Login Security

Started by SMFHacks.com Team, October 14, 2009, 02:20:27 PM

blunted

love the mod only 1 issue, ip locking only lasts a couple days before the ips are pruned out?

joelstoner

Something i would like to see is a log file created of failed login attempts, for Admins to review, showing the login info given, IP, time, and if they were locked out. It does me no good to protect my users if i do not know that someone is trying to crack their account.

The Mod looks good, although i may attempt to modify it to suit my needs and wants if there is not an update that does so.

Arantor

Quote: Something i would like to see is a log file created of failed login attempts, for Admins to review, showing the login info given, IP, time, and if they were locked out.

That would be called the error log.

marjorie

Hi,

I've just installed the mod under 2.0.7

I'm getting email notifications, which is great but the account is not being barred and there are no user profile settings. Help please!

vbgamer45

Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

marjorie

The defaults I think.

Number of allowed login attempts - 5
Login attempt check time range in minutes - 60
Account locked retry minutes - 15
Send email on failed login attempt -  tick
Allow users to protect their account by ip address - tick
Secure Login Link Expire time in minutes - 30

OK, I've installed on a test system

What I'm seeing now is that my admin account is seeing the lockdown account IP address in account settings but ordinary users don't. Are permissions involved?
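
One way the three lockout settings listed above could drive a lockout decision, together with the failed-login record requested earlier in the thread (login name, IP, time, locked or not), as an added example that is not the mod's own code. The class name `LoginThrottle`, its in-memory storage and the exact trigger rule are assumptions.

```php
<?php
// Added example: hypothetical class, not code from the Login Security mod.
// Assumes PHP 8.0+ and that the lock triggers on the Nth failure inside the window.
final class LoginThrottle
{
    private array $failures = [];    // account => timestamps of recent failures
    private array $lockedUntil = []; // account => unix time the lock ends

    public function __construct(
        private int $maxAttempts = 5,    // "Number of allowed login attempts"
        private int $windowMinutes = 60, // "Login attempt check time range in minutes"
        private int $lockMinutes = 15    // "Account locked retry minutes"
    ) {
    }

    public function isLocked(string $account, int $now): bool
    {
        return ($this->lockedUntil[$account] ?? 0) > $now;
    }

    /** Record a failed login and return the audit entry (the password is never logged). */
    public function recordFailure(string $account, string $ip, int $now): array
    {
        // Keep only failures that still fall inside the check window
        $cutoff = $now - $this->windowMinutes * 60;
        $recent = array_filter($this->failures[$account] ?? [], fn ($t) => $t > $cutoff);
        $recent[] = $now;
        if (count($recent) >= $this->maxAttempts) {
            $this->lockedUntil[$account] = $now + $this->lockMinutes * 60;
            $recent = []; // counting restarts once the lock is set
        }
        $this->failures[$account] = array_values($recent);
        return [
            'time' => gmdate('c', $now),
            'account' => $account,
            'ip' => $ip,
            'locked' => $this->isLocked($account, $now),
        ];
    }
}

// Constructed scenario: six bad logins, one minute apart, from a documentation-range IP
$throttle = new LoginThrottle();
$start = 1700000000;
for ($i = 0; $i < 6; $i++) {
    echo json_encode($throttle->recordFailure('alice', '203.0.113.7', $start + 60 * $i)), "\n";
}
```

Each returned entry is one line an admin could review; a real forum would keep both the counters and the entries in a database table rather than in memory.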

byproduct

"Last Modified: Yesterday at 01:05:13 AM"

"You are able to bind an account to an ip address or multiple ip addresses preventing people from logging into the account if they are not in the user's allowed ip addresses. Set via the user's profile."

will that work by ip classes and cidr's?
or does it require the entire ip and must be as auto read by the systems?


what i am getting at is,
can it be manually changed and use a more broad ip format, for users who do not have a static ip (A,B,C,D wildcard and cidr formats)
ie, 1.2.*.* or 1.2.0.0/16 instead of 1.2.3.4




vbgamer45

At the moment it just does the exact ip address and multiple ip addresses separated by a comma.
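
What the wildcard and CIDR matching asked about above could look like, as an added example that is not part of the thread or of the Login Security mod's code. The function names `ipAllowed` and `prefixMatch` are hypothetical, the comma-separated list format follows the reply above, and the addresses are constructed from documentation ranges.

```php
<?php
// Added example: hypothetical helpers, not code from the Login Security mod.
/** True when the first $bits bits of two packed addresses are equal. */
function prefixMatch(string $a, string $b, int $bits): bool
{
    $bytes = intdiv($bits, 8);
    if (substr($a, 0, $bytes) !== substr($b, 0, $bytes)) {
        return false;
    }
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // high bits of the partial byte
    return $bits % 8 === 0 || (ord($a[$bytes]) & $mask) === (ord($b[$bytes]) & $mask);
}

/** Match $ip against a comma-separated list of exact IPs, a.b.*.* wildcards or CIDR blocks. */
function ipAllowed(string $ip, string $allowList): bool
{
    $ipBin = @inet_pton($ip);
    if ($ipBin === false) {
        return false; // unparsable client address: fail closed
    }
    foreach (array_map('trim', explode(',', $allowList)) as $entry) {
        // Rewrite trailing IPv4 wildcards as CIDR: 198.51.*.* becomes 198.51.0.0/16
        if (preg_match('/^(\d{1,3}(?:\.\d{1,3}){0,2})((?:\.\*){1,3})$/', $entry, $m)
            && substr_count($entry, '.') === 3) {
            $fixed = substr_count($m[1], '.') + 1;
            $entry = $m[1] . str_repeat('.0', 4 - $fixed) . '/' . ($fixed * 8);
        }
        [$net, $bits] = array_pad(explode('/', $entry, 2), 2, null);
        $netBin = @inet_pton($net);
        if ($netBin === false || strlen($netBin) !== strlen($ipBin)) {
            continue; // malformed entry or IPv4/IPv6 mismatch
        }
        $max = strlen($netBin) * 8;
        if ($bits !== null && (!ctype_digit($bits) || (int) $bits > $max)) {
            continue; // malformed prefix length: skip rather than widen
        }
        if (prefixMatch($ipBin, $netBin, $bits === null ? $max : (int) $bits)) {
            return true;
        }
    }
    return false;
}

// Constructed sample list using documentation address ranges
$list = '192.0.2.10, 198.51.*.*, 203.0.113.0/24, 2001:db8::/32';
foreach (['192.0.2.10', '192.0.2.11', '198.51.100.7', '203.0.113.200', '2001:db8::1'] as $ip) {
    printf("%-14s %s\n", $ip, ipAllowed($ip, $list) ? 'allowed' : 'denied');
}
```

Malformed entries are skipped instead of being treated as "match anything", so a typo in a user's list narrows access rather than widening it.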

byproduct

Ok
thank you VB

and thank you for all the mods you dev

CMOBOSS

What would be really cool is if you could make it so that there is no alert to administration unless the user clicks on a report link, which would be in the email they receive. The only thing the user would need to do is click the "report hack attempt" link.


vbgamer45

I don't understand. If login fails it is only sent to the member owner not the administration.

nend

VB, I haven't tried your mod but let me make one suggestion. Have you thought about removing the ability to log in via username. I have done this to my SMF forums for years.

One reason I do this is because anyone can figure out someone's username and try to login via it, but an email address, people tend to keep that stuff a secret.

Find this line in LogInOut.php
    // You forgot to type your username, dummy!
    if (!isset($_POST['user']) || $_POST['user'] == '')
    {
        $context['login_errors'] = array($txt['need_username']);
        return;
    }


Add before
    // Must be an email address NEND
    // Reject the login when the submitted name is missing, empty, or not a syntactically valid email address.
    if (!isset($_POST['user']) || $_POST['user'] == '' || filter_var($_POST['user'], FILTER_VALIDATE_EMAIL) === false) {
        $context['login_errors'] = array($txt['need_valid_email']);
        return;
    }


You will have to replace a few language strings with the mod, but works perfect for my sites. ;)

vbgamer45

Haven't thought about it but would be a neat idea.

Miker1029

Hey,

   I'm having an issue that I was unaware of till today, and tried with my test account, When I FAIL the Log-in And have the E-mail sent with the secure log-in link, It cycles me right back to the Account Locked, Click for Secure log-In E-mail, So Basically you're locked out till the time limit expires....

I've Uninstalled the MOD and Re-Installed With no errors. My Settings Are:

Number of allowed login attempts 3
Login attempt check time range in minutes 60
Account locked retry minutes 15
Send email on failed login attempt (Checked)
Allow users to protect their account by ip address (Checked)
Secure Login Link Expire time in minutes 30

Any Idea On this, These are my Installed Mods:

1.  Login Security 1.0.3 [ Uninstall ]
2. @mention members 1.1.3 [ Uninstall ]
3. Tagging System 3.0 [ Uninstall ]
4. Generic Avatars 1.11 [ Uninstall ]
5. Responsive Curve 1.0.0 [ Uninstall ]
6. EzPortal 3.1 [ Uninstall ]
7. Email Inactive Users 1.1.1 [ Uninstall ]
8. SA Chat 1.0a1 Rev120 [ Uninstall ]
9. reCAPTCHA for SMF 1.0.0 [ Uninstall ]
10. Disable Right Click 4.1.2 [ Uninstall ]
11. Enhanced PM Popup 1.0.1 [ Uninstall ]
12. PM Attachments 1.6 [ Uninstall ]
13. Annoy User 1.2.4 [ Uninstall ]
14. nCode Image Resizer 1.4 [ Uninstall ]
15. Default Avatar 1.1.1 [ Uninstall ]
16. InLine Attachments 1.2.1 [ Uninstall ]
17. Voter Visibility 2.1 [ Uninstall ]
18. SA Twitter 1.2 [ Uninstall ]
19. Show Number of Errors at Top of Forum 1.1.2 [ Uninstall ]
20. KeyCAPTCHA for SMF 2.11 [ Uninstall ]
21. Treasury 2.12 [ Uninstall ]
22. Ad Managment 3.2 [ Uninstall ]
23. E-Arcade 3.0 [ Uninstall ]
24. Share this topic - SMF Mod 1.3 [ Uninstall ]
25. Stop Spammer 2.3.9 [ Uninstall ]
26. Code Highlighting 1.0 [ Uninstall ]
27. Highslide 4 SMF 0.8.1 [ Uninstall ]
28. SA GPlus 0.3 REV 9 [ Uninstall ]
29. Register Redirect 1.0 [ Uninstall ]
30. Membergroup ID with Group Name 1.1 [ Uninstall ]
31. Default_Membergroup 2.0 [ Uninstall ]
32. Block Email Usernames 0.4.2 [ Uninstall ]
33. httpBL 2.5.1 [ Uninstall ]
34. Topic Solved 1.1.1 [ Uninstall ]
35. Say Thanks 1.3 [ Uninstall ]
36. Downloads System 2.5 [ Uninstall ]
37. ICAP: Info Center Access Permission 1.0.0 [ Uninstall ]
38. Users mass actions 0.1.1 [ Uninstall ]
39. SA Facebook 3.0


Running SMF 2.0.11

Thanks For any help on this.

Mike

EDIT:

The Secure link takes me BACK to the regular Log-In Screen, Not sure if that's how it's supposed to work or not...


vbgamer45

Look into the  CheckForSecureLoginLink($memberID) function
and the login_security database table

The system works best on a session variable stored in secureloginhash

Miker1029

Quote from: vbgamer45 on June 04, 2016, 04:09:20 PM
Look into the  CheckForSecureLoginLink($memberID) function
and the login_security database table

The system works best on a session variable stored in secureloginhash

Ok I checked out the Database Entries, And For MY Account, there is a secureloginhash, I'm Assuming that that whole field is a copy of the Members (looks like it), Can you direct me on the "CheckForSecureLoginLink($memberID) function" where to look..

Sorry I haven't had much time to look into this I'm here in SE Texas,  So Floods/House/Cars/Feed Stray Cats+Dogs needed done....

Take your time, I use a few of your MODS and I know you have a life, I Uninstalled for now, they can reset the password if need be...

Thanks,

Mike

Jade Elizabeth

Actually one of my members said the same thing that the secure login doesn't work, it told her it had timed out the first try and then when she got a new one sent it said the same thing. She finally got in but she had to wait for the lockout to expire.
Once proud Documentation Writer and Help Squad Leader | Check out my new adult coloring career: Color With Jade/Patreon.

badon

Quote from: joelstoner on February 24, 2013, 03:15:47 PM
Something i would like to see is a log file created of failed login attempts, for Admins to review, showing the login info given, IP, time, and if they were locked out. It does me no good to protect my users if i do not know that someone is trying to crack their account.

The Mod looks good, although i may attempt to modify it to suit my needs and wants if there is not an update that does so.

I would like users to be notified within SMF if someone is trying to hack their account, and I would also like the administrator (me) to be notified if attacks on any accounts are detected.

badon

Quote from: nend on October 16, 2015, 09:31:47 PM
VB, I haven't tried your mod but let me make one suggestion. Have you thought about removing the ability to log in via username. I have done this to my SMF forums for years.

One reason I do this is because anyone can figure out someone's username and try to login via it, but an email address, people tend to keep that stuff a secret.

Find this line in LogInOut.php
    // You forgot to type your username, dummy!
    if (!isset($_POST['user']) || $_POST['user'] == '')
    {
        $context['login_errors'] = array($txt['need_username']);
        return;
    }


Add before
    // Must be an email address NEND
    // Reject the login when the submitted name is missing, empty, or not a syntactically valid email address.
    if (!isset($_POST['user']) || $_POST['user'] == '' || filter_var($_POST['user'], FILTER_VALIDATE_EMAIL) === false) {
        $context['login_errors'] = array($txt['need_valid_email']);
        return;
    }


You will have to replace a few language strings with the mod, but works perfect for my sites. ;)

This is such a good idea, I think it ought to be a standard feature for SMF. It greatly increases the difficulty of hacking a user's account if the user's publicly visible forum name is NOT also their account username. Why didn't I think of this?

Arantor

Considering that it has been a standard feature since forever in SMF to have a different username vs display name... It just requires the user to opt into it. My login is not Arantor, for example ;)
