Security feature after several attempts of login
10 years 3 months ago #103449
by holch
I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.
Hi!
I have a problem with the security feature that blocks access for 10 minutes when you try to log in and have several failed attempts. My colleague did this last week and suddenly access to LimeSurvey was blocked for all of us. So I assume that LimeSurvey blocks the IP. As we all access via the same IP, of course, this blocks LimeSurvey for all of us. This is of course not really ideal when more than 1 person works on this.
The next problem is that it took more than 10 min until it got liberated. Actually, at the end I did restart our router, which solved the problem. But after 10, 15 or 20 min we still couldn't access LimeSurvey.
So I wanted to know how this feature exactly works:
- Blocking via IP?
- Blocking via anything else?
How can I best solve this problem?
How does it measure the time? Because obviously it is not 10 min.
The topic has been locked.
10 years 3 months ago #103450
by Ben_V
Benoît
EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
Last Releases => 2.6x.x goo.gl/ztWfIV | 2.06/2.6.x => bit.ly/1Qv44A1
Demo Surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
Hi Holch and happy 2014
I suppose that all the security functions you are looking for live in:
application/models/Failed_login_attemts.php
BTW, maybe the easiest and most reversible way to avoid this control is to open
application/config/config-defaults.php
and increase the default value (= 3)
$config = 3 ; // Lock them out after 3 attempts
Ben
10 years 3 months ago #103456
by holch
Hi Ben!
A Happy New Year to you as well.
Thanks for your response. I prefer not to make changes to LS code, as it is a headache when updating.
Increasing the default value might help in some cases, but I think if I had increased it to 5 attempts, or 10, the colleague would probably also have run into the same problem.
With the same result that he would have locked us all out, it would have just taken him a little longer.
But having a whole IP switched out sounds quite dangerous to me as a security measure, especially if the 10 min limit isn't working properly.
10 years 3 months ago #103473
by DenisChenu
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development.
I don't answer to private message.
Hi,
We cannot really change this security measure, this system is for 'password dictionary' test, someone using this system can use the same IP.
And I think we have to block by user too (because an attacker can use a 'transparent proxy' but try with the same user).
I think you can set the timeOutTime config to 1: then it's blocked for 1 second.
Denis
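The trade-off discussed in this thread, as an added example that is not part of any post and not LimeSurvey's code: a small Python model of failed-login lockout keyed by IP address, by IP plus user, and by user as well. The key functions, account names and addresses are constructed, and measuring the window from the last recorded failure is an assumption of the model.

```python
# Added example: a model of failed-login lockout keyed in different ways.
# Not LimeSurvey's code; names, IPs and accounts below are constructed.
MAX_ATTEMPTS = 3      # attempts before lockout, as quoted in the thread
TIMEOUT = 10 * 60     # the 10-minute lockout from the thread, in seconds

def by_ip(ip, user):
    return ("ip", ip)

def by_user(ip, user):
    return ("user", user)

def by_ip_and_user(ip, user):
    return ("ip+user", ip, user)

class Lockout:
    def __init__(self, *key_fns):
        self.key_fns = key_fns
        self.failures = {}          # key -> (failure count, time of last failure)

    def _locked(self, key, now):
        count, last = self.failures.get(key, (0, now))
        if now - last >= TIMEOUT:   # assumption: window runs from the last failure
            self.failures.pop(key, None)
            return False
        return count >= MAX_ATTEMPTS

    def login(self, ip, user, password_ok, now):
        keys = [fn(ip, user) for fn in self.key_fns]
        if any([self._locked(k, now) for k in keys]):
            return "locked"         # rejected before the password is even checked
        if password_ok:
            return "ok"
        for k in keys:              # a failure counts against every configured key
            count, _ = self.failures.get(k, (0, now))
            self.failures[k] = (count + 1, now)
        return "failed"

def shared_office(*key_fns):
    """colleague_a mistypes three times behind one NAT address, then colleague_b logs in."""
    lock, nat = Lockout(*key_fns), "203.0.113.10"
    out = [lock.login(nat, "colleague_a", False, t) for t in (0, 5, 10)]
    out.append(lock.login(nat, "colleague_b", True, 60))            # one minute later
    out.append(lock.login(nat, "colleague_b", True, 10 + TIMEOUT))  # window has passed
    return out

def rotating_addresses(*key_fns):
    """Five wrong guesses at one account, each arriving from a different address."""
    lock = Lockout(*key_fns)
    return [lock.login(f"198.51.100.{i}", "admin", False, i) for i in range(1, 6)]
```

Keying by user as well catches guesses that arrive from changing addresses, at the cost that anyone who knows an account name can keep that account locked.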
4 years 9 months ago #186815
by uibklime1
MySQL DB:
truncate failed_login_attempts;
You can be more selective:
delete from failed_login_attempts where ip = 'xxxx' ;
4 years 9 months ago #186824
by tpartner
Cheers,
Tony Partner
Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
Huh?
A very cryptic reply to a 5 year old thread.