Security feature after several attempts of login

Mehr
3 Jahre 6 Monate her #103449 von holch
holch erstellte das Thema Security feature after several attempts of login
Hi!

I have problem with the security feature that blocks the access for 10 minutes when you try to login and have several failed attempts. My colleague did this last week and suddenly the access to Limesurvey was blocked for all of us. So I assume that limesurvey blocks the IP. As we all access via the same IP of course, this blocks Limesurvey for all of us. This is of course not really ideal when more than 1 person works on this.

The next problem is, that it took more than 10min until it got liberated. Actually, at the end I did restart our router which solved the problem. But after 10, 15 or 20min we still couldn't access Limesurvey.

So I wanted to know how this feature exactly works:
  • blocking via IP?
  • Blocking via anything else?

How can I best solve this problem?

how does it measure the time? Because obviously it is not 10min.

I'm not a LimeSurvey GmbH member. I answer at the LimeSurvey forum in my spare time. No support via private message.
Some helpful links: Manual (EN) | Question Types | Workarounds

Bitte Anmelden um der Konversation beizutretten.

Mehr
3 Jahre 6 Monate her #103450 von Ben_V
Ben_V antwortete auf das Thema: Security feature after several attempts of login
Hi Holch and happy 2014 :cheer:

I suppose that all the security functions you are looking for, live in:
application/models/Failed_login_attemts.php

BTW, maybe the easiest and most reversible way to avoid this control is to open
application/config/config-defaults.php

and increase the default value (= 3)
$config = 3 ; // Lock them out after 3 attempts


Ben

Benoît

EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
Last Releases => 2.6x.x goo.gl/ztWfIV | 2.06/2.6.x => bit.ly/1Qv44A1
Demo Surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)

Bitte Anmelden um der Konversation beizutretten.

Mehr
3 Jahre 6 Monate her #103456 von holch
holch antwortete auf das Thema: Security feature after several attempts of login
Hi Ben!

A Happy New Year to you as well.

Thanks for your response. I prefer not to make changes to LS code, as it is a headache when updating.

To increase the default value might help in some cases, but I think if I would have increased it to 5 attempts, or 10, the colleague would probably also run into the same problem.

With the same result that he would have locked us all out, it would have just taken him a little longer. ;-)

But having a whole IP switched out sounds quite dangerous to me as a security measure, especially if the 10min limit isn't working properly.

I'm not a LimeSurvey GmbH member. I answer at the LimeSurvey forum in my spare time. No support via private message.
Some helpful links: Manual (EN) | Question Types | Workarounds

Bitte Anmelden um der Konversation beizutretten.

Mehr
3 Jahre 6 Monate her #103473 von DenisChenu
DenisChenu antwortete auf das Thema: Security feature after several attempts of login
Hi,

We can not really change this security measure , this system is for 'password dictionary' test, someone using this system can use same IP.

And i think we have to block by user too (because attacker can use 'transparent proxy' but try with same user).

I think you can use timeOutTime config to 1 : then it's blocked for 1 second.

Denis

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
An error happen ? Before make a new topic : remind the Debug mode .

Bitte Anmelden um der Konversation beizutretten.

Haben Sie schon bei unserer Kundenumfrage mitgemacht?

Verpassen Sie nicht Ihre Chance auf tolle Preise.

Klicken sie hier um teilzunehmen:

Jetzt starten

Jetzt loslegen!

Melden Sie sich jetzt an, und erstellen Sie in wenigen Minuten Ihre erste Umfrage.

Account einrichten