vBSecurity

Adds 2 factor authentication, IP address checks, patches security flaws and more!

vBSecurity keeps a watchful eye over your forum even when you are not there, and has the capability to alert you of any suspicious activity.

Average customer rating: Product downloaded over 3,149 times.


License pricing




Download Demo

Recommended AddOns

vBSecurity keeps a watchful eye over your forum even when you are not there, and has the capability to alert you of any suspicious activity.

Uses
vBSecurity is the ideal product for forums that are concerned about security, or wish to be alerted when something suspicious happens.
It keeps a watchful eye on your configuration file, ensuring that it does not get modified by mods or plugins.
Another important feature is the ability to add a secondary login, unique to each administrator, that is required before accessing the AdminCP. Ideal for forums where multiple administrators may share login information, or where administrators may log in from public computers.
Add in quick settings for the most vital vBulletin Options, Usergroup password settings and recommendations for how to "harden" your forum against attacks, vBSecurity can easily be called one of the most comprehensive security suites for your vBulletin forum.

Documentation
N/A
Major Features
Security Recommendations: Easy overview of the most common methods you can use to improve the security of your forum, with minimal technical knowledge needed.

Administrator Security: .htaccess-like logins for your administrators means that even if they use the same password on multiple sites, malicious users still need a fresh, unique password to log in.

Security Watchers: Keep an eye on the most important aspects of vBulletin: config.php tampering, AdminCP / User Account access attempts, vBulletin Options, User Data, Usergroup Settings and Usergroup Permissions.
Detailed changelogs available for each watcher dealing with changes.
IP Ban, User Ban, Email alerts and temporary forum closure options available for each watcher individually.

Lite
* Searchable list of all AdminCP access attempts
* Searchable list of all failed login attempts
* Searchable list of administrator changes for areas governed by the Security Watchers
* Security Recommendations for common steps to improve forum / server security
* vBOption: IP Address whitelist for AdminCP access
* vBOption: Separate "Closed Reason" for closures that happened due to potential security breaches
* Quick setting page for the most important vBulletin Options security settings
* Quick setting page for the most important Usergroup security settings
* Security Watchers: General - config.php Variable Tampering, AdminCP Access Attempts
* Security Watchers: Logins - Failed Logons, Failed Mass Logons
* Security Watchers: vBOptions - vBulletin Active, Reason For Turning vBulletin Off, Banned Email Addresses, Banned IP Addresses, Use Login "Strikes" System, Whitelisted IP Addresses, Whitelisted IP Addresses - Exclude Super Administrators
* Security Watchers: User Data - User Name, Password, Email, Primary Usergroup, Additional Usergroups, Reputation Level, Warnings, Infractions, Infraction Points, Receive Admin Emails
* Security Watcher Actions: 2 thresholds with individual configuration options, IP Ban / User Ban / Email Webmaster / Close Forum options available for each Watcher option listed above. Some watcher options may not have all actions.

Password Reset
  • Found under "Maintenance" in the AdminCP menu for this mod
  • Resets all users' password to a random number
  • Emails user detailing the password was reset for security reasons
  • Contains username included in the email in case they forgot
  • Contains direct link to the Change Password form in the UserCP


ACP Access Log / Verifier
  • Small table above the normal ACP menu displays current & last logged in IP for the current admin
  • Settable colours for IP Match / IP Mismatch
  • ACP Access Log browser
  • Ability to prune ACP Access Log (separate from vBulletin built-in logs)
  • Ability to turn system off via vBulletin Options



Pro
* Optional .htaccess-like login on a per-administrator basis
* Settings Snapshots - take a "snapshot" of how the vBulletin Options look at the time, instant restore by clicking Load on a previous snapshot
* Security Watchers: Usergroup - Password Expiry, Password History, every usergroup permission group, every "value" permission
* IP Guard: Administrator IP Address authorisation scheme (similar to Steam Guard) - Require email verification for new IP addresses to access the AdminCP, per-administrator disable

(Pro) Password Rules
  • Per-usergroup password rules
  • Length, Lower-case, Upper-case, Numbers, Symbols
  • Enforces the rules before the form can be submitted
  • Works on Registration and Change Password in the UserCP
  • Works with [DBTech] Advanced Registration


(Pro) IP Access Log
  • Tracks all IP addresses used to access a user account
  • Overrides the "Search IP Addresses" functionality in vBulletin to provide advanced functionality
  • Works with all existing links to the "Search IP Addresses" functionality


(Pro) IP Access Log: Search New IPs
  • Searches for any new IP addresses being used to access accounts
  • Displays a familiar looking list of IP addresses
  • Selectable "start date" to check for new IPs


(Pro) IP Access Log: Multiple Account Access IPs
  • Searches for any IP addresses being used to access multiple accounts
  • Displays a familiar looking list of IP addresses
This mod displays a copyright notification in the footer of all pages which includes:
  • 1 Link to DragonByte Technologies homepage
  • 1 Link to Product Description page of this modification
  • 1 Link to Hivelocity Hosting (Lite Version only, removable via a vBulletin Option)
  • v2.2.4 - 21st June 2016, 20:51
    Changed Features:

    Password Reset
    • The created password is now based on the userís password rule requirements
    • The Mass Password Reset action now creates a random password based on the userís password rule requirements
  • v2.2.3 - 20th June 2016, 22:31
    New Features:

    CLI Maintenance Script
    • Ability to execute either of the two maintenance actions via the command line


    Search IP Addresses: Find Potential Intruder IP Addresses
    • Displays a list of IP addresses who have failed to login to valid member accounts more than once
    • Also displays any successful logins from these IP addresses


    Bug Fixes:
    • A few phrases were accidentally created with the wrong phrase key, leading to blank emails being sent in some scenarios
    • The "Password Rules" checkboxes would not update if the user pasted their password via the right click menu
  • v2.2.2 - 30th May 2016, 23:33
    New Features:

    "Failed Logons" Watcher
    • Option to send an alert to the user whose account has been triggered


    Changed Features:
    • "Failed Mass Logons" now only triggers if the user tries unique usernames


    Bug Fixes:
    • The "Failed Mass Non-Existent Logons" rule sets would not trigger correctly, instead the "Failed Mass Logons" ruleset was used
  • v2.2.1 - 19th April 2016, 01:04
    Changed Features:
    • jQuery is now only loaded if an existing library is not found
    • JavaScript has been moved to the footer for improved page load speed and performance
  • v2.2.0 - 16th February 2016, 00:09
    New Features:

    Global IP Address Whitelist
    • IPs can be protected from triggering any actions (such as forum closure or bans)
    • Powerful wildcard options similar to vBulletin's IP banning
    • Controlled via vBulletin Options
  • 2.1.0 Patch Level 4 - 12th January 2016, 05:13
    Bug Fixes:
    • IP Verification should no longer run if the current page is the [DBTech] Two-Factor Authentication page
  • 2.1.0 Patch Level 3 - 22nd December 2015, 02:31
    Bug Fixes:
    • Fixed an issue where administrators without "Can Administer vBSecurity" could no longer search for IP Addresses (regression)
    • Fixed an issue with the Search IP Addresses page on vB3
  • 2.1.0 Patch Level 2 - 1st December 2015, 01:09
    Bug Fixes:
    • Fixed an issue where the Config Tamper watcher log could not be reset
  • 2.1.0 Patch Level 1 - 23rd November 2015, 23:28
    Changes To Existing Features:
    • Moved the User IP Verification code around to improve compatibility with certain forums



    Bug Fixes:
    • Security Watchers: General reset would not work as intended
    • In certain scenarios, the GeoIP lookup could produce a warning about accessing a method on null
    • It was possible for the user-enabled IP verification to display an error message instead of displaying the "Awaiting Authorisation" message
    • The IP Ban Log can now be pruned as intended
    • The Change Log can now be pruned as intended
    • The Watcher Log can now be pruned as intended
  • v2.1.0 - 17th November 2015, 00:32
    New Features:

    IP Verification
    • IP addresses that have been verified by users or administrators will no longer be subject to IP bans
    • Helps prevent false positives


    Admin IP Verification: Re-Send Emails
    • Administrators can request to re-send the email to verify their IP address
    • Useful if the email takes a long time to arrive for whatever reason


    User IP Verification: Re-Send Emails
    • Users can request to re-send the email to verify their IP address
    • Useful if the email takes a long time to arrive for whatever reason


    Security Watcher Display
    • The time period for the Security Watcher display can be configured
    • Default: 7 days
    • Controlled via vBulletin Options


    (Pro) User IP Verification: Admin Control
    • Super Administrators can disable a memberís IP verification setting via the AdminCP user management screen
    • Accessed via the User Manager


    (Pro) IP Address Search: Country Display
    • The IP Address Search screen includes the IP address' country, if your system supports this
    • Requires GeoIP2 downloaded database on your server
    • Controlled via vBulletin Options


    (Pro) IP Host Lookup: Country Display
    • The IP Host Lookup screen includes the IP address' country, if your system supports this
    • Requires GeoIP2 downloaded database on your server
    • Controlled via vBulletin Options


    (Pro) IP Address Search: IP Usage
    • The IP Address Search displays the first and last logged date for a particular IP in the "Logged IP Addresses" list
    • Only displays IP addresses since v2.0.0 was installed.


    (Pro) Compromised Accounts Log
    • Displays a list of accounts flagged as potentially compromised
    • Quick links to users' logged IP addresses as well as displaying current IP address
    • Fully searchable
    • Can only be viewed by administrators with the "Can View Admin Logs" config.php permission
    • Can be pruned by administrators with the "Can Prune Admin Logs" config.php permission


    (Pro) Watcher log
    • Displays the complete list of all Watcher log entries
    • Can be filtered by individual watchers
    • Fully searchable
    • Can only be viewed by administrators with the "Can View Admin Logs" config.php permission
    • Can be pruned by administrators with the "Can Prune Admin Logs" config.php permission


    (Pro) User IP Verification log
    • Displays the complete list of all user IP Verification entries
    • Displays whether the IP has been verified or not
    • Fully searchable
    • Can only be viewed by administrators with the "Can View Admin Logs" config.php permission
    • Can be pruned by administrators with the "Can Prune Admin Logs" config.php permission


    (Pro) Admin IP Verification log
    • Displays the complete list of all admin IP Verification entries
    • Displays whether the IP has been verified or not
    • Fully searchable
    • Can only be viewed by administrators with the "Can View Admin Logs" config.php permission
    • Can be pruned by administrators with the "Can Prune Admin Logs" config.php permission



    Changes To Existing Features:


    • Consolidated the code that applies watcher actions to enable easy extension in the future
    • Config Tampering alerts can now be reset
    • Reworded one of the new Log Prune options to clarify what exactly itís pruning
    • All log pages now require the config.php "Can View Admin Logs" setting for additional security
    • "AdminCP Logins Viewer" now uses username search instead of a drop-down for improved performance
    • "Admin Strikes Viewer" should now perform better as a result of removal of an unreliable feature
    • "Login Strikes Viewer" now uses username search instead of a drop-down for improved performance
    • "IP Ban Log Viewer" now allows you to filter by action when pruning the log



    Bug Fixes:
    • An issue where limiting the IP Ban Log by action would not work as intended has been corrected
    • "Failed Admin Logins" have been moved to the "Logins" watcher group, as was intended
  • v2.0.0 - 10th November 2015, 00:21
    New Features:

    (Pro) New Security Watcher: "Failed Logins: Non-Existent Usernames"
    • Checks for logins against a single username that doesn't exist
    • Lets you take separate action towards bots trying to login with stolen user credentials that don't exist on your site
    • Integrates into the existing "Logins" watcher group


    (Pro) New Security Watcher: "Failed Mass Logins: Non-Existent Usernames"
    • Checks for logins against multiple usernames that don't exist
    • Lets you take separate action towards bots trying to login with stolen user credentials that don't exist on your site
    • Integrates into the existing "Logins" watcher group


    (Pro) Compromised Accounts Detection
    • Alerts the webmaster if someone has failed multiple logins and then successfully logs in to an account
    • Lets you search the logs for the IP address in question to determine whether this is legitimate


    (Pro) IP Ban Log Viewer
    • Browsable and searchable log of all banned IP addresses (from the point of installing v2)
    • Lets you ensure no legitimate members are banned


    Multiple Watcher Actions
    • Define more than 2 actions per watcher
    • Prioritised in the order they are defined
    • Gives you even more fine-tuned control over the actions taken against potential intruders


    Log Pruning
    • Old entries from the adminstrikes, loginstrikes and ipverify tables can be automatically pruned
    • Settable in the vBulletin Options
    • Defaults to pruning data older than 30 days



    Changes To Existing Features:

    Security Watcher Log
    • Rewritten to improve performance
    • Uses a dedicated log table instead of using the datastore
  • v1.2.1 - 3rd November 2015, 00:22
    New Features:

    IP Access Log
    • Tracks all IP addresses used to access a user account
    • Overrides the "Search IP Addresses" functionality in vBulletin to provide advanced functionality
    • Works with all existing links to the "Search IP Addresses" functionality


    IP Access Log: Search New IPs
    • Searches for any new IP addresses being used to access accounts
    • Displays a familiar looking list of IP addresses
    • Selectable "start date" to check for new IPs


    IP Access Log: Multiple Account Access IPs
    • Searches for any IP addresses being used to access multiple accounts
    • Displays a familiar looking list of IP addresses


    Changes To Existing Features:
    • Altered vBulletin & vBSecurity tables to be IPv6 compatible
  • v1.2.0 - 26th October 2015, 23:20
    IP Verification: Front-End
    • Users can control whether to require email confirmation of new IP addresses for front-end pages
    • Toggleable via the UserCP
    • Works in a similar fashion to the AdminCP and ModCP versions
  • 1.1.8 Patch Level 2 - 18th August 2015, 00:07
    Bug Fixes:
    • Fixed an issue with the "login strikes" page that could produce a fatal error in certain scenarios
  • 1.1.8 Patch Level 1 - 11th August 2015, 01:28
    Bug Fixes:
    • Turning the modification off via the "Enable Modification" vBOption meant you could no longer access the majority of vBSecurity admin controls
  • v1.1.8 - 4th August 2015, 00:27
    New Features:

    Login Strikes Viewer
    • Login Strikes log entries can now be pruned
    • Requires the "Can Prune Log Entries" config.php permission
  • 1.1.7 Patch Level 1 - 29th June 2015, 23:48
    Bug Fixes:
    • Turning off the modification via the vBulletin Options will now work as intended
  • v1.1.7 - 15th June 2015, 23:41
    New Features:

    Change Log Viewer: Prune
    • Only accessible to users with the required config.php permission
    • Optional age limit
  • v1.1.6 - 8th June 2015, 22:32
    New Features:

    Admin Strikes Viewer: Prune
    • Only accessible to users with the required config.php permission
    • Optional age limit


    Changes To Existing Features:

    General / Other
    • Streamlined the phrasing for the ACP Logins and Admin Strikes interfaces
  • v1.1.5 - 25th May 2015, 23:15
    New Features:

    AdminCP Login Viewer
    • Paginated list of all AdminCP logins
    • Filter by User Name
    • Filter by start/end date
    • Filter by IP Address
    • Change sort column


    AdminCP Login Prune
    • Only accessible to users with the required config.php permission
    • Optional age limit
  • 1.1.4 Patch Level 3 - 18th May 2015, 23:19
    Bug Fixes:
    • The "Unrecognised AdminCP Login From <new IP address>" email would be sent without a subject and body
  • 1.1.4 Patch Level 2 - 27th April 2015, 21:42
    Bug Fixes:
    • Fixed an issue where the "IP Awaiting Authorisation" message would not display correctly in the DBSEO CP.
  • v1.1.4pl1 - 1st January 1970, 01:00
    Bug Fixes:
    • Fixed an issue where the mod wasn't initialised in the ModCP
  • v1.1.4 - 1st January 1970, 01:00
    New Features:

    Scheduled Password Reset
    • Enforces a password reset for a user upon next login, via the User Manager in the ACP
    • Mimicks the "Password Expiry" feature in vBulletin
    • Great for forcing users to provide a more secure password


    (Pro) Mass Scheduled Password Reset
    • Enforces a password reset for every account upon next login
    • Mimicks the "Password Expiry" feature in vBulletin
    • Great for forcing users to provide a more secure password
  • v1.1.3 - 23rd March 2015, 23:05
    Changes to Existing Features:

    Mass Password Reset
    • Now uses a more secure method of generating temporary passwords
    • Enables greater security for users, avoiding brute force attacks on their passwords before the passwords can be changed
  • v1.1.2 - 1st January 1970, 01:00
    ACP Access Log / Verifier
    • Triggers an email alert if the IP addresses no longer match
    • Sends email to the Webmaster Email listed in the vBulletin Options
  • v1.1.1pl1 - 29th December 2013, 15:57
    Fix: (vB3) Fatal Error while browsing an ACP page
  • v1.1.1 - 18th May 2013, 00:29
    (Pro) Password Rules
    • Per-usergroup password rules
    • Length, Lower-case, Upper-case, Numbers, Symbols
    • Enforces the rules before the form can be submitted
    • Works on Registration and Change Password in the UserCP
    • Works with [DBTech] Advanced Registration


    Password Reset
    • Found under "Maintenance" in the AdminCP menu for this mod
    • Resets all users' password to a random number
    • Emails user detailing the password was reset for security reasons
    • Contains username included in the email in case they forgot
    • Contains direct link to the Change Password form in the UserCP


    ACP Access Log / Verifier
    • Small table above the normal ACP menu displays current & last logged in IP for the current admin
    • Settable colours for IP Match / IP Mismatch
    • ACP Access Log browser
    • Ability to prune ACP Access Log (separate from vBulletin built-in logs)
    • Ability to turn system off via vBulletin Options


    General / Other
    Fix: Using [vSA] Login As User and access the AdminCP while logged in as a non-admin will no longer email the user you are logged in as with a link to authorise your IP address.
  • v1.0.6 - 29th March 2013, 20:44
    Feature: Improved logging details for Control Panel actions
  • v1.0.5 - 17th August 2012, 23:24
    vBSecurity v1.0.5:
    Feature: The Affiliate ID setting now properly integrates with the link-back
    Feature: Added Login Strikes Viewer that lets admins browse all failed logins
    Fix: Bugs with the Admin Strikes Viewer that prevented natural browsing from working properly in some scenarios

At a glance

Supports: vBulletin 3.8.x vBulletin 4.x.x

Requirements: PHP 5.4+

Version: v2.2.4
Release date: 21st June 2016

Have an issue and need some help?