new login feature - beware

Post by **bad_brain** » 02 Jun 2009, 03:52

I have noticed a lot of failed login attempts in the logs, to avoid brute forcing attempts I have implemented a feature that bans a user with 3 failed login attempts for 30 minutes now...

Post by **ayu** » 02 Jun 2009, 03:56

bah, ban them for a year, will give them some time to think xD

Post by **computathug** » 02 Jun 2009, 04:02

Thats another good idea b_b, any way of implimenting the security on suck-o to the highest standard even though it may sometimes be a little time consuming, is a good idea at times like this.

Great handling of the total situation at hand.

I will hopefully be back online permanently later today and it will be good to catch up

Post by **lilrofl** » 02 Jun 2009, 07:23

well banned for 30 minutes should give them plenty of time to commit their password to memory me thinks...

moudy · Post by **moudy** » 17 Jun 2009, 12:45

p4inl0v3r wrote:just a suggestion ....

incase of such more than 3 failed attempts , instead of banning , an email to the user can be sent with his passwrd .... if the guy is genuine and in trbl then he is helped .... otherwise also no prob

well some services like hotmail, have an option where you ask them to send you the password to your e-mail, I never noticed some thing like that over here, but yeah its a good idea.

Post by **bad_brain** » 17 Jun 2009, 13:11

well, the point is that those failed login attempts are not made by users that maybe had a drink too much or have trouble remembering their password....those are automated login attempts. maybe 40 different IPs have been banned in the meantime (just for 1 hour, those bans are not permanent), I have checked about 30 of them and NONE was an IP of a known user.

but ok, the "lost password" function is something I will try to set up, good idea...