An account was just locked. - Repeated 80 times...

Support for IntegraMOD 141

Moderator: Integra Moderator

Re: An account was just locked. - Repeated 80 times...

PostAuthor: AlaskaMat » Sun Feb 13, 2011 4:39 pm

Thanks, Helter. I need adult supervision, sometimes!


Re: An account was just locked. - Repeated 80 times...

PostAuthor: Helter » Sun Feb 13, 2011 9:24 pm

lol...no problem. I think it is a bug in ctracker. It should not accept a null input.

Re: An account was just locked. - Repeated 80 times...

PostAuthor: looser9 » Tue Feb 15, 2011 8:33 am

"HelterSkelter" wrote: To reset your users' accounts, unzip and upload the attached file to your forum root, then browse to reset_login.php. Be sure to delete the file when finished. It will reset both phpBB security and CrackerTracker login tries.



What is going to be reset if I use this?

Only the locked accounts or is it also resetting e.g. Forum rules acknowledgement?


Yours, looser9


Re: An account was just locked. - Repeated 80 times...

PostAuthor: Helter » Tue Feb 15, 2011 5:03 pm

It resets phpBB's and CTracker's "login attempt" counts, which essentially unlocks all member accounts.

Re: An account was just locked. - Repeated 80 times...

PostAuthor: Teelk » Tue Feb 15, 2011 9:57 pm

I need some clarification of the problem, can users not unlock their own accounts?

IntegraMOD 141 has tools that you should use right away to combat this.

Unfortunately, the most effective way to combat a brute force attack is by blocking IPs. I know, it sucks...

There are some steps you can do to help prevent a successful attack.

CrackerTracker isn't just here to look pretty, it does have some useful features. In Admin/CrackerTracker/Settings, scroll down to the Check Password section and activate it, setting the number of days users have to change their passwords before their accounts are locked. Then, directly under this setting, make sure the Password Complexity Check is Active and change the Password Complexity mode to something more complex. This forces users to change their password and forces them to come up with something that is difficult to "guess". Finally, I would change the Password Minimum Length to 8; any less than this and you're asking for trouble, any more and people will be cheesed.

Before you do any of this though, do this code change.

FIND
$lang['ctracker_info_pw_expired']        = "The administrator has made adjustments so that a password may be valid only for <b>%s days</b>. days. We recommend for safety reasons that you change your password now. (<a>Profile</a>)";


REPLACE WITH
$lang['ctracker_info_pw_expired']        = 'User account passwords expire in <b>%s days</b>, after which user accounts will be locked if password is not changed. Please click (<a>HERE</a>) to change your password';


Change the code, 'cause there is a bug there that'll return error messages and won't actually tell your users to reset their passwords. The English is a little shoddy in that MOD; the author is German, and while his English is better than my German, I think that I'll rewrite the language file and post it soon.

We may find that we already have the tools we need to fight this, I don't think there is much more security out there to offer. There is only so much that you can do to prevent these weirdos.

Re: An account was just locked. - Repeated 80 times...

PostAuthor: Helter » Wed Feb 16, 2011 5:54 am

Great to see you, Teelk!
The mod I sent you is also available for phpBB3, and in that version you have the ability to block IPs and email addresses that have been reported to "block forum spam". We use it here. You'll find it in the acp/integramod section. I have not looked too deeply into the phpBB2 version that I sent you, but I'm hoping it is the same. I'm hoping that if you can mod it for PCP it will be the knockout punch for these damn spammers.

Is there a way, using ctracker, to force reactivation when a user's IP address has changed? It might be a pain for some users, but oftentimes an email with a reactivation link is much easier than CAPTCHA and far more secure.

Re: An account was just locked. - Repeated 80 times...

PostAuthor: MWE_001 » Wed Feb 16, 2011 12:23 pm

Holy Smokes! It's Teelk! Great to see you. I am glad you guys are working on this. I admin a couple other 1.4.1 sites and I have had an issue like this for a bit now.

Re: An account was just locked. - Repeated 80 times...

PostAuthor: Teelk » Wed Feb 16, 2011 5:21 pm

Thanks guys, good to see you too.

It's been a while so I wasn't aware that CrackerTracker didn't send an activation email. That seems like an obvious thing it should do. So, it just locks the account?

Unfortunately, the phpBB2 version of that MOD isn't quite as sophisticated. It just allows you to block profile items from users who haven't posted x amount of times. I'll look for the phpBB3 version and see if it's adaptable.

Re: An account was just locked. - Repeated 80 times...

PostAuthor: Teelk » Wed Feb 16, 2011 11:05 pm

Oops... I lied.

The version of that MOD that I had was extremely old. I'm not sure how I got such an old version. I found the latest one, and I'm working on integrating it. It introduces a new CAPTCHA, so it'll interfere with CrackerTracker; it might take some DIY to turn CT's CAPTCHA off to use this one. Maybe I can integrate them, I'm not sure right now. I've had some drinks lol... I'll work on it when I'm sobered up.

Re: An account was just locked. - Repeated 80 times...

PostAuthor: Teelk » Sun Feb 20, 2011 5:03 am

Ok, this MOD does look good Helter, I've almost completed the IM version. It seems that CrackerTracker, phpBB Security, and Advanced Visual Confirmation are all fighting each other over dominance of one part of board security or another. I'm going to try and let the better ones dominate without completely rewriting all of 141's security. I'd prefer to move on to IM3 if at all possible in the near future.

One thing to do at the moment, if you want your users to be able to unlock their own accounts, let phpBB Security do it. Turn off CrackerTracker's login protection in the ACP. phpBB Security will ask the user for their Username, Email address, and the answer to their security question.

This isn't the ideal solution. What should happen is the password should be reset and an email with the new password should be sent to the user's email address. But, for the time being phpBB Security's solution should work ok.

Re: An account was just locked. - Repeated 80 times...

PostAuthor: Helter » Sun Feb 20, 2011 6:56 am

Sounds great, Teelk! Your help with IM3 would be greatly appreciated by everyone, as my time has been pretty tight lately and your skills are much better than mine.

Re: An account was just locked. - Repeated 80 times...

PostAuthor: AlaskaMat » Fri Feb 25, 2011 9:02 pm

"Teelk" wrote:One thing to do at the moment, if you want your users to be able to unlock their own accounts, let phpBB Security do it. Turn off CrackerTracker's login protection in the ACP. phpBB Security will ask the user for their Username, Email address, and the answer to their security question.

Teelk,
I did this, but have a new problem...users have forgotten their security answer. Is there a way for me to either reset their question/answer or provide them the chance to do so?
Thanks


Re: An account was just locked. - Repeated 80 times...

PostAuthor: Teelk » Mon Feb 28, 2011 1:38 pm

Well, you can, but it is really not recommended. What you can do is unlock their accounts for them first, then go to Security>>settings in the ACP and enable allow users to change their SQ.

Then I would recommend making a global announcement using CrackerTracker, something along the lines of "Users have 3 days to change their Security Question." Then after the three days disable allow users to change their SQ.

Re: An account was just locked. - Repeated 80 times...

PostAuthor: mspringgay » Tue Mar 01, 2011 6:50 pm

Could someone point me to the mod being discussed as a potential solution to this problem, as I too am getting hit repeatedly by locked accounts? Thanks!


Re: An account was just locked. - Repeated 80 times...

PostAuthor: Teelk » Sat Mar 05, 2011 7:16 am

Unfortunately, the MOD won't do anyone any good. I've looked into it and the phpBB2 version of the MOD doesn't do much that IM 1.4.x doesn't already do.

If everyone is tired of locked accounts, go to their ACP>>Security>>Configuration.

Change Login Attemps to 99.

Then go to ACP>>CrackerTracker>>Settings and make sure that Login Protection System is activated. And change "Number of Logins up to the Visual Confirmation" to 1.

This shouldn't lock the account, but will force a CAPTCHA on user's next login. Unfortunately, this doesn't stop the brute force attacks, only IP banning will do that. I know it's a pain, but there really is no other option, and when I say that I mean no other option for anyone, whether they use IntegraMOD or any other system.

IP banning from an online list is a possibility, and I've done some work to try to integrate it. But, it's difficult to test, so no guarantees.

P.S. I do apologize for my previous advice about turning off CrackerTracker Login Protection System and letting phpBB Security handle login. But, I have just come back from a 3 year hiatus from IntegraMOD and am relearning much of it.
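The settings in the post above (account lock threshold 99, CAPTCHA after 1 failed login) together with temporary per-IP blocking, modelled as an added example that is not part of the thread and is not IntegraMOD, phpBB Security or CrackerTracker code. The class name, the per-IP limit and window, and the sample addresses are assumptions; it needs PHP 8.

```php
<?php
// Added illustration: hypothetical class, not code from IntegraMOD or its MODs.
final class LoginThrottle
{
    private array $accountFails = [];   // username => failed logins since last success
    private array $ipFails = [];        // source IP => timestamps of failed logins

    public function __construct(
        private int $captchaAfter = 1,  // CAPTCHA threshold from the post
        private int $lockAfter = 99,    // account lock threshold from the post
        private int $ipLimit = 10,      // assumed: failures allowed per IP in the window
        private int $window = 900       // assumed: window length in seconds
    ) {}

    /** Decide how to treat a login request before the password is checked. */
    public function decide(string $user, string $ip, int $now): string
    {
        $recent = array_filter($this->ipFails[$ip] ?? [], fn($t) => $t > $now - $this->window);
        if (count($recent) >= $this->ipLimit) return 'block_ip';
        $fails = $this->accountFails[$user] ?? 0;
        if ($fails >= $this->lockAfter) return 'locked';
        return $fails >= $this->captchaAfter ? 'captcha' : 'allow';
    }

    public function recordFailure(string $user, string $ip, int $now): void
    {
        $this->accountFails[$user] = ($this->accountFails[$user] ?? 0) + 1;
        $this->ipFails[$ip][] = $now;
    }

    public function recordSuccess(string $user): void
    {
        unset($this->accountFails[$user]);
    }
}

// Constructed traffic: one address (documentation range) fails against 80 accounts.
$t = new LoginThrottle();
$now = 1298000000;
$refused = 0;
for ($i = 1; $i <= 80; $i++) {
    if ($t->decide("member$i", '203.0.113.7', $now + $i) === 'block_ip') { $refused++; continue; }
    $t->recordFailure("member$i", '203.0.113.7', $now + $i);
}
echo "requests refused from 203.0.113.7: $refused\n";
// Members logging in from their own address: CAPTCHA if touched, normal login otherwise.
echo "member3: ", $t->decide('member3', '198.51.100.20', $now + 100), "\n";
echo "member50: ", $t->decide('member50', '198.51.100.20', $now + 100), "\n";
```

No account reaches the lock threshold in this run: the noisy address is refused after its tenth failure, and the members it touched only see a CAPTCHA on their next login.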
