
Limit amount of failed login attempts per IP


Details

    • Type: New Feature
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.8
    • Fix Version/s: 3.0.9-RC1
    • Component/s: Login
    • Labels: None

    Description

      Currently the number of login attempts is only limited on a per-user basis. This allows an attacker to try a set of common passwords against a wide range of users. It also forces the owners of the tried accounts to enter a captcha, which is an annoyance for them.

      Implementation: add a new table phpbb_login_ips which maps an IP (unique) to the number of login attempts, and also stores the time of the first attempt. Add config vars for the interval and for the number of failed logins allowed in that interval.

      Before login, check whether the current IP has exceeded the maximum number of failed logins. If it has, present a captcha. If a login fails, insert or update the row for the current IP. Since the table may grow, cron-based garbage collection should be considered.

      Note: The solution is not perfect, since such attempts can be distributed across many IPs, etc. But it helps mitigate the annoyance caused by this issue.
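      An added example (not phpBB's own code) of the per-IP check, failure bookkeeping and cron garbage collection described above; the table name, column names and config keys are assumptions, and an in-memory SQLite database via PDO stands in for phpBB's database layer.

```php
<?php
// Added example, not phpBB code: per-IP failed-login throttle with a time window.
// Table login_ips, its columns and both config keys are assumed names for this demo.
$config = ['ip_login_attempts_max' => 5, 'ip_login_attempts_interval' => 900]; // 15 minutes
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_ips (ip TEXT PRIMARY KEY, attempts INTEGER NOT NULL, first_attempt INTEGER NOT NULL)');

function ip_window_row(PDO $db, array $config, string $ip, int $now): ?array
{
    // Return the IP's row only while its window is still open; an expired window does not count.
    $stmt = $db->prepare('SELECT attempts, first_attempt FROM login_ips WHERE ip = ?');
    $stmt->execute([$ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int) $row['first_attempt'] > $config['ip_login_attempts_interval']) {
        return null;
    }
    return $row;
}

function ip_needs_captcha(PDO $db, array $config, string $ip, int $now): bool
{
    // Called before the login form is processed, independent of which username is being tried.
    $row = ip_window_row($db, $config, $ip, $now);
    return $row !== null && (int) $row['attempts'] >= $config['ip_login_attempts_max'];
}

function ip_record_failure(PDO $db, array $config, string $ip, int $now): void
{
    if (ip_window_row($db, $config, $ip, $now) !== null) {
        $db->prepare('UPDATE login_ips SET attempts = attempts + 1 WHERE ip = ?')->execute([$ip]);
    } else {
        // First failure, or first failure after the old window expired: restart the window.
        $db->prepare('INSERT OR REPLACE INTO login_ips (ip, attempts, first_attempt) VALUES (?, 1, ?)')
           ->execute([$ip, $now]);
    }
}

function ip_garbage_collect(PDO $db, array $config, int $now): int
{
    // Cron task: drop rows whose window has closed so the table does not grow without bound.
    $stmt = $db->prepare('DELETE FROM login_ips WHERE first_attempt < ?');
    $stmt->execute([$now - $config['ip_login_attempts_interval']]);
    return $stmt->rowCount();
}

// Demo with a constructed IP: five failures against different usernames inside one window.
$ip = '203.0.113.7';
$t = 1000000;
for ($i = 0; $i < 5; $i++) { ip_record_failure($db, $config, $ip, $t + $i); }
var_dump(ip_needs_captcha($db, $config, $ip, $t + 10));   // limit reached: captcha for this IP
var_dump(ip_needs_captcha($db, $config, $ip, $t + 901));  // window expired: no captcha
var_dump(ip_garbage_collect($db, $config, $t + 901));     // the expired row is removed
```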

            People

              Assignee: Nils Adermann (naderman)
              Reporter: Igor Wiedler (igorw, inactive)
              Votes: 4
              Watchers: 2
