhost user (127.0.0.1), which will make everyone wait for an hour. This might work on a PunBB forum that gets 1 registration per day, but isn't really good practice.

Based on that small issue, PunBB has been tagged as non-compatible with the tor network. PunBB, being a great & lightweight & highly customisable alternative to other forum software, would be a great asset for tor though. So, how do we fix that issue?

Check your register.php and search for this part:

Code:
// Check that someone from this IP didn't register a user within the last hour (DoS prevention)
    $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE registration_ip=\''.$db->escape(get_remote_address()).'\' AND registered>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());

    if ($db->has_rows($result))
        message($lang_register['Registration flood']);


    $username = pun_trim($_POST['req_user']);
    $email1 = strtolower(pun_trim($_POST['req_email1']));

    if ($pun_config['o_regs_verify'] == '1')
    {
        $email2 = strtolower(pun_trim($_POST['req_email2']));

        $password1 = random_pass(12);
        $password2 = $password1;
    }
    else
    {
        $password1 = pun_trim($_POST['req_password1']);
        $password2 = pun_trim($_POST['req_password2']);
    }

Simply remove that part of the code. Alternatively, you could change

Code:
    $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE registration_ip=\''.$db->escape(get_remote_address()).'\' AND registered>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());

to something like

Code:
    $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE registration_ip=\''.$db->escape(get_remote_address()).'\' AND registered>'.(time() - 15)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());

(changing the waiting time from 1 hour to 15 seconds), but this is experimental and I have never tried it out. (Let me know if you try it though, I'd be interested to hear whether it works or not =) ).

Hope you enjoyed that quick trick!

Cheers
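The check quoted above, rebuilt as a stand-alone script so the effect of each window can be tried without a PunBB install. This is an added example, not code from the post or from PunBB: PunBB's `$db` object is replaced by PDO on an in-memory SQLite database (assumes the pdo_sqlite extension), the function names (`make_db`, `add_registration`, `registration_is_flooded`, `registration_is_flooded_tor_aware`) and the usernames/addresses are made up, and the query uses a bound parameter where register.php concatenates `$db->escape(get_remote_address())`. It also goes one step beyond the post: the last function keeps the one-hour window for clearnet visitors and only skips the check for 127.0.0.1, the address every hidden-service visitor arrives from, so removing the check does not have to cost the DoS protection for everyone else.

```php
<?php
// Added example: models PunBB's per-IP registration flood check outside the forum.
// Not PunBB's code; $db is PDO on in-memory SQLite and all names below are invented.

const FLOOD_WINDOW_ORIGINAL = 3600;        // PunBB default: one hour
const FLOOD_WINDOW_SHORT    = 15;          // the 15-second window suggested in the post
const ONION_PROXY_ADDRESS   = '127.0.0.1'; // what every hidden-service visitor looks like

// Stand-in for the PunBB users table, reduced to the columns the check reads.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT, registration_ip TEXT, registered INTEGER)');
    return $db;
}

// Record a registration from $ip at unix time $when (constructed data, not real users).
function add_registration(PDO $db, string $username, string $ip, int $when): void
{
    $stmt = $db->prepare('INSERT INTO users (username, registration_ip, registered) VALUES (?, ?, ?)');
    $stmt->execute([$username, $ip, $when]);
}

// Same query as register.php, with a configurable window and bound parameters
// instead of string concatenation plus $db->escape().
function registration_is_flooded(PDO $db, string $remote_ip, int $window, int $now): bool
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE registration_ip = ? AND registered > ?');
    $stmt->execute([$remote_ip, $now - $window]);
    return $stmt->fetchColumn() !== false;
}

// Variant that skips the check only for the address the Tor daemon presents,
// so visitors with a routable address keep the original protection.
function registration_is_flooded_tor_aware(PDO $db, string $remote_ip, int $window, int $now): bool
{
    if ($remote_ip === ONION_PROXY_ADDRESS) {
        return false;
    }
    return registration_is_flooded($db, $remote_ip, $window, $now);
}

$db  = make_db();
$now = time();

// Constructed sample data: a Tor visitor who registered 30 seconds ago (seen as
// 127.0.0.1) and a clearnet visitor from a documentation-range address.
add_registration($db, 'alice', ONION_PROXY_ADDRESS, $now - 30);
add_registration($db, 'carol', '203.0.113.7', $now - 30);

$cases = [
    'original window (3600s), next Tor visitor'     => registration_is_flooded($db, ONION_PROXY_ADDRESS, FLOOD_WINDOW_ORIGINAL, $now),
    'short window (15s), next Tor visitor'          => registration_is_flooded($db, ONION_PROXY_ADDRESS, FLOOD_WINDOW_SHORT, $now),
    'loopback exemption, next Tor visitor'          => registration_is_flooded_tor_aware($db, ONION_PROXY_ADDRESS, FLOOD_WINDOW_ORIGINAL, $now),
    'loopback exemption, same clearnet address'     => registration_is_flooded_tor_aware($db, '203.0.113.7', FLOOD_WINDOW_ORIGINAL, $now),
];

foreach ($cases as $case => $blocked) {
    printf("%-45s %s\n", $case, $blocked ? 'blocked' : 'allowed');
}
```

Run it with `php flood_check.php`. A second Tor visitor 30 seconds after the first is blocked under the one-hour window and allowed under the 15-second one, which is exactly the behaviour the post describes; with the loopback exemption the Tor visitor is allowed while a repeat registration from the same clearnet address is still blocked. Note that the 15-second window is only a partial fix: two Tor users who happen to submit within 15 seconds of each other still collide on 127.0.0.1.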
#2
Welcome to GreySec! Jumping right into posting some cool contributions I see. Thanks for the share, I don't use PunBB but I'm sure this will be useful.

Knowing PHP really helps so you can make mods like this.
#3
(12-19-2020, 12:26 AM)Insider Wrote: Welcome to GreySec! Jumping right into posting some cool contributions I see. Thanks for the share, I don't use PunBB but I'm sure this will be useful.

Knowing PHP really helps so you can make mods like this.

Well, let me in return thank you for the awesome board you've set up here, and thanks for the warm welcome!

Looking forward to some nice time spent here.

Quick update: Tested out reducing the time from 1 hour to 15 seconds; it worked perfectly fine for me!

Cheers

Btw, didn't find a way to PM you, but your nginx leaks your server version. This ain't critical, but you can add some security by hiding it from your users.

You could edit your nginx.conf and add

Code:
server_tokens off;

to hide your version number (1.10.3)

Cheers
#4
Just arrived and already kicking ass, thank you for the valuable contribution, and I am looking forward to seeing more of your contributions.