• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

LoginUserLocks - Prevent Brute Force: Security 1.0.01

No permission to download

tenants

Well-known member
#1
tenants submitted a new resource:

LoginUserLocks - Prevent Brute Force: Security (version 1.0.01) - Prevent attempts to brute force the login area

Feel free to Donate. Originally this was a paid add-on, but it's suspected this might now be being exploited. I've made this free so it's available to everyone (it's free for those who can't afford to donate, any amount for those that can ;) )

User locks on login attempts
  • The number of attempts until the lock kicks in is defined in the ACP
  • The amount of time until the lock expires is defined in...
Read more about this resource...
 

lazer

Well-known member
#4
Quick (possibly stupid) question...

If someone is trying to brute force, say, a Moderators account and they get locked out - does this mean that the Moderator using that account is locked out at the same time or does this add-on only prevent further attempts from a specific IP or machine?
 

tenants

Well-known member
#5
Quick (possibly stupid) question...



If someone is trying to brute force, say, a Moderators account and they get locked out - does this mean that the Moderator using that account is locked out at the same time or does this add-on only prevent further attempts from a specific IP or machine?
That's not at all a stupid question

The functionality that this plugin provides is the same functionality that is already in the ACP (user locks)... I'm not really doing anything new, just using what is already available

The username is locked (IP's can be changed), but it's a small lock (for 30 seconds / 40 seconds). It would be tedious to use this maliciously, it would be easier to lock your admin account via the functionality that is already there in the ACP, since the lock in the ACP is 15 minutes. This is one reason long locks are never a good idea, they are also user unfriendly. Use the default set up and users wont even notice the locks, it would be tedious to continously lock accounts, and you still prevent brute force attempts
 

tenants

Well-known member
#6
Hi, Thanks for the add-on. just one query, once the account is locked user still can try logging in, screen shot attached. Thanks,
No they can't, the username is locked, even if they use the correct password they can't log in, they have to wait for the lock to expire to get a different response back for that username (try it)

This plugin locks the account until the lock is expired (the same functionality that is available in the ACP), it does not remove the login page/ login drop down
 
#7
Yet to test but sounds promising enough to test out on a dev install due to importance.
So a shout out to tenants for extending XF with an improvement mod regarding security.
 

Mouth

Well-known member
#8
I would like to see logs for these attempts and blocks. Are they available in the DB?
How much donation would it take to get a log entry and view at /admin.php?tools/ ? ;)
 

tenants

Well-known member
#13
Support Xenforo 1.3.x ?
Since XF 1.2, this plugin is no longer needed, see:

Option to block logins entirely after a few failures
By default, we only CAPTCHA block accounts after several failed login attempts. This may be more user friendly but some people may consider it to be a security issue. You now have the option to disable logins instead of showing a CAPTCHA.