Author |
Message |
srhh
Involved


Joined: Dec 27, 2005
Posts: 296
|
Posted:
Fri Dec 30, 2005 11:17 pm |
|
I'm not sure if this should be posted in Sentinel or wanted modules/add-ons. I'd like to know if it is possible, either by using Sentinel or another method, to ban any user after a set number of failed login attempts, whether the login attempts are for regular users or for admins. Haven't come up with anything in Google or the forums. |
|
|
|
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Sat Dec 31, 2005 8:03 am |
|
srhh, I am going to move this topic to the NukeSentinel Enhancement Requests forum. I'll let Raven then decide if this should really be outside the realm of NS.
Regards, montego |
|
|
 |
hitwalker
Sells PC To Pay For Divorce

Joined:
Posts: 5661
|
Posted:
Sat Dec 31, 2005 11:08 am |
|
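Well I guess it should use something like... (sample I found):
// Escape the submitted name so it cannot alter the query
$username = mysql_real_escape_string($_POST["username"], $link_id);
$sql = "SELECT COUNT(*) AS `failedlogins` FROM `tblLoginAttempts` WHERE `user_id` = '".$username."' AND `reset` = 'N'";
$loginResult = mysql_query($sql, $link_id) or die("Problems checking number of login attempts.");
// Read the count from the result row
$row = mysql_fetch_assoc($loginResult);
if ($row['failedlogins'] > 3)
{
die("Your account is locked due to the number of failed logins. Please contact your administrator to re-activate your account");
}
else
{
// continue with the normal login check (the sample ends here)
} |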
|
|
|
 |
UnLeasheD
New Member


Joined: May 01, 2005
Posts: 21
Location: GB
|
Posted:
Sat Dec 31, 2005 12:24 pm |
|
I think this would be a good addition.
But I would prefer to see a timed login method, where if someone tries to login and fails it gives a period (set by an admin) before a login attempt is allowed again.
This would at least help to slow down and deter script kiddies from using dictionary attacks.
Just a thought! |
|
|
|
 |
Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
Posted:
Sat Dec 31, 2005 3:00 pm |
|
UnLeasheD wrote: | I think this would be a good addition.
But I would prefer to see a timed login method, where if someone tries to login and fails it gives a period (set by an admin) before a login attempt is allowed again.
This would at least help to slow down and deter script kiddies from using dictionary attacks.
Just a thought! |
If you were to restrict log-in attempts by building in a delay, you would also have to have some mechanism to advise the person attempting the second log-in attempt of that delay thus it may be self-defeating.
However, restricting the actual number of *allowable* attempts would seem a more viable approach and I think Chatserv has incorporated something along these lines in the next BBtonuke upgrade. |
|
|
|
 |
srhh

|
Posted:
Sat Dec 31, 2005 8:49 pm |
|
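hitwalker wrote: | Well I guess it should use something like... (sample I found):
// Escape the submitted name so it cannot alter the query
$username = mysql_real_escape_string($_POST["username"], $link_id);
$sql = "SELECT COUNT(*) AS `failedlogins` FROM `tblLoginAttempts` WHERE `user_id` = '".$username."' AND `reset` = 'N'";
$loginResult = mysql_query($sql, $link_id) or die("Problems checking number of login attempts.");
// Read the count from the result row
$row = mysql_fetch_assoc($loginResult);
if ($row['failedlogins'] > 3)
{
die("Your account is locked due to the number of failed logins. Please contact your administrator to re-activate your account");
}
else
{
// continue with the normal login check (the sample ends here)
} |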
What files should I plug this into to test it? |
|
|
|
 |
hitwalker

|
Posted:
Sat Dec 31, 2005 9:04 pm |
|
Hi srhh, it's just a simple sample I picked up...
It's not that easy to create this...
Better wait until someone replies to this... Raven or Bob... etc... |
|
|
|
 |
srhh

|
Posted:
Sun Jan 01, 2006 1:08 am |
|
You mean, nobody wants to spend New Year's Eve pondering nuke questions? Bahh!! What's the matter with you guys!  |
|
|
|
 |
hitwalker

|
Posted:
Sun Jan 01, 2006 7:24 am |
|
No, I mean that you don't write this in a few hours.
It can be complicated... especially when it integrates with Sentinel.
You don't want the wrong person banned, do you...
They also have to figure out how they will count the total logins, and that info has to be stored including the person's IP, otherwise they can try again after they close the browser... |
|
|
|
 |
srhh

|
Posted:
Sun Jan 01, 2006 3:09 pm |
|
I really do understand all the work that goes into this, I was just poking fun (at myself really) for celebrating New Years in front of my PC like a geek.  |
|
|
|
 |
srhh

|
Posted:
Sun Jan 01, 2006 3:30 pm |
|
|
|
 |
hitwalker

|
Posted:
Sun Jan 01, 2006 3:39 pm |
|
Well, that's for dictionary attacks...
That means...
A method used to break security systems, specifically password-based security systems, in which the attacker systematically tests all possible passwords beginning with words that have a higher possibility of being used, such as names and places.
The word “dictionary” refers to the attacker exhausting all of the words in a dictionary in an attempt to discover the password.
Dictionary attacks are typically done with software instead of an individual manually trying each password.
But bbtonuke is just your forum... if you upgrade to the newest it will be in there...
but I just prefer only the max login... |
|
|
|
 |
srhh

|
Posted:
Sun Jan 01, 2006 6:40 pm |
|
I see. Wow, it's really pathetic what lengths some people will go to to get into an account!
I don't have my forums active, so I'd prefer just a direct max login too. |
|
|
|
 |
menelaos61
Worker


Joined: Nov 10, 2004
Posts: 110
|
Posted:
Wed Jan 04, 2006 4:36 am |
|
Hey guys,
It seems CNB Your Account has been off the radar for a while.
This is due to me getting married this April...
Anyway, the max numbers of failed logins combined with a delay for the next attempt is such a good idea that I'm gonna include it in the current version.
Stay tuned...
Cheers,
Richard |
|
|
|
 |
Guardian2003

|
Posted:
Wed Jan 04, 2006 5:52 am |
|
menelaos61 wrote: | Hey guys,
It seems CNB Your Account has been off the radar for a while.
This is due to me getting married this April...
Anyway, the max numbers of failed logins combined with a delay for the next attempt is such a good idea that I'm gonna include it in the current version.
Stay tuned...
Cheers,
Richard |
You would have to employ some method of reminding users that they have to wait until they try again or they will end up banning themselves and thus create more work for admins in re-instating accounts - perhaps a count down timer, bar graph displayed on the page etc might help? |
|
|
|
 |
|
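A sketch of the approach the thread converges on, a maximum number of failed logins combined with a waiting period that is reported back to the user, as an added example that is not code from any poster, NukeSentinel or CNB Your Account. The `login_attempts` table, the function names, the limits and the sample account are assumptions; it uses PDO with an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example, not code from the thread. Table, column and function names are assumptions.
const MAX_FAILS = 3;       // failures tolerated inside the window
const LOCK_SECONDS = 900;  // waiting period, the value an admin would set

function secondsUntilAllowed(PDO $db, string $user, string $ip, int $now): int {
    // Count recent failures for this account OR from this address, so closing
    // the browser or switching usernames does not reset the counter.
    $q = $db->prepare('SELECT COUNT(*) AS n, MAX(attempted_at) AS last
                       FROM login_attempts
                       WHERE (username = :u OR ip = :ip) AND attempted_at > :since');
    $q->execute([':u' => $user, ':ip' => $ip, ':since' => $now - LOCK_SECONDS]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    return ((int)$row['n'] < MAX_FAILS) ? 0 : max(0, (int)$row['last'] + LOCK_SECONDS - $now);
}

function attemptLogin(PDO $db, array $hashes, string $user, string $pass, string $ip, int $now): string {
    $wait = secondsUntilAllowed($db, $user, $ip, $now);
    if ($wait > 0) {
        // Tell the visitor how long the lock lasts; the password is not even checked.
        return sprintf('locked: try again in %d min %02d s', intdiv($wait, 60), $wait % 60);
    }
    if (isset($hashes[$user]) && password_verify($pass, $hashes[$user])) {
        // Success clears only this user's failures from this address.
        $db->prepare('DELETE FROM login_attempts WHERE username = ? AND ip = ?')
           ->execute([$user, $ip]);
        return 'ok';
    }
    // Parameterized insert: the submitted name never becomes part of the SQL text.
    $db->prepare('INSERT INTO login_attempts (username, ip, attempted_at) VALUES (?, ?, ?)')
       ->execute([$user, $ip, $now]);
    return 'failed';
}

// Constructed demo data: in-memory SQLite, one account, documentation-range IP.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_attempts (username TEXT, ip TEXT, attempted_at INTEGER)');
$hashes = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$t = 1136073600; // constructed timestamp
// Three wrong guesses ten seconds apart, then the right password while locked.
foreach (['guess1', 'guess2', 'guess3', 'correct horse'] as $i => $pw) {
    echo attemptLogin($db, $hashes, 'alice', $pw, '192.0.2.10', $t + $i * 10), "\n";
}
// Same password again once the waiting period after the last failure has passed.
echo attemptLogin($db, $hashes, 'alice', 'correct horse', '192.0.2.10', $t + 20 + LOCK_SECONDS), "\n";
```

Counting by username as well as IP means anyone can temporarily lock a known account by failing on it, which is the wrong-person risk raised in the thread. The timed expiry limits that to the waiting period instead of requiring an admin to re-instate the account.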