
Any alternatives to LoginGuard?

Lots of accounts on my forums are stolen, and I believe it's because of the weak password and login abuse.

However, I don't find a proper plugin/feature to prevent the login abuse. I know that Vanilla will return an error message if the attacker is trying too fast, but is there a way to prevent a user from logging in if they've tried more than 5 times, for example?

It looks like LoginGuard is a plugin for this: https://aelia.co/shop/loginguard-for-vanilla-forums-2-0/ , but it only supports 2.0.

Comments

  • Bleistivt Moderator

    Lots of accounts on my forums are stolen, and I believe it's because of the weak password and login abuse.

    Sorry, but this is the wrong way to go about a security issue. If lots of accounts are stolen there seems to be a major problem with your website (or server software), and it is not Vanilla's login, as other Vanilla forums don't seem to have such problems. You need to check your server access logs to find out how intruders gain access.

  • vrijvlinder Papillon-Sauvage MVP

    You can try using https://vanillaforums.org/addon/loginguard-plugin

    Just remove the line that says version requirements, or update the line to the new Vanilla version if you get a fatal error. Follow the instructions for the plugin.

  • R_J Ex-Fanboy Munich Admin

    The plugin relies on the plugin Logger and this plugin does not work with the current Vanilla version. I'm not sure if implementing one missing method in the logger would be enough to get it going and I haven't tried.

    I was of the opinion that it should be possible to create such a plugin without the need of a custom logger, and so I gave it a try. Although I think that such a plugin would be nice, I realized I'd started with the wrong idea. And so I barely finished it, but there might be some glitches. See the additional info text for my thoughts: https://vanillaforums.org/addon/loginthrottle-plugin

    I think it would be better to monitor requests and prevent hammering some methods also based on the caller's IP.

    By the way: there already is a method rateLimit() in the UserModel. Users are not allowed to try logging in more than one time per second. The value of this login rate cannot be changed without changing a core file. But with this limit attackers are only able to check 86400 passwords a day. That's not very much.
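As an added illustration of the lockout-plus-rate-limit approach described in the post above (this is example code, not Vanilla's rateLimit(), and not the LoginGuard or LoginThrottle plugin code), here is a generic login throttle in Python: an account is locked after a fixed number of consecutive bad passwords, and every caller IP is held to a sliding window of attempts. The class name, parameter names and the in-memory storage are assumptions of this example; max_guesses_per_day() shows why a one-attempt-per-second limit alone leaves 86400 guesses a day against one account, and how far a 5-failure lockout cuts that number.

```python
"""Login throttle: per-account lockout plus per-IP sliding-window rate limit.

Added example, not Vanilla code. State lives in plain dicts so the script
runs offline; a real deployment would keep it in the database or a shared
cache so that every web worker sees the same counters.
"""
from collections import defaultdict, deque
import time

SECONDS_PER_DAY = 86400


def max_guesses_per_day(min_interval_seconds=1.0, max_failures=None, lockout_seconds=None):
    """Approximate upper bound on password guesses against ONE account per day.

    With only a minimum interval between attempts (Vanilla's 1/s rule) the
    bound is 86400 / interval. With a lockout after N failures the attacker
    gets at most N guesses per lockout period (the time the N attempts
    themselves take is ignored, so this slightly overestimates).
    """
    by_interval = SECONDS_PER_DAY / min_interval_seconds
    if max_failures is None or lockout_seconds is None:
        return int(by_interval)
    by_lockout = max_failures * (SECONDS_PER_DAY / lockout_seconds)
    return int(min(by_interval, by_lockout))


class LoginThrottle:
    def __init__(self, max_failures=5, lockout_seconds=900,
                 ip_max_attempts=30, ip_window_seconds=60, clock=time.time):
        self.max_failures = max_failures          # bad passwords before lockout
        self.lockout_seconds = lockout_seconds    # how long the account stays locked
        self.ip_max_attempts = ip_max_attempts    # attempts allowed per IP per window
        self.ip_window_seconds = ip_window_seconds
        self.clock = clock                        # injectable for testing
        self._failures = defaultdict(int)         # username -> consecutive failures
        self._locked_until = {}                   # username -> unix time lock expires
        self._ip_attempts = defaultdict(deque)    # ip -> timestamps of recent attempts

    def check(self, username, ip):
        """Call BEFORE verifying the password. Returns (allowed, reason)."""
        now = self.clock()
        # Per-IP sliding window: drop timestamps outside the window, then count
        # this attempt even if it ends up denied, so hammering never resets it.
        attempts = self._ip_attempts[ip]
        while attempts and now - attempts[0] > self.ip_window_seconds:
            attempts.popleft()
        attempts.append(now)
        if len(attempts) > self.ip_max_attempts:
            return False, "ip rate limited"
        # Per-account lockout.
        until = self._locked_until.get(username)
        if until is not None and now < until:
            return False, "account locked"
        return True, ""

    def record_failure(self, username):
        """Call after a wrong password. Locks the account on the Nth failure."""
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            self._failures[username] = 0  # fresh budget once the lock expires

    def record_success(self, username):
        """Call after a correct password: clear the failure counter and any lock."""
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


if __name__ == "__main__":
    print("1/s only:", max_guesses_per_day())                    # 86400
    print("5 failures, 15 min lock:", max_guesses_per_day(1, 5, 900))  # 480
```

Locking purely on the account name lets anyone lock a user out by entering wrong passwords for them, which is one reason the post above favours limiting by caller IP as well; the class tracks both, and which counters to persist, and for how long, is the deployment decision.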

  • businessdad Stealth contributor MVP

    @vrijvlinder said:
    You can try using https://vanillaforums.org/addon/loginguard-plugin

    Just remove the line that says version requirements, or update the line to the new Vanilla version if you get a fatal error. Follow the instructions for the plugin.

    That's the same plugin, i.e. mine ;)

  • businessdad Stealth contributor MVP

    @R_J said:
    The plugin relies on the plugin Logger and this plugin does not work with the current Vanilla version. I'm not sure if implementing one missing method in the logger would be enough to get it going and I haven't tried.

    I was of the opinion that it should be possible to create such a plugin without the need of a custom logger.

    Yes, that's correct. The logger didn't exist in Vanilla 2.0, that's why it was introduced. Unfortunately, since I stopped using Vanilla Forums over a year ago, I didn't update the plugins for the newer versions.

    Note: you can also remove all the calls to the logging entirely, and the blocking logic should work.

  • vrijvlinder Papillon-Sauvage MVP

    @businessdad said:
    That's the same plugin, i.e. mine ;)

    I know, but he did not get it from the add-on section here; he got it from another site, I think, or GitHub. Since I recall you made them free plugins and updated some, I thought they might still work with tweaking, i.e.

    the blocking logic should work.

  • businessdad Stealth contributor MVP

    @vrijvlinder said:

    @businessdad said:
    That's the same plugin, i.e. mine ;)

    I know, but he did not get it from the add-on section here; he got it from another site, I think, or GitHub. Since I recall you made them free plugins and updated some, I thought they might still work with tweaking, i.e.

    the blocking logic should work.

    That makes sense. However, the page on my site redirects to the plugin one on vanillaforums.org. :smile:

  • vrijvlinder Papillon-Sauvage MVP

    Before you leave for good, maybe you can give the community the gift of your updated plugins? <3
