Welcome to the LimeSurvey Community Forum


Please suggest brute force protection other than built-in captcha

bulgin (Topic Author, Elite Member)
4 years 11 months ago #182547 by bulgin
I'm looking for a solution or at least deterrent to slow down a brute force attack on tokens. As our survey will require the participant to manually enter the token, they are therefore short in characters - 5 or 6 in length automatically generated by LS.

I am familiar with mod_sec (which can't help in this case) and csf firewall which I believe won't help also. I am also familiar with the built-in captcha which although helpful, I believe this version can hold attackers at bay for a while but not for too long.

Currently our survey is not publicly available on the site but the nature of how participants are notified of the survey is very public and someone could track down the survey link and go at it with a brute force tool. As well, because we reward the participant with a digital redemption card upon completion, this makes our site all the more attractive.
The topic has been locked.
bulgin (Topic Author, Elite Member)
4 years 11 months ago #182561 by bulgin
If we could come up with a way to enter failed login attempts into a log file, the rest would be easy to solve by simply monitoring that log file via csf or some other log file watcher. I did activate the log file feature plugin, but alas that doesn't seem to log to a flat file, nor does it seem to capture failed attempts. Perhaps instituting this could be done? What do people think?
Thanks.
The following user(s) said Thank You: DenisChenu
DenisChenu (LimeSurvey Community Team)
4 years 11 months ago - 4 years 11 months ago #182599 by DenisChenu
We don't log (using Yii::log) bad tokens entered. I think it's a great option to log all of these errors.

Unsure whether it must be logged as 401 or 403, maybe.
Or maybe we need to create our own log? application.limesurvey.survey.token.invalid.SID for example?

Please report a feature request.


About the log file: what do you put inside your config?

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer to private message.
Last edit: 4 years 11 months ago by DenisChenu.
bulgin (Topic Author, Elite Member)
4 years 11 months ago #182615 by bulgin
401 requires the originating server to send a WWW-Authenticate header field which I don't think happens in this case and 403 has similar requirements. From RFC 2616 I think a 400 would be the best:

400 Bad Request

The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.

I'll submit on that and see if there is any likelihood that we can do this. A lot of misery could be avoided by implementing some method to log bad requests. Then it would be a simple matter of getting a log monitor of some sort to implement an IP block.
bulgin (Topic Author, Elite Member)
4 years 11 months ago #182618 by bulgin
Feature request submitted. You can vote on it here:

bugs.limesurvey.org/view.php?id=14710
The following user(s) said Thank You: DenisChenu, cdorin
bulgin (Topic Author, Elite Member)
4 years 7 months ago - 4 years 7 months ago #187534 by bulgin
Thank you @DenisChenu I've installed the ShowResponse and see it listed in the plugins page, but I'm lost on how to use your code to now make it log somewhere.

Add this (not tested) in the function

\Yii::log("Bad token entered", 'error', 'plugin.logToken.Error'); // level is a string (or CLogger::LEVEL_ERROR); category must match the log route

Use Yii to log it where you want exactly : manual.limesurvey.org/Optional_settings#Logging_settings


I wanted to add a note to mantis report (bugs.limesurvey.org/view.php?id=14710) but it is impossible to tell from the login screen there if I am logged in as a guest or my username. I can't find a link on mantis to add a note.
Last edit: 4 years 7 months ago by bulgin.
bulgin (Topic Author, Elite Member)
4 years 7 months ago #187667 by bulgin
For many, a useful tool would be to deny access to the survey by IP address when X number of failed tokens have been entered. So far, LimeSurvey can't do this, or at least not in any way that I'm aware of.

So my solution which may work for some but not all involves the following and requires a server running mod_security.

1) Provide a method whereby the token is entered NOT into the usual token entry form provided by limesurvey, but another form that does a database lookup on the entered token and, if correct, redirects the user to the correct survey link which includes the proper token and lands them on the start of the survey. This will require some mysql kung fu.
2) If incorrect the participant is redirected to an error page.
3) Set up mod_security to block the user's IP after X number of failed attempts to the URL of the error page.

Of course, this requires some work outside of Lime with a submission form addon or plugin that does the verification. But it works.
holch (LimeSurvey Community Team)
4 years 7 months ago #187694 by holch

bulgin wrote: For many, a useful tool would be to deny access to the survey by IP address when X number of failed tokens have been entered. So far, LimeSurvey can't do this, or at least not in any way that I'm aware of.

Not sure if it is still implemented in 3.x, but before if you had a couple of failed attempts you were blocked for a while from trying again. Was quite annoying because sometimes it wouldn't let you try again after the time (e.g. 10min). Haven't run into this problem for a while, so either I don't get my passwords wrong anymore or the feature has been taken out.

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

DenisChenu (LimeSurvey Community Team)
4 years 7 months ago - 4 years 7 months ago #187755 by DenisChenu

bulgin wrote: Thank you @DenisChenu I've installed the ShowResponse and see it listed in the plugins page, but I'm lost on how to use your code to now make it log somewhere.

Add this (not tested) in the function

\Yii::log("Bad token entered", 'error', 'plugin.logToken.Error'); // level is a string (or CLogger::LEVEL_ERROR); category must match the log route

Use Yii to log it where you want exactly : manual.limesurvey.org/Optional_settings#Logging_settings


I wanted to add a note to mantis report (bugs.limesurvey.org/view.php?id=14710) but it is impossible to tell from the login screen there if I am logged in as a guest or my username. I can't find a link on mantis to add a note.

I mean:

1. You can create a light plugin to log only token error
2. You can use Yii to log it at a specific file
3. Then you can use fail2ban to disable IP access

For 2:
Code:
'log' => array(
    'routes' => array(
        'fileError' => array(
            'class'      => 'CFileLogRoute',
            'logFile'    => 'tokenaccess.log',        // relative to the application runtime path
            'levels'     => 'warning, error',
            'categories' => 'plugin.logToken.Error',  // must match the category passed to Yii::log()
        ),
    ),
),

Here the log is written to tmp/runtime/tokenaccess.log

Last edit: 4 years 7 months ago by DenisChenu.
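The watcher side of step 3, added here as an example and not code from this thread or from LimeSurvey: it parses lines in the format Yii 1.x's CFileLogRoute writes (`Y/m/d H:i:s [level] [category] message`), keeps only the `plugin.logToken.Error` category, and applies fail2ban-style `maxretry`/`findtime` counting per client address. It assumes the plugin's log message ends with `from <client IP>`; the one-liner quoted above logs no address at all, so a log watcher would have nothing to ban on (in Yii 1.x the address is available as `Yii::app()->request->userHostAddress`). The log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a Yii 1.x CFileLogRoute file. The trailing "from <ip>" is an
# assumption about what the logging plugin appends; CFileLogRoute itself adds only
# the timestamp, level and category.
SAMPLE_LOG = """\
2019/06/01 10:00:01 [error] [plugin.logToken.Error] Bad token entered from 203.0.113.5
2019/06/01 10:00:03 [error] [plugin.logToken.Error] Bad token entered from 203.0.113.5
2019/06/01 10:00:04 [info] [application] Some unrelated message from 203.0.113.5
2019/06/01 10:00:05 [error] [plugin.logToken.Error] Bad token entered from 198.51.100.7
2019/06/01 10:00:06 [error] [plugin.logToken.Error] Bad token entered from 203.0.113.5
2019/06/01 10:00:07 [error] [plugin.logToken.Error] Bad token entered from 203.0.113.5
2019/06/01 10:00:08 [error] [plugin.logToken.Error] Bad token entered from 203.0.113.5
2019/06/01 10:20:00 [error] [plugin.logToken.Error] Bad token entered from 198.51.100.7
2019/06/01 10:40:00 [error] [plugin.logToken.Error] Bad token entered from 198.51.100.7
"""

# "2019/06/01 10:00:01 [error] [plugin.logToken.Error] message from 203.0.113.5"
# The IP group is optional so lines without an address still parse (with ip=None).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>\w+)\] \[(?P<category>[\w.]+)\] "
    r"(?P<msg>.*?)(?: from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?$"
)


def parse_line(line):
    """Parse one CFileLogRoute line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    return rec


def find_offenders(log_text, category="plugin.logToken.Error",
                   maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for every address that reached `maxretry`
    failures of `category` inside a sliding window of `findtime`.
    This mirrors fail2ban's maxretry/findtime; the ban itself is left to
    whatever enforces it (csf, fail2ban, mod_security)."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Skip unparsable lines, other categories, and lines with no address to act on.
        if rec is None or rec["category"] != category or rec["ip"] is None:
            continue
        ip = rec["ip"]
        if ip in banned:
            continue
        window = windows[ip]
        window.append(rec["ts"])
        # Drop failures older than findtime relative to the newest one.
        while window and rec["ts"] - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = rec["ts"]
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when}")
```

The same regex, with `<HOST>` in place of the IP group, is what a fail2ban filter's `failregex` needs. Two caveats decide whether this is worth anything in practice: behind a reverse proxy the address Yii sees is the proxy's unless the proxy's forwarded-for handling is configured and trusted, and the threshold has to be low enough to matter for a 5- or 6-character token space while still tolerating participants who mistype.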
bulgin (Topic Author, Elite Member)
4 years 7 months ago #187787 by bulgin
Thanks @DenisChenu I'll try to make this work (but I'm not exactly a coding expert). Appreciate the tips. Have a good day!
bulgin (Topic Author, Elite Member)
4 years 7 months ago #188006 by bulgin
I realized that my method of doing an external lookup in a database that then redirects to the correct token-ized URL is not so great - a malicious user only has to extract the URL for the survey after a successful access (a malicious survey participant) and lift the good, working URL from the successful login in limesurvey, and start brute-forcing it. So it's back to the drawing board for me.

I'd like to be able to use @DenisChenu's method but I can't get the log file to work...
DenisChenu (LimeSurvey Community Team)
4 years 7 months ago #188011 by DenisChenu
Did you create the plugin? Really light plugin…
