l15aRd
Groupie
Joined: 24 May 2002
Location: England
Posted: 22 September 2003 at 9:47am
We use Go.stats as it's a totally separate site, which logs IPs/country/browser, etc., plus our hardware and software firewalls log access, and it's outside of the webroot area...
Edited by l15aRd
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Posted: 22 September 2003 at 1:11pm
l15aRd wrote:
how about adding a number of password tries into a future version, then it suspends the account, pending an unlock by admin/moderators, a bit like NT based network logins?
The problem being, if it is the admin account that the person is trying to guess and the account is suspended after 3 attempts, the admin can't log in to re-activate their own account.
But I shall look into other solutions.
Eftie
Groupie
Joined: 17 March 2003
Location: Netherlands
Posted: 23 September 2003 at 12:20am
WebWiz-Bruce wrote:
The problem being, if it is the admin account that the person is trying to guess and the account is suspended after 3 attempts, the admin can't log in to re-activate their own account.
But I shall look into other solutions.
Maybe not a suspension but an hour time out??
Eftie
Badaboem
Senior Member
Joined: 12 April 2002
Location: Netherlands
Posted: 23 September 2003 at 3:43am
The solution could be a newly generated long password after the first three attempts. It will be mailed to the admin, who obviously only has access to his mail account.
Only problem is not all folks have the email function enabled.
Another fix could be a simple database table with yes/no, since the hacker probably wasn't able to download the database. Yes for suspended (lockdown of admin account after three false logins). Then you could simply change yes to no in the database and quickly change your password.
Edited by Badaboem
michael
Senior Member
Joined: 08 April 2002
Location: United States
Posted: 23 September 2003 at 9:36am
This all could become an administration nightmare though; people knowing that can keep doing it and you never have peace with your password.
One idea could be that admins are able to associate their account with one or more IP classes, so you could e.g. have in your account that you can only log in from 125.2.*.* as well as 128.0.*.* (multiple because you might use more than one computer). Sure, the problem is if you are somewhere else you could not log in, but to have it as an option maybe.
For the lockout itself, you could add the IP address of the user to the block list after three attempts; that way they would have to change their IP every time, which would become annoying for the hacker.
Last but not least, deny login attempts for like 20 minutes after three attempts so brute force attacks would take forever.
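The lockout scheme the thread is converging on (three failures, then a 20-minute time-out on the account rather than a permanent suspension, the source IP put on a block list, an alert to a moderator group, and an optional per-admin IP range), written out as an added example in Python. This is not Web Wiz Forums code; the constants (three attempts, a 20-minute account time-out, a one-hour IP ban, a 20-minute window for counting failures) are assumptions chosen to match the numbers posted, and the class and method names are invented for the example. The point of the time-out over a suspension is Bruce's objection: an admin locked out of their own account gets back in once the clock runs out, with no second admin needed.

```python
"""Timed login lockout with an IP block list (added example, not Web Wiz code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List

MAX_FAILURES = 3                  # failures before a lockout, as proposed in the thread
ACCOUNT_LOCK_SECONDS = 20 * 60    # the 20-minute time-out on the account
IP_BAN_SECONDS = 60 * 60          # assumed: an hour on the block list for the source IP
FAILURE_WINDOW_SECONDS = 20 * 60  # assumed: failures older than this are forgotten


class LoginGuard:
    """Tracks failed logins per account and per source IP.

    The caller passes the clock (`now`, in seconds) so behaviour is deterministic.
    """

    def __init__(self) -> None:
        self.account_failures: Dict[str, List[float]] = defaultdict(list)
        self.ip_failures: Dict[str, List[float]] = defaultdict(list)
        self.account_locked_until: Dict[str, float] = {}
        self.ip_banned_until: Dict[str, float] = {}
        self.allowed_networks: Dict[str, list] = {}   # optional per-account IP ranges
        self.alerts: List[str] = []                  # what would be mailed to the mod group

    def allow_from(self, user: str, cidr: str) -> None:
        """Restrict `user` to logging in from `cidr` (michael's 125.2.*.* idea)."""
        self.allowed_networks.setdefault(user, []).append(ip_network(cidr))

    @staticmethod
    def _recent(stamps: List[float], now: float) -> List[float]:
        """Keep only failures inside the sliding window."""
        return [t for t in stamps if now - t <= FAILURE_WINDOW_SECONDS]

    def attempt(self, user: str, ip: str, password_ok: bool, now: float) -> str:
        """Process one login and return "ip_not_allowed", "ip_banned",
        "account_locked", "bad_password" or "ok".

        The ban and lock checks run before the password is considered, so a
        locked account answers the same whether or not the guess was right.
        """
        nets = self.allowed_networks.get(user)
        if nets and not any(ip_address(ip) in n for n in nets):
            return "ip_not_allowed"
        if self.ip_banned_until.get(ip, 0.0) > now:
            return "ip_banned"
        if self.account_locked_until.get(user, 0.0) > now:
            return "account_locked"

        if password_ok:
            # Success clears the account counter only; the IP counter stays, so
            # an attacker cannot reset it by logging in to an account they own.
            self.account_failures.pop(user, None)
            return "ok"

        acct = self._recent(self.account_failures[user], now) + [now]
        self.account_failures[user] = acct
        src = self._recent(self.ip_failures[ip], now) + [now]
        self.ip_failures[ip] = src

        outcome = "bad_password"
        if len(src) >= MAX_FAILURES:
            # Put the source IP on the block list after three attempts.
            self.ip_banned_until[ip] = now + IP_BAN_SECONDS
            self.ip_failures.pop(ip, None)
            outcome = "ip_banned"
        if len(acct) >= MAX_FAILURES:
            # A time-out, not a suspension: the account frees itself, so an
            # admin locked out of their own account is not stuck.
            self.account_locked_until[user] = now + ACCOUNT_LOCK_SECONDS
            self.account_failures.pop(user, None)
            self.alerts.append(f"{user} locked for {ACCOUNT_LOCK_SECONDS // 60} min "
                               f"after {MAX_FAILURES} failures from {ip}")
            outcome = "account_locked"
        return outcome


def max_guesses_per_day(lock_seconds: float = ACCOUNT_LOCK_SECONDS,
                        failures: int = MAX_FAILURES) -> int:
    """Upper bound on guesses per account per day: `failures` guesses, then
    `lock_seconds` of silence, repeated for 24 hours."""
    return int(86_400 // lock_seconds) * failures


if __name__ == "__main__":
    g = LoginGuard()
    for t in (0, 10, 20):   # three wrong guesses at the admin account
        print(t, g.attempt("admin", "10.0.0.5", False, t))
    print("admin, right password, 5 min later:", g.attempt("admin", "192.0.2.9", True, 300))
    print("admin, right password, 21 min later:", g.attempt("admin", "192.0.2.9", True, 1260))
    print("guesses per day under this time-out:", max_guesses_per_day())
```

With the numbers above an attacker gets at most 216 guesses at one account per day, which is what "brute force attacks would take forever" amounts to. Both the block list and the per-account IP range assume the source address is stable; God_Struth's point below about dial-up users applies to both, so they are best left optional and the time-out kept as the baseline.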
l15aRd
Groupie
Joined: 24 May 2002
Location: England
Posted: 23 September 2003 at 1:02pm
Sounds like the dial-back on a RAS server. Sounds good, adding the IP to a banned list after three attempts, and maybe also send out an alert to a certain group, like in mine:
We have the admin group, but I didn't want to risk having more than one user with admin rights, so I created a super moderator group. They can do everything in every forum, bar administer the back end settings, so if someone does hack their password, the most they can do is delete/edit some posts and delete the SM account (which is no biggy).
The three main owners all know the admin password and if they want to make changes we consult each other first.
This is turning into quite a good brainstorming session... :)
Edited by l15aRd
God_Struth
Senior Member
Joined: 07 August 2003
Location: United Kingdom
Posted: 23 September 2003 at 7:31pm
The IP solution is a no-goer; there are simply too many people on dial-up who will never have a static IP address, which would be required to be able to do this.
Simplest way to keep security tight is to create another "power" user and use it as your main login, only using the admin account to make back end changes. Most people go and give a hacker a head start by calling themselves "Admin" or "Boss Dude" (or something else which implies authority).
A hacker is half way there once he finds out which account to target, so make it difficult by losing the easy to guess admin names.
(PS. Have a real, real hard to guess password, using numbers and letters.)
He02
Newbie
Joined: 23 September 2003
Location: United Kingdom
Posted: 23 September 2003 at 7:54pm
l15aRd wrote:
I'm using 7.01, I agree with the brute force thing, most probably L0phtCrack or something similar.
L0phtCrack remotely??