News:

SMF 2.1.4 has been released! Take it for a spin! Read more.

Main Menu

Brute force detection (password attacks)

Started by BeberGold, December 29, 2022, 02:08:53 AM

Previous topic - Next topic

BeberGold

Hi,

This topic is about brute force, password attacks.

For example, it can be when
1. a single IP address tries several passwords on one user account or multiple accounts
2. several IP addresses target the same account (attempting to guess the password)

Does SMF have a detection for it please?
And perhaps a way to block temporarily an IP address from trying to log in?

Thank you.

Aleksi "Lex" Kilpinen

There is logic in SMF to offer some level of protection, and to redirect a user after failed attempts, but off the top of my head I can't really offer a more detailed description. The initial redirect threshold is configurable.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

BeberGold

Quote from: Aleksi "Lex" Kilpinen on December 29, 2022, 10:58:25 AMThere is logic in SMF to offer some level of protection, and to redirect a user after failed attempts, but off the top of my head I can't really offer a more detailed description. The initial redirect threshold is configurable.

This redirection is new to me. Would you know where to find it in the administration panel please?

Apologies if the next question sounds stupid. It is just I would like to better understand what you have in mind. In what way would the redirection be a protection?

Aleksi "Lex" Kilpinen

It's "Failed login threshold" under "Security" in the admin control panel.
It will redirect a user to the "Forgot password" page after a set amount of failed login attempts,
interrupting the normal login process.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

shawnb61

In addition to that, there is password flood detection & control.

If we detect multiple attempts within a 10 second window, we don't even let them know if they get it right...

For more info, look at validatePasswordFlood() in LogInOut.php.
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

BeberGold

Quote from: Aleksi "Lex" Kilpinen on December 29, 2022, 12:19:44 PMIt's "Failed login threshold" under "Security" in the admin control panel.
It will redirect a user to the "Forgot password" page after a set amount of failed login attempts,
interrupting the normal login process.

Thank you for this.

Quote from: shawnb61 on December 29, 2022, 01:38:39 PMIn addition to that, there is password flood detection & control.

If we detect multiple attempts within a 10 second window, we don't even let them know if they get it right...

For more info, look at validatePasswordFlood() in LogInOut.php.

You are asking me to look at code. Is there a GUI option to adjust the time window of this feature?
If not, maybe it is something which could be added in future updates and therefore treated as a feature request?

shawnb61

Quote from: BeberGold on December 29, 2022, 01:47:57 PMYou are asking me to look at code. Is there a GUI option to adjust the time window of this feature?
If not, maybe it is something which could be added in future updates and therefore treated as a feature request?

No, these are not user-controllable parameters at this time. 

Feel free to log a request in the Requests board:
https://www.simplemachines.org/community/index.php?board=3.0
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

BeberGold

Quote from: shawnb61 on December 29, 2022, 01:50:14 PMNo, these are not user-controllable parameters at this time. 

Feel free to log a request in the Requests board:
https://www.simplemachines.org/community/index.php?board=3.0


Good idea.

One more way would be to force people to use CAPTCHA either after a few consecutive login failures or when the source of the login attempt is suspicious.

Kindred

Captcha is useless. The bots have figured it out years ago
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Advertisement: