Tweet
that message which locks you out after incorrect attempts does NOT protect a vbulletin forum from remote bruteforce attacks. I know because I have tried online tools and while it does take a long time to actually get a password, if you do, this still does not protect a vbulletin. A feedback of mine would be to upgrade that to actually work.
-
-
Hello, I believe the system was not designed to protect the board from brute force attempts.Shamil Nunhuck, - Radon Systems Ltd.
█ VPS + Dedicated Server Hosting and Management
█ vBulletin Hosting and Services
█ Server / Website Consultation -
That's interesting. I am being brute forced at the moment. Several long-abandoned accounts with stupidly easy passwords have been accessed, but nothing done with them.Comment
-
I rather thought it WAS...otherwise, what's the point?Originally posted by Shamil. View PostComment
-
It's not designed for brute force, it's just a simple login lock out system to prevent account hacking.Originally posted by Mark.B View PostComment
-
After 5 bad logins, no furture logins will be taken until the 15 min expire, regardless of what is sent to the login script.Comment
-
Thanks Zachery.
I seem to have been getting attacked for about two days now, first time this has happened to this extent. About half a dozen very old abandoned accounts got logged in, though they didn't do anything. Examination of Who's Online shows about half a dozen failed log in attempts every ten to fifteen minutes, and one of my test accounts received the "failed login" email.
Hopefully they'll get bored soon. the admin passwords a pretty strong.Comment
-
Comment
-
It sets a cookie and session right? Or is it by IP address? If it's by cookie and session, then someone could simply delete those and try again. If it's by IP then that's harder and they would have to release/renew with their ISP, or rotate IPs on their proxy/vpn.Originally posted by Zachery View PostComment
-
You know the build up how its coded with current GPU's you can brute force a password in matter of seconds. After you know the build up you can also make a rainbow table of the most used combinations.Originally posted by MRGTB View PostComment
-
Is their a reason that you can not simply ban the IP address ?I seem to have been getting attacked for about two days now, first time this has happened to this extent. About half a dozen very old abandoned accounts got logged in, though they didn't do anything. Examination of Who's Online shows about half a dozen failed log in attempts every ten to fifteen minutes, and one of my test accounts received the "failed login" email.Comment
-
It should be based on a session/ip. Its not based on cookies.Originally posted by feldon23 View PostComment
-
Yep, it's IP based. Have a look at the strikes table.Shamil Nunhuck, - Radon Systems Ltd.
█ VPS + Dedicated Server Hosting and Management
█ vBulletin Hosting and Services
█ Server / Website ConsultationComment
-
Is the username not part of the three strike system because with only IP protection you can brute force it.Originally posted by Shamil. View PostComment
-
The username, IP and time of ban start are logged in the table.Originally posted by we_are_borg View PostShamil Nunhuck, - Radon Systems Ltd.
█ VPS + Dedicated Server Hosting and Management
█ vBulletin Hosting and Services
█ Server / Website ConsultationComment
-
Hello,
I am facing a with a problem in my forum. For some reason all the members of the forum are not able to login to the forum. When they provide the username, password and hit login the...Sun 24 Jan '16, 10:22pm
Comment