XenLoginSecurity [Paid] [Deleted]

Now I'm really confused. The one I downloaded is the one that ends up giving me this extension: /public_html/library/XenLoginSecurity/LoginUserLocks_v1_0_1

Wasn't that what I was supposed to download?

I don't quite want to do the IP thing yet until we know what's really going on. We know from Matt now that the server has not been compromised and I think this is a loophole in XF software.
 
ok, but that's what I tried first before I created that folder, and it did not work then either.

So what's the exact URL supposed to be that I'm uploading through the server? I have it now as this:

/public_html/library/XenLoginSecurity/LoginUserLocks_v1_0_1
 
Does this also notify the admin of the failed login attempts, either by email or displaying in a log file?
 
It automatically notifies the user that has had an unauthorised IP address attempt.
When someone attempts to login with a username, using the wrong IP address, and this user name is protected with Login Security, an email gets sent to the email address associated with the forum user's account. The email looks like this:


[Image: attempt.webp]

This email serves 2 purposes:

1) It informs the user that someone has tried to attempt to login to their account. But since it's from the wrong IP address, they won't get very far ... So it's nothing to worry about (even if they had the correct password, they still couldn't login from the wrong IP address).
2) It allows the user to login with the temporary safe link.

This link is valid for only a certain amount of time. It also has the IP address within it (so if it was the actual user from a "holiday" location, they can then login and add this IP address to their authorised list).

These attempts are logged in the database (in the table sf_xlsec_sent_emails). I could bring this information forward and put it in the ACP logs.
 
There is an issue with this as an admin. Once an admin uses this, even with the fields empty and turned off from the frontend, it still won't let them into the backend. It must contain an IP to allow ACP access once used. I had to delete the row from your settings table to let me into my ACP.

Even disabling the entire mod didn't work, as that was my first action in the db.
 
To log in, all you need to do is go to the front end, and try to login with the admin. This will send an email automatically to the admin.
That email contains a safe link so that the user can login (via the front end). They can then add their IP address to the Login Security.

Once it's added, they can login via the backend (www.forum/admin.php) and front end (www.forum/).

I use it myself with the admin account, as you can see by attempting to login here:
www.surreyforum.co.uk/admin.php

Oh, you might be right about this option:
Turn on Login Security to only login from defined IP addresses

If this is turned off for the admin, is ACP access still possible?

I'll need to check (that's not a scenario I've tested, since I've always thought it should be turned on for the ACP area... and thus always turned on for the Admin ACP).
 
Okay, I see what you mean.

It's always on for the ACP area. I'll fix this, so that it checks the username / on-off option before blocking the user's IP from the ACP area.
 
tenants updated XenLoginSecurity: IP Address Account Login Security with a new update entry:

XenLoginSecurity - Fix so that Admins can turn off for ACP

  • If the admin turns off their Login Security options via their account settings, they can now login to the ACP from any IP. Previously, the ACP area always had login security turned on (regardless of the user's account settings); now it checks options when the user attempts to login via the ACP.
If you like this plugin, please >>rate it<<

 
Excellent add-on. Thanks so much for making this. It's a great sense of security in the event someone tries to brute force their way into user/admin accounts.
 
@tenants, I would like to discuss another feature of this add-on I think would be pretty nice to have. Of course I would be willing to pay for you to further the development on this.

Please let me know if you are interested.
 
Just wondering if this also works with "changing IPs", as my telecom provider is providing "changing IPs" and not "fixed IPs".

Great Addon, I need to buy this.

:)
 
When your IP changes, and you attempt to login, access will be denied. However, you will also be emailed the login attempt and a secure login link will be provided to you through that email which expires after a set amount of time. You can login through that secure link and add the additional IP to your "safe" IP list.

Additionally, if you know the range of IPs your telecom provider uses for you, you can add that range to your whitelist.
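
The flow described in this thread (an IP allowlist that accepts ranges, the per-account on/off option applied to the ACP as well as the front end, and an expiring login link that carries the IP), as an added Python example that is not part of the thread and not the add-on's own code. The HMAC signing, the `|`-separated token layout, the 15-minute lifetime and all names are assumptions; the thread does not say how the add-on builds its link.

```python
import hashlib
import hmac
import ipaddress
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
LINK_TTL = 900                    # assumption: link lifetime in seconds

def ip_allowed(ip, allowlist):
    """True if ip equals a listed address or falls inside a listed CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in allowlist)

def login_decision(account, ip):
    """One check for front end and ACP alike: honour the account's on/off option first."""
    if not account["enabled"]:
        return "allow"
    if ip_allowed(ip, account["allowlist"]):
        return "allow"
    return "deny_and_email"  # caller mails the owner a link from make_token()

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def make_token(user, ip, now=None):
    """Token for the emailed link: bound to user, requesting IP and expiry time."""
    expires = int(time.time() if now is None else now) + LINK_TTL
    payload = f"{user}|{ip}|{expires}"
    return f"{payload}|{_sign(payload)}"

def verify_token(token, user, ip, now=None):
    """Accept only an untampered, unexpired token presented from the IP it names."""
    try:
        t_user, t_ip, t_exp, sig = token.split("|")
        expires = int(t_exp)
    except ValueError:
        return False
    expected = _sign(f"{t_user}|{t_ip}|{t_exp}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    current = time.time() if now is None else now
    return t_user == user and t_ip == ip and current <= expires

if __name__ == "__main__":
    # Constructed sample account; addresses are from documentation ranges.
    acct = {"enabled": True, "allowlist": ["198.51.100.4", "203.0.113.0/24"]}
    print(login_decision(acct, "203.0.113.77"), login_decision(acct, "192.0.2.10"))
```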
 