I need some clarification of the problem. Can users not unlock their own accounts?
IntegraMOD 141 has tools that you should use right away to combat this.
Unfortunately, the most effective way to combat a brute force attack is by blocking IPs. I know, it sucks...
There are some steps you can do to help prevent a successful attack.
CrackerTracker isn't just here to look pretty, it does have some useful features. In Admin/CrackerTracker/Settings, scroll down to the Check Password section and activate it, setting the number of days users have to change their passwords before their accounts are locked. Then, directly under this setting, make sure the Password Complexity Check is Active and change the Password Complexity mode to something more complex. This forces users to change their password and forces them to come up with something that is difficult to "guess". Finally, I would change the Password Minimum Length to 8; any less than this and you're asking for trouble, any more and people will be cheesed.
Before you do any of this though, do this code change.
FIND
$lang['ctracker_info_pw_expired'] = "The administrator has made adjustments so that a password may be valid only for <b>%s days</b>. days. We recommend for safety reasons that you change your password now. (<a>Profile</a>)";
REPLACE WITH
$lang['ctracker_info_pw_expired'] = 'User account passwords expire in <b>%s days</b> days, after which user accounts will be locked if password is not changed. Please click (<a>HERE</a>) to change your password';
Change the code, because there is a bug there that'll return error messages and won't actually tell your users to reset their passwords. The English is a little shoddy in that MOD; the author is German, and while his English is better than my German, I think that I'll rewrite the language file and post it soon.
We may find that we already have the tools we need to fight this, I don't think there is much more security out there to offer. There is only so much that you can do to prevent these weirdos.