How to block Brute force attack
I guess Vanilla's admin account is unprotected against brute force attacks, since there are no login attempt limits in Vanilla.
Please correct me if I am wrong.
Best Answer
peregrine MVP
You could also easily block logins for admin accounts from any IP except those in a whitelist (an IP block or a list of allowed IPs). PM me if you are interested.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Answers
No, but there is rate limiting for logins if you have a cache enabled.
My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations
VanillaSkins.com - Plugins, Themes and Graphics for Vanillaforums OS
Explain, please.
There's rate limiting enabled regardless of caching, which blocks any brute force attempts.
The basic idea is that we do not allow more than 1 login attempt per X seconds, where X is a speed no human can achieve, but slow enough it would take a bot decades to brute force your password.
It's much more elegant than locking your account because a troll decided to mess with you.
@Linc doesn't that mean it won't rate limit if no cache is enabled?
https://github.com/vanilla/vanilla/blob/master/applications/dashboard/models/class.usermodel.php#L3482
@Bleistivt I don't really have time to dig into this right now, but I'll say that if that truly is the only rate limiting functionality, it's problematic and should be addressed as a bug in my opinion. We should never have a no-cache fallback that provides less security.
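The throttle Linc describes above (at most one login attempt per X seconds, rejected before the password is even checked), as an added Python example; this is illustrative code, not Vanilla's class.usermodel.php, and it assumes only a minimal get/set key-value store so the same check runs whether the backing store is a cache or a plain in-process dict, avoiding a weaker no-cache path.

```python
import time

# The "X seconds" from the answer above; 3 s is a constructed demo value.
WINDOW_SECONDS = 3

class MemoryStore:
    """Constructed stand-in for any get/set backend (a cache, a DB table...)."""
    def __init__(self):
        self._data = {}
    def get(self, key):
        return self._data.get(key)
    def set(self, key, value):
        self._data[key] = value

class FakeClock:
    """Controllable clock so the throttle can be exercised without sleeping."""
    def __init__(self, start=1000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

class LoginThrottle:
    """Allow at most one login attempt per `window` seconds per account."""
    def __init__(self, store, window=WINDOW_SECONDS, clock=time.time):
        self.store, self.window, self.clock = store, window, clock

    def attempt_allowed(self, username):
        # Keyed on the normalised account name; append the client IP if a
        # per-source limit is also wanted. Runs before any password comparison.
        key = "login-attempt:" + username.strip().lower()
        now = self.clock()
        last = self.store.get(key)
        if last is not None and now - last < self.window:
            return False  # too soon: reject without touching the password
        # Only allowed attempts are recorded, so a flood of rejected tries
        # cannot keep the real owner locked out indefinitely (the "troll" case).
        self.store.set(key, now)
        return True

def simulate(throttle, clock, username, attempts, spacing):
    """Fire `attempts` tries `spacing` seconds apart; return how many pass."""
    allowed = 0
    for _ in range(attempts):
        if throttle.attempt_allowed(username):
            allowed += 1
        clock.advance(spacing)
    return allowed
```

With a 3-second window, a bot firing 100 guesses half a second apart gets only 17 of them past the check, and the limit applies identically whichever store backs it.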
How can I enable cache? Also, any chance we can have 2-factor authentication in place, like Joomla and Gmail?
Yes, seems to be the only rate limiting functionality. Started a pull request: https://github.com/vanilla/vanilla/pull/2346
See your other thread.
What kind of 2-factor authentication?
You could switch to social login only and leave the authentication to Google Plus, for example.
You might be interested in @businessdad's paid plugin, which provides some brute force protection.
grep is your friend.
Soon to become free, I have to add.
My shop | About Me
Does version 2.2 have login rate limiting?
Yes. And if you have an active cache, 2.1 already has it.