
Limit amount of failed login attempts per IP

    Details

    • Type: New Feature
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.8
    • Fix Version/s: 3.0.9-RC1
    • Component/s: Login
    • Labels:
      None

      Description

      Currently the amount of logins is only limited on a per-user basis. This allows trying a set of common passwords on a wide range of users. It also forces the owners of tried accounts to enter a captcha, which is an annoyance.

      Implementation: add a new table phpbb_login_ips which maps an IP (unique) to the number of failed login attempts, and also stores the time of the first attempt. Also add config vars for the interval and for the number of failed logins allowed in that interval.

      Before login, check whether the current IP has exceeded the maximum number of failed logins. If it has, present a captcha. If a login fails, insert/update the row for the current IP. Since the table may grow, cron-based garbage collection should be considered.

      Note: The solution is not perfect, such things can be distributed, etc. But it helps mitigate the annoyance caused by this issue.
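      The check-before-login, insert-or-update-on-failure and cron garbage collection described above, modelled as an added example in Python with an in-memory SQLite table. This is not phpBB's code: the table name `login_ips`, the column names, the config keys `ip_login_attempts` and `ip_login_interval`, and the function names are assumptions chosen for the example, and the IP addresses and timestamps used in the demo are constructed. The counter is scoped to a window that starts at the first failure in that window and resets once the interval has elapsed.

```python
import sqlite3
import time

# Constructed config values standing in for the issue's proposed config vars
# (key names are assumptions, not phpBB's real config keys).
CONFIG = {
    "ip_login_attempts": 5,   # failed logins tolerated per IP inside the window
    "ip_login_interval": 900, # window length in seconds (15 minutes)
}


def open_db():
    """Create an in-memory DB with the proposed per-IP table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE login_ips ("
        "  ip TEXT PRIMARY KEY,"               # one row per IP
        "  attempts INTEGER NOT NULL,"         # failed attempts in the current window
        "  first_attempt INTEGER NOT NULL"     # unix time of the first failure in the window
        ")"
    )
    return db


def _now(now):
    return int(time.time()) if now is None else now


def _window_expired(first_attempt, now, config):
    return now - first_attempt >= config["ip_login_interval"]


def needs_captcha(db, ip, now=None, config=CONFIG):
    """Pre-login check: has this IP used up its failed-login budget in the interval?"""
    now = _now(now)
    row = db.execute(
        "SELECT attempts, first_attempt FROM login_ips WHERE ip = ?", (ip,)
    ).fetchone()
    if row is None:
        return False
    attempts, first_attempt = row
    if _window_expired(first_attempt, now, config):
        return False  # stale window; the counter restarts on the next failure
    return attempts >= config["ip_login_attempts"]


def record_failed_login(db, ip, now=None, config=CONFIG):
    """Insert or update the IP's row after a failed login; returns the new count."""
    now = _now(now)
    row = db.execute(
        "SELECT attempts, first_attempt FROM login_ips WHERE ip = ?", (ip,)
    ).fetchone()
    if row is None or _window_expired(row[1], now, config):
        # First failure ever, or first failure of a fresh window: start at 1.
        db.execute(
            "INSERT OR REPLACE INTO login_ips (ip, attempts, first_attempt) "
            "VALUES (?, 1, ?)",
            (ip, now),
        )
        return 1
    db.execute("UPDATE login_ips SET attempts = attempts + 1 WHERE ip = ?", (ip,))
    return row[0] + 1


def garbage_collect(db, now=None, config=CONFIG):
    """Cron-style cleanup: drop rows whose window has expired; returns rows removed."""
    now = _now(now)
    cutoff = now - config["ip_login_interval"]
    cur = db.execute("DELETE FROM login_ips WHERE first_attempt <= ?", (cutoff,))
    return cur.rowcount


if __name__ == "__main__":
    # Constructed demo: one client IP fails five times within the window.
    db = open_db()
    client = "203.0.113.7"
    for i in range(CONFIG["ip_login_attempts"]):
        record_failed_login(db, client, now=1000 + i)
    print("captcha required:", needs_captcha(db, client, now=1010))        # True
    print("captcha after window:", needs_captcha(db, client, now=1900))    # False
    print("rows removed by GC:", garbage_collect(db, now=2800))            # 1
```

      Because the response to exceeding the budget is a captcha rather than a lockout, a shared address (NAT, proxies) that aggregates many users' failures degrades to an inconvenience instead of a denial of service for everyone behind it, which matches the issue's intent of mitigating rather than eliminating the problem.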

              People

              • Assignee: naderman Nils Adermann
              • Reporter: igorw Igor Wiedler [X] (Inactive)
              • Votes: 4
              • Watchers: 2
