Resource icon

LoginUserLocks - Prevent Brute Force: Security 1.0.01

No permission to download
Overview Reviews (2) History Discussion
tenants

tenants

Well-known member
tenants submitted a new resource:

LoginUserLocks - Prevent Brute Force: Security (version 1.0.01) - Prevent attempts to brute force the login area

Feel free to Donate. Originally this was a paid add-on, but it's suspected this might now be being exploited. I've made this free so it's available to everyone (it's free for those who can't afford to donate, any amount for those that can ;) )

User locks on login attempts
  • The number of attempts until the lock kicks in is defined in the ACP
  • The amount of time until the lock expires is defined in...
Click to expand...

Read more about this resource...
 
Will people, who bought it, get a refund? ;)




Just joking. Good to see it available for all.
 
Hi, Thanks for the add-on. just one query, once the account is locked user still can try logging in, screen shot attached. Thanks,
 

Attachments

  • error.webp
    error.webp
    59.9 KB · Views: 32
Quick (possibly stupid) question...

If someone is trying to brute force, say, a Moderators account and they get locked out - does this mean that the Moderator using that account is locked out at the same time or does this add-on only prevent further attempts from a specific IP or machine?
 
lazer said:
Quick (possibly stupid) question...



If someone is trying to brute force, say, a Moderators account and they get locked out - does this mean that the Moderator using that account is locked out at the same time or does this add-on only prevent further attempts from a specific IP or machine?
Click to expand...

That's not at all a stupid question

The functionality that this plugin provides is the same functionality that is already in the ACP (user locks)... I'm not really doing anything new, just using what is already available

The username is locked (IP's can be changed), but it's a small lock (for 30 seconds / 40 seconds). It would be tedious to use this maliciously, it would be easier to lock your admin account via the functionality that is already there in the ACP, since the lock in the ACP is 15 minutes. This is one reason long locks are never a good idea, they are also user unfriendly. Use the default set up and users wont even notice the locks, it would be tedious to continously lock accounts, and you still prevent brute force attempts
 
Gopala Subramanium said:
Hi, Thanks for the add-on. just one query, once the account is locked user still can try logging in, screen shot attached. Thanks,
Click to expand...

No they can't, the username is locked, even if they use the correct password they can't log in, they have to wait for the lock to expire to get a different response back for that username (try it)

This plugin locks the account until the lock is expired (the same functionality that is available in the ACP), it does not remove the login page/ login drop down
 
Yet to test but sounds promising enough to test out on a dev install due to importance.
So a shout out to tenants for extending XF with an improvement mod regarding security.
 
I would like to see logs for these attempts and blocks. Are they available in the DB?
How much donation would it take to get a log entry and view at /admin.php?tools/ ? ;)
 
UnitySoft said:
Support Xenforo 1.3.x ?
Click to expand...

Since XF 1.2, this plugin is no longer needed, see:

Mike said:
Option to block logins entirely after a few failures
By default, we only CAPTCHA block accounts after several failed login attempts. This may be more user friendly but some people may consider it to be a security issue. You now have the option to disable logins instead of showing a CAPTCHA.
Click to expand...
 
You must log in or register to reply here.
Back
Top Bottom