
#1 2012-05-24 22:07:13

gnat
Member
Registered: 2011-07-15
Posts: 13

Security: Maximum Login Attempts

Does this exist in the core somewhere?

What functionality is in place for dealing with a dictionary attack or a malicious user who knows you well?

I realize the redirect time is 1 whole second, but that does not help prevent the latter.


#2 2012-05-24 22:45:11

Newman
Member
Registered: 2011-11-05
Posts: 344

Re: Security: Maximum Login Attempts

Completely pointless and probably a highly annoying mod if it was ever made. vBulletin does it and it's stupid.

You can use a simple session script:

<?php
$seconds = 20;

if (!isset($_SESSION)) {
    session_start();
}

// anti flood protection: reject a login attempt made within $seconds of the last one
if (isset($_SESSION['last_session_request']) && $_SESSION['last_session_request'] > time() - $seconds) {
    message("Stop trying to login so fast...");
}
$_SESSION['last_session_request'] = time();


Something like this would work; place the $_SESSION['last_session_request'] at the bottom of the MySQL query that checks if the password matches what's inputted.

But clearly this is only a temporary solution and is using sessions only, and a hacker can bypass sessions quite easily using other methods which I will not talk about here.

But that code should work for what you're talking about. Or add a new column named "mlogin" to the online table; then each time they try to log in and it fails, use a query to update mlogin = mlogin + 1, and then in the PHP check

if ($user['mlogin'] > 3) message("You used up your failed login attempts already, sorry");

Then you would need to select that mlogin column too to check if it is > 3 ... a performance issue I will not tolerate or approve of. But it's up to you, this is just advice fellas, you can do whatever the hell you wanna do.

Good luck


#3 2012-05-25 04:06:41

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139

Re: Security: Maximum Login Attempts

That would most certainly not work. Nothing forces me to use the same session ID (or any session ID) for subsequent requests. Thus, it's trivial to bypass that sort of protection.


#4 2012-05-25 04:19:07

Newman
Member
Registered: 2011-11-05
Posts: 344

Re: Security: Maximum Login Attempts

Smartys wrote:

That would most certainly not work. Nothing forces me to use the same session ID (or any session ID) for subsequent requests. Thus, it's trivial to bypass that sort of protection.

I specifically said:

"But clearly this is only a temporary solution and is using sessions only, and a hacker can bypass sessions quite easily using other methods which I will not talk about here."

And also, adding a new field in the users table would be another temporary solution. Anyone can bypass session IDs.

I don't see you helping or posting code to help others.


#5 2012-05-25 04:27:59

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139

Re: Security: Maximum Login Attempts

Let me rephrase my previous statement: your solution will only protect against "brute-force" attacks by non-sophisticated users using browsers. That's not the kind of attack you worry about.

In reality, you would need to use IP and username-based protections to lock out malicious attempts (with timeouts), in tandem with password hashing via something like bcrypt that would "slow down" the authentication process. You then have to worry about denial of service attacks against users.

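One way to build the IP- and username-based lockout with timeouts that Smartys describes, as an added Python example that is not code from this thread or from FluxBB. The limits, window, lockout length and injectable clock are assumed values chosen for illustration; the lock expires on its own so a hostile user can only deny the real account owner service for the lockout period, not permanently.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Counts failed logins per client IP and per username (example values).

    A bucket locks once it collects `limit` failures inside `window` seconds;
    the lock expires after `lockout` seconds, bounding the denial-of-service
    an attacker can inflict on a legitimate user by spamming bad passwords.
    """

    def __init__(self, user_limit=5, ip_limit=20, window=300, lockout=900,
                 clock=time.monotonic):
        self.limits = {"user": user_limit, "ip": ip_limit}
        self.window, self.lockout, self.clock = window, lockout, clock
        self._failures = defaultdict(deque)  # bucket key -> failure timestamps
        self._locked_until = {}              # bucket key -> time the lock expires

    @staticmethod
    def _keys(ip, username):
        # Usernames are folded to lower case so "Admin" and "admin" share a bucket.
        return (("ip", ip), ("user", username.strip().lower()))

    def is_locked(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username):
            until = self._locked_until.get(key)
            if until is not None:
                if now < until:
                    return True
                del self._locked_until[key]  # lock has expired; forget it
        return False

    def record_failure(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username):
            dq = self._failures[key]
            dq.append(now)
            while dq and dq[0] <= now - self.window:  # drop failures outside the window
                dq.popleft()
            if len(dq) >= self.limits[key[0]]:
                self._locked_until[key] = now + self.lockout
                dq.clear()

    def record_success(self, ip, username):
        # Only the username bucket is reset: a valid login from an IP that is
        # also guessing other accounts must not wipe that IP's failure history.
        self._failures.pop(("user", username.strip().lower()), None)
```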


Powered by FluxBB 1.5.8