Forum security enhancement - limit on incorrect logins
Postings by administrators only.
Posted by
| Nick Gammon
Australia (22,975 posts) bio
Forum Administrator |
Date
| Fri 19 Mar 2010 02:15 AM (UTC) Amended on Fri 19 Mar 2010 04:09 AM (UTC) by Nick Gammon
|
Message
| The forum here has a new feature - if you attempt to log in with an incorrect password more than 5 times your IP address will be banned, making it impossible to log in in future from that IP address.
The intention of this is to stop people running automated password-cracking attempts, where they attempt to log in (with a script) by trying thousands of times.
Once you have logged in successfully, your failed attempts (for that IP address) are wiped from the database. Thus you have another 5 attempts available next time.
The failures are recorded by IP address, to stop a denial-of-service attack (where someone might deliberately log in to a known user, and fail, to cause that account to be blocked). Thus only that IP address is blocked from logging in.
Once you have reached the limit the error message will change from "That username/password combination is not on file" to "That TCP/IP address is not permitted to log on". After that, that particular IP address cannot be used to log onto the forum for 24 hours.
You could change to a computer with a different IP address, and post a message on the forum along the lines of:
"Please clear the unsuccessful logins recorded against my username".
Verification of your failed attempts will precede any clearing of the block.
Or simply wait 24 hours before trying again.
|
- Nick Gammon
www.gammon.com.au, www.mushclient.com | top |
|
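The policy described in the post above, as an added Python example that is not the forum's own code: failures are counted per IP address rather than per account, a successful login wipes that IP's count, and an IP that reaches the limit is refused for 24 hours. Assumptions: the class and function names are hypothetical, the block starts once 5 failures are recorded and runs from the latest one, unknown usernames count as failures, and password checking is delegated to a caller-supplied `verify` function.

```python
import hmac
import time

MAX_FAILURES = 5               # limit stated in the post
BLOCK_SECONDS = 24 * 60 * 60   # block length stated in the post
MSG_BAD_LOGIN = "That username/password combination is not on file"
MSG_IP_BLOCKED = "That TCP/IP address is not permitted to log on"


class LoginLimiter:
    """Counts failed logins per source IP, never per account (hypothetical class)."""

    def __init__(self, verify, clock=time.time):
        self.verify = verify   # verify(username, password) -> bool, supplied by the caller
        self.clock = clock     # injectable so the 24-hour expiry can be tested
        self.failures = {}     # ip -> (failure count, time of latest failure)

    def _blocked(self, ip):
        count, last = self.failures.get(ip, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self.clock() - last >= BLOCK_SECONDS:
            del self.failures[ip]   # block has expired: start a fresh count
            return False
        return True

    def login(self, ip, username, password):
        """Return (ok, message) for one login attempt."""
        # Check the block first: a blocked IP is refused even with a valid password.
        if self._blocked(ip):
            return False, MSG_IP_BLOCKED
        if self.verify(username, password):
            self.failures.pop(ip, None)   # success wipes this IP's failures
            return True, "OK"
        # Assumption: any failed attempt counts, including unknown usernames.
        count, _ = self.failures.get(ip, (0, 0.0))
        self.failures[ip] = (count + 1, self.clock())
        return False, MSG_BAD_LOGIN


def demo_verify(username, password):
    """Constructed single-account check; a real site compares password hashes."""
    return username == "alice" and hmac.compare_digest(password.encode(), b"correct horse")


if __name__ == "__main__":
    limiter = LoginLimiter(demo_verify)
    for _ in range(6):   # constructed attempts from a documentation-range IP
        print(limiter.login("203.0.113.7", "alice", "wrong"))
    print(limiter.login("198.51.100.9", "alice", "correct horse"))
```

Because the counter is keyed on the IP address, the last line of the demo still succeeds: repeated failures from one address do not lock the account for anyone else.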
Posted by
| Nick Gammon
Australia (22,975 posts) bio
Forum Administrator |
Date
| Reply #1 on Sun 21 Mar 2010 02:57 AM (UTC) Amended on Sun 21 Mar 2010 03:01 AM (UTC) by Nick Gammon
|
Message
| The new security code and accompanying logs have shown some unexpected results. There are about 200 attempts a day to log onto this forum by people who do not even attempt to use a valid username (the usernames look randomly generated).
It's like there are bots out there that just randomly fill in forms hoping for the best. What they intend to do if they succeed (and how do you define success?) I don't know.
Suffice to say that extra code has been added today to deal with those pests.
|
- Nick Gammon
www.gammon.com.au, www.mushclient.com | top |
|
The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).
To show them in your local time you can join the forum, and then set the 'time correction' field in your profile to the number of hours difference between your location and UTC time.
Information and images on this site are licensed under the Creative Commons Attribution 3.0 Australia License unless stated otherwise.