Brute force password attacks

b2evolution includes code to prevent brute force password attacks.

By default, if an (existing) user account receives 10 wrong passwords within 10 minutes, that account will be locked for 10 minutes. When the account is locked, even a login with the correct password will not work (otherwise it would not be an effective lock).

Once the lock times out and the legitimate user logs in, they will see a report of the failed login attempts.

See _advanced.php for variables controlling this:

/**
 * If user tries to log in {$failed_logins_before_lockout} times
 * during the last {$failed_logins_lockout} seconds,
 * we refuse login (even if password is correct) and display that
 * the account is locked out until the above condition is no longer true.
 * If {$failed_logins_lockout} is set to 0, there will never be a lockout.
 */
$failed_logins_before_lockout = 10; // 10 times, Max is 197
$failed_logins_lockout = 600; // 10 minutes

Note: we block by user account, not by IP, because any serious attacker would use a botnet of 10 000+ IPs to deploy the attack. Blocking IPs would not be an effective security measure.
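The rule above as runnable PHP, added here as an illustration and not taken from b2evolution's own code: failures are counted per account inside a sliding window of $failed_logins_lockout seconds, a locked account refuses even the correct password, and a value of 0 disables the lock. The LoginLockout class, the in-memory store and the timestamps are constructed for this example; the assumption that attempts made while locked are not themselves recorded is marked in the code.

```php
<?php
// Same settings as in _advanced.php; the class below is an added illustration.
$failed_logins_before_lockout = 10;  // wrong passwords tolerated in the window
$failed_logins_lockout = 600;        // window in seconds; 0 means never lock

class LoginLockout
{
    private array $failures = [];   // username => list of Unix timestamps (constructed store)

    public function __construct(private int $maxFailures, private int $windowSeconds) {}

    // Drop failures older than the window and return how many remain.
    public function recentFailures(string $user, int $now): int
    {
        $cutoff = $now - $this->windowSeconds;
        $this->failures[$user] = array_values(array_filter(
            $this->failures[$user] ?? [],
            fn(int $t) => $t > $cutoff
        ));
        return count($this->failures[$user]);
    }

    // Locked while the condition from the config comment still holds.
    public function isLocked(string $user, int $now): bool
    {
        if ($this->windowSeconds === 0) {
            return false;   // lockout disabled
        }
        return $this->recentFailures($user, $now) >= $this->maxFailures;
    }

    // Returns 'locked', 'ok' or 'wrong_password'. A locked account refuses
    // the correct password too, otherwise the lock would be ineffective.
    public function attempt(string $user, bool $passwordCorrect, int $now): string
    {
        if ($this->isLocked($user, $now)) {
            return 'locked';
        }
        if ($passwordCorrect) {
            return 'ok';
        }
        $this->failures[$user][] = $now;   // assumption: only attempts on an unlocked account are recorded
        return 'wrong_password';
    }
}

$lockout = new LoginLockout($failed_logins_before_lockout, $failed_logins_lockout);
$t0 = 1_700_000_000;   // constructed starting timestamp
for ($i = 0; $i < 10; $i++) {
    $lockout->attempt('alice', false, $t0 + $i);          // 10 wrong passwords within 10 seconds
}
echo $lockout->attempt('alice', true, $t0 + 20), "\n";    // correct password while still locked
echo $lockout->attempt('alice', true, $t0 + 601), "\n";   // oldest failures have aged out of the window
```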

Note: if your concern is to block annoying IPs that bloat your log files, or even DoS attacks, please use a solution at the webserver level.

Attachments:

  • test-graphic-failed-logins-lockout.png (8.7 MB)
Created by fplanque • Last edit by fplanque on 2019-01-23 16:54
