PHPBB3-9992

Limit amount of failed login attempts per IP

    Details

    • Type: New Feature
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.8
    • Fix Version/s: 3.0.9-RC1
    • Component/s: Login
    • Labels:
      None

      Description

      Currently the number of failed login attempts is only limited on a per-user basis. This allows trying a set of common passwords against a wide range of users. It also forces the owners of the tried accounts to enter a captcha, which is an annoyance.

      Implementation: add a new table phpbb_login_ips which maps an IP (unique) to the number of login attempts and also stores the time of the first attempt. Also add config vars for the interval and the number of failed logins allowed in that interval.

      Before login, check whether the current IP has exceeded the maximum number of failed logins. If it has, present a captcha. If a login fails, insert or update the row for the current IP. Since the table may grow, cron-based garbage collection should be considered.

      Note: the solution is not perfect; attempts can be distributed across many IPs, etc. But it helps mitigate the annoyance caused by this issue.
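      The following is an added illustration of the design sketched in this description, not code from phpBB: a per-IP failed-login counter backed by a table with the shape proposed above (IP, attempt count, time of first attempt), a pre-login check that decides whether a captcha is required, and the cron-style garbage collection. The config variable names, the sqlite table definition and the rule that a limit of 0 disables the check are assumptions made for the example; phpBB's real implementation may differ.

```python
import sqlite3

# Config values modelled on the issue's proposed config vars.
# The names are assumptions for this example, not phpBB's actual keys.
IP_LOGIN_LIMIT_MAX = 5          # failed logins allowed per IP within the interval
IP_LOGIN_LIMIT_TIME = 6 * 3600  # interval in seconds


def open_db():
    """Create an in-memory table shaped like the proposed phpbb_login_ips."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE phpbb_login_ips (
               ip            TEXT    PRIMARY KEY,
               attempts      INTEGER NOT NULL,
               first_attempt INTEGER NOT NULL
           )"""
    )
    return db


def record_failed_login(db, ip, now, interval=IP_LOGIN_LIMIT_TIME):
    """Insert or update the row for `ip` after a failed login.

    The window is anchored on the first attempt: once it is older than
    `interval`, counting starts over instead of accumulating forever.
    """
    row = db.execute(
        "SELECT attempts, first_attempt FROM phpbb_login_ips WHERE ip = ?", (ip,)
    ).fetchone()
    if row is None or now - row[1] > interval:
        db.execute(
            "INSERT OR REPLACE INTO phpbb_login_ips (ip, attempts, first_attempt) "
            "VALUES (?, 1, ?)",
            (ip, now),
        )
    else:
        db.execute(
            "UPDATE phpbb_login_ips SET attempts = attempts + 1 WHERE ip = ?", (ip,)
        )
    db.commit()


def ip_needs_captcha(db, ip, now, max_attempts=IP_LOGIN_LIMIT_MAX,
                     interval=IP_LOGIN_LIMIT_TIME):
    """Pre-login check: True if `ip` has used up its failed logins in the window.

    A max_attempts of 0 disables the per-IP check entirely (an assumed
    convention, useful for a forum whose users sit behind one shared NAT).
    """
    if max_attempts <= 0:
        return False
    row = db.execute(
        "SELECT attempts, first_attempt FROM phpbb_login_ips WHERE ip = ?", (ip,)
    ).fetchone()
    if row is None:
        return False
    attempts, first_attempt = row
    if now - first_attempt > interval:
        return False  # window expired; a stale row no longer counts
    return attempts >= max_attempts


def garbage_collect(db, now, interval=IP_LOGIN_LIMIT_TIME):
    """Cron task: drop rows whose window has expired. Returns rows deleted."""
    cur = db.execute(
        "DELETE FROM phpbb_login_ips WHERE first_attempt < ?", (now - interval,)
    )
    db.commit()
    return cur.rowcount


def demo():
    """Walk one constructed IP through the limit, expiry and cleanup."""
    db = open_db()
    ip = "203.0.113.7"  # constructed documentation-range address
    t0 = 1_000_000
    before = ip_needs_captcha(db, ip, t0, max_attempts=3, interval=3600)
    for _ in range(3):
        record_failed_login(db, ip, t0, interval=3600)
    after = ip_needs_captcha(db, ip, t0 + 1, max_attempts=3, interval=3600)
    other = ip_needs_captcha(db, "203.0.113.8", t0 + 1, max_attempts=3, interval=3600)
    expired = ip_needs_captcha(db, ip, t0 + 3601, max_attempts=3, interval=3600)
    deleted = garbage_collect(db, t0 + 3601, interval=3600)
    return before, after, other, expired, deleted


if __name__ == "__main__":
    print(demo())
```

      Counting from the first attempt in the window (rather than the last) keeps the table bounded and lets the cron task delete rows by a single timestamp comparison; the trade-off is that an IP regains its full allowance the moment the window rolls over.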


          Activity

          Sam Sam Thompson added a comment -

          Another alternative could be simply logging the failed attempts as soon as it hits the CAPTCHA using our default logs system. It wouldn't require another table but could bloat the logs and make this type of thing harder to detect if the admin doesn't ever look at the logs or the user doesn't report it.

          manic2 manic2 [X] (Inactive) added a comment -

          There should be an option to disable this or set the config vars for interval and amount of failed logins allowed in that interval.

          In an organisation with a large number of legitimate users then they could all be accessing from the same IP or a small range of IPs & this could cause annoyance if captcha is continually presented to them.

          naderman Nils Adermann added a comment -

          The updater fails when it is run before updating files because the table name constant is not defined.


            People

            • Assignee:
              naderman Nils Adermann
              Reporter:
              igorw Igor Wiedler [X] (Inactive)
            • Votes:
              4
              Watchers:
              2
