Lack of interest Block IP's if they try to access more than X multiple accounts

[Alpha1]

To limit attackers in their login attempts, please add a function to Block IP's if they try to access more than X accounts.

 

[Chris D]

We actually already do this.

We count the number of login attempts in the last 5 minutes for the username/email and IP address. If this exceeds 3 then they are shown a captcha or blocked (depending on your Admin CP option).

We also check the number of attempts in the last 30 minutes for the username/email and IP address. If that exceeds 6 attempts, again, captcha or block.

Further on from that, we also check the number of attempts in the last 5 minutes for the IP address only. If that exceeds 7 attempts then captcha or block again.

Finally, we also check the number of attempts in the last 30 minutes for the IP address only. If that exceeds 15 attempts, then captcha or block.

 

[Alpha1]

then captcha or block.

Captcha is very useful for suspicious attempts.
Adding a IP to the ban list should be done in situations that are clearly abusive.

So it would be very useful to have settings for both captcha and automatic IP bans.
Currently we can only do one.

 

[Paul B]

I disagree with automatic IP bans.

If it is a dynamic/corporate/shared IP address, it shouldn't be banned.

 

[Alpha1]

If an IP attempts to access 5000 accounts and tries to brute force it, then the only solution is to ban it. The alternative is to get hacked.

 

[Mike Edge]

I disagree with automatic IP bans.

If it is a dynamic/corporate/shared IP address, it shouldn't be banned.

Could have a white list option along with ban options such as ban for all reasons. Ban for 30 invalid logins but not 30 different account logins.. etc.