Welcome to the LimeSurvey Community Forum

Ask the community, share ideas, and connect with other LimeSurvey users!

Security feature after several attempts of login

  • holch
  • holch's Avatar Topic Author
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
10 years 2 months ago #103449 by holch
Hi!

I have problem with the security feature that blocks the access for 10 minutes when you try to login and have several failed attempts. My colleague did this last week and suddenly the access to Limesurvey was blocked for all of us. So I assume that limesurvey blocks the IP. As we all access via the same IP of course, this blocks Limesurvey for all of us. This is of course not really ideal when more than 1 person works on this.

The next problem is, that it took more than 10min until it got liberated. Actually, at the end I did restart our router which solved the problem. But after 10, 15 or 20min we still couldn't access Limesurvey.

So I wanted to know how this feature exactly works:
  • blocking via IP?
  • Blocking via anything else?

How can I best solve this problem?

how does it measure the time? Because obviously it is not 10min.

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

The topic has been locked.
More
10 years 2 months ago #103450 by Ben_V
Hi Holch and happy 2014 :cheer:

I suppose that all the security functions you are looking for, live in:
application/models/Failed_login_attemts.php

BTW, maybe the easiest and most reversible way to avoid this control is to open
application/config/config-defaults.php

and increase the default value (= 3)
$config = 3 ; // Lock them out after 3 attempts


Ben

Benoît

EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
Last Releases => 2.6x.x goo.gl/ztWfIV | 2.06/2.6.x => bit.ly/1Qv44A1
Demo Surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
The topic has been locked.
  • holch
  • holch's Avatar Topic Author
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
10 years 2 months ago #103456 by holch
Hi Ben!

A Happy New Year to you as well.

Thanks for your response. I prefer not to make changes to LS code, as it is a headache when updating.

To increase the default value might help in some cases, but I think if I would have increased it to 5 attempts, or 10, the colleague would probably also run into the same problem.

With the same result that he would have locked us all out, it would have just taken him a little longer. ;-)

But having a whole IP switched out sounds quite dangerous to me as a security measure, especially if the 10min limit isn't working properly.

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
10 years 2 months ago #103473 by DenisChenu
Replied by DenisChenu on topic Security feature after several attempts of login
Hi,

We can not really change this security measure , this system is for 'password dictionary' test, someone using this system can use same IP.

And i think we have to block by user too (because attacker can use 'transparent proxy' but try with same user).

I think you can use timeOutTime config to 1 : then it's blocked for 1 second.

Denis

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The topic has been locked.
More
4 years 7 months ago #186815 by uibklime1
Replied by uibklime1 on topic Security feature after several attempts of login
Mysql DB:

truncate failed_login_attempts;

You can more selective:

delete from failed_login_attempts where ip = 'xxxx' ;
The topic has been locked.
  • tpartner
  • tpartner's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
4 years 7 months ago #186824 by tpartner
Huh?

A very cryptic reply to a 5 year old thread.

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
The topic has been locked.

Lime-years ahead

Online-surveys for every purse and purpose