Jump to content

Lock Accounts After "x" Failed Logins For "x" Mins


Guest Logan

Recommended Posts

Posted

We really need this feature to add to the security of our board, Matt said he was considering adding it but in case it's forgotten or not sure how to be implemented. I will post a feature request for it (I also posted a mod request for this at IZE in case this isn't in 2.1):

Purpose: To lock accounts after a certain amount of failed logins have been reached due to an incorrect password, for a certain amount of time.

Features:

  • Be able to set the amount of failed logins it takes to lock the account (ACP setting).
  • Be able to set the amount of minutes the account stays locked for after the amount of failed logins has been reached (ACP setting).
  • Be able to display a message to the user when a failed login occurs, ex:
    "You have used 1 out of 5 login attempts. After all 5 have been used, you will be unable to login for 15 minutes."
  • Allow the owner of the account to unlock their account via a link sent to their email. This is a great feature to protect from attackers and people intentionally locking your account. Still provide the lockout time, but to unlock before the time expires use the link in your email.
  • MAYBE (not a required feature), but would be nice. Be able to set which user groups this affects (configurable in the general settings of this mod, not group settings) make it a scrolling div and be able to select the groups there.
  • And when all of the failed login attempts have been reached if they try to login again show a message that the account is currently locked and the time remaining before the account is unlocked is in "x" amount of minutes (show minutes remaining before account is unlocked), if you would like to unlock your account right away check your email for an unlock link.
Also, it may be a good idea to add logging to this feature. Username attempted, attempt #, IP Address of attemptee, date/time.

Thank you.
Posted

There is the Login Security System which works QUITE WELL for 2.0.4 - which I'm sure will be converted over to 2.1 - made by SOG

Although all features included in LSS would make great additions to 2.1 FINAL.

very nice idea :thumbsup:


and maybe a log of all failed connection with the IP of the person and the name tried


Is one of the features of LSS...
Posted

There is the Login Security System which works QUITE WELL for 2.0.4 - which I'm sure will be converted over to 2.1 - made by SOG



Although all features included in LSS would make great additions to 2.1 FINAL.




Is one of the features of LSS...


The LSS is extremely buggy and doesn't work well at all. However, yes either way it would be best if this feature was implemented into IPB 2.1.
Posted

there's a disadvantage, someone can lock many account of your board.


Very true, hmm. There must be something that could be put in place to stop / limit that from happening.
Posted

The LSS is extremely buggy and doesn't work well at all. However, yes either way it would be best if this feature was implemented into IPB 2.1.


I know on my version, I fixed all the bugs manually - and it worked beautifully.

Nonetheless, Matt should get the feature list from it and base everything off of it - as it has many great features.
Posted

Very true, hmm. There must be something that could be put in place to stop / limit that from happening.


Probley make some accounts unable to be locked, no matter how many times the person tries to lock it. So like (say this was implemented) all the "admin (ROOT)" accounts couldn't be locked.
Posted

In 2.1 you can choose the username and the display name, isn't it?

So, if anyone try to block your account he'll need to know your login username, because i think it is displayed on the boards just your display names, isn't it?

Posted

Probley make some accounts unable to be locked, no matter how many times the person tries to lock it. So like (say this was implemented) all the "admin (ROOT)" accounts couldn't be locked.


Quite the opposite, you'd want the root account to lock out.
Posted

In 2.1 you can choose the username and the display name, isn't it?



So, if anyone try to block your account he'll need to know your login username, because i think it is displayed on the boards just your display names, isn't it?


Very, very good point! No one will know your username except you, therefore display names would really help stop abuse if this were to be a feature :D
Posted

I believe that Matt said in another thread that he was considering this feature for IPB v3.0 so we'll have to wait and see if it gets added at that time because as far as I know Matt's done adding features to 2.1...

Posted

If a feature like this were to be installed.. Firstly, I doubt it's going to make it to v2.1..

An option to be able to unlock the account would be nice, where an unlock email could be requested (once per locking). That way if someone went on a "locking spree", someone could get it unlocked early, perhaps even with a 2nd link that would enable them to choose a different password when signing in.

As for display/login names, I think that login names are not disclosed, but there could be a way to find it out.

Posted

Yeah on this board for members pre-display name..

But what about those who register with one type of login name, and something else as a display name? Then that doesn't reveal it.

So, yeah that's a good spot, but no, I mean something a little more guaranteed.

Posted

Well I think the difference between the login username and the display name was a very good point imporved to IPB. It will help on attacks and blocking accounts and will be a very good safety resource.

I do think that it could be improved in IPB 2.1, we don't mind waiting for some more time if it will be for our own security. At least I don't mind waiting one more month to the 2.1 release.

Just one~more point: if you are already thinking on features to IPB 3.0 it take me to thinking if IPB 2.1 is an official update or just a "beta" version for 3.0.

Posted

Yes just like the LSS, also give the user the option to unlock via a link in their email. Also display it in the error message "Your account has been locked for 15 minutes if you would like to unlock it without waiting for the time check your email" or something.

Posted

Yes just like the LSS, also give the user the option to unlock via a link in their email. Also display it in the error message "Your account has been locked for 15 minutes if you would like to unlock it without waiting for the time check your email" or something.


Good ideia Logan, it would be good for the users and bad for the attackers, and also a safety feature that would help many administrators and their communities.
Posted

Yup, I really hope this feature makes it into IPB 2.1, or at least IPB 2.2. IPB 3.0 is really far away from now.

I've updated the feature list and added unlock link via email as well.

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...