That message which locks you out after incorrect attempts does NOT protect a vBulletin forum from remote brute-force attacks. I know because I have tried online tools, and while it does take a long time to actually get a password, if you do, this still does not protect a vBulletin. My feedback would be to upgrade that to actually work.
The Incorrect Login Counter does not protect...
-
Hello, I believe the system was not designed to protect the board from brute force attempts.
Shamil Nunhuck, - Radon Systems Ltd.
█ VPS + Dedicated Server Hosting and Management
█ vBulletin Hosting and Services
█ Server / Website Consultation
-
That's interesting. I am being brute forced at the moment. Several long-abandoned accounts with stupidly easy passwords have been accessed, but nothing done with them.
MARK.B
vBulletin Support
------------
My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
My Unofficial vBulletin Cloud Demo: https://www.adminammo.com
-
After 5 bad logins, no further logins will be taken until the 15 min expire, regardless of what is sent to the login script.
-
Thanks Zachery.
I seem to have been getting attacked for about two days now, first time this has happened to this extent. About half a dozen very old abandoned accounts got logged in, though they didn't do anything. Examination of Who's Online shows about half a dozen failed login attempts every ten to fifteen minutes, and one of my test accounts received the "failed login" email.
Hopefully they'll get bored soon. The admin passwords are pretty strong.
MARK.B
vBulletin Support
-
How do you know they had stupid easy passwords? How can you know what passwords your old members used? I always thought vBulletin encrypted them so there's no way you could know that information, not even as admin.
Last edited by MRGTB; Tue 28 Dec '10, 8:54pm.
-
It sets a cookie and session right? Or is it by IP address? If it's by cookie and session, then someone could simply delete those and try again. If it's by IP then that's harder and they would have to release/renew with their ISP, or rotate IPs on their proxy/VPN.
-
You know the build up of how it's coded; with current GPUs you can brute force a password in a matter of seconds. After you know the build up you can also make a rainbow table of the most used combinations.
-
It should be based on a session/IP. It's not based on cookies.
-
Yep, it's IP based. Have a look at the strikes table.
Shamil Nunhuck, - Radon Systems Ltd.
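An added example, not part of the thread and not vBulletin's code: a sliding-window strike counter using the 5-attempt / 15-minute figures quoted above, replayed over constructed failed logins to compare counting by IP alone with counting by IP and account, plus a simple view of accounts failing from many addresses. The class, function names, addresses and account name are assumptions made for the illustration.

```python
from collections import defaultdict, deque

MAX_STRIKES = 5         # "5 bad logins" (from the thread)
WINDOW = 15 * 60        # "15 min" (from the thread), in seconds

class StrikeCounter:
    """Sliding-window failed-login counter; the key choice is the policy."""
    def __init__(self):
        self.strikes = defaultdict(deque)

    def _live(self, key, now):
        q = self.strikes[key]
        while q and now - q[0] >= WINDOW:   # drop expired strikes
            q.popleft()
        return q

    def allowed(self, key, now):
        return len(self._live(key, now)) < MAX_STRIKES

    def fail(self, key, now):
        self._live(key, now).append(now)

def replay(events):
    """Count failed attempts that reached the password check under each policy."""
    ip_only, combined = StrikeCounter(), StrikeCounter()
    n_ip_only = n_combined = 0
    for ts, ip, user in events:
        if ip_only.allowed(ip, ts):
            n_ip_only += 1
            ip_only.fail(ip, ts)
        keys = ("ip:" + ip, "user:" + user)
        if all(combined.allowed(k, ts) for k in keys):
            n_combined += 1
            for k in keys:
                combined.fail(k, ts)
    return n_ip_only, n_combined

def spread_accounts(events, min_ips=3):
    """Detection view: accounts failing from at least min_ips distinct addresses."""
    ips = defaultdict(set)
    for _, ip, user in events:
        ips[user].add(ip)
    return {u: len(s) for u, s in ips.items() if len(s) >= min_ips}

# Constructed sample: 12 addresses (documentation range), 4 failures each,
# one every 10 seconds, all against the same hypothetical account.
SAMPLE = [(i * 10, f"203.0.113.{i % 12 + 1}", "olduser") for i in range(48)]

if __name__ == "__main__":
    print(replay(SAMPLE), spread_accounts(SAMPLE))
```

Counting per account lets anyone who knows a username keep its owner locked out, so that key is often used to throttle or add a challenge rather than to hard-lock.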