Ravens PHP Scripts: Forums
 

 

srhh
Involved


Joined: Dec 27, 2005
Posts: 296

Posted: Fri Dec 30, 2005 11:17 pm

I'm not sure if this should be posted in Sentinel or wanted modules/add-ons. I'd like to know if it is possible, either by using Sentinel or by another method, to ban any user after a set number of failed login attempts, whether the login attempts are for regular users or for admins. Haven't come up with anything in Google or the forums.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

Posted: Sat Dec 31, 2005 8:03 am

srhh, I am going to move this topic to the NukeSentinel Enhancement Requests forum. I'll let Raven then decide if this should really be outside the realm of NS.

Regards, montego

hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

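Posted: Sat Dec 31, 2005 11:08 am

Well I guess it should use something like....(sample I found)..

// $link_id is assumed to be an open mysqli connection.
// The submitted username is bound as a parameter so it never becomes part of the SQL text.
$sql = "SELECT COUNT(*) AS `failedlogins` FROM `tblLoginAttempts` WHERE `user_id` = ? AND `reset` = 'N'";

$stmt = mysqli_prepare($link_id, $sql) or die("Problems checking number of login attempts.");
mysqli_stmt_bind_param($stmt, "s", $_POST["username"]);
mysqli_stmt_execute($stmt) or die("Problems checking number of login attempts.");
mysqli_stmt_bind_result($stmt, $failedLogins);
mysqli_stmt_fetch($stmt); // read the COUNT(*) value into $failedLogins
mysqli_stmt_close($stmt);

if ($failedLogins > 3)
{
    die("Your account is locked due to the number of failed logins. Please contact your administrator to re-activate your account");
}
else
{
    // Below the limit: continue with the normal password check here.
}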
 
UnLeasheD
New Member


Joined: May 01, 2005
Posts: 21
Location: GB

Posted: Sat Dec 31, 2005 12:24 pm

I think this would be a good addition.

But I would prefer to see a timed login method, where if someone tries to login and fails it gives a period (set by an admin) before a login attempt is allowed again.

This would at least help to slow down and deter script kiddies from using dictionary attacks.

Just a thought!
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

Posted: Sat Dec 31, 2005 3:00 pm

UnLeasheD wrote:
I think this would be a good addition.

But I would prefer to see a timed login method, where if someone tries to login and fails it gives a period (set by an admin) before a login attempt is allowed again.

This would at least help to slow down and deter script kiddies from using dictionary attacks.

Just a thought!

If you were to restrict log-in attempts by building in a delay, you would also have to have some mechanism to advise the person attempting the second log-in attempt of that delay thus it may be self-defeating.
However, restricting the actual number of *allowable* attempts would seem a more viable approach and I think Chatserv has incorporated something along these lines in the next BBtonuke upgrade.
 
srhh
Posted: Sat Dec 31, 2005 8:49 pm

hitwalker wrote:
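Well I guess it should use something like....(sample I found)..

// $link_id is assumed to be an open mysqli connection.
// The submitted username is bound as a parameter so it never becomes part of the SQL text.
$sql = "SELECT COUNT(*) AS `failedlogins` FROM `tblLoginAttempts` WHERE `user_id` = ? AND `reset` = 'N'";

$stmt = mysqli_prepare($link_id, $sql) or die("Problems checking number of login attempts.");
mysqli_stmt_bind_param($stmt, "s", $_POST["username"]);
mysqli_stmt_execute($stmt) or die("Problems checking number of login attempts.");
mysqli_stmt_bind_result($stmt, $failedLogins);
mysqli_stmt_fetch($stmt); // read the COUNT(*) value into $failedLogins
mysqli_stmt_close($stmt);

if ($failedLogins > 3)
{
    die("Your account is locked due to the number of failed logins. Please contact your administrator to re-activate your account");
}
else
{
    // Below the limit: continue with the normal password check here.
}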


What files should I plug this into to test it?
 
hitwalker
Posted: Sat Dec 31, 2005 9:04 pm

Hi srhh, it's just a simple sample I picked up...
It's not that easy to create this...
Better wait until someone replies to this... Raven or Bob... etc...
 
srhh
Posted: Sun Jan 01, 2006 1:08 am

You mean, nobody wants to spend New Year's Eve pondering nuke questions? Bahh!! What's the matter with you guys!
 
hitwalker
Posted: Sun Jan 01, 2006 7:24 am

No, I mean that you don't write this in a few hours.
It can be complicated.. especially when it integrates with Sentinel.
You don't want the wrong person banned, do you...
They also have to figure out how they will count the total logins, and that info has to be stored including the person's IP, otherwise they can try again after they close the browser..
 
srhh
Posted: Sun Jan 01, 2006 3:09 pm

I really do understand all the work that goes into this, I was just poking fun (at myself really) for celebrating New Years in front of my PC like a geek.
 
srhh
Posted: Sun Jan 01, 2006 3:30 pm

It appears that the max # of login attempts is already out there! Not sure if I understand what BBtoNuke is or if it is still usable with Sentinel. Here is the link:
Only registered users can see links on this board! Get registered or login!
 
hitwalker
Posted: Sun Jan 01, 2006 3:39 pm

Well, that's for dictionary attacks....
That means....

A method used to break security systems, specifically password-based security systems, in which the attacker systematically tests all possible passwords beginning with words that have a higher possibility of being used, such as names and places.
The word “dictionary” refers to the attacker exhausting all of the words in a dictionary in an attempt to discover the password.
Dictionary attacks are typically done with software instead of an individual manually trying each password.


But BBtoNuke is just your forum.. if you upgrade to the newest it will be in there...

But I just prefer only the max login...
 
srhh
Posted: Sun Jan 01, 2006 6:40 pm

I see. Wow, it's really pathetic what lengths some people will go to to get into an account!
I don't have my forums active, so I'd prefer just a direct max login too.
 
menelaos61
Worker


Joined: Nov 10, 2004
Posts: 110

Posted: Wed Jan 04, 2006 4:36 am

Hey guys,
It seems CNB Your Account has been off the radar for a while.
This is due to me getting married this April...

Anyway, the max numbers of failed logins combined with a delay for the next attempt is such a good idea that I'm gonna include it in the current version.

Stay tuned...

Cheers,
Richard
 
Guardian2003
Posted: Wed Jan 04, 2006 5:52 am

menelaos61 wrote:
Hey guys,
It seems CNB Your Account has been off the radar for a while.
This is due to me getting married this April...

Anyway, the max numbers of failed logins combined with a delay for the next attempt is such a good idea that I'm gonna include it in the current version.

Stay tuned...

Cheers,
Richard

You would have to employ some method of reminding users that they have to wait until they try again or they will end up banning themselves and thus create more work for admins in re-instating accounts - perhaps a count down timer, bar graph displayed on the page etc might help?
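
Added example, not part of any post in this thread and not NukeSentinel, BBtoNuke or CNB Your Account code: one way to combine a maximum number of failed logins with a timed delay, counted per username and IP, and to report the remaining wait so the login form can display it. The class name, limits, addresses and timestamp are assumptions constructed for illustration.

```php
<?php
// Added example: LoginThrottle and the values below are hypothetical.
// Storage is an in-memory array; a site would keep the same fields in a table.
final class LoginThrottle
{
    private array $attempts = []; // key => ['count' => int, 'lockedUntil' => int]

    public function __construct(private int $maxFailures = 3, private int $lockSeconds = 300) {}

    private function key(string $user, string $ip): string
    {
        // Counting per (username, IP) survives a browser restart, and a lock
        // triggered from one address does not shut out the owner elsewhere.
        return hash('sha256', strtolower($user) . "\0" . $ip);
    }

    // Seconds the caller must still wait; 0 means an attempt is allowed now.
    // Call this before checking the password and show the value on the form.
    public function secondsUntilAllowed(string $user, string $ip, int $now): int
    {
        $e = $this->attempts[$this->key($user, $ip)] ?? null;
        return $e === null ? 0 : max(0, $e['lockedUntil'] - $now);
    }

    public function recordFailure(string $user, string $ip, int $now): void
    {
        $k = $this->key($user, $ip);
        $e = $this->attempts[$k] ?? ['count' => 0, 'lockedUntil' => 0];
        $e['count']++;
        if ($e['count'] >= $this->maxFailures) {
            $e['lockedUntil'] = $now + $this->lockSeconds; // expires without admin work
            $e['count'] = 0;
        }
        $this->attempts[$k] = $e;
    }

    public function recordSuccess(string $user, string $ip): void
    {
        unset($this->attempts[$this->key($user, $ip)]); // clear the counter
    }
}

// Constructed sample: three bad passwords from one address, then a retry.
$t = new LoginThrottle(3, 300);
$now = 1136073600; // constructed timestamp
foreach ([0, 5, 10] as $offset) {
    $t->recordFailure('alice', '192.0.2.10', $now + $offset);
}
printf("same IP must wait %d s\n", $t->secondsUntilAllowed('alice', '192.0.2.10', $now + 70));
printf("other IP must wait %d s\n", $t->secondsUntilAllowed('alice', '198.51.100.7', $now + 70));
```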
 
All times are GMT - 6 Hours
 