
Options Manager -- 'Security' tab

The Security tab controls various access settings and limits on user activities on the discussion board. Many of the features noted in this section are available in Discus Pro only. Users of freeware Discus who do not see these features can gain full access by purchasing an upgrade to Discus Pro.

Access Control

Access control regulates who is permitted to view your topics page, and whether your topics page will show all of the topics or just those topics that a user is permitted to read. This section also allows you to configure whether there will be an initial login screen for your board, or whether the topics will come up immediately without the need for a login.

Control who is permitted to view the topics display on your board: Choose any of the three following options to regulate access to your board topics screen.

  • Restricted access (registered users/moderators only): A login screen will be presented to anyone attempting to access the topics page of your board. Only registered users and moderators will be able to access the topics page. Note that the login screen is bypassed if the user or moderator has the "cookie option" enabled in their profile, as they are automatically logged in by virtue of the stored username and password.

  • Public access (display topics immediately): The topics page will be brought up immediately without any login screen. Users and moderators will be able to log in when posting, attempting to read a restricted topic, etc.

  • Display login screen with guest access option: A login screen will be presented, with options to enter a username and password, register for a new account (if self-registration is enabled), and recover a forgotten password (if forgotten password recovery is enabled). There will also be a button to "Enter as Guest" that unregistered guests can use to gain access to the discussion system without an account.

Control which topics are displayed to a user on the topics display: If you are using read-restricted topics on your discussion board, you can choose whether or not your visitors can see those topics until they've supplied login credentials sufficient to allow them to gain access to those topics.

  • All topics on board: All topics on the board will be shown. If a visitor clicks on a topic that he or she is not permitted to read, he or she will be prompted to log in.

  • Only those topics that a user is authorized to view: Shows only the topics that the visitor's current login (or guest status) permits him or her to read. This option is generally useful only in conjunction with a login screen, since an unauthenticated visitor otherwise has no way to discover that restricted topics exist.

Hide/show categories based on Access Manager settings: If you are displaying only those topics that a visitor is authorized to view, and you are using categories, it may result in the appearance of "empty" categories on the topics page. Checking this option enables a display in the Access Manager allowing the board administrator to set "reading privileges" for categories based on access to actual topics. Note that this box simply makes the Access Manager setting visible; checking this box in itself does not affect the board's operation in any way.

Display the following message if a user is prompted to log in: You can replace the default login prompt by typing something in this box. Discus formatting tags (except image and attachment upload) are permitted here.

Hide default "Enter your username and password to enter this ..." message: If checked, the default message instructing the visitor to enter a username and password will be hidden. You would presumably want to do this only if you've created your own welcome message using the previous text box.

Attachment/Image Uploading

A powerful feature of Discus and Discus Pro is the ability to allow visitors to upload images, and in Discus Pro attachments, along with their posts. This section allows you to configure whether your visitors will be able to upload these items, and if so, to put limitations on the size of uploaded items.

Attachment/Image Uploading Enabled: If you wish to allow image or attachment uploading on your board, you must check this box. If this box is unchecked, image and attachment uploading to posts is disabled.

Limit file sizes (in kb): You can place limits on the size of uploaded images and attachments. Separate settings are available for public posters (unregistered guests), registered users, and moderators. Type "0" into a box to allow unlimited upload size, or "-1" to disable uploading entirely.

... and/or limit dimensions: You can limit the dimensions of uploaded images. In the boxes, enter the maximum number of pixels to allow in the width and height, respectively, of uploaded images. To ensure optimal display on all screen sizes, DiscusWare generally recommends a setting of 640x480 here (your visitors can use their imaging software to reduce the size of the image).

Board Administrator upload size is unlimited: If checked, the limitations you set in the above boxes will not apply to the board administrator. Generally, the board administrator trusts him/herself and can check this box. However, if the administrator wants to avoid unintentionally uploading very large images, this box can be left unchecked and the administrator will be subject to the same limits placed on moderators.

Require IP match to message post IP for uploaded images: DiscusWare generally recommends that this box be left unchecked. This is an extra security check to be sure that images and attachments being uploaded come from the same IP address as the post. On the surface, this may seem like a good idea, but any users who connect through proxies that occasionally change the IP address of the incoming connections will get error messages upon uploading. As broadband connections become more popular, such errors will also increase in frequency if this box is checked.

Use file's extension for unrecognized MIME types if extension is valid: This is an advanced setting related to the setup of the attachments.conf configuration file. If you are unsure what to do, leave this box unchecked. For details on this option, consult the attachments.conf documentation in the Discus Knowledge Center.

IP Banning

IP banning is a way to ban a specific IP address or a range of IP addresses from accessing CGI scripts on your discussion board. This is recommended only in the case of abusive visitors that you cannot otherwise keep away from your system. IP banning prevents accesses to CGI scripts; however, any public reading topics can still be read even by banned individuals.

Note that broad IP banning (e.g., *.aol.com) can have the effect of banning many innocent users in addition to one guilty user. Conversely, narrow IP banning may not stop a guilty user (e.g., banning one specific dial-up IP address, when a new IP is assigned for each connection attempt). Someone intent on disrupting a board will likely have several means of accessing the internet; keeping such a person out by IP banning alone will likely require several revisions of the banned IP list.

Do not ban IP addresses for "banned" users in User Manager: A "banned" user (in the sense of someone whose account is suspended with the "banned" option in User Manager) will, by default, have any IP addresses they use be automatically banned. However, with certain internet service providers, this may result in banning more innocent people than guilty ones. If this happens, check this box; the banned user will still be prevented from accessing your board, but it will not do any automatic banning of IP addresses.

To add a new IP address or range to ban: Enter the IP address in the "IP address" box. You can use any of the following formats:

  • Banning a single IP address: Enter 1.2.3.4 to ban this one particular computer.

  • Banning a single IP host: Enter hostname.domainname.com to ban this one particular computer. For this to work, your web server must support host name lookups. Note that banning an IP address and the corresponding host is redundant and unnecessary.

  • Banning with wildcards: Enter *.domainname.com to ban all hosts from domainname.com, or enter 1.2.3.* to ban 1.2.3.0 through 1.2.3.255. The "*" wildcard matches any number of any character. You can use the wildcard as many times as you wish. Note that banning just "*" will ban everyone, including yourself, which is generally not a good idea.

  • Caveats: Discus Pro IP banning does NOT perform subnet calculations or range lookups. Patterns such as "1.2.3.4/255.255.255.0" or "1.2.3.0-1.2.3.255" are treated as literal strings (with "*" as the only wildcard) and will therefore not work as network administrators might expect just by looking at them; to ban a class C network, use "1.2.3.*" instead.

    When adding a new IP address, you can optionally add a comment, to remind yourself later why the IP address was banned. When you save your options, the newly banned IP address will appear on the list, and a blank box will appear to allow you to ban additional addresses. There is no limit on the number of IP addresses you can ban.

    If you manage to ban yourself inadvertently, you will need FTP or telnet access to the server to let yourself back in. The procedure to let yourself back in is described in the Discus Knowledge Center.

To remove a ban on an address or pattern: Uncheck the box next to the pattern whose IP ban you wish to remove, and then save your options. Unchecked patterns will disappear entirely from the list.
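The following is an added example, not part of the original documentation and not Discus's own code, showing the matching rules described above: "*" is the only wildcard and matches any run of characters, everything else is literal, and CIDR or range notation is not understood. It also shows the check a practitioner would want before saving a new pattern, namely whether the pattern matches the administrator's own address. The addresses, host names and ban lists are constructed for illustration; a real board gets the client IP and (if the web server performs reverse lookups) the host name from the CGI environment.

```python
import re


def ban_pattern_to_regex(pattern):
    """Compile a Discus-style ban pattern.  '*' matches any run of characters
    (including none); every other character is literal, so '1.2.3.4/255.255.255.0'
    or '1.2.3.0-1.2.3.255' can only ever match that exact string."""
    parts = re.split(r"(\*)", pattern.strip())
    body = "".join(".*" if part == "*" else re.escape(part) for part in parts)
    # Host names are case-insensitive in DNS, so compare without regard to case.
    return re.compile(body, re.IGNORECASE)


def matching_ban(client_ip, client_host, ban_list):
    """Return the first pattern that matches the client's IP address or, if the
    web server supplied one, its host name.  Returns None if the client is not
    banned.  `client_host` may be None when host name lookups are disabled."""
    for pattern in ban_list:
        rx = ban_pattern_to_regex(pattern)
        if rx.fullmatch(client_ip):
            return pattern
        if client_host and rx.fullmatch(client_host):
            return pattern
    return None


def self_lockout_risk(new_pattern, admin_ip, admin_host=None):
    """True if saving `new_pattern` would ban the administrator's own address.
    Worth running before every save, because undoing a self-ban needs shell or
    FTP access to the server."""
    return matching_ban(admin_ip, admin_host, [new_pattern]) is not None


if __name__ == "__main__":
    # Constructed sample ban list and clients (not from any real board).
    bans = ["1.2.3.*", "*.aol.com", "1.2.3.4/255.255.255.0"]
    for ip, host in [("1.2.3.77", None),
                     ("1.2.30.77", None),
                     ("10.0.0.5", "dialup-5.ny.AOL.com"),
                     ("1.2.3.9", None)]:
        print(ip, host, "->", matching_ban(ip, host, bans))
    print("would '1.2.3.*' lock out 1.2.3.200?", self_lockout_risk("1.2.3.*", "1.2.3.200"))
```

Note that "1.2.3*" (no trailing dot) is a different pattern from "1.2.3.*": the former also matches 1.2.30.0 through 1.2.39.255, which is usually not what was intended.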

IP Limiting

Because Discus is a CGI application, each "hit" on one of your CGI scripts starts up a process to run the program. If a single user attempts to perform a complex operation (such as a search) many times simultaneously, undue load is created for your server. The same applies to some spiders that malfunction, attempting to simultaneously follow links such as "Edit Post" on your board. While Discus itself cannot prevent a CGI process from being started for each hit, it can reduce the resource usage from those hits if you enable this option.

By checking the "Limit IP address to ... simultaneous accesses" box, you are configuring your board to track the number of simultaneous accesses to your discussion board from each IP address. If the IP address makes more simultaneous requests than you configure here, the script will not process the additional requests, but instead insert a pre-programmed delay and then display an error message.

DiscusWare generally recommends that this option be enabled with a setting of 2.
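The following is an added example, not part of the original documentation and not Discus's own code, showing the behaviour the option describes: each client IP may have at most a configured number of requests in flight, and a request beyond that is not processed but delayed and refused. The counter is kept in memory here for illustration only; because every Discus hit is a separate CGI process, a real implementation has to keep the per-IP count in a shared, locked file. The class and method names are assumptions. Keep in mind that the limit applies per address, so visitors behind one proxy or NAT gateway share a single budget, the same consideration raised for the IP-match upload check above.

```python
import threading
import time
from collections import defaultdict


class IpConcurrencyLimiter:
    """Admit at most `limit` simultaneous requests per client IP.  A request over
    the limit waits `penalty` seconds and is refused instead of being processed."""

    def __init__(self, limit=2, penalty=0.0):
        self.limit = limit
        self.penalty = penalty
        self._inflight = defaultdict(int)
        self._lock = threading.Lock()   # stand-in for file locking between CGI processes

    def begin(self, ip):
        """Try to admit a request.  Returns True if it may proceed."""
        with self._lock:
            if self._inflight[ip] < self.limit:
                self._inflight[ip] += 1
                return True
        time.sleep(self.penalty)        # pre-programmed delay before the error page
        return False

    def end(self, ip):
        """Release a slot when the admitted request finishes (also on errors)."""
        with self._lock:
            if self._inflight[ip] > 0:
                self._inflight[ip] -= 1

    def inflight(self, ip):
        with self._lock:
            return self._inflight[ip]

    def serve(self, ip, handler):
        """Run `handler()` under the limit; return its result or an error string."""
        if not self.begin(ip):
            return "Error: too many simultaneous requests from your address"
        try:
            return handler()
        finally:
            self.end(ip)   # release even if the handler raises


if __name__ == "__main__":
    # Constructed demonstration: three overlapping searches from one address.
    limiter = IpConcurrencyLimiter(limit=2, penalty=0.1)
    ip = "203.0.113.7"
    print(limiter.begin(ip), limiter.begin(ip), limiter.begin(ip))   # True True False
    limiter.end(ip)
    print(limiter.serve(ip, lambda: "search results"))
```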

Message Size Limitations

Readers of a discussion board can be annoyed by both very long posts which take a long time to load, as well as by very short posts, where they navigate only to find someone who posted "Me Too." Fortunately, Discus offers protection against both of these situations by allowing the setup of message size limitations.

Limit message sizes: Enter a number into each box to set a maximum message size. Note that the number you enter will be multiplied by 1,000 and that result will be the maximum size of message that can be posted. A setting of "50" in this box limits message size to 50,000 characters, which is generally sufficient for most uses. As with other areas of the discussion board where limits are specified, a setting of "0" indicates that there is no limit on size, and "-1" disables all posting. Your setting can be separately set up for public posters (unregistered guests), users, and moderators.

Minimum number of words: This option prevents extremely short posts and can be set separately for public posters (unregistered guests), users, and moderators. A "word" in a post is defined as a sequence of at least two consecutive non-space characters (in layman's terms, a word of 2 or more letters); single characters do not count toward the minimum.

Moderator Logins

Discus Pro gives the ability to ban an IP address and/or e-mail a moderator if too many unsuccessful administration login attempts occur with that moderator's identity. These functions allow automated, proactive monitoring of attempted brute-force attacks to gain administrative access by repeatedly guessing a moderator's password.

Too many failed logins for a moderator bans an IP address: If checked and if there are more consecutive failed login attempts than you specify in the box, the IP address from which the logins originate will be banned automatically. If you check "Do not do this for the board administrator," the administrator's account will be exempted from this IP banning. DiscusWare recommends that you use this automatic banning option sparingly, if at all, to avoid locking yourself out of your board. Keep in mind that anyone can trigger the ban simply by entering wrong passwords, so an address shared by many visitors (a proxy or a large ISP gateway) can end up banned through no fault of its legitimate users.

Too many failed logins for a moderator e-mails the moderator: If checked and if there are more failed consecutive login attempts than you specify in the box, a warning e-mail message will be sent to the moderator using the address in the moderator's profile. If you check the "E-mail board administrator too" box, a copy of the warning message will also be sent to the board administrator.
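The following is an added example, not part of the original documentation and not Discus's own code, showing the logic the two options describe: count consecutive failed logins per moderator identity, reset the count on a successful login, and when the count exceeds the configured number, ban the source IP (unless the board administrator is exempted) and/or notify the moderator, with an optional copy to the administrator. Real mail sending is replaced by an outbox list, the class and option names are assumptions, and resetting the streak after one reaction is a design choice of this example. As with any automatic IP ban, an attacker who shares an address with legitimate users can lock them out by failing logins on purpose.

```python
from collections import defaultdict


class ModeratorLoginGuard:
    """React to repeated failed logins against one moderator's identity."""

    def __init__(self, max_failures, ban_ips=True, exempt_admin=True,
                 mail_moderator=True, cc_admin=False,
                 admin_username="admin", admin_email="admin@example.com"):
        self.max_failures = max_failures      # the number typed into the option box
        self.ban_ips = ban_ips                # "bans an IP address" checkbox
        self.exempt_admin = exempt_admin      # "Do not do this for the board administrator"
        self.mail_moderator = mail_moderator  # "e-mails the moderator" checkbox
        self.cc_admin = cc_admin              # "E-mail board administrator too"
        self.admin_username = admin_username
        self.admin_email = admin_email
        self.consecutive_failures = defaultdict(int)   # moderator -> streak length
        self.banned_ips = []    # what would be appended to the IP ban list
        self.outbox = []        # (recipient, body) pairs; stand-in for real e-mail

    def record_attempt(self, moderator, source_ip, success, moderator_email):
        """Call once per login attempt.  Returns the list of actions taken."""
        if success:
            self.consecutive_failures[moderator] = 0
            return []
        self.consecutive_failures[moderator] += 1
        if self.consecutive_failures[moderator] <= self.max_failures:
            return []
        # More failures than allowed: react once, then start a fresh streak.
        self.consecutive_failures[moderator] = 0
        actions = []
        is_admin = moderator == self.admin_username
        if self.ban_ips and not (self.exempt_admin and is_admin):
            if source_ip not in self.banned_ips:
                self.banned_ips.append(source_ip)
            actions.append(f"ban {source_ip}")
        if self.mail_moderator:
            body = (f"More than {self.max_failures} consecutive failed logins "
                    f"for '{moderator}' from {source_ip}")
            self.outbox.append((moderator_email, body))
            actions.append(f"mail {moderator_email}")
            if self.cc_admin and moderator_email != self.admin_email:
                self.outbox.append((self.admin_email, body))
                actions.append(f"mail {self.admin_email}")
        return actions


if __name__ == "__main__":
    # Constructed sequence of attempts; addresses and names are made up.
    guard = ModeratorLoginGuard(max_failures=3, cc_admin=True)
    for _ in range(4):
        print(guard.record_attempt("kpaulisse", "203.0.113.7", False, "kp@example.com"))
    print("banned:", guard.banned_ips)
```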

Poster Names & Identification

If you allow both public posting and posting by registered users, you may run into a problem where an unregistered guest attempts to impersonate a registered user by typing that user's username or full name without a password. Since public posting is, by definition, the ability to post with any username, this is allowed. This section of the Options Manager puts some limitations on the names that can be used by unregistered posters.

Public posters may use:

  • Anything at all as the username: Allow the public poster to use any name at all, regardless of whether it is the username or full name of a registered user or moderator.

  • Anything except the exact username of a registered member: A user may enter any name that is not the exact username of a registered member. For example, with this option checked, a public poster would probably not be able to use "admin" as a name when posting.

  • Anything except the exact full name of a registered member: A user may enter any name that is not the exact full name of a registered member. For example, with this option checked, a public poster would probably be able to use "admin" but would perhaps not be able to use "Board Administrator".

  • Anything except the exact username or full name of a registered member: A user may enter any name that is not the exact full name or exact username of a registered member. For example, with this option checked, a public poster would probably not be able to use either "admin" or "Board Administrator".

  • Anything that does not resemble the username or full name of a registered member:

      This option attempts to perform a "fuzzy" pattern match to determine how "close" a public poster's name is to the username or full name of registered users. The algorithm is imprecise at best, as the human mind is excellent at discerning immediately what is "close" but a machine is not capable of such intelligence.

      For this reason, you are asked to specify a "threshold" which will be used to decide whether to reject a name or not. Your threshold is a number from 1 to 100, with lower numbers being more strict (more likely to reject a name). DiscusWare recommends a setting between 40 (strict) and 60 (rather loose) for most implementations, if this option is used.

      Enabling this option will slow the performance of your discussion board, especially if you have a large user list. This is because a complex pattern for each user's username and full name must be built up for comparison against the entry.

      Do not check against single-word full names: Single-word full names within profiles, such as "John" or "Bob," frequently match many unregistered guest names. With most settings, a full name of "Bob" would prevent any posts by any unregistered users named "Bob." To avoid these problems, check this box to ignore single-word full names when performing the comparison.

      Treat non-English characters as the English letter they resemble: A common trick to defeat this sort of filter is to use a non-English character to make the name different (although to the human eye, it looks very similar). Using the Discus author as an example, consider that "Kevin Paulisse" was a registered username. A public poster might try "Kevín Páulissé" to get around the filter, but to the human eye, there is very little difference between these names. With this box checked, i and í (and all of the other characters that look like the letter "i") are all treated as a single letter.

      Comments:

      When a public poster name is rejected, an entry is made in the errors.txt file, noting the public poster name entered and the registered username or full name that was used as the basis for the rejection. If the threshold option is used, the score from 1 to 100 representing the "closeness" of the match is also recorded.
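The following is an added example, not part of the original documentation and not Discus's own code, that implements the five "Public posters may use" modes above together with the two sub-options and the rejection log. The user list is constructed, and two pieces are assumptions because Discus does not document them: look-alike folding is done with Unicode NFKD decomposition (dropping the accent marks, so "Kevín" becomes "Kevin"), and the 1-to-100 "closeness" score is difflib's similarity ratio. With the fuzzy mode, a name is rejected when its score reaches the threshold, so a lower threshold rejects more names, as the text describes.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample user list, (username, full name); not a real Discus file.
REGISTERED = [
    ("admin", "Board Administrator"),
    ("kpaulisse", "Kevin Paulisse"),
    ("rsmith", "Bob"),
]

REJECTION_LOG = []   # stand-in for the entries Discus writes to errors.txt


def fold_lookalikes(name):
    """Map accented letters to the plain letter they resemble.  Assumption:
    NFKD decomposition plus dropping combining marks stands in for Discus's
    own (unpublished) look-alike table."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def closeness(a, b):
    """0..100 score of how much two names resemble each other (assumption:
    difflib's ratio; the real scoring algorithm is not documented)."""
    return round(100 * SequenceMatcher(None, a.lower(), b.lower()).ratio())


def check_public_name(name, mode, threshold=50, skip_single_word=True,
                      fold=True, registered=REGISTERED):
    """Return None if an unregistered poster may use `name`, otherwise the
    reason for rejection (which is also logged).  `mode` is one of 'any',
    'username', 'fullname', 'both' or 'fuzzy'; lower `threshold` is stricter."""
    if mode == "any":
        return None
    norm = fold_lookalikes if fold else (lambda s: s)
    candidate = norm(name.strip())
    for username, fullname in registered:
        u, f = norm(username), norm(fullname)
        reason = None
        if mode in ("username", "both") and candidate == u:
            reason = f"'{name}' is the username of registered member {username}"
        elif mode in ("fullname", "both") and candidate == f:
            reason = f"'{name}' is the full name of registered member {username}"
        elif mode == "fuzzy":
            targets = [u]
            # "Do not check against single-word full names" option
            if not (skip_single_word and len(f.split()) == 1):
                targets.append(f)
            for target in targets:
                score = closeness(candidate, target)
                if score >= threshold:
                    reason = (f"'{name}' resembles '{target}' of member {username} "
                              f"(score {score}, threshold {threshold})")
                    break
        if reason:
            REJECTION_LOG.append(reason)
            return reason
    return None


if __name__ == "__main__":
    # Constructed names a public poster might try.
    for attempt in ["admin", "Board Administrator", "Kevín Páulissé", "Kevin Paulise", "Bob"]:
        print(f"{attempt!r:20} both:  {check_public_name(attempt, 'both')}")
        print(f"{attempt!r:20} fuzzy: {check_public_name(attempt, 'fuzzy', threshold=60)}")
```

The exact-match modes cost one string comparison per registered member, while the fuzzy mode scores every username and full name against the entry, which is the slowdown on large user lists that the text warns about.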

Add text "(Unregistered Guest)" to names on posts by unregistered guests: If checked, the text "(Unregistered Guest)" will be made part of the public poster's name when a post is made. This option is similar to the "username in parentheses" option for registered users. Because Discus Pro 4.0 supports user statuses, one of which is "Unregistered Guest," DiscusWare generally recommends that the option being discussed here not be used, to avoid unnecessary visual clutter.



Copyright © 2002, DiscusWare, LLC, all rights reserved