
LoginUserLocks - Security Fix [Paid] [Deleted]

tenants

Well-known member
#1
tenants submitted a new resource:

LoginUserLocks - Security Fix (version 1.0.0) - Prevent attempts to brute force the login area

User locks on login attempts
  • The number of attempts until the lock kicks in is defined in the ACP
  • The amount of time until the lock expires is defined in the ACP
There is no intention to fix this outside of the 1.2 release since it has not been deemed a high enough priority security risk

This plugin fixes the following issue:
Scenario: Brute forcing the admin account is simple (and very simple under certain scenarios)

Since the Admin username is very exposed in forums,...
 

Mouth

Well-known member
#2
Is there any notification to the user during subsequent logon attempts, along the lines of "you have xx logon attempts remaining before your account is locked"?
Can the expiry time be very large, eg. 9999999999999, making it essentially a permanent lock? If so, how does admin release/unlock an account?
Can you see a list of accounts currently locked?
If, after an account is locked, the user attempts a subsequent logon and their account is still locked, does it tell them how long remaining until the lock is auto released?

(note, if the forum tells you that it is closed from registering, it is likely I have prevented your country from registering with StopCountrySpam, let me know if this is the case via PM/Conversation)
This is me. I'm currently living in Qatar. Thanks.
 

tenants

Well-known member
#3
It uses the same mechanism as the ACP area (which made it very easy to create)

Login to your admin area 5 times with the wrong password, you'll see the same message (this is a 15 minute lock I believe)

I would strongly recommend not setting high values for the lock; you are only stopping people from sending thousands of brute force attempts a second, and to do this your lock only needs to be a few seconds long (1000 requests per second may take a few hours to brute force an account, 7 attempts per 30 seconds could take years)

1000 attempts per second = 3,600,000 per hour
7 attempts per 30 seconds = 840 per hour

You can see there is quite a difference with only small, non-irritating user locks

I'm keeping this one simple and straightforward, just using the core functionality that is already there, since I think this is an essential security plug-in that should eventually be in the core (or something similar to it, in my opinion)

The error message is simply: Your account has temporarily been locked due to failed login attempts.
(same as core)

This is me. I'm currently living in Qatar. Thanks.
Oh, I'll let you in, Sorry about that
 

tenants

Well-known member
#5
So yes, the ACP user lock is definitely 15 minutes :oops: (IMO it doesn't need to be that long). Anyway, try to register now, it should let you through
 

tenants

Well-known member
#7
Sorry, I still had it blocked. Country Code: QA

now?

I think I'll create a secure link for country blocks at some point
 

tenants

Well-known member
#8
does it tell them how long remaining until the lock is auto released
It does now, it was fairly simple to do, I've updated it to display the amount of time left:

Your account has been locked for 80 seconds due to failed login attempts, you have 55 seconds remaining
This also counts down dynamically, and as soon as it gets to 0, the page redirects to the forum home (so the user knows to login again)
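As an added illustration of the lock behaviour described in posts #3 and #8 (this is not the LoginUserLocks add-on's own PHP code, which the thread does not show), the model below implements the two ACP settings the add-on exposes (failed attempts before the lock engages, lock duration), produces the "locked for N seconds, M seconds remaining" message, and carries through the guesses-per-hour arithmetic from post #3. The class and function names (`LoginLockPolicy`, `attempt`, `guesses_per_hour`) and the 1000 requests/second attacker rate are assumptions made for the example; timestamps are plain integer seconds so it runs offline:

```python
# Added example, not the add-on's code: a minimal failed-login lock with an
# attempt threshold and an expiry, plus the throughput arithmetic from the thread.
from dataclasses import dataclass, field


@dataclass
class LoginLockPolicy:
    max_attempts: int = 5        # failed attempts before the lock engages (ACP option)
    lock_seconds: int = 80       # how long the lock lasts, in seconds (ACP option)
    # per-user state: consecutive failure count and lock expiry timestamp
    _failures: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)

    def seconds_remaining(self, user: str, now: int) -> int:
        """Seconds left on the user's lock; 0 if not locked (expired locks are cleared)."""
        until = self._locked_until.get(user)
        if until is None:
            return 0
        remaining = until - now
        if remaining <= 0:
            del self._locked_until[user]
            self._failures.pop(user, None)
            return 0
        return remaining

    def attempt(self, user: str, password_ok: bool, now: int) -> tuple[bool, str]:
        """Process one login attempt at time `now`; returns (allowed, message).

        Like the core ACP lock the thread refers to, a locked account is rejected
        even when the password is correct, so a guess cannot be confirmed during
        the lock window.
        """
        remaining = self.seconds_remaining(user, now)
        if remaining > 0:
            return False, (
                f"Your account has been locked for {self.lock_seconds} seconds due to "
                f"failed login attempts, you have {remaining} seconds remaining"
            )
        if password_ok:
            self._failures.pop(user, None)   # a successful login resets the counter
            return True, "Login successful"
        count = self._failures.get(user, 0) + 1
        if count >= self.max_attempts:
            self._failures.pop(user, None)
            self._locked_until[user] = now + self.lock_seconds
            return False, (
                f"Your account has been locked for {self.lock_seconds} seconds due to "
                f"failed login attempts, you have {self.lock_seconds} seconds remaining"
            )
        self._failures[user] = count
        return False, f"Incorrect password, {self.max_attempts - count} attempts remaining"


def guesses_per_hour(rate_per_second: float, max_attempts: int = 0, lock_seconds: float = 0) -> float:
    """Upper bound on password guesses per hour against one account.

    Without a lock the bound is just the request rate. With a lock the attacker
    gets max_attempts guesses, then must wait lock_seconds before the next batch,
    so throughput is max_attempts per (max_attempts / rate + lock_seconds) cycle.
    """
    if max_attempts <= 0 or lock_seconds <= 0:
        return rate_per_second * 3600
    cycle = max_attempts / rate_per_second + lock_seconds
    return max_attempts * 3600 / cycle


if __name__ == "__main__":
    policy = LoginLockPolicy(max_attempts=5, lock_seconds=80)
    for t in range(5):                                   # five wrong passwords, one per second
        print(policy.attempt("admin", False, 1000 + t)[1])
    print(policy.attempt("admin", True, 1029)[1])        # correct password, still locked
    print(policy.attempt("admin", True, 1084)[1])        # lock expired, login succeeds
    print(f"no lock, 1000 req/s: {guesses_per_hour(1000):,.0f} guesses/hour")
    print(f"7 attempts per 30 s lock: {guesses_per_hour(1000, 7, 30):,.0f} guesses/hour")
```

With the post's own numbers the function reproduces its figures: 1000 requests per second with no lock is 3,600,000 guesses per hour, while 7 attempts followed by a 30 second lock caps the same attacker at about 840 per hour, which is why a short lock is enough and a very long one mostly punishes legitimate users.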
 

Mouth

Well-known member
#10
Thanks! As soon as the ^$#&@ at PayPal unlock my account, I'll complete the purchase.

(I was using Paymate.com on my old website, and swapped to PayPal (more by necessity than choice) when migrating to xf last week, and now they've locked my account and require all sorts of business documentation for authenticity due to increased activity on the account)!!!! ^$&$&*#&^% :)
 

DRE

Well-known member
#11
If the user has CAPTCHA in place, after 5 attempts the CAPTCHA is activated. However, this is of no use, and does not prevent multiple requests from continuing (see norecaptcha / recaptchaocr / captchasniper / AutoCaptcha / deathbycaptcha / Stiltwalker / Custom OCR / ANNs)

^^^Doesn't the new keyCaptcha pretty much make this statement not apply to it?
 

tenants

Well-known member
#14
You should be able to use Chris Deeming's installer for this now, but if you extract the zip, you should have a folder named "LoginUserLocks"

Add that folder to your library folder (this is where the plugins are usually added...sometimes you need to add other stuff to the javascript/data folder, but not for this plug-in)
So now you should have the structure

yourforum/library/LoginUserLocks/

then put the file "addon-LoginUserLocks.xml" inside that folder, so now you have the structure

library/LoginUserLocks/addon-LoginUserLocks.xml
  • Go to ACP -> Add-ons -> Install Add-on -> Install from file on server
  • Install from file on server: " library/LoginUserLocks/addon-LoginUserLocks.xml"
  • Set options in the administration control panel ACP>>Home>>Options>>LoginUserLocks
 

tenants

Well-known member
#15
This is my user locks file structure:
[attachment: userlocks.png]

With this structure, I can then log into the admin control panel,
Select Add-ons -> Install Add-on -> Install from file on server
install from file on server, using the following path: " library/LoginUserLocks/addon-LoginUserLocks.xml"
 

Core Freedom

Well-known member
#16
I don't have Chris' installer add-on. I have his RegTimer add-on to keep out the spammers.

I tried everything you said above, can't get it to work. It keeps giving me an error message. :-(

What filezilla tells me is that this is where the file is. But when I upload that using the server method, I get error messages.

library/LoginUserLocks_v1_0_1/addon-LoginUserLocks.xml
 

tenants

Well-known member
#17
How did that path happen? It should have the path:
library/LoginUserLocks/addon-LoginUserLocks.xml

Edit: Oh, I know what happened, when unzipping you selected the option

"Extract to LoginUserLocks_v1_0_1"

... well that's fine, inside that folder you will have a folder named LoginUserLocks, this is the folder that goes inside your library (if you want, I can add this for you)

in the end, you must have the following path:
yourforum/library/LoginUserLocks/
and inside that add the xml file, so that you have the path
library/LoginUserLocks/addon-LoginUserLocks.xml