Security issue with brute force attacks

enricodias4654

Member
YetiShare User
Jan 13, 2015
411
1
16
The script has a feature to log failed login attempts and block IPs after X attempts. However, when the IP manages to log in, all logs about the previous failed attempts from this IP are removed.

Here is how this can be exploited: if the script is configured to block an IP after 10 failed attempts, a bot can try 9 passwords on one account and then log in to another account, resetting the logs. This process can be repeated forever.

To solve it, the script should not remove the logs after a successful login. Those logs should remain in the table for at least 24h.
 

sukhman21

Member
YetiShare User
Jan 26, 2015
508
3
18
Yup, and for the same reason I have mine set to block an IP after 5 failed attempts. At least a hacker can only try 4 times instead of 9. Should save some resources.
 

enricodias4654

Member
YetiShare User
Jan 13, 2015
411
1
16
sukhman21 said:
Yup, and for the same reason I have mine set to block an IP after 5 failed attempts. At least a hacker can only try 4 times instead of 9. Should save some resources.
This will just block IPs of normal users who forget their passwords. You should comment out the line Auth::clearSessionByUserId($row['id']); in the attemptLogin function in the Auth class.
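A small simulation of the two behaviours discussed in this thread, added here as an example and not taken from YetiShare's code: the reset-on-success logic from the first post (an attacker makes 9 wrong guesses, logs in to a second account to wipe the IP's failure log, and repeats) next to the proposed fix from the reply above (keep the failure rows after a successful login and let them expire after 24h). The account names, passwords, IP addresses and the LoginTracker class are all constructed for the illustration; the real YetiShare tables and Auth::clearSessionByUserId are only stood in for by the clear_on_success flag.

```python
from collections import defaultdict

# Constructed sample accounts for the simulation (not YetiShare data).
USERS = {"victim": "hunter2-secret", "attacker": "attacker-own-pw"}

BLOCK_AFTER = 10            # block an IP after this many failed attempts
LOG_RETENTION = 24 * 3600   # keep failed-attempt records for 24h, as the post suggests


class LoginTracker:
    """Stand-in for the failed-login log table (hypothetical, not the script's class)."""

    def __init__(self, clear_on_success, block_after=BLOCK_AFTER, retention=LOG_RETENTION):
        self.clear_on_success = clear_on_success   # True = vulnerable behaviour, False = fix
        self.block_after = block_after
        self.retention = retention
        self.failures = defaultdict(list)          # ip -> timestamps of failed attempts

    def _live_failures(self, ip, now):
        # Drop records older than the retention window (the 24h the post asks for).
        self.failures[ip] = [t for t in self.failures[ip] if now - t < self.retention]
        return len(self.failures[ip])

    def is_blocked(self, ip, now):
        return self._live_failures(ip, now) >= self.block_after

    def attempt(self, ip, user, password, now):
        """Returns 'blocked', 'ok' or 'fail'."""
        if self.is_blocked(ip, now):
            return "blocked"
        if USERS.get(user) == password:
            if self.clear_on_success:
                # Vulnerable behaviour: a successful login wipes this IP's failure log,
                # which is what the thread attributes to Auth::clearSessionByUserId.
                self.failures[ip].clear()
            return "ok"
        self.failures[ip].append(now)
        return "fail"


def run_attack(clear_on_success, rounds=3):
    """Attacker from one IP: 9 wrong guesses on 'victim', then a valid login to its
    own account, repeated. Returns (guesses actually tested against victim,
    whether the attacker was ever blocked)."""
    tracker = LoginTracker(clear_on_success)
    ip = "203.0.113.7"          # constructed attacker address
    now, tested, blocked = 0, 0, False
    for r in range(rounds):
        for i in range(BLOCK_AFTER - 1):
            now += 1
            res = tracker.attempt(ip, "victim", f"guess-{r}-{i}", now)
            if res == "fail":
                tested += 1
            elif res == "blocked":
                blocked = True
        now += 1
        # Log in to the attacker's own account to trigger the reset.
        if tracker.attempt(ip, "attacker", USERS["attacker"], now) == "blocked":
            blocked = True
    return tested, blocked


def legit_user_after_retention(clear_on_success=False):
    """A real user who exhausts the limit is locked out, but gets back in once the
    records expire, so the fix is not a permanent block. Returns
    (blocked right after the failures, accepted once the 24h window has passed)."""
    tracker = LoginTracker(clear_on_success)
    ip = "198.51.100.9"         # constructed user address
    for i in range(BLOCK_AFTER):
        tracker.attempt(ip, "victim", "wrong-password", now=i)
    still_blocked = tracker.attempt(ip, "victim", USERS["victim"], now=BLOCK_AFTER) == "blocked"
    later = tracker.attempt(ip, "victim", USERS["victim"], now=BLOCK_AFTER + LOG_RETENTION) == "ok"
    return still_blocked, later


if __name__ == "__main__":
    print("reset on success (vulnerable):", run_attack(clear_on_success=True))
    print("keep logs (fixed):            ", run_attack(clear_on_success=False))
    print("legit user (blocked, ok later):", legit_user_after_retention())
```

With the reset enabled the attacker tests 9 guesses per round indefinitely (27 over three rounds, never blocked); with the logs kept, the tenth failure trips the block and the second-account login no longer helps. The retention check shows why expiring the rows matters: without it the fix would turn every forgotten password into a permanent lockout, which is the concern raised in the last reply.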