Check out the LimeSurvey source code on GitHub!

Security feature after several attempts of login

More
3 years 1 week ago #103449 by holch
Hi!

I have problem with the security feature that blocks the access for 10 minutes when you try to login and have several failed attempts. My colleague did this last week and suddenly the access to Limesurvey was blocked for all of us. So I assume that limesurvey blocks the IP. As we all access via the same IP of course, this blocks Limesurvey for all of us. This is of course not really ideal when more than 1 person works on this.

The next problem is, that it took more than 10min until it got liberated. Actually, at the end I did restart our router which solved the problem. But after 10, 15 or 20min we still couldn't access Limesurvey.

So I wanted to know how this feature exactly works:
  • blocking via IP?
  • Blocking via anything else?

How can I best solve this problem?

how does it measure the time? Because obviously it is not 10min.

I'm not a LimeSurvey GmbH member. I answer at the LimeSurvey forum in my spare time. No support via private message.
Some helpful links: Manual (EN) | Question Types | Workarounds

Please Log in to join the conversation.

More
3 years 1 week ago #103450 by Ben_V
Hi Holch and happy 2014 :cheer:

I suppose that all the security functions you are looking for, live in:
application/models/Failed_login_attemts.php

BTW, maybe the easiest and most reversible way to avoid this control is to open
application/config/config-defaults.php

and increase the default value (= 3)
$config = 3 ; // Lock them out after 3 attempts


Ben

Benoît

EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
All LS releases => bit.ly/1VMuTDu | 2.06lts => bit.ly/1Qv44A1
Demo surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)

Please Log in to join the conversation.

More
3 years 1 week ago #103456 by holch
Hi Ben!

A Happy New Year to you as well.

Thanks for your response. I prefer not to make changes to LS code, as it is a headache when updating.

To increase the default value might help in some cases, but I think if I would have increased it to 5 attempts, or 10, the colleague would probably also run into the same problem.

With the same result that he would have locked us all out, it would have just taken him a little longer. ;-)

But having a whole IP switched out sounds quite dangerous to me as a security measure, especially if the 10min limit isn't working properly.

I'm not a LimeSurvey GmbH member. I answer at the LimeSurvey forum in my spare time. No support via private message.
Some helpful links: Manual (EN) | Question Types | Workarounds

Please Log in to join the conversation.

More
3 years 1 week ago #103473 by DenisChenu
Hi,

We can not really change this security measure , this system is for 'password dictionary' test, someone using this system can use same IP.

And i think we have to block by user too (because attacker can use 'transparent proxy' but try with same user).

I think you can use timeOutTime config to 1 : then it's blocked for 1 second.

Denis

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).

Please Log in to join the conversation.

Imprint                   Privacy policy         General Terms & Conditions         Revocation information and revocation form