Failed login notifications

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • kh99
    replied
    Originally posted by woodmj View Post
    I think some confusion may have crept in as kh99 has written 2 mods in this area. One just switches off the email notifications but the other actively puts obstacles in the way of brute force attacks on user account name/password combinations by adding HVM checks after someone has failed to log on to an account after an admin-defined number of times. I'm using the latter and it works a treat on my board.
    Yeah, re-reading the sequence of posts above, I can see how someone would assume that we were talking about a mod that just turns off the emails.

    Also, going back to the idea of using the email address to log in instead of the username, I just remembered this: http://www.vbulletin.org/forum/showt...62#post2540362 for anyone who is interested enough to make file edits. But note that it had not been tested very much.
    Last edited by kh99; Tue 21 Jul '15, 5:18am.


  • woodmj
    replied
    I think some confusion may have crept in as kh99 has written 2 mods in this area. One just switches off the email notifications but the other actively puts obstacles in the way of brute force attacks on user account name/password combinations by adding HVM checks after someone has failed to log on to an account after an admin-defined number of times. I'm using the latter and it works a treat on my board.


  • kh99
    replied
    Originally posted by Paul M View Post
    It does not combat the issue, it just hides it, meaning users will be locked out, but have no e-mail explaining why.
    I agree that just suppressing the emails doesn't combat anything except user complaints about the emails, and might actually hide something that some users would like to know about. But that mod does not really block the emails. If a user locks themselves out (like if they've forgotten their password) they will still receive an email. Also if anyone else makes 5 attempts (providing the HV input as needed), an email will be sent as usual. What the mod does, assuming it works like I think it does, is to stop automated guessing (if that *is* actually what is happening) from triggering the lockout emails, and also it effectively reduces the number of those guesses from one IP address (per lockout period). It's true that in those cases it does hide the fact that guessing is taking place, which is something that I hope people understand when considering whether to install it. I think some admins choose to install it because there is really nothing to be done about a mass password guessing attack from many IP addresses, and the resulting multiple lockout emails just annoy users, so it's a compromise between stopping the emails completely or doing nothing.

    Having said all that, if the mod doesn't work as intended, I'd certainly be interested in knowing. The fact is, I'm not even sure if the occasional attacks we see are even automated.
    Last edited by kh99; Mon 20 Jul '15, 5:09am.
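
A model of the gating behaviour described in the post above (human verification demanded after repeated failures from one IP, lockout email after 5 counted attempts on a username), as an added example that is not part of any post in this thread and is not the mod's own code. The class and field names, the HV threshold of 2 and the 900-second window are assumptions; the traffic is constructed.

```python
from collections import defaultdict, deque

class LoginGuard:
    """Human-verification (HV) gate in front of a per-username strike counter."""

    def __init__(self, hv_after=2, lockout_after=5, window=900):
        self.hv_after = hv_after            # failures per IP before HV is demanded (assumed value)
        self.lockout_after = lockout_after  # counted strikes per username before lockout + email
        self.window = window                # seconds a failure is remembered (assumed value)
        self.ip_failures = defaultdict(deque)
        self.user_strikes = defaultdict(deque)
        self.emails = []                    # usernames that were sent a lockout email

    def _recent(self, q, now):
        while q and now - q[0] >= self.window:   # forget failures older than the window
            q.popleft()
        return len(q)

    def attempt(self, ip, username, password_ok, hv_passed, now):
        if self._recent(self.user_strikes[username], now) >= self.lockout_after:
            return "locked"
        if self._recent(self.ip_failures[ip], now) >= self.hv_after and not hv_passed:
            return "hv_required"            # dropped before the password check: no strike, no email
        if password_ok:
            return "ok"
        self.ip_failures[ip].append(now)
        self.user_strikes[username].append(now)
        if len(self.user_strikes[username]) >= self.lockout_after:
            self.emails.append(username)
            return "locked_email_sent"
        return "failed"

def run(attempts):
    """Replay constructed (ip, username, password_ok, hv_passed) tuples, one per second."""
    guard = LoginGuard()
    results = [guard.attempt(*a, now=t) for t, a in enumerate(attempts)]
    return results, guard.emails

# Constructed sample traffic (documentation IP ranges, made-up username).
SCRIPT_ONE_IP = [("203.0.113.7", "alice", False, False)] * 20   # never supplies HV
FORGETFUL_USER = [("198.51.100.4", "alice", False, True)] * 5   # solves HV each time
MANY_IPS = [(f"192.0.2.{i}", "alice", False, False) for i in range(1, 6)]

if __name__ == "__main__":
    for name, traffic in [("script", SCRIPT_ONE_IP), ("user", FORGETFUL_USER), ("many IPs", MANY_IPS)]:
        results, emails = run(traffic)
        print(f"{name:9} last={results[-1]:18} emails={emails}")
```

The third case is the limitation the post concedes: one guess from each of five addresses never reaches the per-IP HV threshold, so the username is still locked and the email is still sent.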


  • Paul M
    replied
    It does not combat the issue, it just hides it, meaning users will be locked out, but have no e-mail explaining why.


  • boggseric
    replied
    Originally posted by Bryanb View Post

    Yeah, and due to your awesome mod I fixed the problem. Thanks!
    http://www.vbulletin.org/forum/showthread.php?t=317856

    Thanks so much for the link. I have been trying to find something to combat this issue. I hope this works!


  • Bryanb
    replied
    Originally posted by kh99 View Post
    The word is that there is no more planned development on vb4 at this time, so it seems extremely unlikely that this kind of thing will ever be added to an official release. It's easy enough to use a mod or make code changes to eliminate those emails, so I don't think it makes sense to wait for an official release with this feature.
    Yeah, and due to your awesome mod I fixed the problem. Thanks!
    http://www.vbulletin.org/forum/showthread.php?t=317856


  • kh99
    replied
    The word is that there is no more planned development on vb4 at this time, so it seems extremely unlikely that this kind of thing will ever be added to an official release. It's easy enough to use a mod or make code changes to eliminate those emails, so I don't think it makes sense to wait for an official release with this feature.


  • Bryanb
    replied
    I feel I need to bump this up since we are getting a significant increase, and it's no longer an inconvenience but a real problem now. I am getting several "delete my account" emails a day from members who think they are being individually targeted. If one could log in using one's email address instead of a user name, that would pretty much solve the problem. I believe there is a request for this to be implemented in a future version of vBulletin - but c'mon - how many people need to vote on this to get it done? I should not have to rely on some unsupported plugin at the .org site to solve this problem.


  • Bryanb
    replied
    I look at this as just an inconvenience that you have to live with when hosting a community on the web. I too have noticed an uptick this past week or so with members wondering why they're getting these emails. At least they have strong passwords - and I have reminded my community about the importance of having strong passwords. So at least this keeps everyone on their toes.

    No account has been hacked - ever - on our forum. And whenever I receive these notifications from members, I just add the IP to the blocked list. That's about all you can do. Another thing, these brute force attacks seem to be very selective or limited. We have about 27000 members, and only a handful of complaints. I have my admin account and a couple of drone accounts for testing, and I receive these notifications about once every three years or so.


  • woodmj
    replied
    I have China etc banned in Apache and I did try starting to ban the IPs appearing in the warning mails as well but somehow the attacks are made to look like they come from member IPs and so all I was doing was banning my members so I had to stop that. Unless loads of my members are infected with viruses/malware or have decided to attack their own community I can only assume hackers can fake IPs amongst other stuff. I guess there's not much more I can do.


  • Wayne Luke
    replied
    Originally posted by woodmj View Post
    Just out of interest is the latest VB5 more secure against these kinds of attacks? I just caught a bit of a write-up over at vb.org saying that it was 'the most secure version of VB ever'. If it is, I might revisit migrating.

    The emails that people are complaining about are the result of the mechanisms that prevent brute force attacks. That is the security. Your users will continue to receive the emails as long as the IP addresses and countries performing the attacks are able to access your server. Only by banning the IP Addresses at the server level can you prevent the attacks. That is outside of what vBulletin can do.


  • woodmj
    replied
    Just out of interest is the latest VB5 more secure against these kinds of attacks? I just caught a bit of a write-up over at vb.org saying that it was 'the most secure version of VB ever'. If it is, I might revisit migrating.


  • fwulfers
    replied
    There wasn't really a pattern in the IP addresses that were used. I checked a few but gave up after a while.

    I deleted 5000 user accounts (about 60%) of users that signed up more than 6 months ago and never posted. We also had an issue with user PM spamming (possibly from a hacked account) so I enabled PM throttling so users cannot send more than 5 PMs per hour. And users with a post count of less than 5 don't have access to PM at all. Reports of these failed login notifications seemed to have slowed down after I deleted the old user accounts.


  • woodmj
    replied
    This still seems to continue. Wave after wave of it. Big chunks of usernames. Even trying to block proxies and placing the usual suspect country IP blocks.

    The IPs the attacks come from seem to just be faked now as that of valid member ones and so the member ends up getting blocked and the hacker continues to hack.


  • Wayne Luke
    replied
    When all you have available is an IP address, there aren't many conclusive solutions. IP Addresses are transient and easily obtainable. Banning country blocks where they originate is often the best and only solution.
