FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » FUDforum 3.0+ » Brake inn
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
Brake inn [message #17064] Mon, 15 March 2004 01:29 Go to next message
aircool5(at)bellsouth(dot)net is currently offline  aircool5(at)bellsouth(dot)net   United States
Messages: 132
Registered: March 2003
Karma: 0
Senior Member
I will like to know how some one can brake inn the password and the name and post somthin in the Forum ?
That is happening to me...
Re: Brake inn [message #17067 is a reply to message #17064] Mon, 15 March 2004 13:34 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
What version of the forum are you using?

The most likely case is that someone simply guessed the password or you left a logged in account on a public machine allowing someone to post as you.


FUDforum Core Developer
Re: Brake inn [message #17078 is a reply to message #17067] Mon, 15 March 2004 18:03 Go to previous messageGo to next message
aircool5(at)bellsouth(dot)net is currently offline  aircool5(at)bellsouth(dot)net   United States
Messages: 132
Registered: March 2003
Karma: 0
Senior Member
FUDforum 2.6.0
None of that , I only use the computer at home , and was not brake inn from my house of course.
Re: Brake inn [message #17079 is a reply to message #17078] Mon, 15 March 2004 18:05 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Sounds like someone guessed your password... Try changing your password to something more difficult to guess and clear the sessions table.
Re: Brake inn [message #17080 is a reply to message #17079] Mon, 15 March 2004 19:07 Go to previous messageGo to next message
aircool5(at)bellsouth(dot)net is currently offline  aircool5(at)bellsouth(dot)net   United States
Messages: 132
Registered: March 2003
Karma: 0
Senior Member
OK I will
Re: Brake inn [message #17211 is a reply to message #17064] Fri, 19 March 2004 19:03 Go to previous messageGo to next message
Gribnif is currently offline  Gribnif   United States
Messages: 82
Registered: December 2003
Karma: 0
Member
I have a couple of suggestions that might help to prevent people from brute-force guessing passwords. Either one would probably work:

1. Limit the number of times a username can have wrong password guesses before it is temporarily disabled. So, if someone tries (and fails) to guess the password for user "Joe" 10 times in a row, the account is disabled for an hour. This should probably also leave a message in the log.

2. Take progressively longer to respond to bad logins. The first time a user enters the wrong password, respond immediately. The second time, sleep for 5 seconds before responding; the third time in a row, 10 seconds.

Either way, it will take a very long time to guess a user's password.
Re: Brake inn [message #17212 is a reply to message #17211] Fri, 19 March 2004 19:12 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
FUDforum already logs failed logins to admin account(s).

Making loggins progressively longer is a bad idea in a web environment, since sleep(X seconds) would put the apache child to sleep making it unable to serve requests (potential DOS).

I suppose it could be implemented with JavaScript, but that won't affect automated tools, which brute force attempts will be done with.

Temporary disabling of login for an account could be done fairly easily, but I am not certain it would accomplish much other then take brute forcing a password slightly longer. Keep in mind, most 'brute' force attempts are accomplished by guessing 1 password that the user uses in many places and then simply trying it in the apps that they use. A multi-request bruteforce would be very easy to notice, through numerous log web server entries and forum's "who's online".
Re: Brake inn [message #17213 is a reply to message #17212] Fri, 19 March 2004 19:37 Go to previous messageGo to next message
aircool5(at)bellsouth(dot)net is currently offline  aircool5(at)bellsouth(dot)net   United States
Messages: 132
Registered: March 2003
Karma: 0
Senior Member
What I see wrong is the administrator name appear each time I post a massage , I know I can change that , but in the mean while I found it , some one can take a note of that , and only have to guess the password , which is more ease.
Re: Brake inn [message #17214 is a reply to message #17213] Fri, 19 March 2004 19:38 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Cause you are using the admin account.
Re: Brake inn [message #17215 is a reply to message #17214] Fri, 19 March 2004 19:42 Go to previous message
aircool5(at)bellsouth(dot)net is currently offline  aircool5(at)bellsouth(dot)net   United States
Messages: 132
Registered: March 2003
Karma: 0
Senior Member
Yes I am the only one , [Administrador] [Moderador] and every thing in my Forum.
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Virusi a thought.
Next Topic: Post 2.6.0 TODO
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Fri Nov 22 12:19:25 GMT 2024

Total time taken to generate the page: 0.15681 seconds