1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Unmaintained LoginUserLocks - Prevent Brute Force: Security 1.0.01

Prevent attempts to brute force the login area

  1. tenants

    tenants Well-Known Member

    tenants submitted a new resource:

    LoginUserLocks - Prevent Brute Force: Security (version 1.0.01) - Prevent attempts to brute force the login area

    Read more about this resource...
     
  2. HWS

    HWS Well-Known Member

    Will people, who bought it, get a refund? ;)




    Just joking. Good to see it available for all.
     
  3. Gopala Subramanium

    Gopala Subramanium Active Member

    Hi, Thanks for the add-on. just one query, once the account is locked user still can try logging in, screen shot attached. Thanks,
     

    Attached Files:

  4. lazer

    lazer Well-Known Member

    Quick (possibly stupid) question...

    If someone is trying to brute force, say, a Moderators account and they get locked out - does this mean that the Moderator using that account is locked out at the same time or does this add-on only prevent further attempts from a specific IP or machine?
     
  5. tenants

    tenants Well-Known Member

    That's not at all a stupid question

    The functionality that this plugin provides is the same functionality that is already in the ACP (user locks)... I'm not really doing anything new, just using what is already available

    The username is locked (IP's can be changed), but it's a small lock (for 30 seconds / 40 seconds). It would be tedious to use this maliciously, it would be easier to lock your admin account via the functionality that is already there in the ACP, since the lock in the ACP is 15 minutes. This is one reason long locks are never a good idea, they are also user unfriendly. Use the default set up and users wont even notice the locks, it would be tedious to continously lock accounts, and you still prevent brute force attempts
     
    lazer likes this.
  6. tenants

    tenants Well-Known Member

    No they can't, the username is locked, even if they use the correct password they can't log in, they have to wait for the lock to expire to get a different response back for that username (try it)

    This plugin locks the account until the lock is expired (the same functionality that is available in the ACP), it does not remove the login page/ login drop down
     
  7. Chime

    Chime Member

    Yet to test but sounds promising enough to test out on a dev install due to importance.
    So a shout out to tenants for extending XF with an improvement mod regarding security.
     
  8. Mouth

    Mouth Well-Known Member

    I would like to see logs for these attempts and blocks. Are they available in the DB?
    How much donation would it take to get a log entry and view at /admin.php?tools/ ? ;)
     
  9. lazer

    lazer Well-Known Member

    Does this work with 1.2 or is it replaced by new core functionality?
     
  10. tenants

    tenants Well-Known Member

    I believe the core now does this (although I haven't tested it)
     
  11. lazer

    lazer Well-Known Member

    Ok, thanks mate.
     
  12. UnitySoft

    UnitySoft Member

    Support Xenforo 1.3.x ?
     
  13. tenants

    tenants Well-Known Member

    Since XF 1.2, this plugin is no longer needed, see:

     

Share This Page