Please suggest brute force protection other than built-in captcha

6 months 2 weeks ago #182547 by bulgin
I'm looking for a solution or at least deterrent to slow down a brute force attack on tokens. As our survey will require the participant to manually enter the token, they are therefore short in characters - 5 or 6 in length automatically generated by LS.

I am familiar with mod_sec (which can't help in this case) and csf firewall which I believe won't help also. I am also familiar with the built-in captcha which although helpful, I believe this version can hold attackers at bay for a while but not for too long.

Currently our survey is not publicly available on the site but the nature of how participants are notified of the survey is very public and someone could track down the survey link and go at it with a brute force tool. As well, because we reward the participant with a digital redemption card upon completion, this makes our site all the more attractive.

6 months 2 weeks ago #182561 by bulgin
If we could come up with a way to enter failed login attempts into a log file, the rest would be easy to solve by simply monitoring that log file via csf or some other log file watcher. I did activate the log file feature plugin, but alas that doesn't seem to log to a flat file as well as it doesn't seem to capture failed attempts. Perhaps instituting this could be done? What do people think?
Thanks.
6 months 2 weeks ago - 6 months 2 weeks ago #182599 by DenisChenu
We don't log (via Yii::log) bad tokens entered. I think it's a great option to log all of these errors.

Unsure if it must be logged as 401 or 403, maybe.
Or maybe we need to create our own log? application.limesurvey.survey.token.invalid.SID for example?

Please report a feature request.


About the log file: what do you put inside your config?

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
An error happened? Before making a new topic: remember the Debug mode.
Last edit: 6 months 2 weeks ago by DenisChenu.
6 months 2 weeks ago #182615 by bulgin
401 requires the originating server to send a WWW-Authenticate header field which I don't think happens in this case and 403 has similar requirements. From RFC 2616 I think a 400 would be the best:

400 Bad Request

The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.

I'll submit on that and see if there is any likelihood that we can do this. A lot of misery could be avoided by implementing some method to log bad requests. Then it would be a simple matter of getting a log monitor of some sort to implement an IP block.
6 months 2 weeks ago #182618 by bulgin
2 months 1 week ago - 2 months 1 week ago #187534 by bulgin
Thank you @DenisChenu I've installed the ShowResponse and see it listed in the plugins page, but I'm lost on how to use your code to now make it log somewhere.

Add this (not tested) in the function

\Yii::log("Bad token entered", 'error', 'plugin.logToken.Error');

Use Yii to log it exactly where you want: manual.limesurvey.org/Optional_settings#Logging_settings


I wanted to add a note to mantis report (bugs.limesurvey.org/view.php?id=14710) but it is impossible to tell from the login screen there if I am logged in as a guest or my username. I can't find a link on mantis to add a note.
Last edit: 2 months 1 week ago by bulgin.
2 months 3 days ago #187667 by bulgin
For many, a useful tool would be to deny access to the survey by IP address when X number of failed tokens have been entered. So far, LimeSurvey can't do this, or at least not in any way that I'm aware of.

So my solution which may work for some but not all involves the following and requires a server running mod_security.

1) Provide a method whereby the token is entered NOT into the usual token entry form provided by limesurvey, but another form that does a database lookup on the entered token and, if correct, redirects the user to the correct survey link which includes the proper token and lands them on the start of the survey. This will require some mysql kung fu.
2) If incorrect the participant is redirected to an error page.
3) Set up mod_security to block the user's IP after X number of failed attempts to the URL error page.

Of course, this requires some work outside of Lime with a submission form addon or plugin that does the verification. But it works.

2 months 3 days ago #187694 by holch

For many, a useful tool would be to deny access to the survey by IP address when X number of failed tokens have been entered. So far, LimeSurvey can't do this, or at least not in any way that I'm aware of.

Not sure if it is still implemented in 3.x, but before if you had a couple of failed attempts you were blocked for a while from trying again. Was quite annoying because sometimes it wouldn't let you try again after the time (e.g. 10min). Haven't run into this problem for a while, so either I don't get my passwords wrong anymore or the feature has been taken out.

I'm not a LimeSurvey GmbH member. I answer at the LimeSurvey forum in my spare time. No support via private message.
Some helpful links: Manual (EN) | Question Types | Workarounds
2 months 9 hours ago - 2 months 9 hours ago #187755 by DenisChenu

bulgin wrote: Thank you @DenisChenu I've installed the ShowResponse and see it listed in the plugins page, but I'm lost on how to use your code to now make it log somewhere.

Add this (not tested) in the function

\Yii::log("Bad token entered", 'error', 'plugin.logToken.Error');

Use Yii to log it exactly where you want: manual.limesurvey.org/Optional_settings#Logging_settings


I wanted to add a note to mantis report (bugs.limesurvey.org/view.php?id=14710) but it is impossible to tell from the login screen there if I am logged in as a guest or my username. I can't find a link on mantis to add a note.

I mean:

1. You can create a light plugin to log only token errors
2. You can use Yii to log it to a specific file
3. Then you can use fail2ban to disable IP access

For 2:

'log' => array(
    'routes' => array(
        'fileError' => array(
            'class' => 'CFileLogRoute',
            'logFile' => 'tokenaccess.log',
            'levels' => 'warning, error',
            'categories' => 'plugin.logToken.Error',
        ),
    ),
),

Here the log is written to tmp/runtime/tokenaccess.log

Last edit: 2 months 9 hours ago by DenisChenu.
2 months 3 hours ago #187787 by bulgin
Thanks @DenisChenu I'll try to make this work (but I'm not exactly a coding expert). Appreciate the tips. Have a good day!
1 month 3 weeks ago #188006 by bulgin
I realized that my method of doing an external lookup in a database that then redirects to the correct token-ized URL is not so great - a malicious user only has to extract the URL for the survey after a successful access (a malicious survey participant) and lift the good, working URL from the successful login in limesurvey, and start brute-forcing it. So it's back to the drawing board for me.

I'd like to be able to use @DenisChenu's method but I can't get the log file to work...
1 month 3 weeks ago #188011 by DenisChenu
Did you create the plugin? Really light plugin…

1 month 3 weeks ago - 1 month 3 weeks ago #188016 by bulgin
Hello @DenisChenu, and thank you for your continued interest. I'm happy about that.

I don't know how to make a light plugin out of:

'log' => array(
    'routes' => array(
        'fileError' => array(
            'class' => 'CFileLogRoute',
            'logFile' => 'tokenaccess.log',
            'levels' => 'warning, error',
            'categories' => 'plugin.logToken.Error',
        ),
    ),
),
Last edit: 1 month 3 weeks ago by bulgin.
1 month 3 weeks ago #188031 by DenisChenu
No,

The plugin must be there only to add the
\Yii::log("Bad token entered", 'error', 'plugin.logToken.Error');

in the onSurveyDenied event.

Afterwards you can update config.php to log to a specific file and use a fail2ban configuration to disable IP access to the whole system.

Alternative: create a more complete plugin to disable access directly in the onSurveyDenied event.

1 month 3 weeks ago #188064 by bulgin
So appreciate your efforts to help me DenisChenu. Really, I do. You are great, but my coding skills are very primitive. I need to see a single file that contains all the necessary commands as a plugin; I cannot figure out how to glue the pieces together.

From what I see of existing plugins there is one file that is the plugin. Your examples, are they just one file or multiple files?

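A single-file plugin in the shape DenisChenu describes (subscribe to onSurveyDenied, emit one Yii::log call in the plugin.logToken.Error category), added here as an illustration and not code from the thread or from the LimeSurvey project. It assumes the LimeSurvey 3.x PluginBase namespace and that the event carries 'surveyId' and 'reason' parameters; the client IP is put into the message on purpose, because Yii's file route does not record it and fail2ban needs it on the line it matches.

```php
<?php
// plugins/LogToken/LogToken.php (assumed path): minimal LimeSurvey plugin that
// logs every refused survey access so a file log route and fail2ban can act on it.
// Assumptions (not from the thread): LimeSurvey 3.x namespace for PluginBase, and
// an onSurveyDenied event exposing 'surveyId' and 'reason'.
use LimeSurvey\PluginManager\PluginBase;

class LogToken extends PluginBase
{
    static protected $name = 'LogToken';
    static protected $description = 'Log denied survey access (bad token) for fail2ban';

    public function init()
    {
        // Only hook the event raised when access to a survey is refused.
        $this->subscribe('onSurveyDenied');
    }

    public function onSurveyDenied()
    {
        $event    = $this->getEvent();
        $surveyId = (int) $event->get('surveyId');
        $reason   = (string) $event->get('reason'); // e.g. an invalid-token reason (assumed)

        // Yii's CFileLogRoute writes only date, level, category and message, so the
        // client address must be part of the message for fail2ban to extract <HOST>.
        // REMOTE_ADDR is the TCP peer; only trust a forwarded header behind a proxy you control.
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            $ip = 'unknown'; // never write unvalidated input into a log fail2ban parses
        }

        // Same category as in the thread, so the 'fileError' route in config.php picks it up.
        \Yii::log(
            sprintf('Survey access denied sid=%d reason=%s ip=%s', $surveyId, $reason, $ip),
            CLogger::LEVEL_ERROR,
            'plugin.logToken.Error'
        );
    }
}
```

With the 'fileError' route shown earlier in the thread, each refusal becomes one line in tmp/runtime/tokenaccess.log ending in ip=<address>, which a fail2ban failregex such as `\[plugin\.logToken\.Error\].*ip=<HOST>$` can match to ban the source after N hits.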