Simple Machines Community Forum

SMF Support => SMF 2.1.x Support => Topic started by: BeberGold on December 29, 2022, 02:08:53 AM

Title: Brute force detection (password attacks)
Post by: BeberGold on December 29, 2022, 02:08:53 AM
Hi,

This topic is about brute force, password attacks.

For example, it can be when
1. a single IP address tries several passwords on one user account or multiple accounts
2. several IP addresses target the same account (attempting to guess the password)

Does SMF have a detection for it please?
And perhaps a way to block temporarily an IP address from trying to log in?

Thank you.
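The two patterns described in this post can be picked out of an authentication log offline, independently of whatever SMF does in-line. The following is an added example and not SMF code: it parses a constructed log format (the `ip=... user=... result=...` line shape, the thresholds and the sample addresses are all assumptions) and reports IPs with many failures and accounts hit from many distinct IPs.

```python
"""Detect the two credential-guessing patterns from the post over auth log lines.

Added example, not SMF's own logging or detection code. The log line format,
the thresholds and the sample lines below are assumptions made for illustration.
Format: <ISO timestamp> ip=<addr> user=<name> result=<ok|fail>
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample lines; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-12-29T02:08:01Z ip=203.0.113.5 user=alice result=fail
2022-12-29T02:08:02Z ip=203.0.113.5 user=alice result=fail
2022-12-29T02:08:03Z ip=203.0.113.5 user=bob result=fail
2022-12-29T02:08:04Z ip=203.0.113.5 user=carol result=fail
2022-12-29T02:08:05Z ip=203.0.113.5 user=dave result=fail
2022-12-29T02:08:10Z ip=198.51.100.1 user=admin result=fail
2022-12-29T02:08:11Z ip=198.51.100.2 user=admin result=fail
2022-12-29T02:08:12Z ip=198.51.100.3 user=admin result=fail
2022-12-29T02:08:13Z ip=198.51.100.4 user=admin result=fail
2022-12-29T02:09:00Z ip=192.0.2.10 user=erin result=fail
2022-12-29T02:09:05Z ip=192.0.2.10 user=erin result=ok
"""


def parse_log(text):
    """Yield (ip, user, result) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")


def detect_patterns(text, ip_fail_threshold=5, distinct_ip_threshold=3):
    """Return IPs and accounts matching the two patterns from the post.

    Pattern 1: one IP with >= ip_fail_threshold failed logins (one or many accounts).
    Pattern 2: one account with failures from >= distinct_ip_threshold distinct IPs.
    """
    fails_by_ip = defaultdict(int)
    ips_by_user = defaultdict(set)
    for ip, user, result in parse_log(text):
        if result != "fail":
            continue  # only failures count towards either pattern
        fails_by_ip[ip] += 1
        ips_by_user[user].add(ip)
    noisy_ips = sorted(ip for ip, n in fails_by_ip.items() if n >= ip_fail_threshold)
    targeted = sorted(u for u, ips in ips_by_user.items() if len(ips) >= distinct_ip_threshold)
    return {"noisy_ips": noisy_ips, "targeted_accounts": targeted}


if __name__ == "__main__":
    # Flags 203.0.113.5 (five failures) and "admin" (four distinct source IPs).
    print(detect_patterns(SAMPLE_LOG))
```

The thresholds are deliberately parameters: a forum with many users behind one NAT address will need a higher per-IP threshold than a small private board, and the distinct-IP rule is the one that catches the slow, distributed guessing that a per-IP counter misses.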
Title: Re: Brute force detection (password attacks)
Post by: Aleksi "Lex" Kilpinen on December 29, 2022, 10:58:25 AM
There is logic in SMF to offer some level of protection, and to redirect a user after failed attempts, but off the top of my head I can't really offer a more detailed description. The initial redirect threshold is configurable.
Title: Re: Brute force detection (password attacks)
Post by: BeberGold on December 29, 2022, 12:07:24 PM
Quote from: Aleksi "Lex" Kilpinen on December 29, 2022, 10:58:25 AM
There is logic in SMF to offer some level of protection, and to redirect a user after failed attempts, but off the top of my head I can't really offer a more detailed description. The initial redirect threshold is configurable.

This redirection is new to me. Would you know where to find it in the administration panel please?

Apologies if the next question sounds stupid. It is just I would like to better understand what you have in mind. In what way would the redirection be a protection?
Title: Re: Brute force detection (password attacks)
Post by: Aleksi "Lex" Kilpinen on December 29, 2022, 12:19:44 PM
It's "Failed login threshold" under "Security" in the admin control panel.
It will redirect a user to the "Forgot password" page after a set amount of failed login attempts,
interrupting the normal login process.
Title: Re: Brute force detection (password attacks)
Post by: shawnb61 on December 29, 2022, 01:38:39 PM
In addition to that, there is password flood detection & control.

If we detect multiple attempts within a 10 second window, we don't even let them know if they get it right...

For more info, look at validatePasswordFlood() in LogInOut.php.
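To make the two controls described in the last replies concrete (a failed-login threshold that sends the user to password reset, and a flood window inside which a correct password is not acknowledged), here is an added toy login guard. It is not SMF's validatePasswordFlood() or its threshold code, and the class, its return values, the 10-second window, the threshold of 3 and the sample credential store are all assumptions for illustration.

```python
"""Toy login guard showing a failed-login threshold plus a flood window.

Added example, not SMF's own code: the LoginGuard class, its return values,
the constants and the USERS store are assumptions made for illustration.
"""
import hmac
from collections import defaultdict

FLOOD_WINDOW_SECONDS = 10   # attempts closer together than this are treated as a flood
FAILED_LOGIN_THRESHOLD = 3  # after this many failures, send the user to password reset

# Constructed credential store; plain strings only to keep the example short.
USERS = {"alice": "correct horse"}


class LoginGuard:
    def __init__(self, window=FLOOD_WINDOW_SECONDS, threshold=FAILED_LOGIN_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.last_attempt = {}            # account -> time of the previous attempt
        self.failures = defaultdict(int)  # account -> consecutive failed attempts

    def attempt(self, account, password, now):
        """Return 'ok', 'fail', 'flood' or 'redirect_reset' for one login attempt."""
        last = self.last_attempt.get(account)
        self.last_attempt[account] = now
        # Flood control: a second attempt inside the window gets a generic answer
        # even if the password is right, so a guesser cannot tell a hit from a miss.
        if last is not None and now - last < self.window:
            self.failures[account] += 1
            return "flood"
        expected = USERS.get(account)
        # Constant-time comparison so the response time does not leak how close the guess was.
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        # Failed-login threshold: interrupt the normal login flow with the reset page.
        if self.failures[account] >= self.threshold:
            return "redirect_reset"
        return "fail"


def scenario():
    """Walk one account through a flood, the threshold and a later clean login."""
    g = LoginGuard()
    return [
        g.attempt("alice", "wrong", now=0),           # first miss
        g.attempt("alice", "correct horse", now=5),   # right password, but 5 s later: flood
        g.attempt("alice", "wrong", now=20),          # third strike: sent to password reset
        g.attempt("alice", "correct horse", now=40),  # well outside the window: accepted
    ]


if __name__ == "__main__":
    print(scenario())
```

Two design points are worth noting. The flood answer is returned before the password is even checked, which is what makes the 10-second window useful against automated guessing: the attacker cannot distinguish "throttled" from "wrong". And the counter is keyed per account rather than per IP, so it still engages when many addresses target one account, the second pattern from the opening post.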
Title: Re: Brute force detection (password attacks)
Post by: BeberGold on December 29, 2022, 01:47:57 PM
Quote from: Aleksi "Lex" Kilpinen on December 29, 2022, 12:19:44 PM
It's "Failed login threshold" under "Security" in the admin control panel.
It will redirect a user to the "Forgot password" page after a set amount of failed login attempts,
interrupting the normal login process.

Thank you for this.

Quote from: shawnb61 on December 29, 2022, 01:38:39 PM
In addition to that, there is password flood detection & control.

If we detect multiple attempts within a 10 second window, we don't even let them know if they get it right...

For more info, look at validatePasswordFlood() in LogInOut.php.

You are asking me to look at code. Is there a GUI option to adjust the time window of this feature?
If not, maybe it is something which could be added in future updates and therefore treated as a feature request?
Title: Re: Brute force detection (password attacks)
Post by: shawnb61 on December 29, 2022, 01:50:14 PM
Quote from: BeberGold on December 29, 2022, 01:47:57 PM
You are asking me to look at code. Is there a GUI option to adjust the time window of this feature?
If not, maybe it is something which could be added in future updates and therefore treated as a feature request?

No, these are not user-controllable parameters at this time.

Feel free to log a request in the Requests board:
https://www.simplemachines.org/community/index.php?board=3.0
Title: Re: Brute force detection (password attacks)
Post by: BeberGold on December 29, 2022, 04:00:12 PM
Quote from: shawnb61 on December 29, 2022, 01:50:14 PM
No, these are not user-controllable parameters at this time.

Feel free to log a request in the Requests board:
https://www.simplemachines.org/community/index.php?board=3.0

Good idea.

One more way would be to force people to use CAPTCHA either after a few consecutive login failures or when the source of the login attempt is suspicious.
Title: Re: Brute force detection (password attacks)
Post by: Kindred on December 29, 2022, 08:17:11 PM
Captcha is useless. The bots figured it out years ago.