Strongbox ROCKS!
I have one word to say about Ray at Webmastersguide.com's password security system.......................WOW!
Ray installed StrongBox on my site and the brute force attacks have stopped.....password sharing is done......security rules! Thank you Ray and thank all of you who helped me with my problem. Linda |
Hey Linda glad to see your problems have stopped. Ray is a great guy and that software of his has saved me a ton of $'s
|
Thanks for the kind words, Linda, and Kevin.
Also thanks for beta testing the new real time open proxy detection module. Yours was the first site to test it, but I put it on one more site early this morning. So far it looks real good - I'm excited about it. Linda, I think we took Password Sentry off in the process of putting Strongbox on your site. How would you compare the two, so far? |
Glad you got it locked up Linda;)
DD |
PS vs Strongbox
In comparison from Sentry to Strongbox.....I found that when we used the brute force thing on Sentry where one had to type in a "code" each time...there were so many conflicts that even legit members could not get in or they had to log in four and five times...and then their username would get blocked. What a mess. And I think that Sentry is the reason some members could not see certain areas of my site due to conflicts.
The stats that I can view are amazing in Strongbox and they tell me in no uncertain terms exactly what a username has done or tried to do. And the open proxy thing....well Sentry never had that. With Sentry all I got were complaints and in some cases, I would get 25 abuse notices in one day. People are still trying old usernames, posted illegal usernames, etc. etc. I did not know that because Sentry did not tell me these things. I've only had it for two days so in time, I am sure I could write chapters on the comparisons. A great product Ray! Linda |
Sounds like Strongbox is the way to go...rock on!
|
How does Strongbox compare to Pennywize? What are the advantages/disadvantages?
|
First off, Strongbox isn't really directly comparable to PennyWize
or anything else out there that I know of. To explain why, I have to get a little technical. Before I do, let me point out that with Strongbox there is no monthly fee and no reliance on someone else's server for your protection. Pennywize is an old solution to an old problem. The script kiddies, real hackers, and just plain password sites figured out how to beat PennyWize around 1999-2000. As more and more password sites and software did their end runs around PennyWize, we began developing Strongbox as the next generation in security.
Now for the technical part: Pennywize and similar services are needed because most web sites today use something called "Basic Authentication", which is implemented in a part of Apache called "mod_auth". This "Basic Authentication" is the system where the gray box pops up asking for your username and password. When the designers of mod_auth first released the design for that system, they were very careful to point out that it was not intended to be secure. It was intended to be a very basic system that could be used to put a password on your stats page until something better was designed.
One major weakness is that Basic Authentication - the pop up gray box - does not distinguish between the two main phases that you learn about in security 101. The first day of a computer security course you'll hear about the two phases of "authentication", making sure the user is who they say they are, and "authorization", checking if they are allowed to access this particular page, etc. The authentication phase is when they login, the authorization happens every time they view a page or image. With basic auth, they never login. Their username and password are sent by the browser every time it requests a page or image. Because they never actually login, you never get to thoroughly check them out. There are a lot of other problems too, like the fact that the whole thing is based on a very short password that can be shared.
Pennywize and similar programs try to tape up the holes in basic auth. That's a very tall order, because basic auth is built like a chain link fence - way too many holes to try to keep taped up. PennyWize and similar programs end up working like a burglar alarm inside the fence - trying to detect an intruder after they get in and then trying to deal with them after it's too late. Strongbox, on the other hand, gets rid of the whole "basic authentication" fence and puts up a thick brick wall instead. It doesn't tape up any holes, because it throws that fence full of holes in the trash pile behind the woodshed and puts in its own far superior system.
PennyWize and similar systems are also easily defeated by proxy based attacks. An http proxy is a server that lets you surf the web through it. Your computer connects to the proxy and tells the proxy what page you want to see. The proxy gets the page for you and forwards it on to you. From the server's perspective, you are invisible - it only sees the address of the proxy. When people do a brute force, or "hurling", attack, they might use 20 different proxies, so the server sees the requests coming from 20 different IP addresses. They do this to fool software like Password Sentry, which merely counts how many times a certain IP has tried a different username and password. These older, simpler "patch up" systems will let each of the attacker's IP addresses guess many usernames each hour, never recognizing that the guesses from the 20 different IPs are all coming from the same person and their brute force, or "hurling" software.
Strongbox isn't so easily fooled. Strongbox blocks these open proxies right away. There are some legitimate proxies. For example, AOL uses proxies so they don't have to have different IPs for each user. Legitimate proxies that you want to let through, though, are closed proxies - AOL proxies, for example, can only be used by AOL customers.
Companies set up legitimate proxies so that only their employees or customers can access them. Script kiddies, hackers, and other undesirables don't pay for access to 20 different proxies from 20 different companies, of course. Instead they use servers that have been misconfigured or hacked so that anyone can use them as a proxy, or one of a couple proxies put up by nefarious characters specifically for the purpose of allowing various kinds of wrongdoing to be accomplished without showing the perpetrator's IP address. These proxies which anyone can access are called open proxies. As they are often used by people attacking sites and rarely or never used by legitimate users, Strongbox blocks access from these open proxies immediately. This proxy defense module was originally designed as an extra cost option to enhance Strongbox's already high resistance to these types of attacks. We have decided to include this module as a free bonus with every Strongbox installation right now. |
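An added example (not part of the thread and not Strongbox's code) of the per-IP counting weakness described in the post above: a constructed log in which 20 source addresses each stay under a per-IP limit is checked first with a per-IP counter and then with a site-wide sliding window. The thresholds, the event layout and the addresses are assumptions chosen for illustration.

```python
from collections import Counter, deque

# All thresholds are assumptions for this illustration, not Strongbox settings.
PER_IP_LIMIT = 10    # failed logins tolerated per source IP
WINDOW_SECS = 3600   # sliding window length
SITE_LIMIT = 50      # failed logins tolerated site-wide per window
MIN_SOURCES = 5      # distinct IPs before the failures count as distributed


def constructed_events():
    """Constructed log of (time, ip, username, success) tuples.

    20 proxy addresses each try 8 usernames within one hour, and one
    legitimate member mistypes a password once before logging in.
    """
    events = []
    for proxy in range(20):
        for guess in range(8):
            when = proxy * 170 + guess * 20
            events.append((when, f"198.51.100.{proxy + 1}",
                           f"user{proxy * 8 + guess}", False))
    events.append((1800, "203.0.113.7", "linda", False))
    events.append((1830, "203.0.113.7", "linda", True))
    return sorted(events)


def per_ip_blocked(events):
    """Per-IP counting: block only addresses over PER_IP_LIMIT failures."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, count in fails.items() if count > PER_IP_LIMIT}


def first_distributed_alert(events):
    """Site-wide window: return (time, failures, ips, usernames) or None."""
    window = deque()
    for when, ip, user, ok in events:
        if ok:
            continue
        window.append((when, ip, user))
        while window[0][0] <= when - WINDOW_SECS:
            window.popleft()
        ips = {entry[1] for entry in window}
        if len(window) >= SITE_LIMIT and len(ips) >= MIN_SOURCES:
            return when, len(window), len(ips), len({e[2] for e in window})
    return None


if __name__ == "__main__":
    log = constructed_events()
    print("per-IP blocks:", per_ip_blocked(log))
    print("site-wide alert:", first_distributed_alert(log))
```

The per-IP counter blocks nothing because no single address exceeds its limit, while the site-wide window fires once 50 failures from 7 addresses have accumulated.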
Raymor,
wow, I have to say I really appreciate you taking the time to explain the differences and advantages to your program vs others. I'm very impressed, and I will be looking a little further into your product through your site, but I have one more question. If there's let's say 50 sites BUT one main members area, it only needs to be installed on the one main domain/box correct? |
There are some variables there and it's not 100% clear what
exactly your scenario is. I normally define a site as being a distinct members page. 50 entrances that lead to the same page is one site. 50 entrances that lead to 50 different "members" pages is 50 sites. When you say 50 sites but one members area, does that mean 50 sites that each have their own "members home" page but the pics and videos happen to be in the same directory, or does that mean 50 entrances that lead to one members page? Are these AVS sites, or pay sites? If someone is a member of one (has access to the "one members area"), do they also have access to all of the other sites with the same members area? We could discuss your exact situation via ICQ, phone, or email. |
Just had Strongbox installed on FoxyAngel's site.
Just wanted to say how wonderful the software is and what a delight it was to do business with Ray. :) Oh yeah… seeing the BW being used drop way down was also really nice. :D |
Yep...as I said...
STRONGBOX ROCKS! AND SO DOES RAY!!!!!
I've had the program for months now and what a difference! The hackers have finally after all these years...GIVEN UP! |
Strongbox
I purchased a few copies of strongbox a few months ago, and couldn't get it working due to compatibility problems with my dynamic members area. I never really got it installed or used it.
Instead I am using Pennywize and it has been working great. Not so happy about the monthly charge, but it only took 30 seconds to install and it seems to work fine for my needs. Ray, is it cool if I sell my 4 licenses to someone in need? If so, anyone in the market for strongbox? :) |
Re: Strongbox
Quote:
|
Strongbox broke the feeds with the way they were setup at Angel's site.
Basically the feeds were dependent on the correct referral being sent and since the referral was a different sub domain each time this was no longer possible. The feed people fixed this by placing a small php page on Angel's server that I link to. It then sends some info that says I'm a good url so show me the feeds. To the members nothing has changed but all password sharing, hacking, and the rest of the crap has completely stopped. Angel's site is using less than half the BW now and has over a third more members at this time than two weeks ago. Webmaster's Central video feeds is who Angel is using and their feeds do work with Strongbox now. :) |
Yep...strongbox....!!
IT'S THE SH-T! |bananna|
|
dicknixon I'm sure Ray wouldn't mind if you sell your licenses as long as you let him know. I use it on about 20 sites across different servers and it works great for us.
|
Damn. By the description of Strong Box I thought it was going to be hundreds of dollars, but it's not. It's pretty damned cheap, especially considering what it saves you.
Hike your prices you fool! |
Quote:
management module they will need to pay me the $30 each for that. Ray |
Hi I'm a noob :D
Is everyone still using strongbox? I just signed up so I hope it's still the best for this type of problem? I like the pink elephant so I'm gonna post it for no reason |pink :D |
I am still using SB on all my sites |thumb
|
Quote:
btw, are you by any chance related to Jim? :D |
Victoria, I still think Strongbox is a good 3 years ahead
of anything else, but I'm just a tiny bit biased. :) OK, so I'm a lot biased. Thanks to Kevin and Fonz for taking the time to reply to Victoria's post. Victoria I'm doing the pre-install preparations for your site right now so you'll soon see for yourself and you'll be the one posting to let others know what you think. I'll certainly be doing my very best to make sure that your post says something similar to Linda Might's post that started this thread. |
I posted this thread back in February of 2004. And I still say.....STRONGBOX ROCKS....bar none...it is the best, the best, the best!
And Ray has the best customer support ever! Not to mention he is brilliant. Between my hosting company and Strongbox....my site troubles are few! |bananna| |pink |bananna| |pink Linda |
Thanks for the replies everyone! Ray is doing the install and hopefully it all works out...I'll let you know :D |thumb
|
We are very happy with the older version of Strongbox that is running on FoxyAngel.com. I noticed the other day that the newer version of Strongbox that is running on KatVixen.com now works properly with Mac's Safari and also has a passphrase option for using on the member's login page. :)
|
The only thing I can think of that I would change is have a way to turn on/off the email function, on a normal day it's not bad, but the bad days where I get 4500+ emails in 6 hours time takes forever to download and it's always at the worst times.
But I will deal with that over having brute force attacks and all the other crap any day, I definitely recommend Strongbox. |
You should be able to comment out this line
$disabto="webmaster\@$host"; in the config.pl file to stop the mail. Personally I like fucking with the password trading sites. :D |
You can and need to turn off the email stuff. Before I turned it off I would get 500 to 1,000 an hour when people were poking.
The feature that I want/need is to have the admin work for ALL sites on a server. Right now it's one site at a time. The product DOES work just fine. |
I have recommended Strongbox to a lot of my hosting clients and every one of them that took it up was very impressed by its capabilities. Plus Ray is a good guy, I enjoy working with him.
cheers, Luke |
|bow| RAY ROCKS! And I still think he doesn't charge near enough money for this product. Sorry guys.....just being honest.
|pink |pink |pink |
Thanks for the very kind posts. There are a couple
of different variables that can be set to adjust the number of emails Strongbox sends. Below is a cut and paste from the new Owner's manual page describing these options, which can be found at: http://www.bettercgi.com/strongbox/manual/emails.html
Linda mentioned that she thinks I don't charge enough. Several other people have said the same thing. In fact, after I get another support person trained, the owner's manual "completed", and some admin interface improvements done I do plan to increase the price to $150, so if you're planning to put Strongbox on some more sites you may wish to order in the next couple of weeks before I complete these items and then feel comfortable increasing the price.
Strongbox Owner's Manual - Notification Emails
Strongbox will send emails to your specified email address(es) when it detects certain types of unusual activity. There are 3 variables in cgi-bin/sblogin/config.pl which affect this behavior. Some webmasters with many busy sites or sites which are the target of many attacks prefer to receive fewer emails, being notified of only the most important information. These variables start at about line #55 of the config file.
@email_addresses (aka @disabtos)
The first sets which email addresses should be notified. On older installations this variable was called @disabtos. On newer installations it has a better name, @email_addresses. It looks like:
This is a comma separated list of email addresses, all of which will receive identical emails when Strongbox needs to notify you of something. You can have as many email addresses listed as you wish, from none at all to many. Note that the last email address does not have a comma after it.
$notifyof
The $notifyof variable tells Strongbox which conditions it should email you about. If you find that you are receiving more emails than you would like this is one variable you may wish to edit. This is a list of "result codes" that match the result codes shown in the Strongbox reports and the result code which is found in the emails as the last word in the subject line of the email. It looks like this:
Some webmasters that get a lot of proxy based dictionary attacks end up receiving a lot of emails about people trying to login via open proxies, status code "opnproxy", so they choose not to be notified each time this happens, but have Strongbox wait to notify them until it suspends a username or password. To adjust this you can just remove "opnproxy" from the list, so it looks like this:
Even if you remove all of the others, you'll probably want to keep htpffail, which tells you if Strongbox is unable to read the password file (meaning it probably got deleted or moved), and dis_uniq, which tells you when a username is permanently disabled. See the status codes page for a description of all of the possible status codes.
$max_notices_per_day
Sites which had Strongbox installed after mid 2005 will have a 3rd variable as the next line after $notifyof, called $max_notices_per_day. This tells Strongbox the maximum number of emails it should send in a single day. It looks like:
You can change the maximum number to any number, from zero to any very large number. |
This looks to be what I am wanting, thanks Cleo and Raymor and whoever else gave me the code to look for. |thumb |
ok, I edited it... now I wait and see if I mucked it up ;)
|
FYI I just created a Strongbox forum:
http://www.bettercgi.com/forum/ |
Quote:
Go Ray....! |pink |
Quote:
I'll give you a call. |
nah, don't worry about it. we had a customer with some issues that i think we got straightened out. lol, you still using email?
good to hear everything is ok. |
After hearing the good things about Strongbox, and talking to Ray on the phone, I just put in my order. I'm especially looking forward to the anti-sluping features. That in itself is worth the price! Hope you don't have any probs with the hurricane Ray!
|
© Greenguy Marketing Inc