
how to set a number of limited trials of login from the same IP within a certain time period

Started by on Dec 26, 2018 – Contents updated: Jan 14, 2019

Dec 26, 2018 15:18

Hello,

Some days ago I had attacks from one IP address: 33032 trials to hack the login within 24 hours.
So I am looking for a way to block login after more than e.g. five trials from the same IP address for e.g. 15 minutes. And if this occurs again, block for 120 minutes, and if the attack goes on, set the IP as blocked.
Is there such a feature or a way to realize this?

Would be great
Thanks and Regards, Will

Exact b2evolution version number: 6.10.3

Jan 08, 2019 10:26

You could try to block his IP
See here:
https://b2evolution.net/man/ip-ranges

Jan 08, 2019 11:02

@zebulon Thank you for your advice. I blocked the IP range after I noticed that there was this accumulation of login attempts.
But I don't want anyone to be able to launch such attacks. After all, I don't know how careful some users are when choosing their login data. And there happened really very sophisticated attacks that seem to run through algorithms.

Therefore a limitation of the login attempts would be important to increase security.

Jan 08, 2019 11:52

O.K.
Then you probably want to prevent these attempts on the server level.
For example block the IP in the firewall, or (if you use a Linux server) try fail2ban, which can detect suspicious behavior and block an IP automatically.
I then also recommend to force users to use more secure passwords. See here:
https://b2evolution.net/man/registration-security-settings

Jan 08, 2019 11:57

@zebulon fail2ban comes very close. However, I have b2e running on a shared host and I can only make limited server settings; it would be better if there could be a b2e feature.

Jan 08, 2019 12:06

I see,
In that case something integrated into b2evo makes sense. For example to allow 3 attempts to fail and one has to wait for ca. 3 minutes to try again.
Maybe another option is to use the GeoIP plugin and check the country people come from. Then block those countries where you know you do not have a user base. This could only help to a certain extent, obviously.

Jan 08, 2019 12:57

@amoun would be great to hear, whether this code works in b2e without causing mess or security problems (I am no coder)

Jan 08, 2019 18:48

@saunders I had replied to say I was in no hurry to look at the code and thought someone more adept and with head space may have a look. However I'm about to have a quick look, but I think I'll quickly turn to look for help, that's as long as I can get started. :) Don't wait up for me lol

Jan 08, 2019 21:21

b2evo already does this (since 2013).

In conf/_advanced.php:


/**
 * If user tries to login 10 times during X seconds we refuse login (even if password is correct)
 * If set to 0, then there is never a lockout
 */
$failed_logins_lockout = 600; // 10 minutes

Jan 08, 2019 21:54

Ha! I've just tried messing with the WordPress plugin :)

  1. Can the number of login attempts be modified and
  2. Can a secondary stop be implemented as mentioned in the topic earlier

a) three times with a 20 min disable
b) three more times: on the next set of three, a 20 hour disable.

I suppose there's code somewhere that sets this up

Thanks for the direction

Jan 08, 2019 22:19

My Version 6.10.5

@saunders Given the directions to modify the time login is disabled via [conf/advanced.php] Line 734 by @fplanque I have now found where to set the number of login attempts [/inc/_init_login.ic.php] Line 196. It is set from 0 to 9 so that's ten attempts, I'm setting mine to 2 which should work on the third attempt.
if( $failed_logins_lockout > 0 && count( $login_attempts ) == 9 )

@fplanque Better to have a plugin that is user friendly and that won't get overridden by updates.

Jan 09, 2019 11:03

The plugin I have been looking at will also block IPs if the same one is used to invoke the lock, say 3 x 3 times.

Features

Limit the number of retry attempts when logging in (for each IP). Fully customizable
Limit the number of attempts to log in using auth cookies in same way
https://wordpress.org/plugins/limit-login-attempts/

Jan 09, 2019 22:08

@amoun - it does not work as hoped and intended. In _advanced.php I set the number of trials to 4 until login should pause for 10 minutes. But in my test I could try 15 times and maybe more. Nothing happens. And after all those trials to login I could login when filling in the correct phrases.
Maybe the intended feature does not work. Please try it yourself.

As I understood @fplanque it should not be possible to try to login - at least - for 55000 times using one IP address within a day. But it happened.

Please test, if it works for you
Thanks

Jan 09, 2019 23:27

@saunders wrote earlier:

@amoun - it does not work as hoped and intended. In _advanced.php I set the number of trials to 4 until login should pause for 10 minutes. But in my test I could try 15 times and maybe more. Nothing happens. And after all those trials to login I could login when filling in the correct phrases.
Maybe the intended feature does not work. Please try it yourself.

As I understood @fplanque it should not be possible to try to login - at least - for 55000 times using one IP address within a day. But it happened.

Please test, if it works for you
Thanks

@saunders Given the directions to modify the time login is disabled via [conf/advanced.php] Line 734 by @fplanque I have now found where to set the number of login attempts [/inc/_init_login.ic.php] Line 196. It is set from 0 to 9 so that's ten attempts, I'm setting mine to 2 which should work on the third attempt.
if( $failed_logins_lockout > 0 && count( $login_attempts ) == 9 )

Modifying [_advanced.php] sets the time locked out, not the number of tries; that is in [/inc/_init_login.ic.php]

Jan 09, 2019 23:30

@saunders

Modifying [_advanced.php] sets the time locked out, not the number of tries
$failed_logins_lockout = 600; // 10 minutes

Set the number of tries in [/inc/_init_login.ic.php]
if( $failed_logins_lockout > 0 && count( $login_attempts ) == 2 )

Jan 09, 2019 23:37

I get this. And if I try with the correct password after 10 wrong passwords, I can't log in.

In the hit log though, blocked login attempts are still logged as login attempts.

Jan 09, 2019 23:43

I did this - set it to 4 attempts, but without any effect. (if( $failed_logins_lockout > 0 && count( $login_attempts ) == 4 ))

Jan 10, 2019 00:00

I can't confirm that mod is correct. I can only vouch for the original code.

Jan 10, 2019 09:26

@fplanque I tried to login at b2evolution about 20 times in a row and obviously there was no break. You can check this by a look into your analytics. My IP is 77.118.29.135 at about 09:15 (MEZ).

It does not even work using: http://demo2.b2evolution.net/stable/index.php?disp=login&redirect_to=%2Fstable%2Findex.php%3Fblog%3D1%26disp%3Dfront&return_to=%2Fstable%2Findex.php%3Fblog%3D1%26disp%3Dfront&source=menu%20link

I tried it on a different installation on a different host and also there I was able to try 20+ times to login.
I have never customized or manipulated code which could have affected that.

Jan 10, 2019 11:11

I am using 6.10.4 and haven't changed anything in the code.
Works like it has been explained by @fplanque

After 10 failed attempts the account is locked for 10 minutes. Within these 10 minutes even the correct password isn't accepted.
But I can still login from the same IP to another account with the correct password.

So this would mean that the account is locked for a while, but the IP is not blocked from making further attempts on other accounts.

Jan 10, 2019 11:14

It is a bit odd that a 'targeted user' is locked out of his account though it is not his fault but a hacker's attempt.

Jan 10, 2019 12:05

@fplanque wrote earlier:

I can't confirm that mod is correct. I can only vouch for the original code.

The only difference, as I said in the earlier post #14, is I changed the 9 for a 2 and it works fine on the third attempt to login
Version 6.10.5 [/inc/_init_login.ic.php] Line 196.

@saunders I can only think some syntax error crept in. Here's the code with a 2 as I am using in version 6.10.5

if( $User )
{ // Check user login attempts
	$login_attempts = $UserSettings->get( 'login_attempts', $User->ID );
	$login_attempts = empty( $login_attempts ) ? array() : explode( ';', $login_attempts );
	if( $failed_logins_lockout > 0 && count( $login_attempts ) == 2 )
	{ // User already has a maximum value of the attempts
		$first_attempt = explode( '|', $login_attempts[0] );
		if( $localtimenow - $first_attempt[0] < $failed_logins_lockout )
		{ // User has used 2 attempts during X minutes, Display error and Refuse login
			$login_error = sprintf( T_('There have been three failed login attempts. This account is locked for %s minutes.'), ceil( $failed_logins_lockout / 60 ) );
		}
	}
}

Jan 10, 2019 13:05

OK, problem arising.

Yesterday it all worked as expected, then after @saunders' failed use as in post #17, I thought, AH! maybe it only works with known user names and otherwise will go on for ever. Protecting only users' accounts etc.

So I tried [abcdef] for both user name and password and it didn't work, adding to my theory. So I then used a friend's known user name and now that doesn't lock out either with a random password: so I am bemused and will carry on investigating.

EDIT UPDATE
I thought I'll try logging in properly, to see if that shook something up, which was fine and it did. As then I used my friend's user name and this time it worked using [abcdef] as password, and I receive the message that the account was locked out on the third attempt.

Screenshot on next post

Will try all again later this evening, it's sunny here so I want to work on the land. Bye

Jan 11, 2019 01:35

@saunders wrote earlier:

@fplanque I tried to login at b2evolution about 20 times in a row and obviously there was no break. You can check this by a look into your analytics. My IP is 77.118.29.135 at about 09:15 (MEZ).

It does not even work using: http://demo2.b2evolution.net/stable/index.php?disp=login&redirect_to=%2Fstable%2Findex.php%3Fblog%3D1%26disp%3Dfront&return_to=%2Fstable%2Findex.php%3Fblog%3D1%26disp%3Dfront&source=menu%20link

I tried it on a different installation on a different host and also there I was able to try 20+ times to login.
I have never customized or manipulated code which could have affected that.

Did you use the same wrong password 20 times or did you change it 20 times?

I just followed your link. With 10 different wrong passwords it blocks.

Jan 11, 2019 01:38

@zebulon wrote earlier:

It is a bit odd that a 'targeted user' is locked out of his account though it is not his fault but a hacker's attempt.

Any serious attacker would use a botnet with 10 000 different IPs. Blocking a specific IP is not effective security.

Blocking annoying IPs that bloat your logs is something that should be done at the Apache level.

Jan 11, 2019 01:41

@amoun The blocking is per-user account (10 wrong passwords on a specific login). There is no blocking for non-existing accounts.
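To make the difference between the two policies discussed in this thread concrete (b2evolution's per-account lock, which @fplanque describes above, versus the per-IP escalating block the opening post asks for), here is an added example in Python. It is not b2evolution code and not from anyone in the thread; the class names AccountLockout, IpEscalation and login, the thresholds (10 failures per account in 600 s, more than 5 failures per IP in 900 s escalating to 15 min, 120 min, then indefinite) and the IP addresses are constructed for the demonstration. Unlike b2evolution, it counts attempts against any submitted name, not only existing accounts.

```python
from collections import defaultdict


class AccountLockout:
    """Per-account lock: once max_attempts failures are recorded for a name,
    every login for that name is refused (even with the right password) until
    lockout_seconds have passed since the oldest recorded failure."""

    def __init__(self, max_attempts=10, lockout_seconds=600):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.attempts = defaultdict(list)  # account name -> timestamps of recent failures

    def attempt(self, account, password_ok, now):
        ts = self.attempts[account]
        if (self.lockout_seconds > 0 and len(ts) >= self.max_attempts
                and now - ts[0] < self.lockout_seconds):
            return "locked"            # refused regardless of the password
        if password_ok:
            ts.clear()                 # assumption: a successful login resets the counter
            return "ok"
        ts.append(now)
        del ts[:-self.max_attempts]    # keep only the newest max_attempts timestamps
        return "denied"


class IpEscalation:
    """Per-IP block: more than `threshold` failures from one address inside
    `window` seconds trips a block whose length grows with each trip (the last
    tier, float('inf'), is an indefinite block)."""

    def __init__(self, threshold=5, window=900, tiers=(900, 7200, float("inf"))):
        self.threshold, self.window, self.tiers = threshold, window, tiers
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.strikes = defaultdict(int)     # ip -> how many times the block has tripped
        self.blocked_until = {}             # ip -> absolute expiry of the current block

    def is_blocked(self, ip, now):
        return now < self.blocked_until.get(ip, 0)

    def record_failure(self, ip, now):
        f = self.failures[ip]
        f.append(now)
        f[:] = [t for t in f if now - t < self.window]   # drop failures outside the window
        if len(f) > self.threshold:
            tier = min(self.strikes[ip], len(self.tiers) - 1)
            self.blocked_until[ip] = now + self.tiers[tier]
            self.strikes[ip] += 1
            f.clear()
        return self.blocked_until.get(ip, 0)


def login(account_guard, ip_guard, account, ip, password_ok, now):
    """Combine both guards: the IP block is checked first, and a refused
    attempt (wrong password or locked account) counts against the source IP."""
    if ip_guard.is_blocked(ip, now):
        return "ip_blocked"
    result = account_guard.attempt(account, password_ok, now)
    if result != "ok":
        ip_guard.record_failure(ip, now)
    return result


if __name__ == "__main__":
    acct, ipg = AccountLockout(), IpEscalation()
    # constructed scenario: one address cycling through guessed user names
    for i in range(7):
        print(i, login(acct, ipg, f"user{i}", "203.0.113.7", False, i))
```

The combined scenario shows the gap the thread circles around: cycling through different user names with wrong passwords never trips the per-account lock (each name has only one failure), but the per-IP guard blocks the address on the sixth failure while a different address can still log in. As @fplanque notes, a per-IP block is still only a convenience against a single noisy source, not a defence against an attacker spread over many addresses.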

Jan 11, 2019 09:18

@fplanque wrote earlier:

@saunders wrote earlier:

@fplanque
Did you use the same wrong password 20 times or did you change it 20 times?
I just followed your link. With 10 different wrong passwords it blocks.

I used different passwords and in a second test series used different usernames and different passwords, like someone "playing around" to find a working login.

Jan 11, 2019 11:22

@fplanque wrote earlier:

@amoun The blocking is per-user account (10 wrong passwords on a specific login). There is no blocking for non-existing accounts.

Yes that's what I was thinking.
Thanks

@saunders so the question is: are you using registered user names?

Jan 11, 2019 11:26

@fplanque wrote earlier:

@zebulon wrote earlier:

It is a bit odd that a 'targeted user' is locked out of his account though it is not his fault but a hacker's attempt.

Any serious attacker would use a botnet with 10 000 different IPs. Blocking a specific IP is not effective security.

Blocking annoying IPs that bloat your logs is something that should be done at the Apache level.


Makes sense, thanks @fplanque

Jan 11, 2019 12:42

@fplanque OK, I could reproduce the break to log in after 10 failed trials. I have chosen an existing login user name and kept the wrong passphrase for 11 times. It also worked using different passphrases.

I tested it with a non-existing user name. But it makes more sense to count login trials by user than to count false login trials by IP.
So thanks for your patience in replying.

