DragonByte Security

Improves Two-Factor Authentication, provides security alerts, and more.

DragonByte keeps a watchful eye over your forum even when you are not there, and has the capability to alert you of any suspicious activity.


Uses
DragonByte Security is the ideal product for forums that are concerned about security, or wish to be alerted when something suspicious happens. Featuring multiple "Security Watchers" such as Failed Logins and Failed AdminCP Logins, you can set up different "tiers" of actions to be taken when certain thresholds are met. For example, if someone tries to log in to 5 different accounts from the same IP address in 1 hour, you can alert the webmaster. If they try 15 accounts in 1 hour, ban the IP address from your forum entirely.

It keeps a watchful eye on your configuration file, ensuring that it does not get modified by mods or plugins. You can also optionally receive email alerts when any template is modified, including a colourised change log, so you can easily see if someone has added malicious code to your templates.

Add in the ability to permanently trust devices in XenForo's Two-Factor Authentication module, as well as to manage trusted devices and login sessions via your Account page, and DragonByte Security can easily be called one of the most comprehensive security suites for your XenForo forum.

Major Features

Security Watchers: Keep an eye on the most important aspects of XenForo: config.php tampering, AdminCP / User Account access attempts, XenForo Options, User Data, Usergroup Settings and Usergroup Permissions. Detailed changelogs are available for each watcher dealing with changes. IP Ban, User Ban, email alerts and temporary forum closure options are available for each watcher individually.

Password Expiry: Passwords can be set to expire on a per-usergroup basis after X days. Users will be redirected to the password management screen with a notice saying why they need to change their password.

Password Rules: Set rules for new passwords per-usergroup; minimum length, must contain lower-case, must contain upper-case, must contain numbers, must contain symbols. Can even be applied to new registrations by setting the usergroup permissions for the "Unregistered" group.

Device Trust: Permanently trust a device / IP address combination (optional; on top of XenForo's native 30-day trust) as well as the ability to revoke trust at any time via the Two-Factor Authentication page in your Account page.

Session Management: Easily see all devices your account is currently signed in at (since installing this mod), with the ability to one-click log out any devices you do not recognise.

"Bad Behavior" Integration: Integrate with http://bad-behavior.ioerror.us/ to detect malicious traffic and block it using this easy-to-use, free (at the time of writing) remote detection service.


Complete Feature List

Options
  • Display Version Number
  • Enable Modification
  • Reason For Turning The Modification Off
  • Block Tor Exit Nodes
  • Security Breach Closed Reason
  • Security Watcher: Display Limit
  • Compromised Account Alert: Limit
  • Compromised Account Alert: Alert Staff
  • Compromised Account Alert: Lock Account
  • Enable File Health Check
  • Enable Template Modification Check
  • Prune "Admin Strikes Log" (Days)
  • Prune "Login Strikes Log" (Days)
  • Prune "IP Matcher Log" (Days)
  • (Pro) GeoIP2 File Path

    Bad Behavior
  • Enable Bad Behaviour Detection
  • Enable Strict Mode
  • Enable Logging
  • Enable Verbose Logging
  • Disable EU Cookie Exemption
  • Exempt Registered Members
  • Reverse Proxy
  • http:BL API Key
  • http:BL Threat Level
  • http:BL Maximum Age


Usergroup Permissions
  • Minimum Password Length
  • Password Requires Lower-case Characters
  • Password Requires Upper-case Characters
  • Password Requires Numbers
  • Password Requires Symbols
  • Password Expiry (Days)


Browsable Logs
  • Admin Login Strikes: Failed AdminCP Logins
  • Login Strikes: Failed Front-End Logins
  • Change Log: Edits such as new user groups, deleted user groups, permission changes, etc
  • IP Ban Log: IP addresses banned by security watchers
  • Compromised Log: Accounts that have been successfully logged in to after a number of failed logins
  • Watcher Log: Security watcher triggers
  • Fingerprint Log: Users' browser fingerprints
  • Filtering / Sorting options


Security Watchers
  • General
    • config.php Variable Tampering
  • Logins
    • AdminCP Access Attempts
    • Failed Logins
    • Failed Mass Logins
    • Failed Non-Existent Logins
    • Failed Mass Non-Existent Logins
  • XenForo Options
    • Whitelisted IP Addresses
    • Whitelisted IP Addresses - Exclude Super Administrators
    • Board is Active
    • Inactive Board Message
  • User Data
    • User Name
    • Password
    • Email
    • Primary Usergroup
    • Additional Usergroups
    • Receive Admin Emails
  • Permissions
    • New Usergroup
    • Deleted Usergroup
    • Forum Permissions
    • Admin Permissions
  • Fingerprints
    • New Device Fingerprints (Member Accounts)
    • New Device Fingerprints (Staff Accounts)


Compromised Account Lock
  • Ability to lock an account if it's detected as compromised
  • Prevents any action on the forum
  • The user whose account was logged in to will need to click a link in their email inbox to unlock their account


Compromised Account Alert
  • Alert staff when an account has potentially been compromised


Security Watcher: Failed Staff Logins
  • Identical to "Failed Logins" watcher, except only for staff accounts
  • Allows you to set stricter rules for staff accounts, or optionally only alert the webmaster if a staff account is broken into
  • Failed Staff Logins can lock the account in one of two ways; User Unlock or Admin Unlock. Admin Unlock requires an administrator (other than the affected user) to unlock the account.


Search IP Addresses
  • By user name
  • By IP address
  • Depth (searches for other users / other IP addresses as well)
  • Search New IPs - This search lets you find whether any user account has been accessed by a new IP address since a specific date
  • Find Multi-Account Access IPs - This search lets you find what IP addresses have accessed multiple accounts, if any
  • Suspect IP Range Search - Collates IPs from various DB Security logs and matches partial IPs to detect suspicious IP ranges
  • Find Potential Intruder IP Addresses - Displays a list of IP addresses that have failed to log in to valid member accounts more than once

Country Blocking
  • You can now block any country from your forum easily by selecting the country via the new AdminCP page
  • Uses XenForo's IP Ban system to ban the IP ranges assigned to each country


Browser Fingerprinting
  • You can enable browser fingerprinting and have this logged alongside a member's user ID and IP address
  • Used in two new security watchers
  • Defaults to off


Manage Settings Backups
  • A full "dump" of the current XenForo settings is backed up automatically via a cron job
  • Can be manually saved via this page
  • Can be loaded via this page


Forced Password Change
  • Forces all users to change password the next time they visit the forum
  • Redirects users to the Change Password form in the Account page
  • Can be limited to only force password change for users without 2FA enabled
  • Can be limited to only force password change for users who have been inactive for X days


Mass Password Reset
  • Uses XenForo's own system for generating new random passwords
  • Uses XenForo's email template for sending notifications of the reset in order to maximise familiarity for users
  • Can be limited to only reset passwords for users without 2FA enabled
  • Can be limited to only reset passwords for users who have been inactive for X days


Password Rules
  • Per-usergroup password rules
  • Length, Lower-case, Upper-case, Numbers, Symbols
  • Enforces the rules before the form can be submitted
  • Works on Registration and Change Password in the Account page


Trusted Devices Management
  • Optionally trust devices permanently when logging in with Two-Factor Authentication
  • See a list of all trusted devices in the Two-Factor Authentication page in the "Your Account" page
  • Revoke device trust with one click


Session Management
  • Track all devices currently logged in to your account
  • See a list of all currently logged devices in a new Login Sessions page in the "Your Account" page
  • Force a device to log out with one click
  • Only works with devices that have accessed the forum since installing the mod, but does not require logout/login


Login Failure Response
  • Login failures are modified to give the same response whether the user name or the password is wrong
  • Helps prevent brute forcing by not giving attackers an indication of what accounts are valid


Core File Alterations
  • File health is checked every 15 minutes via a cron job
  • Receive an email when core files are altered
  • Uses XenForo's file health check to check all core XenForo files
  • Shows a list of altered files in the email


Template Alterations
  • Optionally receive an email when a template is altered
  • Includes direct link to view the template history
  • Shows a diff similar to the template history
  • Can be toggled in the Options for this mod


Tor Exit Node Blocking
  • Optionally block Tor exit nodes
  • List of exit nodes for your site is updated via a cron job
  • Can be toggled in the Options for this mod

DragonByte's XenForo modifications include a single-line merged copyright footer which contains:
  • 1 Link to DragonByte Technologies XenForo store category
  • 1 Link to DragonByte Technologies homepage
  • 1 Link to a Details page listing the modifications this site has installed

  • v3.3.0 - 28th February 2017, 00:30
    Feature: Added an option to enable additional spider identification (spider list provided by ozzy47)
    Feature: Added a toggle for whether WebGL should be excluded from fingerprinting (previously it was forced off)
    Change: Updated the Fingerprint library to a new version, which (with WebGL enabled) provides even more accurate fingerprints
    Change: Improved the way the Branding Free system works, no longer requires a separate key
  • v3.2.1 - 7th February 2017, 01:17
    Feature: New option: Enable Account Breach Check
    Feature: New option: Account Breach Check: Check Username
  • v3.2.0 - 13th December 2016, 00:56
    Feature: "Bad Behavior" (http://bad-behavior.ioerror.us/) integration
  • v3.1.0 - 18th October 2016, 00:09
    Change: Improved performance by implementing phrase caching
    Change: Back-end changes to make pages, error messages and redirects more compliant with XenForo standards
    Fix: Setting password expiry to Unlimited could result in a password changing loop in certain circumstances
  • v3.0.4 - 22nd August 2016, 22:24
    Change: Added caching for templates that are loaded via template hooks
  • v3.0.2 - 18th July 2016, 23:51
    New Features:

    Email Recovery Criteria: Paid Subscription Transaction ID
    • Users who can provide a valid paid subscription / user upgrade transaction ID will by default receive a very high score, letting their recovery pass through
    • Score can be configured in the AdminCP


    Email Recovery Criteria: Region
    • If the user's current IP is in the same region (e.g. state within the USA), a positive score can be applied to their request
    • Score can be configured in the AdminCP
  • v3.0.1 - 11th July 2016, 22:44
    New Features:

    Email Recovery
    • Users who have forgotten or lost access to their email accounts can recover their account via a page similar to "Lost Password"
    • Requires you to fill out an email address to receive these reports in the Options for this mod (receives separate emails for successful and unsuccessful email recovery attempts)
    • Adds itself next to every "Lost Password" link
    • Configurable scoring criteria to judge how likely it is that this person's request is legitimate
    • Browsable logs of all email recovery attempts and their outcomes
  • 3.0.0 Gold - 4th July 2016, 23:50
    Bug Fixes:
    • Fixed a couple of cases where an "Invalid class" error could be displayed
    • Attempting to log in with an incorrect username / email will no longer cause a server error
    • Resolved multiple issues with the "Compromised Account Alert" feature
    • Resolved an issue where using the "Admin Unlock" action would generate an email to administrators with incorrect language
  • 3.0.0 Beta 4 - 27th June 2016, 23:11
    Changed Features:

    Password Reset
    • The created password is now based on the user's password rule requirements
    • The Mass Password Reset action now creates a random password based on the user's password rule requirements
  • 3.0.0 Beta 3 - 20th June 2016, 22:46
    New Features:

    Search IP Addresses: Find Potential Intruder IP Addresses
    • Displays a list of IP addresses that have failed to log in to valid member accounts more than once
    • Also displays any successful logins from these IP addresses


    Country Blocking
    • You can now block any country from your forum easily by selecting the country via the new AdminCP page
    • Uses XenForo's IP Ban system to ban the IP ranges assigned to each country


    Browser Fingerprinting
    • You can enable browser fingerprinting and have this logged alongside a member's user ID and IP address
    • Used in two new security watchers
    • Defaults to off


    Security Watcher: New Device Fingerprints (Member Accounts)
    • Triggers when a member's account is accessed from a new fingerprint
    • Allows locking the member's account and asking them to unlock it
    • Has the same options as "Failed Logins" security watcher


    Security Watcher: New Device Fingerprints (Staff Accounts)
    • Triggers when a staff member's account is accessed from a new fingerprint
    • Allows locking the staff member's account and asking them to unlock it
    • Allows locking the staff member's account and asking admins to unlock it
    • Has the same options as "Failed Staff Logins" security watcher


    Fingerprint Log Viewer
    • Browsable log of all fingerprints
    • Filtering / Sorting options


    Changed Features:
    • When a user is deleted, all relevant data is now also deleted to prevent broken displays and errors
    • "Failed Logins" watcher can now ban the user in question
    • "Failed Staff Logins" watcher can now email the user in question


    Bug Fixes:
    • Two event listeners for DragonByte Credits were inadvertently left in this product
    • The Config Tamper action could cause a PHP error when triggered
    • The email sent when a potentially compromised account is detected would not have the correct contents
    • The Password Change action would not respect the "last active threshold" choice
    • The "Password Rules" checkboxes would not update if the user pasted their password via the right click menu
    • Browsing to the second page of any log view that was limited by date would disregard the date limitations
  • 3.0.0 Beta 2 - 13th June 2016, 23:14
    New Features:

    Compromised Account Lock
    • Ability to lock an account if it's detected as compromised
    • Prevents any action on the forum
    • The user whose account was logged in to will need to click a link in their email inbox to unlock their account


    Compromised Account Alert
    • Alert staff when an account has potentially been compromised


    Security Watcher: Failed Staff Logins
    • Identical to "Failed Logins" watcher, except only for staff accounts
    • Allows you to set stricter rules for staff accounts, or optionally only alert the webmaster if a staff account is broken into
    • Failed Staff Logins can lock the account in one of two ways; User Unlock or Admin Unlock. Admin Unlock requires an administrator (other than the affected user) to unlock the account.


    Suspect IP Range Search
    • Collates IPs from various DB Security logs and matches partial IPs to detect suspicious IP ranges
    • Shows the suspected range(s) along with the number of "hits" this range has generated
    • Located on the "Search IP Addresses" screen


    Password Generator
    • Generate a random password or use your own
    • Fill out username and password to encrypt it for use in Basic Authentication auth files


    Mass Password Reset
    • Can be limited to only reset passwords for users without 2FA enabled
    • Can be limited to only reset passwords for users who have been inactive for X days


    Force Password Change
    • Can be limited to only force password change for users without 2FA enabled
    • Can be limited to only force password change for users who have been inactive for X days


    Changed Features:
    • The "Maintenance" page (Mass Password Reset and Force Password Change) has been split into separate pages to make it easier to find these features
    • The "Failed Logins" watcher no longer triggers for staff accounts


    Bug Fixes:
    • The Mass Password Reset maintenance action would not check if the "confirm action" was set to Yes
    • The "Find Multi-Account IPs" tool would not work as intended
    • The "Close Forum" action would not set the correct close message
    • The "Alert Webmaster" action would not work as intended
  • 3.0.0 Beta 1 - 6th June 2016, 23:30
    Initial release

At a glance

Supports: XenForo 1.5.3+

Requirements: PHP 5.6+

Version: v3.3.0
Release date: 27th February 2017