Failed login notifications

  • #16
    Originally posted by woodmj
    Just out of interest, is the latest VB5 more secure against this kind of attack? I just caught a bit of a write-up over at vb.org saying that it was 'the most secure version of VB ever'. If it is I might revisit migrating.

    The emails that people are complaining about are the result of the mechanisms that prevent brute force attacks. That is the security. Your users will continue to receive the emails as long as the IP addresses and countries performing the attacks are able to access your server. Only by banning the IP addresses at the server level can you prevent the attacks. That is outside of what vBulletin can do.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API

    Comment


    • #17
      I have China etc. banned in Apache, and I did try starting to ban the IPs appearing in the warning mails as well, but somehow the attacks are made to look like they come from member IPs, and so all I was doing was banning my members, so I had to stop that. Unless loads of my members are infected with viruses/malware or have decided to attack their own community, I can only assume hackers can fake IPs amongst other stuff. I guess there's not much more I can do.

      Comment


      • #18
        I look at this as just an inconvenience that you have to live with when hosting a community on the web. I too have noticed an uptick this past week or so with members wondering why they're getting these emails. At least they have strong passwords - and I have reminded my community about the importance of having strong passwords. So at least this keeps everyone on their toes.

        No account has been hacked - ever - on our forum. And whenever I receive these notifications from members, I just add the IP to the blocked list. That's about all you can do. Another thing, these brute force attacks seem to be very selective or limited. We have about 27000 members, and only a handful of complaints. I have my admin account and a couple of drone accounts for testing, and I receive these notifications about once every three years or so.
        ~ Master of my own Domain ~

        Comment


        • #19
          I feel I need to bump this up since we are getting a significant increase, and it's no longer an inconvenience but a real problem now. I am getting several "delete my account" emails a day from members who think they are being individually targeted. If one could log in using one's email address instead of a user name, that would pretty much solve the problem. I believe there is a request for this to be implemented in a future version of vBulletin - but c'mon - how many people need to vote on this to get it done? I should not have to rely on some unsupported plugin at the .org site to solve this problem.
          ~ Master of my own Domain ~

          Comment


          • #20
            The word is that there is no more planned development on vb4 at this time, so it seems extremely unlikely that this kind of thing will ever be added to an official release. It's easy enough to use a mod or make code changes to eliminate those emails, so I don't think it makes sense to wait for an official release with this feature.

            Comment


            • #21
              Originally posted by kh99
              The word is that there is no more planned development on vb4 at this time, so it seems extremely unlikely that this kind of thing will ever be added to an official release. It's easy enough to use a mod or make code changes to eliminate those emails, so I don't think it makes sense to wait for an official release with this feature.
              Yeah, and due to your awesome mod I fixed the problem. Thanks!
              http://www.vbulletin.org/forum/showthread.php?t=317856
              ~ Master of my own Domain ~

              Comment


              • #22
                Originally posted by Bryanb

                Yeah, and due to your awesome mod I fixed the problem. Thanks!
                http://www.vbulletin.org/forum/showthread.php?t=317856

                Thanks so much for the link. I have been trying to find something to combat this issue. I hope this works!

                Comment


                • #23
                  It does not combat the issue, it just hides it, meaning users will be locked out, but have no e-mail explaining why.
                  Baby, I was born this way

                  Comment


                  • #24
                    Originally posted by Paul M
                    It does not combat the issue, it just hides it, meaning users will be locked out, but have no e-mail explaining why.
                    I agree that just suppressing the emails doesn't combat anything except user complaints about the emails, and might actually hide something that some users would like to know about. But that mod does not really block the emails. If a user locks themselves out (like if they've forgotten their password) they will still receive an email. Also if anyone else makes 5 attempts (providing the HV input as needed), an email will be sent as usual. What the mod does, assuming it works like I think it does, is to stop automated guessing (if that *is* actually what is happening) from triggering the lockout emails, and also it effectively reduces the number of those guesses from one IP address (per lockout period). It's true that in those cases it does hide the fact that guessing is taking place, which is something that I hope people understand when considering whether to install it. I think some admins choose to install it because there is really nothing to be done about a mass password guessing attack from many IP addresses, and the resulting multiple lockout emails just annoy users, so it's a compromise between stopping the emails completely or doing nothing.

                    Having said all that, if the mod doesn't work as intended, I'd certainly be interested in knowing. The fact is, I'm not even sure if the occasional attacks we see are even automated.
                    Last edited by kh99; Mon 20 Jul '15, 5:09am.

                    Comment


                    • #25
                      I think some confusion may have crept in as kh99 has written 2 mods in this area. One just switches off the email notifications but the other actively puts obstacles in the way of brute force attacks on user account name/password combinations by adding HVM checks after someone has failed to log on to an account after an admin-defined number of times. I'm using the latter and it works a treat on my board.

                      Comment
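
The behaviour described in posts #24 and #25 (a human-verification check after an admin-defined number of failed logins, with the lockout email still sent after 5 failures), modelled as an added example that is not part of the thread and is not vBulletin's or the mod's code. The class and function names, the per-(IP, username) strike counter and the 900-second lockout period are assumptions made for illustration.

```python
from collections import defaultdict

class LoginGate:
    """Toy model of strike counting with a human-verification (HV) step."""

    def __init__(self, hv_after=2, lockout_after=5, period=900):
        self.hv_after = hv_after            # failures before HV is demanded (admin-defined)
        self.lockout_after = lockout_after  # failures that trigger lockout + email
        self.period = period                # lockout period in seconds (assumed value)
        self.strikes = defaultdict(list)    # (ip, username) -> failure timestamps
        self.emails = []                    # usernames that were sent a lockout email
        self.password_checks = 0            # guesses that reached the password check

    def attempt(self, username, ip, password_ok, hv_passed, now):
        key = (ip, username)
        recent = [t for t in self.strikes[key] if now - t < self.period]
        self.strikes[key] = recent          # drop strikes older than the lockout period
        if len(recent) >= self.lockout_after:
            return "locked"
        if len(recent) >= self.hv_after and not hv_passed:
            return "hv_required"            # rejected before the password is looked at: no strike
        self.password_checks += 1
        if password_ok:
            del self.strikes[key]           # successful login clears the counter
            return "ok"
        recent.append(now)
        if len(recent) == self.lockout_after:
            self.emails.append(username)    # the "failed login" notification
            return "locked_email_sent"
        return "failed"


def simulate_bots(gate, username, ips, tries_each):
    """Scripted guessing that never solves HV, spread over several addresses."""
    for ip in ips:
        for i in range(tries_each):
            gate.attempt(username, ip, password_ok=False, hv_passed=False, now=i)
    return gate.password_checks, list(gate.emails)


def simulate_forgetful_member(gate, username, ip, tries):
    """A person who keeps mistyping the password but does solve each HV prompt."""
    return [gate.attempt(username, ip, False, True, now=i) for i in range(tries)]


if __name__ == "__main__":
    ips = [f"203.0.113.{n}" for n in range(1, 11)]   # constructed documentation addresses
    print(simulate_bots(LoginGate(), "alice", ips, 20))
    print(simulate_forgetful_member(LoginGate(), "bob", "198.51.100.7", 6))
```

In this model the 200 scripted attempts from ten addresses produce only 20 password checks and no email, while the member who solves the HV prompt and fails five times is still locked out and notified.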


                      • #26
                        Originally posted by woodmj
                        I think some confusion may have crept in as kh99 has written 2 mods in this area. One just switches off the email notifications but the other actively puts obstacles in the way of brute force attacks on user account name/password combinations by adding HVM checks after someone has failed to log on to an account after an admin-defined number of times. I'm using the latter and it works a treat on my board.
                        Yeah, re-reading the sequence of posts above, I can see how someone would assume that we were talking about a mod that just turns off the emails.

                        Also, going back to the idea of using the email address to log in instead of the username, I just remembered this: http://www.vbulletin.org/forum/showt...62#post2540362 for anyone who is interested enough to make file edits. But note that it had not been tested very much.
                        Last edited by kh99; Tue 21 Jul '15, 5:18am.

                        Comment
