Simple Machines Community Forum

Link to the mod (https://custom.simplemachines.org/index.php?mod=2181)

Login Security

Major features receive email on failed login attempt, account login protection by ip address, and locking of an account after too many failed attempts.


Features:
-Email alerts on failed login attempts plus using the failed login attempt ip address finds any members on the forum using that ip address and lets the account owner know who it could be.
-Account lock protection after a certain number of tries the account can be locked for certain amount of time.
-Account lock protection. You are able to bind an account to an ip address or multiple ip addressed preventing people from logging into the account if they are not in the user's allowed ip addresses. Set via the user's profile.

very very nice

Indeed this is a very very nice mod!
Good job Mate :)

How can you change the "Send email on failed login attempt" to every 2 or 3?

Maybe  I can add that option.

Cheers mate, That'd be great :)

Could a little more explanation of the various fields be provided?

Which fields do you want to know more about?

On the Login Security Panel:

- Login attempt check time range in minutes
Is this the period in which if the number of login attempts exceeds the number in the field above (3 in this screenshot) they get locked out?

- Account locked retry minutes
Is this how long the account is locked?  Is anything displayed on the login screen informing the person they are locked out?

- Send email on failed login attempt
Is this a yes (1) or no (0) switch?  Or how many times before the email is sent?  Sent to whom?  The account owner or an Admin?

- Allow users to protect their account by ip address
Is this a yes (1) / no (0) field?

- Secure Login Link Expire time in minutes
What does that mean?


Sorry for all the questions.

Grazie,

Cal

Login attempt check time range in minutes
1. Yes it is.

Account locked retry minutes
2. Yes it is. Yes they are alerted when they try to login that the account is locked.

- Send email on failed login attempt
3. This is yes or no if an email is sent. It is sent every time a login failed and is sent to the account owner.

4. Yes it is a checkbox.

5. Is if the account was locked/ or locked out by ip address they can request a secure login link that will allow them to override the lockouts and it is sent to the user's email address on file

Thank you.  Greatly appreciated.

Would you consider putting some of this info into the MOD description, and at least on the Yes/no questions indicating that they are yes/no, or make them checkboxes?  I thought the send email on failed login attempt was a counter as to how many times one could get it wrong before the email was sent, and would wait until the set number of failed login attempts occurred before sending.

Please excuse my inpertenance, as I don't know php as well as I should, but I was reading the parse and noticed in the update to LogInOut.php you have a '3' hard-coded:
   // Been guessing a lot, haven't we?
   if (isset($_SESSION['failed_login']) && $_SESSION['failed_login'] >= $modSettings['failed_login_threshold'] * 3)





I think it's a very good MOD that adds some needed extra protection.  And I know that anything written these days for 1.1.x is really generous of you SMF experts, so I hope my questions are not taken as being a nuisance.

Grazie,

Cal

Quote
if (isset($_SESSION['failed_login']) && $_SESSION['failed_login'] >= $modSettings['failed_login_threshold'] * 3)

That is part of SMF I just moved that code to make it better work with this mod


Updated the mod to support SMF 2.0

I welcome all security related mods, and this mod definitive belong to the category 'security'.
Txs for this useful mod!  :)

No problem glad you enjoy it.

Very very good protection :D +200 Armour to Forum ( Like an Epic Item :P )

This is Turkish translation ;)

// Begin Login Security Text Strings
$txt['ls_login_security'] = 'Giriş Güvenliği';
$txt['ls_invalid_ip'] = 'Giriş başarısız. Bu hesap IP adresi ile korunmaktadır. Eğer bu hesabın sahibi siz iseniz, hesabınıza gönderilecek olan <a href="%link">güvenli giriş linkini</a> oluşturun.';
$txt['ls_account_locked'] = 'Başarısız girişler sonucu hesap kilitlenmiştir. Bu hesap %min daha kilitli kalıcaktır. Eğer bu hesabın sahibi siz iseniz, durumu düzeltmek için hesabınıza gönderilecek olan <a href="%link">güvenli giriş linkini</a> oluşturun.';
$txt['ls_secure_email_subject'] = 'Güvenli Giriş Linki';
$txt['ls_secure_email_body'] = 'Merhaba, %name,
Hesabınız için güvenli giriş linki talep edildi.
Eğer bu linki siz talep ettiyseniz lütfen aşağıdaki linke tıklayarak hesabınıza giriş yapınız.

%link

Bu link %min dakika içinde geçersiz kalıcaktır.

İstekçi(lerin) IP adresi(leri): %ip';

$txt['ls_matched_members'] = 'Aynı IPde çakışan forum üyeleri:';

$txt['ls_failed_email_subject'] = 'Başarısız giriş teşebbüsü';
$txt['ls_failed_email_body'] = 'Merhaba, %name,

Hesabınıza yönelik başarısız giriş teşebbüsleri tespit ettik.

%membermatches

Hesabınıza yanlış giriş yapmaya çalışmış IPler: %ip';

// Settings
$txt['ls_securehash_expire_minutes'] = 'Güvenli Giriş Linklerinin bitiş süresi ( dakika )';
$txt['ls_allowed_login_attempts'] = 'İzin verilen giriş deneme sayısı';
$txt['ls_allowed_login_attempts_mins'] = 'Giriş teşebbüslerinin kontrol edileceği zaman aralığı ( dakika )';
$txt['ls_login_retry_minutes'] = 'Kilitlenmiş hesaplar için tekrar deneme süresi';
$txt['ls_allow_ip_security'] = 'Kullanıcıların hesaplarını IP adresleri ile korumalarına izin ver';
$txt['ls_send_mail_failed_login'] = 'Başarısız giriş teşebbüslerinde email yolla';

$txt['ls_current_ip_address'] = 'Şu anki IP Adresi: ';
$txt['ls_ip_address_protection'] = 'IP Adresi ile Hesap Koruma';
$txt['ls_ip_address_protection_note'] = 'Birden fazla IPye izin verebilirsiniz ( virgül ile ayırın )';

// END  Login Security Text Strings

Thanks for the translation!

Odd.. I can alter values into whatever I want, after saving the new values I always return to the ones as visible in attached image..

Is that for SMF 2.0?

Yep, SMF 2.0 RC1.2

Quote from: Smog on October 17, 2009, 07:14:58 PM
Yep, SMF 2.0 RC1.2

Fixed redownload the latest version uninstall the old version first.

Installed v1.02 and the prob is now solved, txs.  :)
BTW, value of SMF Failed login threshold is 5, what value do you suggest for Number of allowed login attempts?

I would say three. Because rarely do people mistype or forget their password more than that.

Ar, will try/test as suggested.  :)

Is it possible to enter more trusted IP's? or a range, using 127.*.*.* ?

You can seperate additional IP's with a comma
Ranges are not supported yet.

thanks for your fast reply, I need range as well, because I like to have access from my Iphone. I will send you a PM as well now.

Added SMF 2.0 RC2 support

I have a problem when going to login to the forum when we will Loggin sure we will find
Fatal error: require_once () [function.require]: Failed opening required '/ home2/motosec/public_html/Sources/Subs-LoginSecurity.php' (include_path ='.:/ usr / lib / php: / usr / local / lib / php ') in / home2/motosec/public_html/Sources/LogInOut.php on line 300,

what can I do to restore the forum I like the original??

Are you using SMF 2.0 RC2?

You can just uninstall the package via the package manager.

one question, there was a post, but not enough detail to answer my question...

Quote
Send email on failed login attempt

Is it the Account Owner or Admin (or both?)

It sends email to the Account Owner.

I'm getting an install error (on 1.1.11):
3.     Execute Modification     ./Sources/ModSettings.php     Test failed

Can I somehow check what the problem is?

You can use the modsite to download a manual instruction list then compare the changes made to that file from the site to your own file to see what is different.

Thanks! That helped! It was the Easy Edit Meta Data mod that had changed the code. I uninstalled it, installed Login Security and reinstalled the Meta mod.

Glad you got it working!

Thanks, reinstalled since i had to redo forum. and didn't do email Acc. Owner, I might, I might not, I do not know for sure...

It's a good thing to have for extra security for your accounts and other admins/mods

ok. enabled!

Can this be modified to send a failure email to both the account owner and the administrator?

Could be right now it just the account owner. Otherwise I don't think the admins would want a failture message for every user.

Actually I would want failure messages as well.  It should be a configurable option.

Most webmasters also have access to create e-mail accounts.  I would simply create another e-mail account and use Outlook rules to put all account failures in a special folder.  Alternatively, I could use my normal email address and just filter it by the message...

Great mod! love it!

I do have a question however: I get errors written in the log:

Quote8: Undefined index: allowedips
File: /Themes/default/Profile.template.php (account sub template - eval?)
Line: 1528

This one is written when I want to make a change on the account related settings page and fill in a wrong password.
Also there is this error message:

Quote8: Undefined index: allowedips
File: /Sources/Profile.php
Line: 719

but I've been unable to recreate that one yet.

Any idea where these are coming from?

sidenote: dutch translation is attached

What SMF version are you running?

Sorry forgot to mention 1.1.11

Also attached profile.template.php and profile.php

Any news on my question?

whenever someone click change profile (make a change in its profile)

i get this in error log


http://www.freakygurus.com/index.php?action=profile;area=theme;save
8: Undefined index: allowedips
File: /home/content/f/r/e/freakyadmin/html/Sources/Profile-Modify.php
Line: 1012

im using RC2 with default curve theme

Released a new version that should fix those errors  sid2varun

still the same error is coming

Same here, also with updated version, I get the error

Quote8: Undefined index: allowedips
File: /Themes/default/Profile.template.php (account sub template - eval?)
Line: 1528

but only if a user goes to "account related settings" and clicks save changes.

smf 1.1.11

The error happens because the text field entry is left empty.

EDIT: Not in new version.. just caught onto that.

i have a ?

it says allow users to protect their account by ip address what does this mean what i want to do is get it to where the members can only log in to the forum if they are coming from their ip address i am confused on how this work so in other words if ip is 12.12.12.12 and i try to log into the forum from 13.13.13.13 it will deny me i only want to do this for certain members and not give them the capability of adding ip's only a mod or admin cab add ip's


thanks

ok i have a test acct on my forum i noticed that if i am logged in as the test user under profile there is no reference to the up rotection for a regular user if i go into the profile as admin i see the ip address field so it looks like i need to enter their ip address in that field to lock it in and they cannot change it as they cannot see it correct???

You first need to enable the setting under login security once set it should should a textbox to enter an ip if they want to lock the ip to that account.

i have the box checked to allow it what i mean is i dont want the user to be able to change the ip or add an ip and it seems like that is how the mod works cause like i said i can see the box under their profile to add the ip addresses when i am admin but when i am the user there is no box so it seems like it is working properly i was just wondering cause the description is misleading i mean if you wan to lock an acct with an ip why would the user be able to add or change ip's that would kinda defeat the purpose if you are trying to stop acct sharing

This mod is not to stop account sharing so would not do what you are asking.

This mod is to stop people who steal username/password and logging in from another ip when using the IP protection.

ok but why cant i see the ip protection box under profile account settings while logged in as the user

Quote from: sid2varun on February 04, 2010, 05:26:56 AM
whenever someone click change profile (make a change in its profile)

i get this in error log

Code Select Expand


http://www.freakygurus.com/index.php?action=profile;area=theme;save
8: Undefined index: allowedips
File: /home/content/f/r/e/freakyadmin/html/Sources/Profile-Modify.php
Line: 1012

im using RC2 with default curve theme

bump**

Updated for SMF 2.0 RC3!

This is a fantastic addon, however I seem to be having a slight issue with it on my 1.1.11 install where the emails arent being sent at all on login failures. I tested this a few times, intentionally logged in to my account with the wrong password 2 times (threshold is set to 3) and no emails came through or even generated (checked the local mail server log). Any help in troubleshooting this would be appreciated.

*EDIT*

Apparently the emails go through sometimes, but it doesnt seem to be consistent. Got 2 emails for a total of 3 failed attempts and no secure hash link in any of them.

Quote from: vbgamer45 on February 25, 2010, 05:07:36 PM
This mod is not to stop account sharing so would not do what you are asking.

This mod is to stop people who steal username/password and logging in from another ip when using the IP protection.

that will be a nice modification as well, is this possible to make (you can contact me PM, to tell me about any costs).

Thanks vbgamer45, great mod  ;D

Glad you enjoy it has come in handy for me!

Hi,
sorry for a lame question but I have a problem with this mod.

I have installed 1.1.11, language Polish.
But I can't see anywhere options for Login Security. Where I can change setting for it?

Thanks a lot for helping me.

Quote from: yoduffy on May 07, 2010, 05:46:42 AM
Hi,
sorry for a lame question but I have a problem with this mod.

I have installed 1.1.11, language Polish.
But I can't see anywhere options for Login Security. Where I can change setting for it?

Thanks a lot for helping me.

go to features and options
and you have to see Login Security in the menu (SMF 1)

Still, I can't find it. The installation of Login Security mod was successful.  :-\

Quote from: yoduffy on May 07, 2010, 06:30:25 AM
Still, I can't find it. The installation of Login Security mod was successful.  :-\

try to edit your url in your browser with after your forum url/
index.php?action=featuresettings;sa=loginsecurity

Now i can see something but still it doesn't look good.
Anyway thanks!
(https://www.simplemachines.org/community/proxy.php?request=http%3A%2F%2Fimg714.imageshack.us%2Fimg714%2F2897%2Fsmfscript.gif&hash=7b6695fa3f1539742561390c1ea6430dca37fec1)

That's because the mod hasn't been translated in to your language.

The correct text:
   Number of allowed login attempts     
   Login attempt check time range in minutes    
   Account locked retry minutes    
   Send email on failed login attempt    
   Allow users to protect their account by ip address    
   Secure Login Link Expire time in minutes    

Thanks!

I installed this just fine, but when I go to my profile, there is no option for the binding IP to your account. Yes, I do have the correct box checked (I don't have the email one checked - we do not want to use that one). Any help?

ETA: Although it installed fine (I did have to manually do the ModSettings, but that went smoothly), it seems like it's not taking at all. It didn't lock out my test account attempts. I am able to see the tab to edit the settings, and aside from unchecking the email box, nothing is working:\ This is a great mod and I'd like to get it to work! :)

I'm getting an undefined index:

Undefined index: allowedips
Sources/Profile-Modify.php
Line: 1021

Quote from: Jade Elizabeth on May 09, 2010, 12:12:56 AM
I'm getting an undefined index:

Undefined index: allowedips
Sources/Profile-Modify.php
Line: 1021

Fixed in 1.0.2.2

Thank you :)

Russian translation (please use both files)

Thank you Bugo for the translation!

Sorry for this lame question but...
The lock function works fine, but how do I unlock them so they can have access again.
I've looked everywhere I  could think of but can't find a way to do it.  Thanks

Lock function you mean bind to an ip address?

After the 3 tries (thats what I have it set at, it locks them out. How do I unlock them should I to them back in?
How do I give them back their account?

There should be an option to enable secure link.
It allows the user to request a link sent to their email of their account to override the lock out.
Also i think there is a lock time limit

These are the only options I have.

Number of allowed login attempts   
Login attempt check time range in minutes   
Account locked retry minutes   
Send email on failed login attempt   
Allow users to protect their account by ip address   
Secure Login Link Expire time in minutes   

I don't see any option to enable secure link.

Ok so i guess it is already enabled so if they are locked out they have an option to login.

Set secure login expire time to 60 minutes

I'll give it a try. Thanks for the help.

Hey vbgamer45

this looks like a great Mod to help with security and would like very much to use it, however when I click Apply Mod, I see the following error. SMF 1.1.11

Please can you advise on how to proceed, thank you

J

5.     Execute Modification     ./Sources/Profile.php     Test failed

QuoteError in Package Installation
At least one error was encountered during a test installation of this package. It is strongly recommended that you do not continue with installation unless you know what you are doing, and have made a backup very recently. This error may be caused by a conflict between the package you're trying to install and another package you have already installed, an error in the package, a package which requires another package that you don't have installed yet, or a package designed for another version of SMF.

Install it then make that one change manually probably another conflict a mod.

Quote from: vbgamer45 on July 31, 2010, 08:18:43 PM
Install it then make that one change manually probably another conflict a mod.

Got it, thank you for your help

J

Glad you got it working!

Hi great mod
Question I have
like does this block peeps trying to register multiple accs on forum from there IP addy ?

If not is there a mod that blocks peeps trying to register a second acc on forum from their IP addy


cheers

KT

No does not block multiple registration from same ip.
SMF has some built in checks to stop from the same session.

Hi, I'm getting a blank white screen when I install this, in the Features & Options page.

Running SMF 1.1.11

Apparently it conflicts with Custom BBC mod found here:

http://custom.simplemachines.org/mods/index.php?mod=621

The reason I found out, is I removed certain lines from that were added from custom bbc, in modsettings.php:

$subActions = array(
'basic' => 'ModifyBasicSettings',
'layout' => 'ModifyLayoutSettings',
'loginsecurity' => 'ModifyLoginSecuritySettings',
'karma' => 'ModifyKarmaSettings',
'custombbc' => 'ModifyCustomBBCodeSettings',
);

specifically:

'custombbc' => 'ModifyCustomBBCodeSettings',

and then suddenly the white screen goes away.

Anyone been able to successfully install this login security with this other mod applied as well?

Any halp? :(

For some reason, our users get sent a blank email whenever they (or someone else) log in but mistype the password. For this reason, we'd like to uninstall the mod. However, we get the following when running the uninstall test:


Error in Package Installation
At least one error was encountered during a test installation of this package. It is strongly recommended that you do not continue with installation unless you know what you are doing, and have made a backup very recently. This error may be caused by a conflict between the package you're trying to install and another package you have already installed, an error in the package, a package which requires another package that you don't have installed yet, or a package designed for another version of SMF.
Uninstall Actions "Login Security"

   1.   Execute Modification   ./Themes/default/languages/Modifications.english.php   Test successful
   2.   Execute Modification   ./Sources/LogInOut.php   Test failed
   1.   Replace   ./Sources/LogInOut.php   Test successful
   2.   Replace   ./Sources/LogInOut.php   Test successful
   3.   Replace   ./Sources/LogInOut.php   Test failed
   4.   Replace   ./Sources/LogInOut.php   Test successful
   5.   Replace   ./Sources/LogInOut.php   Test successful
   6.   Replace   ./Sources/LogInOut.php   Test successful
   7.   Replace   ./Sources/LogInOut.php   Test successful
   3.   Execute Modification   ./Sources/ManageSettings.php   Test successful
   4.   Execute Modification   ./Themes/default/Profile.template.php   Test successful
   5.   Execute Modification   ./Sources/Profile-Modify.php   Test successful
   6.   Execute Modification   ./Sources/Admin.php   Test successful
7.   Delete File   ./Sources/Subs-LoginSecurity2.php   
8.   Execute Code   UnInstall.php   





Currently installed mods:

1.   Join Reason    1.3   [ Install Mod ] [ List Files ] [ Delete ]
2.   Login Security    1.0.2.2     [ Uninstall ] [ List Files ] [ Delete ]
3.   Online status on login    1.5     [ Uninstall ] [ List Files ] [ Delete ]
4.   Downloads System    1.3.4   [ Install Mod ] [ List Files ] [ Delete ]
5.   Resize Attached Images    2.1.1     [ Uninstall ] [ List Files ] [ Delete ]
6.   Aeva Media    1.3a   [ Install Mod ] [ List Files ] [ Delete ]
7.   Bookmarks    2.3     [ Uninstall ] [ List Files ] [ Delete ]
8.   Karma Description Mod    2.6.8     [ Uninstall ] [ List Files ] [ Delete ]
9.   Captcha on Reminder    1.1   [ List Files ] [ Delete ]
10.   jQLightbox    0.5     [ Uninstall ] [ List Files ] [ Delete ]
11.   Copy Topics    1.6     [ Uninstall ] [ List Files ] [ Delete ]
12.   PM Attachments    1.5     [ Uninstall ] [ List Files ] [ Delete ]
13.   EmailValidator    1.0     [ Uninstall ] [ List Files ] [ Delete ]
14.   ENotify    1.06     [ Uninstall ] [ List Files ] [ Delete ]
15.   Hide Topics from Guests    1.0   [ List Files ] [ Delete ]
16.   SMF Articles    1.2.2.1   [ List Files ] [ Delete ]
17.   Tagging System    2.2.1   [ List Files ] [ Delete ]
18.   Favicon    1.3     [ Uninstall ] [ List Files ] [ Delete ]
19.   eNinja - Admin Notes    0.9.2   [ Install Mod ] [ List Files ] [ Delete ]

You need to uninstall mods in the order they were installed so whatever was installed after this mod that affected those files would cause the mod uninstall issues

Quote from: vbgamer45 on September 30, 2010, 10:43:23 AM
You need to uninstall mods in the order they were installed so whatever was installed after this mod that affected those files would cause the mod uninstall issues

Ok, have to check out. Thanks!

I hate to bring this back up, but when people don't fill in their password (or a wrong pw), when saving settings in their account related settings, I get an undefined index error in the log. Specifically:

Quote8: Undefined index: allowedips
File: /Themes/default/Profile.template.php (account sub template - eval?)
Line: 1527

SMF 1.1.11 and version 1.0.2.2 installed

Also sometimes get this error:

Quote8: Undefined index: allowedips
File: /Sources/Profile.php
Line: 726

but I've been unable to recreate that one thus far. Upgraded to 1.0.2.2 today, so I dont know if that one is still there now. The first one is though...

I am having the same problem as below:

Quote from: Sinistercat on March 22, 2010, 08:37:58 PM
This is a fantastic addon, however I seem to be having a slight issue with it on my 1.1.11 install where the emails arent being sent at all on login failures. I tested this a few times, intentionally logged in to my account with the wrong password 2 times (threshold is set to 3) and no emails came through or even generated (checked the local mail server log). Any help in troubleshooting this would be appreciated.

*EDIT*

Apparently the emails go through sometimes, but it doesnt seem to be consistent. Got 2 emails for a total of 3 failed attempts and no secure hash link in any of them.

The e-mail notifications are not consistent, sometimes I get one after 2 failed attempts sometimes still nothing after 3 failed attempts.

SMF 1.1.11 and now 1.1.12

Any help appreciated :)

**Edit** I just got 2 emails after 5 failed login attempts, threshold set at 3. Account still not locked, allowed me to login on 6th attempt with correct password

Security is everything!
Your mods are the best ever!
Thank you :)

"Email alerts on failed login attempts plus using the failed login attempt ip address finds any members on the forum using that ip address and lets the account owner know who it could be."

Is there a way you can add this feature when a person tries to reset the password by forgot password option?
Right now it send an email with the persons ip adress only. But it would be very nice to know which member could have been that tried to reset our password.

That's a good feature request will keep it in mind for future updates

Hello,

I am using this mod now because an idiot is attempting to hack into everyone's account. The mod works great and is absolutely well done. However we are having one issue. One of our Membergroups cannot see the IP Protection ability. I'm talking about the actual field to input the IP address. All of the other membergroups can however.

Is there a permission I am missing somewhere? I have checked the "Allow users to protect their account by ip address" checkbox and looked over each user group permissions. I am unsure why it works for all except one.

Thanks,
Isabel

There is not any membergroup level settings it should appear for all groups

That is what I thought, but it does not appear for one specific group.

I can set you up with a test account if you'd like.

Quote from: PLAYBOY on December 22, 2010, 03:51:59 PM
"Email alerts on failed login attempts plus using the failed login attempt ip address finds any members on the forum using that ip address and lets the account owner know who it could be."

Is there a way you can add this feature when a person tries to reset the password by forgot password option?
Right now it send an email with the persons ip adress only. But it would be very nice to know which member could have been that tried to reset our password.

Is there gonna be an update soon? Do you think this feature will be added?

It seems as though this mod is not fully functional on my forum. I have everything checked:

(https://www.simplemachines.org/community/proxy.php?request=http%3A%2F%2Fimg526.imageshack.us%2Fimg526%2F1345%2F41120901.jpg&hash=75009f06d904d925ea798f29451568de0900c03b)

But some users have been able to protect their accounts themselves while others have not. I currently have a BOT problem with one attempting to hack into accounts on my forum and this was our number one security measure. I'm unsure what to do about this. Are there any other permissions for this mod I am missing?

Those are the only settings for the mod.

Is it maybe possible to make the same thing possible only then for boards.
So on a specific boards the user needs to be on that certain IP else he/she cant get in that board? (this ip should only be editable by moderators)

You would help me very much if you could tell me if this is possible, and if zo how.

Thank a lot by now.

Not possible

Quote from: vbgamer45 on January 04, 2011, 08:42:08 PM
Those are the only settings for the mod.

... ok.

Well, thanks for the assistance.

Quote from: vbgamer45 on January 06, 2011, 12:08:36 PM
Not possible

Because?

It's not built into the mod but you can do it but would have to code yourself.

If I could I certainly would.

Is it ok if I can find something in your mod that I could use

Yeah you can use the mod for whatever you want on your own site.

Like others, I'm getting :

8: Undefined index: allowedips
File: Profile.php
Line: 589

v1.0.2.2 and SMF 1.1.12 (just updated to .13)

When the attempt threshold has been exceeded, is the account locked, or the IP that attempted to log in?  I've been having a series of login attempts against all of my members over the last day or two from a bunch of different IPs.  I don't want to inconvenience them by having them be locked out.  I just want to prevent those IPs from attempted again.

Account is locked.  If you have secure login link enabled they can override by clicking a link sent to their email account.

So it'll keep locking every time it happens?

Yes you can set it up in the settings area to configure when to lock and how long

I've just installed this mod manually, but none of the text labels are coming up? I've checked the $txt array and it's empty. I'm running SMF 1.1.7 - any idea what this could be caused by? I've placed the text in every Settings.english.php file I could find :(

It should normally be in Modifications.english.php...

Quote from: Arantor on February 15, 2011, 05:06:40 AM
It should normally be in Modifications.english.php...

Cheers, works a charm now.

[Edit] I didn't read the instructions correctly :-\ my bad, it's always the little things! ::)

Updated for SMF 2.0 final.

Forgot to update the version number?
The version number on the archive is still the same (LoginSecurity1.0.2.2). Apparently so is the package info.
I have a version 1.0.2.2 installed that is from February this year. But the one I just downloaded is obviously newer.

No changes except added support for SMF 2.0 final so need to update version number.

Cool, thanks for this mod!  8)

Glad you enjoy it

Quote from: vbgamer45 on June 12, 2011, 09:12:49 AM
No changes except added support for SMF 2.0 final so need to update version number.

Version numbers are means to tell apart different versions of a software product, not medals of accomplishment.
That being said, thank you for updating this mod. It's appreciated.

Hey vbgamer45,

Would it be possible to add an option so that instead of locking the account it would just ban the IP address? For example, after 4-5 fails (could be adjustable by the admin). This would be helpful.

Thanks,
Jeff. :)

I would have to add that into the system at some point.

Quote from: vbgamer45 on June 14, 2011, 05:23:37 PM
I would have to add that into the system at some point.

Hey,

Thanks for the quick response.

Whenever you have a chance to add it is fine. :)

Jeff.

I just tested the mod and got the failed login email.

QuoteHello Test123,
We have detected a failed login attempt on your account.

Matched forum members with same ip address:
Kolya


IP address of the failed login attempt: xxx.xxx.xxx.xxx

While this is mostly a very useful mod, providing security that should actually be part of the SMF itself in the first place, I am highly critical of its feature to suggest other forum members by name as potential attacker and providing their IP address.

Since the suggestion is based on IP address information it is quite unreliable. No matter if its correct or not, this practically screams for the victim to take matters into their own hands, eg PMing the other member who allegedly attacked their account, or even publicly accusing them of breaking into their account, leading into flamewars, etc.
If the suggestion is incorrect (which the victim has no way of knowing) we have another member being put into a guilty until proven innocent situation. Additionally their IP is exposed, putting them at risk of "counter" attacks.
In both cases Fear Uncertainty and Doubt are produced on the forums. It's like a police squad hinting the victim of a burglary on the name and address of someone who may have been the burglar.

Clearly this information belongs into the hands of the administration, not into the hands of forum members. An administrator could see if more attacks have been perpetrated from the same account and thereby verify if a suspected forum member is an attacker. But currently administrators never get that info.

I have changed the mod to produce a more reasonable email notification about a failed login attempt:

QuoteHello Test123,
We have detected a failed login attempt on your account.

If you want to inform the administrators, just reply to this email.

IP address of the failed login attempt: xxx.xxx.xxx.xxx

The changed code is as follows.
In Sources\Subs-LoginSecurity2.php
FIND

// Include any IP's that match other forum members....
$memberMatches = '';
if (!empty($IPmemberList))
{
$memberMatches = $txt['ls_matched_members'] . "\n" . $IPmemberList;
}

$msgBody = $txt['ls_failed_email_body'];
$msgBody = str_replace("%name",$emailRow['real_name'],$msgBody);
$msgBody = str_replace("%membermatches",$memberMatches ,$msgBody);
$msgBody = str_replace("%ip",$ip,$msgBody);

sendmail($emailRow['email_address'], $txt['ls_failed_email_subject'], $msgBody);


REPLACE WITH

// Include any IP's that match other forum members....
// $memberMatches = '';
// if (!empty($IPmemberList))
// {
// $memberMatches = $txt['ls_matched_members'] . "\n" . $IPmemberList;
// }

$msgBody = $txt['ls_failed_email_body'];
$msgBody = str_replace("%name",$emailRow['real_name'],$msgBody);
// $msgBody = str_replace("%membermatches",$memberMatches ,$msgBody);
$msgBody = str_replace("%membermatches",'If you want to inform the administrators, just reply to this email.' ,$msgBody);
$msgBody = str_replace("%ip",$ip,$msgBody);

sendmail($emailRow['email_address'], $txt['ls_failed_email_subject'], $msgBody);


This is just a quick fix. Certainly the author of this mod could cook up something better, by directly informing the admin in the error log.

hi, thx for this mod, I love it, I am using it on smf 2.0 gold, my mod setting are with default values and the 2 checkboxes unchecked.

I tried to force an account on my server from a proxy, but I had only the usual email check page, and after many login attemp I had this error:

QuoteSorry, you are out of login chances.  Please come back and try again later

it seems that it isn't working the mod, isn't it? it isn't the mod error message

EDIT: I set Number of allowed login attempts to 2, but after 4 attempts, I never been blocked, on error log I have 4 attempts, and my ip has never been blocked for 15 minutes (as it is set to)

I set Number of allowed login attempts to 3, but after 6 attempts, I never been blocked..Is this working correctly...Can Gamer help please?

Busy at the moment remind me in a couple weeks.

Any help before that would be Nice :-)

Hi VBgamer
I want to use this mod but have other Security mods pre-installed
2 files I am having problems with is this
./Sources/LogInOut.php
This part of the code is OK. silly thing is missing the "." at the end of the sentence >  in my template
// Login Security Mod
if (isset($_REQUEST['securelogin']))
{
$_SESSION['secureloginhash'] = $_REQUEST['securelogin'];
}

// End Login Security Mod

// Set the login URL - will be used when the login process is done.
this part I have problems with
// Challenge passed.
elseif ($_REQUEST['hash_passwrd'] == sha1($user_settings['passwd'] . $sc))
$sha_passwd = $user_settings['passwd'];
else
{
// Login Security Mod
require_once($sourcedir . '/Subs-LoginSecurity2.php');

// They failed login....
AddLoginFailure($user_settings['id_member']);

$loginSecurityErrorLogged = true;

// End Login Security Mod
and this part of the code in
./Themes/default/Profile.template.php
// Something to end with?
if (!empty($field['postinput']))
echo '
', $field['postinput'];

echo '
</td>
</tr>';

// Login Security Mod
if ($modSettings['ls_allow_ip_security'] && $key == 'real_name')
{
global $user_info;

echo '<tr>
<td><b>', $txt['ls_ip_address_protection'], ':</b></td>
<td>'
,$txt['ls_current_ip_address'],$user_info['ip'],'<br />
<br />
<input type="text" name="allowedips" size="30" value="', @$context['allowedips'], '" />
<br /><span class="smalltext">',$txt['ls_ip_address_protection_note'],'</span>
</td>
</tr>';
}

// End Login Security

// Allow the administrator to change the date they registered on and their post count.

instead of trying to show you my code and you tell me what to edit I thought might be easyer for you just
to have a look at it, so a attached the two files for you....
No rush buddy do it when you can, I will leave the install till you have time to have a look at the files

cheers

Hi,
does this email the user or the admin on the failed login attempts?

Emails the user.

Brilliant mod! Helped me censure people sharing accounts without completely banning them. Thanks very much.

Quote from: qtime on October 30, 2009, 09:05:50 AM
Is it possible to enter more trusted IP's? or a range, using 127.*.*.* ?

Here's a hack to allow a range on the IP's fourth byte i.e. 127.123.123.*. The code is pretty obvious so you should be able to expand it for *.*.*
SMF 1.1.16, Mod 1.0.2.2
sources/Subs-LoginSecurity.php
Find // Check if we have IP Security turned on
if (empty($modSettings['ls_allow_ip_security']))
return true;

// Get user's ip
$ip = $user_info['ip'];

Replace with // Check if we have IP Security turned on
if (empty($modSettings['ls_allow_ip_security']))
return true;

// Get user's ip
$ip = $user_info['ip'];
// FLOYDPINK INSERT - IP Range Check; Create nnn.nnn.nnn.*
$ip_range=substr($ip, 0, strrpos($ip, ".")+1) . "*";

Find // IP's where found make a list
$ipArray = explode(",",$ipRow['allowedips']);

if (in_array($ip, $ipArray) == true)
return true;

Replace with // IP's where found make a list
$ipArray = explode(",",$ipRow['allowedips']);

if (in_array($ip, $ipArray) == true)
return true;
// FLOYDPINK INSERT - IP Range Check
elseif (in_array($ip_range, $ipArray) == true)
return true;


Here's a couple of enhancements that might also be useful.

Insert error message using restricted member's id rather than guest so that error appears in member's profile
SMF 1.1.16, Mod 1.0.2.2
sources/Subs-LoginSecurity.php
Find // Maybe they get a bypass link or not???
if (CheckForSecureLoginLink($memberID) == false)
{
// IP not found give them a big error message!
$loginInText = str_replace("%link", $scripturl . '?action=login2;sa=securelink;mem=' . $memberID, $txt['ls_invalid_ip']);

Add After // FLOYDPINK INSERT - Force log_errors to insert record for attempted login user rather than guest
global $ID_MEMBER;
$ID_MEMBER = $memberID;


Display IP Restriction on profile summary
sources/profile.php
Find // They haven't even been registered for a full day!?
$days_registered = (int) ((time() - $user_profile[$memID]['dateRegistered']) / (3600 * 24));
if (empty($user_profile[$memID]['dateRegistered']) || $days_registered < 1)
$context['member']['posts_per_day'] = $txt[470];
else
$context['member']['posts_per_day'] = comma_format($context['member']['real_posts'] / $days_registered, 3);

Add Before // FLOYDPINK INSERT - Login Security Restriction
// Login Security
$allowedips = '';
if ($modSettings['ls_allow_ip_security'])
{
global $db_prefix;
$dbresult = db_query("
SELECT
allowedips
FROM {$db_prefix}login_security
WHERE ID_MEMBER = " . $memID, __FILE__, __LINE__);
$numRows = mysql_num_rows($dbresult);
// We are not going to do anything since they don't have any settings defined
if ($numRows != 0)
{

$ipRow = mysql_fetch_assoc($dbresult);
$allowedips = $ipRow['allowedips'];
}
mysql_free_result($dbresult);

}
// End Login Security


themes/default/profile.template.php
Find // If the person looking is allowed, they can check the members IP address and hostname.
if ($context['can_see_ip'])
{
echo '
<tr>
<td width="40%">
<b>', $txt[512], ': </b>
</td><td>
<a href="', $scripturl, '?action=trackip;searchip=', $context['member']['ip'], '" target="_blank">', $context['member']['ip'], '</a>
</td>
</tr><tr>
<td width="40%">
<b>', $txt['hostname'], ': </b>
</td><td width="55%">
<div title="', $context['member']['hostname'], '" style="width: 100%; overflow: hidden; font-style: italic;">', $context['member']['hostname'], '</div>
</td>
</tr>';

Add After // FLOYDPINK INSERT - Login Security Restriction
if (!empty($context['member']['allowedips']))
echo '
<tr>
<td width="40%"></td><td>
<span style="color: red;font-size: small;">Login restricted to ', $context['member']['allowedips'], '</span>
</td>
</tr>';

Note: The coded message 'Login restricted to ' should really be moved to a language file to allow multi-language support

Thanks floydpink for the code snippets I really like the ip range to allow access.

Here's some code that restricts the USE of an account to the IP not just the login.
It specifically addresses the situation where someone uses a mobile device to login 'forever' using the prescribed IP and then takes that mobile device elsewhere and is able to access the forum using a non-prescribed IP (WFI hotspot , 3G etc.) because the SMF session is still valid.
It might not have much use for a user who sets their own restriction but is a powerful tool for an administrator wanting to place the restriction e.g. if it is established that a user is allowing an unauthorised third party to view private areas of a forum using the mobile device, the restriction limits that user's access to an IP that has been established as being a bona-fide IP at which that user is known to be the real user.
Initially, the user sees the login error message after which they are redirected to the login page.
Notes: The code has been developed with the 'secure login' function disabled - so a user's ability to reset the restriciton via email may be affected -  and is based on the security.php 'is_not_banned' function.

SMF 1.1.16, Mod 1.0.2.2
/index.php
Find
// Check if the user should be disallowed access.
is_not_banned();

Add After

// Floydpink INSERT - Login Security - Restrict usage
global $ID_MEMBER;
if(isset($ID_MEMBER) && !$user_info['is_guest'])
{
require_once($sourcedir . '/Subs-LoginSecurity.php');
CheckAllowedIP($ID_MEMBER);
}


sources/Subs-LoginSecurity.php
Find
global $txt, $db_prefix, $modSettings, $scripturl, $user_info;

Add After
global $ID_MEMBER, $sourcedir; //Floydpink INSERT - Login Security - Restrict usage

Find
// Check if we have IP Security turned on
if (empty($modSettings['ls_allow_ip_security']))
return true;

Add After

// Floydpink INSERT - Login Security - Restrict usage
if (isset($_SESSION['ipchecked']['notallowed']) && $_SESSION['ipchecked']['notallowed'] && !$user_info['is_guest'])
{
$_SESSION['logout_url'] = 'action=login';
require_once($sourcedir . '/LogInOut.php');
Logout(true);
}
elseif (!isset($_SESSION['ipchecked']['ID_MEMBER']) || $_SESSION['ipchecked']['ID_MEMBER'] != $ID_MEMBER || $_SESSION['ipchecked']['ip'] != $user_info['ip'])
{
$_SESSION['ipchecked'] = array(
'ID_MEMBER' => $ID_MEMBER,
'ip' => $user_info['ip'],
'notallowed' => 0,
);
// Floydpink END INSERT

Find
$loginInText = str_replace("%link", $scripturl . '?action=login2;sa=securelink;mem=' . $memberID, $txt['ls_invalid_ip']);

// Log error needed because we are including html link!!!
log_error($loginInText);

Add After
// Floydpink INSERT - Login Security - Restrict usage
$_SESSION['ipchecked'] = array(
'notallowed' => true,
);

Find
// Display error
fatal_error($loginInText,false);

}
}

Add After
} // Floydpink INSERT - Login Security - Restrict usage


love the mod only 1 issue, ip locking only lasts a couple days before the ips are pruned out?

Something i would like to see is a log file created of failed login attempts, for Admins to review, showing the login info given, IP, time, and if they were locked out. It does me no good to protect my users if i do not know that someone is trying to crack their account.

The Mod looks good, although i may attempt to modify it to suit my needs and wants if there is not an update that does so.

QuoteSomething i would like to see is a log file created of failed login attempts, for Admins to review, showing the login info given, IP, time, and if they were locked out.

That would be called the error log.

Hi,

I've just installed the mod under 2.0.7

I'm getting email notificatiosn, which is gerat but teh account is not being barred and there are no user profile settings. Help please!

What settings did you set for the mod

The defaults I think.

Number of allowed login attempts - 5
Login attempt check time range in minutes - 60
Account locked retry minutes - 15
Send email on failed login attempt -  tick
- tickAllow users to protect their account by ip address
Secure Login Link Expire time in minutes - 30

OK, ive installed on a test system

What Im seeing now is that my admin account is seeing the lockdown account IP address in account settings but ordinary users dont. Are permissions involved?

"Last Modified: Yesterday at 01:05:13 AM"

"You are able to bind an account to an ip address or multiple ip addressed preventing people from logging into the account if they are not in the user's allowed ip addresses. Set via the user's profile."

will that work by ip classes and cidr's?
or does it require the entire ip and must be as auto read by the systems?


what i am getting at is,
can it be manually changed and use a more broad ip format, for users who do not have a static ip (A,B,C,D wildcard and cidr formats)
ie, 1.2.*.* or 1.2.0.0/16 instead of 1.2.3.4

At the moment it just does the exact ip address and multiple ip addresses separated by a comma.

Ok
thankyou VB

and thankyou for all the mods you dev

What would be really cool is if you could make it so that there is no alert to administration unless the user clicks on a report link, which would be in the email they receive. The only thing the user would need to do is click the "report hack attempt" link.

I don't understand. If login fails it is only sent to the member owner not the administration.

VB, I haven't tried your mod but let me make one suggestion. Have you thought about removing the ability to log in via username. I done this to my SMF forums for years.

One reason I do this is because anyone can figure out someones username and try to login via it, but an email address, people tend to keep that stuff a secret.

Find this line in LogInOut.php
// You forgot to type your username, dummy!
if (!isset($_POST['user']) || $_POST['user'] == '')
{
$context['login_errors'] = array($txt['need_username']);
return;
}

Add before
// Must be a email address NEND
if (!isset($_POST['user']) || $_POST['user'] == '' || !filter_var($_POST['user'], FILTER_VALIDATE_EMAIL) === true) {
$context['login_errors'] = array($txt['need_valid_email']);
return;
}

You will have to replace a few language strings with the mod, but works perfect for my sites. ;)

Haven't thought about it but would be a neat idea.

Hey,

   I'm having an issue that I was unaware of till today, and tried with my test account, When I FAIL the Log-in And have the E-mail sent with the secure log-in link, It cycles me right back to the Account Locked, Click for Secure log-In E-mail, So Basically your locked out till the time limit expires....

I've Uninstalled the MOD and Re-Installed With no errors. My Settings Are:

Number of allowed login attempts 3
Login attempt check time range in minutes 60
Account locked retry minutes 15
Send email on failed login attempt (Checked)
Allow users to protect their account by ip address (Checked)
Secure Login Link Expire time in minutes 30

Any Idea On this, These are my Installed Mods:

1.  Login Security 1.0.3 [ Uninstall ]
2. @mention members 1.1.3 [ Uninstall ]
3. Tagging System 3.0 [ Uninstall ]
4. Generic Avatars 1.11 [ Uninstall ]
5. Responsive Curve 1.0.0 [ Uninstall ]
6. EzPortal 3.1 [ Uninstall ]
7. Email Inactive Users 1.1.1 [ Uninstall ]
8. SA Chat 1.0a1 Rev120 [ Uninstall ]
9. reCAPTCHA for SMF 1.0.0 [ Uninstall ]
10. Disable Right Click 4.1.2 [ Uninstall ]
11. Enhanced PM Popup 1.0.1 [ Uninstall ]
12. PM Attachments 1.6 [ Uninstall ]
13. Annoy User 1.2.4 [ Uninstall ]
14. nCode Image Resizer 1.4 [ Uninstall ]
15. Default Avatar 1.1.1 [ Uninstall ]
16. InLine Attachments 1.2.1 [ Uninstall ]
17. Voter Visibility 2.1 [ Uninstall ]
18. SA Twitter 1.2 [ Uninstall ]
19. Show Number of Errors at Top of Forum 1.1.2 [ Uninstall ]
20. KeyCAPTCHA for SMF 2.11 [ Uninstall ]
21. Treasury 2.12 [ Uninstall ]
22. Ad Managment 3.2 [ Uninstall ]
23. E-Arcade 3.0 [ Uninstall ]
24. Share this topic - SMF Mod 1.3 [ Uninstall ]
25. Stop Spammer 2.3.9 [ Uninstall ]
26. Code Highlighting 1.0 [ Uninstall ]
27. Highslide 4 SMF 0.8.1 [ Uninstall ]
28. SA GPlus 0.3 REV 9 [ Uninstall ]
29. Register Redirect 1.0 [ Uninstall ]
30. Membergroup ID with Group Name 1.1 [ Uninstall ]
31. Default_Membergroup 2.0 [ Uninstall ]
32. Block Email Usernames 0.4.2 [ Uninstall ]
33. httpBL 2.5.1 [ Uninstall ]
34. Topic Solved 1.1.1 [ Uninstall ]
35. Say Thanks 1.3 [ Uninstall ]
36. Downloads System 2.5 [ Uninstall ]
37. ICAP: Info Center Access Permission 1.0.0 [ Uninstall ]
38. Users mass actions 0.1.1 [ Uninstall ]
39. SA Facebook 3.0

Running SMF 2.0.11

Thanks For any help on this.

Mike

EDIT:

The Secure link takes me BACK to the regular Log-In Screen, Not sure if that's how it's supposed to work or not...

Look into the  CheckForSecureLoginLink($memberID) function
and the login_security database table

The system works best on a session variable stored in secureloginhash

Quote from: vbgamer45 on June 04, 2016, 04:09:20 PM
Look into the  CheckForSecureLoginLink($memberID) function
and the login_security database table

The system works best on a session variable stored in secureloginhash

Ok I checked out the Database Entries, And For MY Account, there is a secureloginhash, I'm Assuming that that whole field is a copy of the Members (looks like it), Can you direct me on the "CheckForSecureLoginLink($memberID) function" where to look..

Sorry I haven't had much time to look into this I'm here in SE Texas,  So Floods/House/Cars/Feed Stray Cats+Dogs needed done....

Take your time, I use I few of your MODS and I know you have a life, I Uninstalled for now, they can reset the password if need be...

Thanks,

Mike

Actually one of my members said the same thing that the secure login doesn't work, it told her it had timed out the first try and then when she got a new one sent it said the same thing. She finally got in but she had to wait for the lockout to expire.

Quote from: joelstoner on February 24, 2013, 03:15:47 PM
Something i would like to see is a log file created of failed login attempts, for Admins to review, showing the login info given, IP, time, and if they were locked out. It does me no good to protect my users if i do not know that someone is trying to crack their account.

The Mod looks good, although i may attempt to modify it to suit my needs and wants if there is not an update that does so.

I would like users to be notified within SMF if someone is trying to hack their account, and I would also like the administrator (me) to be notified if attacks on any accounts are detected.

Quote from: nend on October 16, 2015, 09:31:47 PM
VB, I haven't tried your mod but let me make one suggestion. Have you thought about removing the ability to log in via username. I done this to my SMF forums for years.

One reason I do this is because anyone can figure out someones username and try to login via it, but an email address, people tend to keep that stuff a secret.

Find this line in LogInOut.php

Code Select Expand

// You forgot to type your username, dummy!
if (!isset($_POST['user']) || $_POST['user'] == '')
{
$context['login_errors'] = array($txt['need_username']);
return;
}

Add before

Code Select Expand

// Must be a email address NEND
if (!isset($_POST['user']) || $_POST['user'] == '' || !filter_var($_POST['user'], FILTER_VALIDATE_EMAIL) === true) {
$context['login_errors'] = array($txt['need_valid_email']);
return;
}

You will have to replace a few language strings with the mod, but works perfect for my sites. ;)

This is such a good idea, I think it ought to be a standard feature for SMF. It greatly increases the difficulty of hacking a user's account if the user's publicly visible forum name is NOT also their account username. Why didn't I think of this?

Considering that it has been a standard feature since forever in SMF to have a different username vs display name... It just requires the user to opt into it. My login is not Arantor, for example ;)

I didn't think of it! If it were the default behavior, I wouldn't have to. Security is hard. Putting the burden of thinking about security on the users always fails eventually, even if the users are security experts. Enforcing nend's methods in SMF would be a large improvement in security, for relatively little cost.

Hi

I'm having a problem where users don't have the option to add an ip to their account. Only administrators are able to do so. Where do I specify whether a group should have access to this feature? It is already enabled in the admin settings. Screenshots: screenshot1 (http://image.prntscr.com/image/82d007d817a1497a89b8dc0c512e884c.png), screenshot2 (http://image.prntscr.com/image/14f3d515734f4e2bb5730ade0e91c8d1.png)

Update for SMF 2.0.x
1.0.4
!Fixed issue where notifications didn't have a message-id in the email sent.

+Added support for SMF 2.1.x

Thanks for this MOD.

I've tested that once.

After having entered my password incorrectly several times, I got the same email 4 times.

There is a setting in the admin area.
Yes you get notified via email on each password attempt fail.

Ok thx.  ;)

Question :)

I installed this on a test server everything works great. If an admin loses access to their email and is locked out, how can the admin log back into the forum? Might be a dumb question.  ::)

They would have to change the email via the database.

Quote from: vbgamer45 on February 02, 2021, 01:14:05 PM
They would have to change the email via the database.

@vbgamer45 thank you congrats for making a nifty, little mod.  ;)

Hello, the mod looks perfect for my needs.

Can you set it to send an email to my admin account to be made aware of any failed attempts, or does it only email to the account in question?

I believe it only does the person in question.

Hi, I installed this mod a few days ago. Since the installation, I am getting the following (undefined)error when I'm looking into the log section of SMF: "Undefined array key "ls_login_security"".
I can not uninstall the mod, because the test fails at the "./Sources/LogInOut.php"-File.
Does anybody know, how to safely remove this mod? I'm using SMF 2.1.3.
Thanks for your help!

What line and file is the is_login_security security mod.
To remove if there are other mods installed after uninstall them first if they modify the login area.

Hi, thank you for your reply. I think I could solve the issue- I uninstalled "Login Security" first, then downloaded SMF 2.1.3 from the website, and then replaced the "LogInOut.php" file on the server with the "LogInOut.php" from the downloaded files.

1.0.5 Update
!Clear the lock out time if they used a secure login link successfully.

Hi.

I am having an issue with my forum so I thought I would uninstall this mod to make sure it wasn't the cause. But I get an error when doing so ...

Screenshot 2025-03-02 180941.png

Screenshot 2025-03-02 181010.png

I have uninstalled every mode that was installed after Login Security and I am still getting this error.

The language file is safe to ignore.

I would try to do the other edit manually.