Lack of Interest Block IPs if they try to access more than X multiple accounts

Discussion in 'Closed Suggestions' started by Alfa1, Nov 7, 2015.

  1. Alfa1

    Alfa1 Well-Known Member

    To limit attackers in their login attempts, please add a function to block IPs if they try to access more than X accounts.
     
    thomas1, borbole and Mouth like this.
  2. Chris D

    Chris D XenForo Developer Staff Member

    We actually already do this.

    We count the number of login attempts in the last 5 minutes for the username/email and IP address. If this exceeds 3 then they are shown a captcha or blocked (depending on your Admin CP option).

    We also check the number of attempts in the last 30 minutes for the username/email and IP address. If that exceeds 6 attempts, again, captcha or block.

    Further on from that, we also check the number of attempts in the last 5 minutes for the IP address only. If that exceeds 7 attempts then captcha or block again.

    Finally, we also check the number of attempts in the last 30 minutes for the IP address only. If that exceeds 15 attempts, then captcha or block.
     
    Alfa1, ozzy47 and Brogan like this.
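
The four limits listed in the post above can be sketched as a sliding-window counter. This is an added example, not XenForo's code: the class and method names, the in-memory store and stopping at the first exceeded rule are assumptions, and the post does not say whether successful logins are counted, so the caller decides what to record.

```python
import time
from collections import deque

# (scope, window in seconds, limit): the four checks listed in the post.
RULES = [
    ("user+ip", 5 * 60, 3),
    ("user+ip", 30 * 60, 6),
    ("ip", 5 * 60, 7),
    ("ip", 30 * 60, 15),
]
MAX_WINDOW = max(window for _, window, _ in RULES)


class LoginThrottle:
    """Hypothetical in-memory attempt log; a real forum would use a database table."""

    def __init__(self):
        self.attempts = deque()  # (timestamp, lowercased username, ip), oldest first

    def record_attempt(self, username, ip, now=None):
        now = time.time() if now is None else now
        self.attempts.append((now, username.lower(), ip))

    def tripped_rule(self, username, ip, now=None):
        """Return the first exceeded rule as (scope, window, limit), or None."""
        now = time.time() if now is None else now
        # Drop entries older than the longest window; no rule can count them.
        while self.attempts and self.attempts[0][0] < now - MAX_WINDOW:
            self.attempts.popleft()
        user = username.lower()
        for scope, window, limit in RULES:
            count = sum(
                1
                for ts, name, addr in self.attempts
                if ts >= now - window
                and addr == ip
                and (scope == "ip" or name == user)
            )
            if count > limit:  # "exceeds" in the post: strictly greater than
                return (scope, window, limit)
        return None  # no limit exceeded; no captcha or block needed
```

The IP-only rules are what catch one address trying many different usernames, since each username+IP pair then has only a single attempt.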
  3. Alfa1

    Alfa1 Well-Known Member

    Captcha is very useful for suspicious attempts.
    Adding an IP to the ban list should be done in situations that are clearly abusive.

    So it would be very useful to have settings for both captcha and automatic IP bans.
    Currently we can only do one.
     
  4. Brogan

    Brogan XenForo Moderator Staff Member

    I disagree with automatic IP bans.

    If it is a dynamic/corporate/shared IP address, it shouldn't be banned.
     
  5. Alfa1

    Alfa1 Well-Known Member

    If an IP attempts to access 5000 accounts and tries to brute force it, then the only solution is to ban it. The alternative is to get hacked.
     
    The Forum Heroes likes this.
  6. The Forum Heroes

    The Forum Heroes Well-Known Member

    Could have a white list option along with ban options such as ban for all reasons. Ban for 30 invalid logins but not 30 different account logins, etc.
     