
LoginUserLocks - Security Fix [Paid] [Deleted]

Discussion in 'Add-on Releases' started by tenants, Nov 2, 2012.

  1. tenants

    tenants Well-Known Member

    tenants submitted a new resource:

    LoginUserLocks - Security Fix (version 1.0.0) - Prevent attempts to brute force the login area

  2. Mouth

    Mouth Well-Known Member

    Is there any notification to the user during subsequent logon attempts, along the lines of "you have xx logon attempts remaining before your account is locked"?
    Can the expiry time be very large, e.g. 9999999999999, making it essentially a permanent lock? If so, how does admin release/unlock an account?
    Can you see a list of accounts currently locked?
    If, after an account is locked, the user attempts a subsequent logon and their account is still locked, does it tell them how long remaining until the lock is auto released?

    This is me. I'm currently living in Qatar. Thanks.
  3. tenants

    tenants Well-Known Member

    It uses the same mechanism as the ACP area (which made it very easy to create)

    Login to your admin area 5 times with the wrong password, you'll see the same message (this is a 15 minute lock I believe)

    I would strongly recommend not setting high values for the lock. You are only stopping people from sending thousands of brute force attempts a second; to do this, your lock only needs to be a few seconds long (1000 requests per second may take a few hours to brute force an account, 7 attempts per 30 seconds could take years)

    1000 attempts per second = 3,600,000 per hour
    7 attempts per 30 seconds = 840 per hour

    You can see there is quite a difference with only small non-irritating user locks

    I'm keeping this one simple and straightforward, just using the core functionality that is already there, since I think this is an essential security plug-in that should eventually be in the core (or something similar to it in my opinion)

    The error message is simply: Your account has temporarily been locked due to failed login attempts.
    (same as core)

    Oh, I'll let you in, Sorry about that
  4. tenants

    tenants Well-Known Member

    You'll have to give me 15 minutes, you'll never guess what I tested just before letting you through StopCountrySpam...
  5. tenants

    tenants Well-Known Member

    So yes, the ACP user lock is definitely 15 minutes :oops: (IMO it doesn't need to be that long). Anyway, try to register now, it should let you through
  6. Mouth

    Mouth Well-Known Member

    Just tried again, still no go :(
  7. tenants

    tenants Well-Known Member

    Sorry, I still had it blocked. Country Code: QA


    I think I'll create a secure link for country blocks at some point
  8. tenants

    tenants Well-Known Member

    It does now, it was fairly simple to do, I've updated it to display the amount of time left:

    This also counts down dynamically, and as soon as it gets to 0, the page redirects to the forum home (so the user knows to login again)
    Mouth likes this.
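Added example, not part of the thread and not the add-on's code: a Python model of the short temporary lock tenants describes in post 3, with the time-remaining value that a countdown like the one in post 8 would display. The class, function and account names and the 30-second lock length are assumptions; the 7-failures-per-30-seconds and 1000-attempts-per-second figures are the ones from the post.

```python
from collections import defaultdict, deque


class LoginLock:
    """Temporary per-account lock after repeated failed logins (hypothetical policy)."""

    def __init__(self, max_failures=7, window_ms=30_000, lock_ms=30_000):
        self.max_failures = max_failures
        self.window_ms = window_ms
        self.lock_ms = lock_ms            # assumed lock length, not stated in the thread
        self._failures = defaultdict(deque)   # account -> recent failure timestamps (ms)
        self._locked_until = {}               # account -> timestamp (ms) the lock ends

    def remaining_ms(self, account, now_ms):
        """Time left on the lock: the value a countdown message would show."""
        return max(0, self._locked_until.get(account, 0) - now_ms)

    def attempt(self, account, password_ok, now_ms):
        """Return 'locked', 'ok' or 'failed'. A locked attempt never tests the password."""
        if self.remaining_ms(account, now_ms) > 0:
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        recent = self._failures[account]
        recent.append(now_ms)
        while recent and recent[0] <= now_ms - self.window_ms:
            recent.popleft()              # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now_ms + self.lock_ms
            recent.clear()
        return "failed"


def guesses_tested(lock, duration_ms, interval_ms=1):
    """Count guesses actually checked when a client retries every interval_ms."""
    tested, now = 0, 0
    while now < duration_ms:
        wait = lock.remaining_ms("alice", now)
        if wait:                          # requests sent during a lock test nothing
            now += wait
            continue
        lock.attempt("alice", False, now)
        tested += 1
        now += interval_ms
    return tested


HOUR_MS = 3_600_000
UNLOCKED_PER_HOUR = 1000 * 3600                          # no lock: 3,600,000
LOCKED_PER_HOUR = guesses_tested(LoginLock(), HOUR_MS)   # with the lock: 840
```
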
  9. tenants

    tenants Well-Known Member

  10. Mouth

    Mouth Well-Known Member

    Thanks! As soon as the ^$#&@ at PayPal unlock my account, I'll complete the purchase.

    (I was using Paymate.com on my old website, and swapped to PayPal (more by necessity than choice) when migrating to xf last week, and now they've locked my account and require all sorts of business documentation for authenticity due to increased activity on the account)!!!! ^$&$&*#&^% :)
  11. DRE

    DRE Well-Known Member

    If the user has CAPTCHA in place, after 5 attempts the CAPTCHA is activated. However, this is of no use, and does not prevent multiple requests from continuing (see norecaptcha / recaptchaocr / captchasniper / AutoCaptcha / deathbycaptcha / Stiltwalker / Custom OCR / ANNs)

    ^^^Doesn't the new key keyCaptcha pretty much make this statement not apply to it?
  12. Mouth

    Mouth Well-Known Member

    Done. Thanks.
  13. tenants

    tenants Well-Known Member

  14. tenants

    tenants Well-Known Member

    You should be able to use Chris Deeming's installer for this now, but if you extract the zip, you should have a folder named "LoginUserLocks"

    Add that folder to your library folder (this is where the plugins are usually added... sometimes you need to add other stuff to the javascript/data folder, but not for this plug)
    So now you should have the structure


    then put the file "addon-LoginUserLocks.xml" inside that folder, so now you have the structure

    • Go to ACP -> Add-ons -> Install Add-on -> Install from file on server
    • Install from file on server: " library/LoginUserLocks/addon-LoginUserLocks.xml"
    • Set options in the administration control panel ACP>>Home>>Options>>LoginUserLocks
    Core Freedom likes this.
  15. tenants

    tenants Well-Known Member

    This is my user locks file structure:

    With this structure, I can then log into the admin control panel,
    Select Add-ons -> Install Add-on -> Install from file on server
    install from file on server, using the following path: " library/LoginUserLocks/addon-LoginUserLocks.xml"
  16. Core Freedom

    Core Freedom Well-Known Member

    I don't have Chris' installer add-on. I have his RegTimer add-on to keep out the spammers.

    I tried everything you said above, can't get it to work. It keeps giving me an error message. :-(

    What filezilla tells me is that this is where the file is. But when I upload that using the server method, I get error messages.

  17. tenants

    tenants Well-Known Member

    how did that path happen, it should have the path:

    Edit: Oh, I know what happened, when unzipping you selected the option

    "Extract to LoginUserLocks_v1_0_1"

    ... well that's fine, inside that folder you will have a folder named LoginUserLocks, this is the folder that goes inside your library (if you want, I can add this for you)

    in the end, you must have the following path:
    and inside that add the xml file, so that you have the path
  18. Core Freedom

    Core Freedom Well-Known Member

    I'm not sure, here is what I see.
    screenshot filezilla.png
  19. tenants

    tenants Well-Known Member

    okay, can you drag the folder "LoginUserLocks" (not LoginUserLocks_v1_0_1) to your library folder
  20. tenants

    tenants Well-Known Member

    We're almost there ;)
    Core Freedom likes this.
