Please suggest brute force protection other than built-in captcha
- bulgin
- Topic Author
- Offline
- Elite Member
I am familiar with mod_sec (which can't help in this case) and the csf firewall, which I believe won't help either. I am also familiar with the built-in captcha; although helpful, I believe this version can hold attackers at bay for a while but not for too long.
Currently our survey is not publicly available on the site but the nature of how participants are notified of the survey is very public and someone could track down the survey link and go at it with a brute force tool. As well, because we reward the participant with a digital redemption card upon completion, this makes our site all the more attractive.
- bulgin
- Topic Author
- Offline
- Elite Member
- Posts: 185
- Thank you received: 11
Thanks.
- DenisChenu
- Away
- LimeSurvey Community Team
- Posts: 13643
- Thank you received: 2491
Unsure if it must be logged as 401 or 403, maybe.
Or maybe we need to create our own log? application.limesurvey.survey.token.invalid.SID, for example?
Please report a feature request.
About the log file: what do you put inside your config?
Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
- bulgin
- Topic Author
- Offline
- Elite Member
- Posts: 185
- Thank you received: 11
400 Bad Request
The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
I'll submit on that and see if there is any likelihood that we can do this. A lot of misery could be avoided by implementing some method to log bad requests. Then it would be a simple matter of getting a log monitor of some sort to implement an IP block.
- bulgin
- Topic Author
- Offline
- Elite Member
- Posts: 185
- Thank you received: 11
Add this (not tested) in the function
\Yii::log("Bad token entered", \CLogger::LEVEL_ERROR, 'plugin.logToken.Error');
Use Yii to log it exactly where you want: manual.limesurvey.org/Optional_settings#Logging_settings
I wanted to add a note to mantis report (bugs.limesurvey.org/view.php?id=14710) but it is impossible to tell from the login screen there if I am logged in as a guest or my username. I can't find a link on mantis to add a note.
- bulgin
- Topic Author
- Offline
- Elite Member
- Posts: 185
- Thank you received: 11
So my solution which may work for some but not all involves the following and requires a server running mod_security.
1) Provide a method whereby the token is entered NOT into the usual token entry form provided by LimeSurvey, but another form that does a database lookup on the entered token and, if correct, redirects the user to the correct survey link which includes the proper token and lands them on the start of the survey. This will require some MySQL kung fu.
2) If incorrect, the participant is redirected to an error page.
3) Set up mod_security to block the user's IP after X number of failed attempts to the URL of the error page.
Of course, this requires some work outside of Lime with a submission form addon or plugin that does the verification. But it works.
- holch
- Away
- LimeSurvey Community Team
- Posts: 11658
- Thank you received: 2742
Not sure if it is still implemented in 3.x, but before, if you had a couple of failed attempts you were blocked for a while from trying again. It was quite annoying because sometimes it wouldn't let you try again after the time (e.g. 10 min). I haven't run into this problem for a while, so either I don't get my passwords wrong anymore or the feature has been taken out.
For many, a useful tool would be to deny access to the survey by IP address when X number of failed tokens have been entered. So far, LimeSurvey can't do this, or at least not in any way that I'm aware of.
I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.
- DenisChenu
- Away
- LimeSurvey Community Team
- Posts: 13643
- Thank you received: 2491
I mean: bulgin wrote: Thank you @DenisChenu, I've installed the ShowResponse and see it listed in the plugins page, but I'm lost on how to use your code to now make it log somewhere.
Add this (not tested) in the function
\Yii::log("Bad token entered", \CLogger::LEVEL_ERROR, 'plugin.logToken.Error');
Use Yii to log it exactly where you want: manual.limesurvey.org/Optional_settings#Logging_settings
I wanted to add a note to mantis report (bugs.limesurvey.org/view.php?id=14710) but it is impossible to tell from the login screen there if I am logged in as a guest or my username. I can't find a link on mantis to add a note.
1. You can create a light plugin to log only token errors
2. You can use Yii to log it to a specific file
3. Then you can use fail2ban to disable IP access
For 2:
'log' => array(
    'routes' => array(
        'fileError' => array(
            'class' => 'CFileLogRoute',
            'logFile' => 'tokenaccess.log',
            'levels' => 'warning, error',
            'categories' => 'plugin.logToken.Error',
        ),
    ),
),
Here the log is written to tmp/runtime/tokenaccess.log
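As an added example (not code from this thread or from LimeSurvey), here is the kind of log monitor bulgin asked for earlier, doing what fail2ban would do in step 3: it parses lines in the format CFileLogRoute writes for the config above, counts failures per client IP inside a time window, and carries the matching failregex for a fail2ban filter. It assumes the plugin writes the client IP into the message ("Bad token entered from <ip>"), which the one-line Yii::log call above does not yet do; without the IP in the log there is nothing to ban on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Yii 1.1's CFileLogRoute writes "Y/m/d H:i:s [level] [category] message". Assumption: the
# plugin puts the client IP into the message; a bare "Bad token entered" gives nothing to ban.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \[(?P<cat>[\w.]+)\] "
    r"Bad token entered from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
# Equivalent failregex for a fail2ban filter (fail2ban strips the timestamp first, fills in <HOST>).
FAIL2BAN_FAILREGEX = r"^\[error\] \[plugin\.logToken\.Error\] Bad token entered from <HOST>$"
# Constructed sample of tokenaccess.log (not real data): one IP hammers tokens, one just typos.
SAMPLE_LOG = """\
2019/05/10 09:00:01 [error] [plugin.logToken.Error] Bad token entered from 203.0.113.7
2019/05/10 09:00:02 [error] [plugin.logToken.Error] Bad token entered from 203.0.113.7
2019/05/10 09:00:03 [error] [plugin.logToken.Error] Bad token entered from 203.0.113.7
2019/05/10 09:00:04 [info] [application] survey 123456 started
2019/05/10 09:00:05 [error] [plugin.logToken.Error] Bad token entered from 198.51.100.2
2019/05/10 09:00:06 [error] [plugin.logToken.Error] Bad token entered from 203.0.113.7
2019/05/10 09:00:07 [error] [plugin.logToken.Error] Bad token entered from 203.0.113.7
""".splitlines()
def parse_line(line):
    """Return (timestamp, ip) for a token-failure line, None for any other line."""
    m = LINE_RE.match(line)
    if not m or m.group("cat") != "plugin.logToken.Error":
        return None
    return datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), m.group("ip")

def fail2ban_matches(line):
    """Mirror fail2ban: drop the date/time prefix, then apply the failregex."""
    pattern = FAIL2BAN_FAILREGEX.replace("<HOST>", r"(?P<host>\S+)")
    return re.match(pattern, line.split(" ", 2)[-1]) is not None

def offenders(lines, max_retry=5, find_time=timedelta(minutes=10)):
    """IPs reaching max_retry failures inside find_time (fail2ban's maxretry/findtime)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}                   # ip -> timestamp string at which the threshold was hit
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:   # expire attempts older than find_time
            window.popleft()
        if len(window) >= max_retry and ip not in banned:
            banned[ip] = ts.strftime("%Y/%m/%d %H:%M:%S")
    return banned
```

Running offenders(SAMPLE_LOG) flags only 203.0.113.7, at the fifth failure; the single typo from 198.51.100.2 never reaches the threshold.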
- bulgin
- Topic Author
- Offline
- Elite Member
- Posts: 185
- Thank you received: 11
I'd like to be able to use @DenisChenu's method but I can't get the log file to work...