Snitz Forums 2000
IP-ban after 3 unsuccessful login attempts?

Topic Review
OJJE Posted - 27 May 2009 : 15:23:56
Hi,

I'm in big need of help to tackle some hacking attempts made by persons hiding behind anonymous online proxies and trying to hack various user accounts on my forum by trying to guess the passwords.

My logfiles are full of unsuccessful login attempts from various IPs. Is there a MOD or some code that I could implement in my Snitz 3.4.06 forum so that the IP is blocked (not the user account) from the forum after 3 failed login attempts?

I'm using MySQL as the database..

<moved from="Help: General / Current Version (v3.4.xx)" by="Shaggy" />
9 Latest Replies (Newest First)
Carefree Posted - 31 May 2009 : 11:19:04
You could go an additional step further with this idea. If you lock an account (for example) as a result of 3 failed login attempts, you could have the server automatically email the owner of the account advising him/her to change the password due to the attempted hack.

To include that as a feature, replace the sub routine (middle section of my earlier reply) with the following:


Sub chkLoginSession()
	' Record a failed login against the member name; on the third failure within
	' the window, issue a password-reset key, email the account holder and redirect
	dim blnNotify
	strSql="SELECT LFAIL1, LFAIL2, LFAIL3 FROM " & strTablePrefix & "LOGINFAIL WHERE M_NAME='" & chkString(FNAME,"SQLString") & "'"
	set rsFail=my_Conn.Execute(strSql)
	if rsFail.EOF then
		rsFail.Close
		set rsFail=Nothing
		' First failure: start a record (dates stored as Snitz yyyymmddhhmmss strings, so no #date# literals)
		strSql="INSERT INTO " & strTablePrefix & "LOGINFAIL (M_NAME, LFAIL1) VALUES ('" & chkString(FNAME,"SQLString") & "', '" & DateToStr(strForumTimeAdjust) & "')"
		my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
	else
		if DateDiff("d", StrToDate(rsFail("LFAIL1")), strForumTimeAdjust) > 1 then
			' Stale record: discard it and start again from the first failure
			rsFail.Close
			set rsFail=Nothing
			strSql="DELETE FROM " & strTablePrefix & "LOGINFAIL WHERE M_NAME='" & chkString(FNAME,"SQLString") & "'"
			my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
			strSql="INSERT INTO " & strTablePrefix & "LOGINFAIL (M_NAME, LFAIL1) VALUES ('" & chkString(FNAME,"SQLString") & "', '" & DateToStr(strForumTimeAdjust) & "')"
			my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
		else
			if trim(rsFail("LFAIL2") & "")="" then
				' Second failure: update the existing row (an INSERT would create a duplicate row for the member)
				rsFail.Close
				set rsFail=Nothing
				strSql="UPDATE " & strTablePrefix & "LOGINFAIL SET LFAIL2='" & DateToStr(strForumTimeAdjust) & "' WHERE M_NAME='" & chkString(FNAME,"SQLString") & "'"
				my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
			else
				' Third failure while LFAIL3 is still empty: record it and notify; later attempts are only redirected
				blnNotify=(trim(rsFail("LFAIL3") & "")="")
				rsFail.Close
				set rsFail=Nothing
				if blnNotify then
					strSql="UPDATE " & strTablePrefix & "LOGINFAIL SET LFAIL3='" & DateToStr(strForumTimeAdjust) & "' WHERE M_NAME='" & chkString(FNAME,"SQLString") & "'"
					my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
					'	Notify account holder
					strSql="SELECT M_NAME, M_EMAIL FROM " & strMemberTablePrefix & "MEMBERS WHERE M_NAME='" & chkString(FNAME,"SQLString") & "'"
					set rsNotify=my_Conn.Execute(strSql)
					if not rsNotify.EOF then
						strRecipientsName = FNAME
						strRecipients = rsNotify("M_EMAIL")
						strFrom = strSender
						strFromName = strForumTitle
						strSubject = "Possible Hacking Attempt on Your Account at " & strForumTitle
						strMessage = "Hello " & FNAME & vbNewLine & vbNewLine
						strMessage = strMessage & "You received this message from " & strForumTitle & " because there were three consecutive unsuccessful attempts to login using your user name at " & strForumURL & "." & vbNewLine & vbNewLine
						strMessage = strMessage & "If these attempts WERE made by you and you have forgotten your password, you can reset it by clicking the link below." & vbNewLine & vbNewLine
						' Issue a fresh reset key so the link in the mail is valid
						pwkey = GetKey("none")
						strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
						strSql = strSql & " SET M_PWKEY = '" & chkString(pwkey,"SQLString") & "'"
						strSql = strSql & " WHERE M_NAME = '" & chkString(FNAME,"SQLString") & "'"
						my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
						strMessage = strMessage & strForumURL & "password.asp?pwkey=" & pwkey & vbNewLine & vbNewLine
						strMessage = strMessage & "If these attempts WERE NOT made by you, you should change your password using your profile page (" & strForumURL & "pop_profile.asp?mode=Edit) as soon as possible to prevent an eventual 'brute force' password breaking." & vbNewLine & vbNewLine
						%>
						<!--#INCLUDE FILE="inc_mail.asp" -->
						<%
						rsNotify.Close
					end if
					set rsNotify=Nothing
				end if
				' Send the visitor away from the login page (change this target to suit your forum)
				Response.Redirect "127.0.0.1"
				Response.End
			end if
		end if
	end if
End Sub
Carefree Posted - 31 May 2009 : 11:15:30
You're welcome. Please let me know if you have any problem.
OJJE Posted - 31 May 2009 : 09:13:36
Thanks for the code Carefree! I will test it soon.
I found something interesting yesterday.

I have the following Javascript-code in my header in my forum:

	<script type="text/javascript">
	if (top.location != self.location)
	top.location = self.location;
	</script>

The funny thing is that all of the online proxy services I have tested today to try to login to my forum stop the user logging in through the proxy server.

The script reloads the login page over and over again and stops the user who is surfing through the proxy service from even trying to login. Many of these proxy services have the option to deactivate JavaScript, but it does not seem to deactivate it on my forum page...

Many of these free online proxy services show ads and iframe pages, and the script tries to break the forum page out of the iframes..


Carefree Posted - 28 May 2009 : 15:10:29
Why not use a database value? You could post a time of initial login failure, then a second time, then if a third time occurs within a specified period, redirect. No need for cookies at all.

If anyone sees something I've overlooked (or a better approach), please feel free.

This would require creating a table. Save the following in your forum directory as "dbs_hackbar.asp". Run it from the admin console (mod setup).

Hack Bar 1.0
[DROP]
LOGINFAIL
[END]

[CREATE]
LOGINFAIL

M_NAME#VARCHAR(75)##
LFAIL1#VARCHAR(14)##
LFAIL2#VARCHAR(14)##
LFAIL3#VARCHAR(14)##
[END]


Append the following to the bottom of "inc_func_common.asp" above the "%>"


Sub chkLoginSession()
	' Record a failed login against the member name: the first failure starts a row,
	' the second and third fill LFAIL2/LFAIL3, anything after that reaches the ban routine
	strSql="SELECT LFAIL1, LFAIL2, LFAIL3 FROM " & strTablePrefix & "LOGINFAIL WHERE M_NAME='" & chkString(FNAME,"SQLString") & "'"
	set rsFail=my_Conn.Execute(strSql)
	if rsFail.EOF then
		rsFail.Close
		set rsFail=Nothing
		' First failure: start a record (dates stored as Snitz yyyymmddhhmmss strings, so no #date# literals)
		strSql="INSERT INTO " & strTablePrefix & "LOGINFAIL (M_NAME, LFAIL1) VALUES ('" & chkString(FNAME,"SQLString") & "', '" & DateToStr(strForumTimeAdjust) & "')"
		my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
	else
		if DateDiff("d", StrToDate(rsFail("LFAIL1")), strForumTimeAdjust) > 1 then
			' Stale record: discard it and start again from the first failure
			rsFail.Close
			set rsFail=Nothing
			strSql="DELETE FROM " & strTablePrefix & "LOGINFAIL WHERE M_NAME='" & chkString(FNAME,"SQLString") & "'"
			my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
			strSql="INSERT INTO " & strTablePrefix & "LOGINFAIL (M_NAME, LFAIL1) VALUES ('" & chkString(FNAME,"SQLString") & "', '" & DateToStr(strForumTimeAdjust) & "')"
			my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
		else
			if trim(rsFail("LFAIL2") & "")="" then
				' Second failure: update the existing row (an INSERT would create a duplicate row for the member)
				rsFail.Close
				set rsFail=Nothing
				strSql="UPDATE " & strTablePrefix & "LOGINFAIL SET LFAIL2='" & DateToStr(strForumTimeAdjust) & "' WHERE M_NAME='" & chkString(FNAME,"SQLString") & "'"
				my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
			elseif trim(rsFail("LFAIL3") & "")="" then
				' Third failure
				rsFail.Close
				set rsFail=Nothing
				strSql="UPDATE " & strTablePrefix & "LOGINFAIL SET LFAIL3='" & DateToStr(strForumTimeAdjust) & "' WHERE M_NAME='" & chkString(FNAME,"SQLString") & "'"
				my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
			else
				rsFail.Close
				set rsFail=Nothing
				'	Redirect or Temporary Ban   routine
			end if
		end if
	end if
End Sub


Note the commented line "Redirect or Temporary Ban routine". You'll need to add your own ban or redirect routine. You could lock the account, etc.

You would have to add one more line to "inc_func_common.asp".


Search for the following:

	if rsCheck.BOF or rsCheck.EOF or not(ChkQuoteOk(fName)) or not(ChkQuoteOk(fPassword)) then


After that, insert the following:


		Call chkLoginSession
cripto9t Posted - 28 May 2009 : 14:38:51
quote:
I'm thinking of using session cookies instead and making some sort of check with now() > last attempt or something; where in the code/file would be the best place to put the login flood control code?



I read your post this morning and sessions came to my mind too. I got it working by using a sub routine in the chkUser function. I just need to know what to do with them once they reach the limit. My idea is to bypass the chkUser function once they reach the limit and a fake login process begins.

Here's what I have
Sub chkLoginSession()
    dim intAttempts
    dim strRedirect
    dim blnCookie

    '# number of attempts before being redirected
    intAttempts = 3

    '# url of redirect page
    strRedirect = "default.asp"

    '# set to 1 to drop a cookie
    blnCookie = 1


    '# do not edit below this line

    '# do cookie things (path only; the "failed" value is set below when the limit is reached)
    if blnCookie = 1 then
        if strSetCookieToForum = 1 then
            Response.Cookies(strUniqueID & "login").Path = strCookieURL
        else
            Response.Cookies(strUniqueID & "login").Path = "/"
        end if
    end if

    '# do session things: count failed attempts in the server-side session
    if trim(Session(strCookieURL & "login")) = "" then
        Session(strCookieURL & "login") = 1
    else
        if isNumeric(Session(strCookieURL & "login")) = true then
            Session(strCookieURL & "login") = cLng(Session(strCookieURL & "login")) + 1
        else
            Session(strCookieURL & "login") = 1
        end if
    end if

    '# set cookie and redirect once the counter passes the limit
    if cLng(Session(strCookieURL & "login")) > intAttempts then
        'if blnCookie = 1 then
            'if trim(Request.Cookies(strUniqueID & "login")) <> "failed" then
                'Response.Cookies(strUniqueID & "login") = "failed"
            'end if
        'end if
        Response.Redirect(strRedirect)
    end if
End Sub

As you can see it redirects to a new page after the limit has been reached. I just want to redirect them to a "log in failed" page, so they think they are still trying to log in legitimately.

quote:
The use of regular cookies would not work because many of the online proxy servers block cookies
grrrr... that was part of my plan.


Barring distractions, I should have something by tomorrow
OJJE Posted - 28 May 2009 : 12:28:51
A flood control would be the perfect solution, so that the user has to wait 1 minute before he can try to login again. The use of regular cookies would not work because many of the online proxy servers block cookies. I'm thinking of using session cookies instead and making some sort of check with now() > last attempt or something; where in the code/file would be the best place to put the login flood control code?

AnonJr Posted - 28 May 2009 : 09:31:40
Maybe less of a ban and more of some sort of rate-limiting?

While looking at a white paper on CAPTCHAs I randomly thought of your problem and this Coding Horror article. I don't have any code handy, nor do I have the time to write this up at the moment, but one avenue to look down would be to record the number of attempts on a given account and after x failed attempts pose a gatekeeper question or start progressively delaying the response time between submission and notification. Just a random thought.

Addendum: it may be easier to tie it into the existing flood control mechanisms...
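The per-account failure window from Carefree's database approach and the progressive delay AnonJr suggests, combined in one added Python model (not Snitz code and not from anyone in this thread): failures are keyed by account name rather than source IP (bobby131313's shared-IP concern), old failures fall out of a sliding window, each failure earns a doubling delay, and the third within the window locks the account. The class name, the tuning constants and the replayed log are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Added example, not Snitz code: the tuning values below are assumptions.
WINDOW = timedelta(days=1)   # failures older than this are forgotten
THRESHOLD = 3                # third failure inside the window locks the account
BASE_DELAY = 2               # seconds, doubled on each failure (progressive delay)

class FailedLoginTracker:
    """In-memory stand-in for the LOGINFAIL table: failure timestamps per account name.
    Keying by account rather than source IP avoids banning everyone behind a shared proxy."""
    def __init__(self):
        self._failures = {}  # account -> list of datetime

    def _recent(self, account, now):
        return [t for t in self._failures.get(account, []) if now - t < WINDOW]

    def record_failure(self, account, now):
        """Log one failure; return ("lock", count) or ("delay", seconds)."""
        stamps = self._recent(account, now) + [now]
        self._failures[account] = stamps
        if len(stamps) >= THRESHOLD:
            return ("lock", len(stamps))
        return ("delay", BASE_DELAY * 2 ** (len(stamps) - 1))

    def record_success(self, account):
        """A correct password clears the counter."""
        self._failures.pop(account, None)

    def is_locked(self, account, now):
        """Check before verifying the password, so a locked account gets no real attempt."""
        return len(self._recent(account, now)) >= THRESHOLD

# Constructed sample of login events: (timestamp, account, password_ok)
CONSTRUCTED_LOG = [
    ("2009-05-27 15:00:00", "alice", False),
    ("2009-05-27 15:00:05", "alice", False),
    ("2009-05-27 15:00:20", "bob", False),
    ("2009-05-27 15:00:40", "alice", False),  # third within the window: lock
    ("2009-05-28 16:00:00", "bob", False),    # bob's earlier failure has expired
]

def replay(events):
    """Feed events through one tracker and return the decision for each."""
    tracker = FailedLoginTracker()
    decisions = []
    for ts, account, ok in events:
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if ok:
            tracker.record_success(account)
            decisions.append((account, "allow", 0))
        else:
            decisions.append((account,) + tracker.record_failure(account, now))
    return decisions
```

In the forum the "lock" decision is where Carefree's notify-and-redirect code would run, and the "delay" seconds would be applied before the login response is returned.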
OJJE Posted - 27 May 2009 : 16:07:06
That's not a problem for us in this case. We only have members from the Nordic countries and if an IP is banned, we have admins who will make a check and see if the IP is legitimate or belongs to a proxy server, and the banned user has the possibility to send a request to have it unblocked.

We do not have ISPs that route their customers through a proxy server so that they all share the same IP..

(checked my logfile now and the anonymous user is back through a new proxy server and pounding away at the login page trying to hack..)

quote:
Originally posted by bobby131313

It could likely be done but it's dangerous. If an AOL user screws up logging in you could automagically ban 100s of members.

bobby131313 Posted - 27 May 2009 : 15:44:36
It could likely be done but it's dangerous. If an AOL user screws up logging in you could automagically ban 100s of members.

Snitz Forums 2000 © 2000-2021 Snitz™ Communications. Powered By: Snitz Forums 2000 Version 3.4.07