IP-ban after 3 unsuccessfull login attempts?

Snitz™ Forums 2000
https://forum.snitz.com/forumTopic/Posts/68664?pagenum=1
05 November 2025, 02:10

Topic

OJJE
IP-ban after 3 unsuccessfull login attempts?
27 May 2009, 15:23


Hi,

I'm in big need of help to tackle some hacking attempts made by persons hiding behinde anonymous online proxys and trying to hack various user accounts on my forum by trying to guess the passwords.
My logfiles are full of unsuccessfull login attempts from various ip's. Is there a MOD or some code that I could implement in my snitz 3.4.06 forum so that the IP is Blocked (not the user account) from the forum after 3 failed login attempts?
I'm using MySql as the database..
<moved from="Help: General / Current Version (v3.4.xx)" by="Shaggy" />

 

Replies ...

bobby131313
27 May 2009, 15:44


It could likely be done but it's dangerous. If an AOL user screws up logging in you could automagically ban 100s of members. shock
OJJE
27 May 2009, 16:07


That's not a problem for us in this case. We only have members from the nordic countries and if a IP is banned, we have admins who will make a check and see if the IP is legitim or belongs to a proxy-server and the banned user has the possibility to send a request to have it unblocked.
We do not have ISP's that route their customers though a proxy-server so that they all share the same IP..
(checked my logfile now and the anonymous user is back trough a new proxyserver and pounding away at the login-page trying to hack..)
Originally posted by bobby131313
It could likely be done but it's dangerous. If an AOL user screws up logging in you could automagically ban 100s of members. shock
AnonJr
28 May 2009, 09:31


Maybe less of a ban and more of some sort of rate-limiting?
While looking at a white paper on CAPATCHAs I randomly thought of your problem and this Coding Horror article. I don't have any code handy, nor do I have the time to write this up at the moment, but one avenue to look down would be to record the number of attempts on a given account and after x failed attempts pose a gatekeeper question or start progressively delaying the response time between submission and notification. Just a random thought.
Addendum: it may be easier to tie it into the existing flood control mechanisms...
OJJE
28 May 2009, 12:28


A flood control would obe the perfect solution, so that the user has to wait 1 minute before he can try to login again. The use of regular cookies would not work because many of the online proxyservers block cookies, I'm thinking of using session cookies instead and make so sort of check with now() > last attempt or something, where in the code/file would be the best place to put the login flood control code?
cripto9t
28 May 2009, 14:38


The use of regular cookies would not work because many of the online proxyservers block cookies
grrrr... that was part of my plan.

Barring distractions, I should have something by tomorrow
Carefree
28 May 2009, 15:10


Why not use a database value. You could post a time of initial login failure, then a second time, then if a third time occurs within a specified period; redirect. No need for cookies at all.
If anyone sees something I've overlooked (or a better approach), please feel free.
This would require creating a table. Save the following in your forum directory as "dbs_hackbar.asp". Run it from the admin console (mod setup).
Code:

Hack Bar 1.0
[DROP]
LOGINFAIL
[END]

[CREATE]
LOGINFAIL

M_NAME#VARCHAR(75)##
LFAIL1#VARCHAR(14)##
LFAIL2#VARCHAR(14)##
LFAIL3#VARCHAR(14)##
[END]

Append the following to the bottom of "inc_func_common.asp" above the "%>"

Code:

Sub chkLoginSession()
	strSql="SELECT LFAIL1, LFAIL2, LFAIL3 FROM " & strTablePrefix & "LOGINFAIL WHERE M_NAME='" & FNAME & "'"
	set rsFail=my_Conn.Execute(strSql)
	if rsFail.EOF then
		rsFail.Close
		set rsFail=Nothing
		strSql="INSERT INTO " & strTablePrefix & "LOGINFAIL (M_NAME, LFAIL1) VALUES ('" & FNAME & "', #" & strForumTimeAdjust & "#)"
		my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
		set rsFail=Nothing
	else
		if DateDiff("d",  StrToDate(rsFail("LFAIL1")),  strForumTimeAdjust)	> 1 then
			rsFail.Close
			set rsFail=Nothing
			strSql="DELETE * FROM " & strTablePrefix & "LOGINFAIL WHERE M_NAME='" & FNAME & "'"
			my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
			set rsFail=Nothing
			strSql="INSERT INTO " & strTablePrefix & "LOGINFAIL (M_NAME, LFAIL1) VALUES ('" & FNAME & "', #" & strForumTimeAdjust & "#)"
			my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
			set rsFail=Nothing
		else
			if rsFail("LFAIL2")="" then
				strSql="INSERT INTO " & strTablePrefix & "LOGINFAIL (M_NAME, LFAIL2) VALUES ('" & FNAME & "', #" & strForumTimeAdjust & "#)"
				my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
				set rsFail=Nothing
			end if
			if rsFail("LFAIL3")="" then
				strSql="INSERT INTO " & strTablePrefix & "LOGINFAIL (M_NAME, LFAIL3) VALUES ('" & FNAME & "', #" & strForumTimeAdjust & "#)"
				my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
				set rsFail=Nothing
			else
				'	Redirect or Temporary Ban   routine
			end if
		end if
	end if
End Sub

Note the portion in red. You'll need to add your own ban or redirect routine. You could lock the account, etc.
You would have to add one more line to "inc_func_common.asp".

Code:

Search for the following:

	if rsCheck.BOF or rsCheck.EOF or not(ChkQuoteOk(fName)) or not(ChkQuoteOk(fPassword)) then


After that, insert the following:


		Call chkLoginSession
OJJE
31 May 2009, 09:13


thanks for the code Carefree! I will test it soons. I found something intresting yesterday.
I have the following Javascript-code in my header in my forum:

Code:
	<script type="text/javascript">
	if (top.location != self.location)
	top.location = self.location;
	</script>




The funny thing is that all of the online proxy servces I have tested today to try to login to my forum stops the user logging in trough the proxyserver.
The script reloads the login-page over and over again and stops the user who is surfing trough the proxy-service from even trying to login. Many of these proxy-services have the option to deactivade javascript, but it does not seems to deactive it on my forumpage...
Many of these free online proxy services show ads and ifram-pages and the scripts tries to break out the forumpage from the iframes..
bigsmile
Carefree
31 May 2009, 11:15


You're welcome. Please let me know if you have any problem.
Carefree
31 May 2009, 11:19


You could go an additional step further with this idea. If you lock an account (for example) as a result of 3 failed login attempts, you could have the server automatically EMail the owner of the account advising him/her to change the password due to the attempted hack.
To include that as a feature, replace the sub routine (middle section of my earlier reply) with the following:

Code:

Sub chkLoginSession()
	strSql="SELECT LFAIL1, LFAIL2, LFAIL3 FROM " & strTablePrefix & "LOGINFAIL WHERE M_NAME='" & FNAME & "'"
	set rsFail=my_Conn.Execute(strSql)
	if rsFail.EOF then
		rsFail.Close
		set rsFail=Nothing
		strSql="INSERT INTO " & strTablePrefix & "LOGINFAIL (M_NAME, LFAIL1) VALUES ('" & FNAME & "', #" & strForumTimeAdjust & "#)"
		my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
		set rsFail=Nothing
	else
		if DateDiff("d",  StrToDate(rsFail("LFAIL1")),  strForumTimeAdjust)	> 1 then
			rsFail.Close
			set rsFail=Nothing
			strSql="DELETE * FROM " & strTablePrefix & "LOGINFAIL WHERE M_NAME='" & FNAME & "'"
			my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
			set rsFail=Nothing
			strSql="INSERT INTO " & strTablePrefix & "LOGINFAIL (M_NAME, LFAIL1) VALUES ('" & FNAME & "', #" & strForumTimeAdjust & "#)"
			my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
			set rsFail=Nothing
		else
			if rsFail("LFAIL2")="" then
				strSql="INSERT INTO " & strTablePrefix & "LOGINFAIL (M_NAME, LFAIL2) VALUES ('" & FNAME & "', #" & strForumTimeAdjust & "#)"
				my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
				set rsFail=Nothing
			end if
			if rsFail("LFAIL3")="" then
				strSql="INSERT INTO " & strTablePrefix & "LOGINFAIL (M_NAME, LFAIL3) VALUES ('" & FNAME & "', #" & strForumTimeAdjust & "#)"
				my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
				set rsFail=Nothing
			else
				'	Notify account holder
				strSql="SELECT M_NAME, M_EMAIL FROM " & strMemberTablePrefix & "MEMBERS WHERE M_NAME='" & FNAME & "'"
				set rsNotify=my_Conn.Execute(strSql)
				if not rsNotify.EOF then
					strRecipientsName = FNAME
					strRecipients = rsNotify("M_EMAIL")
					strFrom = strSender
					strFromName = strForumTitle
					strsubject = "Possible Hacking Attempt on Your Account at " & strForumTitle
					strMessage = "Hello " & FNAME & vbNewline & vbNewline
					strMessage = strMessage & "You received this message from " & strForumTitle & " because there were three consecutive unsuccessful attempts to login using your user name at " & strForumURL & "." & vbNewline & vbNewline
					strMessage = strMessage & "If these attempts WERE made by you and you have forgotten your password, you can reset it by clicking the link below." & vbNewLine & vbNewLine
					pwkey = GetKey("none")
					strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
					strSql = strSql & " SET M_PWKEY = '" & chkString(pwkey,"SQLString") & "'"
					strSql = strSql & " WHERE M_NAME = " & FNAME
					my_Conn.Execute (strSql),,adCmdText + adExecuteNoRecords
					strMessage = strMessage & strForumURL & "password.asp?pwkey=" & pwkey & vbNewline & vbNewline
					strMessage = strMessage & "If these attempts WERE NOT made by you, you should change your password using your profile page (" & strForumURL & "pop_profile.asp?mode=Edit) as soon as possible to prevent an eventual 'brute force' password breaking." & vbNewLine & vbNewLine
					%>
					<!--#INCLUDE FILE="inc_mail.asp" -->
					<%
					rsNotify.Close
				end if
				set rsNotify=Nothing
				Response.Redirect "127.0.0.1"
				Response.End
			end if
		end if
	end if
End Sub
© 2000-2021 Snitz™ Communications