Please suggest brute force protection other than built-in captcha

5 months 3 weeks ago #182547 by bulgin
I'm looking for a solution, or at least a deterrent, to slow down a brute force attack on tokens. As our survey will require the participant to manually enter the token, the tokens are therefore short: 5 or 6 characters in length, automatically generated by LS.

I am familiar with mod_sec (which can't help in this case) and the csf firewall, which I believe won't help either. I am also familiar with the built-in captcha which, although helpful, I believe can hold attackers at bay for a while but not for too long.

Currently our survey is not publicly available on the site but the nature of how participants are notified of the survey is very public and someone could track down the survey link and go at it with a brute force tool. As well, because we reward the participant with a digital redemption card upon completion, this makes our site all the more attractive.

5 months 3 weeks ago #182561 by bulgin
If we could come up with a way to enter failed login attempts into a log file, the rest would be easy to solve by simply monitoring that log file via csf or some other log file watcher. I did activate the log file feature plugin, but alas that doesn't seem to log to a flat file as well as it doesn't seem to capture failed attempts. Perhaps instituting this could be done? What do people think?
Thanks.
The following user(s) said Thank You: DenisChenu

5 months 3 weeks ago - 5 months 3 weeks ago #182599 by DenisChenu
We don't log (using Yii::log) bad tokens entered. I think it's a great option to log all of these errors.

Unsure whether it must be logged as 401 or 403, maybe.
Or maybe we need to create our own log? application.limesurvey.survey.token.invalid.SID for example?

Please report a feature request.


About the log file: what do you put inside your config?

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
An error happened? Before making a new topic: remember the Debug mode.
Last edit: 5 months 3 weeks ago by DenisChenu.

5 months 3 weeks ago #182615 by bulgin
401 requires the originating server to send a WWW-Authenticate header field, which I don't think happens in this case, and 403 has similar requirements. From RFC 2616 I think a 400 would be the best:

400 Bad Request

The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.

I'll submit on that and see if there is any likelihood that we can do this. A lot of misery could be avoided by implementing some method to log bad requests. Then it would be a simple matter of getting a log monitor of some sort to implement an IP block.

5 months 3 weeks ago #182618 by bulgin
The following user(s) said Thank You: DenisChenu, cdorin

1 month 1 week ago - 1 month 1 week ago #187534 by bulgin
Thank you @DenisChenu I've installed the ShowResponse and see it listed in the plugins page, but I'm lost on how to use your code to now make it log somewhere.

Add this (not tested) in the function

\Yii::log("Bad token entered", 'error', 'plugin.logToken.Error');

Use Yii to log it exactly where you want: manual.limesurvey.org/Optional_settings#Logging_settings


I wanted to add a note to mantis report (bugs.limesurvey.org/view.php?id=14710) but it is impossible to tell from the login screen there if I am logged in as a guest or my username. I can't find a link on mantis to add a note.
Last edit: 1 month 1 week ago by bulgin.

1 month 1 week ago #187667 by bulgin
For many, a useful tool would be a tool to deny access to the survey by IP address when X number of failed tokens have been entered. So far, LimeSurvey can't do this, or at least not in any way that I'm aware of.

So my solution, which may work for some but not all, involves the following and requires a server running mod_security.

1) Provide a method whereby the token is entered NOT into the usual token entry form provided by LimeSurvey, but into another form that does a database lookup on the entered token and, if correct, redirects the user to the correct survey link, which includes the proper token and lands them on the start of the survey. This will require some MySQL kung fu.
2) If incorrect, the participant is redirected to an error page.
3) Set up mod_security to block the user's IP after X number of failed attempts hitting the error page URL.

Of course, this requires some work outside of Lime with a submission form addon or plugin that does the verification. But it works.

1 month 1 week ago #187694 by holch

bulgin wrote: For many, a useful tool would be a tool to deny access to the survey by IP address when X number of failed tokens have been entered. So far, LimeSurvey can't do this, or at least not in any way that I'm aware of.

Not sure if it is still implemented in 3.x, but before if you had a couple of failed attempts you were blocked for a while from trying again. Was quite annoying because sometimes it wouldn't let you try again after the time (e.g. 10min). Haven't run into this problem for a while, so either I don't get my passwords wrong anymore or the feature has been taken out.

I'm not a LimeSurvey GmbH member. I answer at the LimeSurvey forum in my spare time. No support via private message.
Some helpful links: Manual (EN) | Question Types | Workarounds

1 month 4 days ago - 1 month 4 days ago #187755 by DenisChenu

bulgin wrote: Thank you @DenisChenu I've installed the ShowResponse and see it listed in the plugins page, but I'm lost on how to use your code to now make it log somewhere.

Add this (not tested) in the function

\Yii::log("Bad token entered", 'error', 'plugin.logToken.Error');

Use Yii to log it exactly where you want: manual.limesurvey.org/Optional_settings#Logging_settings


I wanted to add a note to mantis report (bugs.limesurvey.org/view.php?id=14710) but it is impossible to tell from the login screen there if I am logged in as a guest or my username. I can't find a link on mantis to add a note.

I mean:

1. You can create a light plugin to log only the token error.
2. You can use Yii to log it to a specific file.
3. Then you can use fail2ban to disable IP access.

For 2, in config.php:

'log' => array(
    'routes' => array(
        'fileError' => array(
            'class' => 'CFileLogRoute',
            'logFile' => 'tokenaccess.log',
            'levels' => 'warning, error',
            'categories' => 'plugin.logToken.Error',
        ),
    ),
),

Here the log is written to tmp/runtime/tokenaccess.log

Last edit: 1 month 4 days ago by DenisChenu.

1 month 4 days ago #187787 by bulgin
Thanks @DenisChenu I'll try to make this work (but I'm not exactly a coding expert). Appreciate the tips. Have a good day!

4 weeks 2 days ago #188006 by bulgin
I realized that my method of doing an external lookup in a database that then redirects to the correct token-ized URL is not so great: a malicious user (a malicious survey participant) only has to extract the URL for the survey after a successful access, lift the good, working URL from the successful login in LimeSurvey, and start brute-forcing it. So it's back to the drawing board for me.

I'd like to be able to use @DenisChenu's method but I can't get the log file to work...

4 weeks 1 day ago #188011 by DenisChenu
Did you create the plugin? A really light plugin…

4 weeks 1 day ago - 4 weeks 1 day ago #188016 by bulgin
Hello @denischenu and thank you for your continued interest. I'm happy about that.

I don't know how to make a lite plugin out of:

'log' => array(
    'routes' => array(
        'fileError' => array(
            'class' => 'CFileLogRoute',
            'logFile' => 'tokenaccess.log',
            'levels' => 'warning, error',
            'categories' => 'plugin.logToken.Error',
        ),
    ),
),
Last edit: 4 weeks 1 day ago by bulgin.

4 weeks 8 hours ago #188031 by DenisChenu
No,

The plugin must be there only to add the
\Yii::log("Bad token entered", 'error', 'plugin.logToken.Error');

in the onSurveyDenied event.

After that you can update config.php to log to a specific file and use a fail2ban configuration to disable IP access to the whole system.

Alternative: create a more complete plugin to disable access directly in the onSurveyDenied event.

4 weeks 1 hour ago #188064 by bulgin
I so appreciate your efforts to help me, DenisChenu. Really, I do. You are great, but my coding skills are very primitive. I need to see a single file that contains all the necessary commands as a plugin; I cannot figure out how to glue the pieces together.

From what I see of existing plugins, there is one file that is the plugin. Your examples, are they just one file or multiple files?

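A single-file plugin of the kind DenisChenu describes above (log the denial from onSurveyDenied, let the CFileLogRoute in config.php write it to tokenaccess.log, let fail2ban count per IP), written here as an added example rather than code from this thread or from LimeSurvey. It assumes the onSurveyDenied event exposes 'surveyId' and a 'reason' string as in the LimeSurvey plugin API, and that the log route posted earlier is present in config.php.

```php
<?php
/**
 * logToken.php: added example, not code from this thread or from LimeSurvey.
 * Save it as plugins/logToken/logToken.php (folder and class name must match),
 * then activate it on the plugin manager page.
 * Every denied survey access is logged at 'error' level in the category
 * 'plugin.logToken.Error', so the CFileLogRoute DenisChenu posted writes it to
 * tmp/runtime/tokenaccess.log, where fail2ban can count failures per IP.
 */
class logToken extends PluginBase
{
    protected $storage = 'DbStorage';
    static protected $description = 'Log denied survey access (bad token) for fail2ban';
    static protected $name = 'logToken';

    public function init()
    {
        // onSurveyDenied is raised when a participant cannot enter a survey.
        $this->subscribe('onSurveyDenied');
    }

    public function onSurveyDenied()
    {
        $event = $this->getEvent();
        // Assumption: the event carries 'surveyId' and a 'reason' string
        // (for example 'invalidToken'); both go into the line so a fail2ban
        // filter can match only token failures and ignore expired surveys.
        $surveyId = (int) $event->get('surveyId');
        $reason   = (string) $event->get('reason');

        // Client address as Yii sees it; behind a reverse proxy, make the web
        // server pass the real client IP, otherwise fail2ban bans the proxy.
        $ip = Yii::app()->request->getUserHostAddress();

        // CFileLogRoute prefixes "date [level] [category]"; keeping one fixed
        // message format with the IP last lets a fail2ban failregex such as
        //   ^.*\[plugin\.logToken\.Error\] Survey denied .* from <HOST>$
        // match it without ambiguity.
        \Yii::log(
            sprintf('Survey denied (%s) for survey %d from %s', $reason, $surveyId, $ip),
            CLogger::LEVEL_ERROR,
            'plugin.logToken.Error'
        );
    }
}
```

The plugin only records the event; the blocking decision stays in fail2ban (maxretry and bantime in its jail), so legitimate participants who mistype once are never locked out by the plugin itself.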