Please suggest brute force protection other than built-in captcha

1 month 3 weeks ago #182547 by bulgin
I'm looking for a solution, or at least a deterrent, to slow down a brute force attack on tokens. As our survey will require the participant to manually enter the token, the tokens are therefore short: 5 or 6 characters in length, automatically generated by LS.

I am familiar with mod_sec (which can't help in this case) and the csf firewall, which I believe won't help either. I am also familiar with the built-in captcha; although helpful, I believe this version can hold attackers at bay for a while but not for too long.

Currently our survey is not publicly available on the site but the nature of how participants are notified of the survey is very public and someone could track down the survey link and go at it with a brute force tool. As well, because we reward the participant with a digital redemption card upon completion, this makes our site all the more attractive.


1 month 3 weeks ago #182561 by bulgin
If we could come up with a way to enter failed login attempts into a log file, the rest would be easy to solve by simply monitoring that log file via csf or some other log file watcher. I did activate the log file feature plugin, but alas that doesn't seem to log to a flat file, nor does it seem to capture failed attempts. Perhaps instituting this could be done? What do people think?
Thanks.
The following user(s) said Thank You: DenisChenu


1 month 3 weeks ago - 1 month 3 weeks ago #182599 by DenisChenu
We don't log (using Yii::log) bad tokens entered. I think it would be a great option to log all of these errors.

Unsure whether it must be logged as 401 or 403, maybe.
Or maybe we need to create our own log category? application.limesurvey.survey.token.invalid.SID, for example?

Please report a feature request.


About the log file: what do you put inside your config?

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand.
An error happened? Before making a new topic: remember the Debug mode.
Last edit: 1 month 3 weeks ago by DenisChenu.


1 month 3 weeks ago #182615 by bulgin
401 requires the originating server to send a WWW-Authenticate header field, which I don't think happens in this case, and 403 has similar requirements. From RFC 2616 I think a 400 would be the best:

400 Bad Request

The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.

I'll submit on that and see if there is any likelihood that we can do this. A lot of misery could be avoided by implementing some method to log bad requests. Then it would be a simple matter of getting a log monitor of some sort to implement an IP block.
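The log-watching side of the proposal in this thread (log each invalid token, then let a watcher block the source IP), as an added example that is not part of the original posts or of LimeSurvey itself: a small Python watcher that parses invalid-token lines in the format Yii 1.1's CFileLogRoute writes (timestamp, [level], [category], message), using the log category DenisChenu suggested, and returns the client IPs that exceeded a threshold of failures inside a sliding time window. The sample log lines are constructed, and the message body (`ip=... token=...`) is an assumption: LimeSurvey did not log these entries at the time of the thread (that is what the feature request asks for), so the real line format is whatever the eventual implementation writes, and the regex below would need to follow it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in the line format Yii 1.1's CFileLogRoute produces:
#   "Y/m/d H:i:s [level] [category] message"
# Category per DenisChenu's suggestion: application.limesurvey.survey.token.invalid.<SID>
# The "ip=... token=..." message body is an ASSUMPTION for this example, not LimeSurvey output.
SAMPLE_LOG = """\
2019/03/15 10:22:01 [error] [application.limesurvey.survey.token.invalid.123456] ip=203.0.113.7 token=AB12C
2019/03/15 10:22:02 [error] [application.limesurvey.survey.token.invalid.123456] ip=203.0.113.7 token=AB12D
2019/03/15 10:22:02 [error] [application.limesurvey.survey.token.invalid.123456] ip=203.0.113.7 token=AB12E
2019/03/15 10:22:03 [error] [application.limesurvey.survey.token.invalid.123456] ip=203.0.113.7 token=AB12F
2019/03/15 10:22:03 [error] [application.limesurvey.survey.token.invalid.123456] ip=203.0.113.7 token=AB12G
2019/03/15 10:22:04 [error] [application.limesurvey.survey.token.invalid.123456] ip=203.0.113.7 token=AB12H
2019/03/15 10:22:10 [info] [application] survey 123456 started by ip=198.51.100.4
2019/03/15 10:25:00 [error] [application.limesurvey.survey.token.invalid.123456] ip=198.51.100.4 token=ZZ999
2019/03/15 10:40:00 [error] [application.limesurvey.survey.token.invalid.123456] ip=198.51.100.4 token=ZZ998
"""

# Only lines carrying the invalid-token category are of interest; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"\[application\.limesurvey\.survey\.token\.invalid\.(?P<sid>\d+)\] "
    r"ip=(?P<ip>[0-9a-fA-F.:]+)"
)


def parse_failures(text):
    """Yield (timestamp, survey id, client ip) for each invalid-token log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["sid"], m["ip"]


def ips_to_block(text, threshold=5, window=timedelta(minutes=10)):
    """Return the set of IPs with at least `threshold` failures inside any `window`.

    A per-IP deque holds the timestamps of recent failures; entries older than the
    window are dropped before counting, so a slow, spread-out guesser is judged by
    its rate, not by its lifetime total.
    """
    recent = defaultdict(deque)
    blocked = set()
    for ts, _sid, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            blocked.add(ip)
    return blocked


if __name__ == "__main__":
    # Tail a real file instead of SAMPLE_LOG in production; the decision logic is the same.
    for ip in sorted(ips_to_block(SAMPLE_LOG)):
        print(f"block {ip}")
```

Once the set of IPs comes back, the same loop would hand each one to `csf -d <ip>` (csf's deny command) or a fail2ban jail; with csf already on the box, its lfd process could watch the flat file directly instead of this script. The sliding window is the important design choice: a patient attacker spreading guesses across hours never trips a naive per-minute counter, and for a 5- or 6-character token space the threshold should be far below the number of guesses that gives a meaningful chance of a hit, since blocking after the attacker has already had thousands of attempts defeats the purpose.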


1 month 3 weeks ago #182618 by bulgin
Feature request submitted. You can vote on it here:

bugs.limesurvey.org/view.php?id=14710
The following user(s) said Thank You: DenisChenu, cdorin
