-MM-
Posted June 2, 2011

Hello,

I have a few suggestions for IPB 3.2.0.

* Security - bruteforce protection: Current bruteforce protection works like this: You set X failures in Y time. If a user fails to log in X times in a time frame of Y, then that account will be disabled for his/her IP address. This won't work in all cases. For example, our board is getting attacked by bots that are using proxy lists. If it fails to log in with one proxy IP address X times then it will just take another IP address, and when it runs out of IP addresses then it will just take a new account to bruteforce. At this point current protection will fail because it protects only one account. My suggestion: Make the protection count all login failures in the Y time frame, so it will protect all users.
* Usability improvement - locked accounts: Currently bruteforce protection will lock a user account for Z minutes. IMO a better solution would be replacing locking with a captcha, because sometimes these are real users and they have just forgotten the password or don't remember it fully (for example if they don't use the forums every day). Getting your account locked for, say, 15 minutes is just annoying, and if they are not the most active forum users then they may just leave the board.
* Usability improvement - moderation in topic view: I think it would be great if moderators could edit users' signatures in topic view. It would make moderation way easier, especially on busy boards.
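The board-wide counting and captcha-instead-of-lockout behaviour suggested in the post, sketched as an added example (not IPB code and not written by the poster). The class name, thresholds and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window failure counters: per (account, IP) and board-wide."""

    def __init__(self, per_pair_limit, global_limit, window_seconds):
        self.per_pair_limit = per_pair_limit      # "X failures" in the post
        self.global_limit = global_limit          # assumed board-wide threshold
        self.window = window_seconds              # "Y time" in the post
        self.pair_failures = defaultdict(deque)   # (account, ip) -> timestamps
        self.all_failures = deque()               # every failure, any account/IP

    def _expire(self, q, now):
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def record_failure(self, account, ip, now):
        self.pair_failures[(account, ip)].append(now)
        self.all_failures.append(now)

    def pair_tripped(self, account, ip, now):
        # The existing behaviour described in the post: one account, one IP.
        q = self.pair_failures[(account, ip)]
        self._expire(q, now)
        return len(q) >= self.per_pair_limit

    def captcha_required(self, account, ip, now):
        # Suggested behaviour: challenge instead of locking, and trip on the
        # board-wide count as well as the per-pair count.
        self._expire(self.all_failures, now)
        return (len(self.all_failures) >= self.global_limit
                or self.pair_tripped(account, ip, now))

def simulate_rotating_bot():
    """Constructed traffic: 2 guesses per proxy, next account when proxies run out."""
    throttle = LoginThrottle(per_pair_limit=3, global_limit=20, window_seconds=900)
    proxies = [f"203.0.113.{n}" for n in range(1, 6)]   # documentation address range
    now, pair_trips, first_captcha_at = 0, 0, None
    for account in ("alice", "bob", "carol"):
        for ip in proxies:
            for _ in range(2):
                now += 1
                if first_captcha_at is None and throttle.captcha_required(account, ip, now):
                    first_captcha_at = now
                throttle.record_failure(account, ip, now)
                pair_trips += throttle.pair_tripped(account, ip, now)
    return pair_trips, first_captcha_at
```

In the simulated run the per-pair counter never trips, while the board-wide counter starts demanding a captcha at the 21st attempt; a real deployment would also need to evict idle entries from `pair_failures`.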
This topic is now archived and is closed to further replies.