
TOPIC: Security feature after several attempts of login

Security feature after several attempts of login 8 months 5 days ago #103449

  • holch
  • LimeSurvey Team
Hi!

I have a problem with the security feature that blocks access for 10 minutes when you try to log in and have several failed attempts. My colleague did this last week and suddenly the access to LimeSurvey was blocked for all of us. So I assume that LimeSurvey blocks the IP. As we all access via the same IP, of course, this blocks LimeSurvey for all of us. This is of course not really ideal when more than one person works on this.

The next problem is that it took more than 10 min until it got liberated. Actually, in the end I restarted our router, which solved the problem. But after 10, 15 or 20 min we still couldn't access LimeSurvey.

So I wanted to know how this feature exactly works:
  • blocking via IP?
  • Blocking via anything else?

How can I best solve this problem?

How does it measure the time? Because obviously it is not 10 min.
Have a look at the manual! It is a really valuable source for information. Here some helpful links:
Manual (EN) | Question Types | Question Attributes | Workarounds

If you found this answer helpful and it saved you some time please consider a donation to the project to keep Limesurvey going!

Security feature after several attempts of login 8 months 5 days ago #103450

  • Ben_V
  • Platinum Lime
Hi Holch and happy 2014 :cheer:

I suppose that all the security functions you are looking for live in:
application/models/Failed_login_attemts.php

BTW, maybe the easiest and most reversible way to avoid this control is to open
application/config/config-defaults.php

and increase the default value (= 3)
$config = 3; // Lock them out after 3 attempts


Ben
Benoît

goo.gl/Bw5iM => GG search in the French forum (replace "exemple" in the search bar)
goo.gl/WX8PH => GG search for English forum (replace "example" in the search bar)
goo.gl/IxiGu => Search in the Spanish forum (change "ejemplo" in the search bar...

Security feature after several attempts of login 8 months 5 days ago #103456

  • holch
  • LimeSurvey Team
Hi Ben!

A Happy New Year to you as well.

Thanks for your response. I prefer not to make changes to the LS code, as it is a headache when updating.

Increasing the default value might help in some cases, but I think if I had increased it to 5 attempts, or 10, the colleague would probably also have run into the same problem.

With the same result that he would have locked us all out, it would have just taken him a little longer. ;-)

But having a whole IP switched out sounds quite dangerous to me as a security measure, especially if the 10 min limit isn't working properly.

Security feature after several attempts of login 8 months 5 days ago #103473

  • DenisChenu
  • Moderator Lime
Hi,

We cannot really change this security measure; this system is for 'password dictionary' tests, and someone using this system can use the same IP.

And I think we have to block by user too (because an attacker can use a 'transparent proxy' but try with the same user).

I think you can set the timeOutTime config to 1: then it's blocked for 1 second.

Denis
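To make the trade-off in this thread concrete (an IP-keyed lockout locks out everyone behind one office NAT, a per-user key does not, and the window expires after timeOutTime), here is a small added example in Python. It is not LimeSurvey's code: the class, function and constant names are mine, and MAX_LOGIN_ATTEMPT / TIMEOUT_TIME simply stand for the limit of 3 attempts and the 10-minute window mentioned above.

```python
import time
from collections import defaultdict

# Constructed example, not LimeSurvey's own code; names are assumptions.
MAX_LOGIN_ATTEMPT = 3
TIMEOUT_TIME = 600  # 10 minutes, in seconds

class LoginThrottle:
    """Counts failed logins per key (an IP address or a username) inside a window."""
    def __init__(self, max_attempts=MAX_LOGIN_ATTEMPT, timeout=TIMEOUT_TIME, clock=time.time):
        self.max_attempts, self.timeout, self.clock = max_attempts, timeout, clock
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
    def _recent(self, key):
        now = self.clock()  # failures older than the window are forgotten
        self.failures[key] = [t for t in self.failures[key] if now - t < self.timeout]
        return self.failures[key]
    def is_locked(self, key):
        return len(self._recent(key)) >= self.max_attempts
    def record_failure(self, key):
        self.failures[key].append(self.clock())
    def record_success(self, key):
        self.failures.pop(key, None)

def attempt_login(ip_throttle, user_throttle, ip, user, password_ok):
    """Check both keys, as Denis suggests: IP for dictionary attacks, user for proxies."""
    if ip_throttle.is_locked(ip) or user_throttle.is_locked(user):
        return "locked"
    if password_ok:
        ip_throttle.record_success(ip)
        user_throttle.record_success(user)
        return "ok"
    ip_throttle.record_failure(ip)
    user_throttle.record_failure(user)
    return "failed"

def shared_office_demo():
    """One colleague fails three times behind the office NAT; returns
    (IP locked?, another user's result while locked, result after the window)."""
    fake_now = [1000.0]  # constructed clock so the timeout can be advanced
    clock = lambda: fake_now[0]
    ip_t, user_t = LoginThrottle(clock=clock), LoginThrottle(clock=clock)
    office_ip = "203.0.113.10"  # constructed documentation address
    for _ in range(MAX_LOGIN_ATTEMPT):
        attempt_login(ip_t, user_t, office_ip, "colleague", False)
    locked = ip_t.is_locked(office_ip)
    while_locked = attempt_login(ip_t, user_t, office_ip, "holch", True)  # locked out by IP
    fake_now[0] += TIMEOUT_TIME + 1  # lockout window has passed
    after_window = attempt_login(ip_t, user_t, office_ip, "holch", True)
    return locked, while_locked, after_window
```

Keying only `user_t` (dropping the IP check in `attempt_login`) would let "holch" in while "colleague" stays locked, which is the behaviour the office scenario above wants.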