Failed login notifications

  • fwulfers
    Senior Member
    • Jul 2010
    • 147
    • 4.2.x

    Failed login notifications

    I am seeing an increase of members on our forum who are getting these notification messages in the last month. I have seen reports from other forums as well. Is this a reason for concern or not much you can do about it?

    Is there a way to turn off these notification emails to the members?

    Dear _______,

    Someone has tried to log into your account on ______ with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

    The person trying to log into your account had the following IP address: xx.xx.xx.xx
    Last edited by fwulfers; Thu 26 Feb '15, 4:57am.
    SaabWorld
  • kh99
    Senior Member
    • Aug 2009
    • 533

    #2
    We've seen these recently as well. It's someone trying to guess passwords by trying the most common. I don't think you have to worry too much but you might want to remind members to make sure they have strong passwords, especially your admins and moderators. Also, I think these people might do it by using the member list, and I think you can disable access to the member list for guests by editing the usergroup and setting "Can View Member Info" to No (although that also makes it so guests can't see user profiles).

    I think you can stop the emails by setting everyone's "Receive Admin Emails" to No (which you can do in Maintenance > Execute SQL Query), but obviously that will stop other emails as well (I don't know which ones offhand). Otherwise I think you'd need a code modification.

    Comment

    • fwulfers
      Senior Member
      • Jul 2010
      • 147
      • 4.2.x

      #3
      Thanks, that's good info. We always had the member list and view member info disabled for guests. But someone targeting a site can easily become a member.

      Thanks for the tip for disabling receiving admin emails. I ran the query for all members not to receive admin emails so let's see if the notifications will stop. I actually only know about these notifications because members respond to those emails saying it's not them trying to log in.
      SaabWorld

      Comment

      • kh99
        Senior Member
        • Aug 2009
        • 533

        #4
        Um...I hate to say this but it looks like I was wrong about that. I thought someone told me that at some point, but I was just looking at the code and it doesn't look like it checks the 'adminemail' option before sending that email. It looks like setting that option to 'No' stops Happy Birthday emails, infraction emails, and emails sent from the admincp.

        I apologize for that, I really should have checked the code before posting an answer. In any case it doesn't look like there is any way to stop those emails except to modify the code in includes/functions_login.php where it's sent (or by turning off the strike system, but I wouldn't recommend doing that).

        Comment

        • fwulfers
          Senior Member
          • Jul 2010
          • 147
          • 4.2.x

          #5
          Thanks for the follow-up and PM. It wasn't really a big deal; those admin notifications are disabled now and it can easily be reversed. I'll take a look at that PHP file and see if there is anything I can find that will disable these failed login emails.
          SaabWorld

          Comment

          • Black Tiger
            Senior Member
            • Mar 2001
            • 668

            #6
            I would rather choose to block the IP addresses of the people trying to bruteforce these accounts.
            It's fairly easy to explain to your users they can ignore the emails or pass the IP to you if they get more than one email about it.

            Disabling would mean you don't have a means to check how much bruteforcing is going on and where it's coming from.
            I had some problems with it on vb.org but it stops after some time, because they won't get in.

            Disabling the memberlist makes it a bit more difficult, but on an open forum, all posting members are named anyway, so they can try that way to bruteforce.
            Greetings, Black Tiger

            Comment

            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 73981

              #7
              If you look up the IP addresses, you'll find that a number will come from the same country or region. You can ban that country or region on the server level using large IP blocks and prevent them from attempting to access your forums. The reason for the increase is a list of 500 million usernames, emails and passwords that was released a few months ago. People may think your users are on that list or they may be. The list wasn't obtained from vBulletin forums but many people use the same username and password repeatedly.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API

              Comment

              • Lynne
                Former vBulletin Support
                • Oct 2004
                • 26255

                #8
                We've had this going on for a month or so on my site. Once they 'hack' the account, they spam the users via PM. Just something you may want to check on your sites.

                Please don't PM or VM me for support - I only help out in the threads.
                vBulletin Manual & vBulletin 4.0 Code Documentation (API)
                Want help modifying your vbulletin forum? Head on over to vbulletin.org
                If I post CSS and you don't know where it goes, throw it into the additional.css template.

                W3Schools <- awesome site for html/css help

                Comment

                • mrad
                  New Member
                  • May 2007
                  • 10

                  #9
                  I guess if you are looking where the IPs are coming from, the result will either be Russia or China. If you don't have users from these countries, I suggest blocking the whole country. You can find ready-to-use htaccess files on the net. But be aware that these htaccess files can and will bring down the performance of the board. So be warned.
                  Another option is iptables.

                  Comment

                  • Wayne Luke
                    vBulletin Technical Support Lead
                    • Aug 2000
                    • 73981

                    #10
                    Using iptables is the best option for performance. If you have your own dedicated switch in the data center, blocking it there or at the router level is even better.

                    Comment

                    • woodmj
                      Senior Member
                      • Mar 2013
                      • 205
                      • 5.7.5

                      #11
                      This is exactly how my problems came about over the past few weeks. Loads of members getting mails saying someone was repeatedly trying to logon to their account unsuccessfully and getting really stressed about it, and me.
                      The brute force attacks come in frequent mass raids of chunks of usernames in alphabetical order according to some logging I enabled. First they came from China and Hong Kong but after I placed IP blocks for those 2 countries in Apache they started to come from all over. I know of a couple of accounts that were hacked and used for PM spamming. There's no doubt more I might not be aware of.

                      May I ask if there is an effective solution? Things got so bad I closed my forum and went to try and find a solution hence my other post here today.

                      Comment
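The pattern reported in post #11 (usernames tried in alphabetical chunks, from addresses "all over") can be detected from a failed-login log even when no single IP stands out. The following is an added example, not part of the original thread and not vBulletin code; the log line format, the thresholds and the function names are assumptions, and the sample lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: "timestamp ip username" per failed login. Addresses are
# documentation ranges (RFC 5737); the line format is an assumption.
SAMPLE_LOG = """\
2015-02-26T04:00:02 198.51.100.7 aaron
2015-02-26T04:00:09 203.0.113.20 abby
2015-02-26T04:00:15 192.0.2.41 adam_s
2015-02-26T04:00:18 192.0.2.150 mike
2015-02-26T04:00:21 198.51.100.88 adrian
2015-02-26T04:00:30 203.0.113.5 agnes
2015-02-26T04:00:37 192.0.2.9 alan99
2015-02-26T04:00:40 192.0.2.150 mike
2015-02-26T04:20:03 192.0.2.77 zoe
"""

def parse(log):
    """Return (datetime, ip, username) tuples, oldest first."""
    rows = [line.split() for line in log.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(ts), ip, user.lower()) for ts, ip, user in rows)

def noisy_ips(events, threshold=5):
    """Classic per-IP view: addresses with at least `threshold` failures."""
    counts = Counter(ip for _, ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def alphabetical_sweeps(events, window_min=10, min_users=5, min_sorted=0.8):
    """Flag time windows where many accounts fail in near-alphabetical order."""
    buckets = defaultdict(list)
    for ts, ip, user in events:
        start = ts.replace(minute=ts.minute - ts.minute % window_min, second=0)
        buckets[start].append((ip, user))
    findings = []
    for start, hits in sorted(buckets.items()):
        users = list(dict.fromkeys(u for _, u in hits))  # distinct, first-seen order
        if len(users) < min_users:
            continue
        ascending = sum(a < b for a, b in zip(users, users[1:])) / (len(users) - 1)
        if ascending >= min_sorted:
            findings.append({"window": start.isoformat(), "accounts": len(users),
                             "ips": len({ip for ip, _ in hits}),
                             "ascending": round(ascending, 2)})
    return findings

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("per-IP offenders:", noisy_ips(events))
    print("sweeps:", alphabetical_sweeps(events))
```

On the sample, the per-IP check reports nothing while the username-order check flags the 04:00 window, including one genuine member ("mike") mistyping a password in the middle of the sweep.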

                      • Wayne Luke
                        vBulletin Technical Support Lead
                        • Aug 2000
                        • 73981

                        #12
                        When all you have available is an IP address, there aren't many conclusive solutions. IP addresses are transient and easily obtainable. Banning country blocks where they originate is often the best and only solution.

                        Comment

                        • woodmj
                          Senior Member
                          • Mar 2013
                          • 205
                          • 5.7.5

                          #13
                          This still seems to continue. Wave after wave of it. Big chunks of usernames. Even trying to block proxies and placing the usual suspect country IP blocks.

                          The IPs the attacks come from seem to just be faked now as that of valid member ones and so the member ends up getting blocked and the hacker continues to hack.

                          Comment

                          • fwulfers
                            Senior Member
                            • Jul 2010
                            • 147
                            • 4.2.x

                            #14
                            There wasn't really a pattern in the IP addresses that were used. I checked a few but gave up after a while.

                            I deleted 5000 user accounts (about 60%) of users that signed up more than 6 months ago and never posted. We also had an issue with user PM spamming (possibly from a hacked account) so I enabled PM throttling so users cannot send more than 5 PMs per hour. And users with a post count of less than 5 don't have access to PM at all. Reports of these failed login notifications seemed to have slowed down after I deleted the old user accounts.
                            SaabWorld

                            Comment

                            • woodmj
                              Senior Member
                              • Mar 2013
                              • 205
                              • 5.7.5

                              #15
                              Just out of interest, is the latest VB5 more secure against these kinds of attacks? I just caught a bit of a write-up over at vb.org saying that it was 'the most secure version of VB ever'. If it is, I might revisit migrating.

                              Comment
