enderkevin13 wrote:Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?
wildweasel wrote:enderkevin13 wrote:Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?
Have him take a screenshot of whatever error he's getting and send it to you, then PM that screenshot to Randi.
This.
Graf Zahl wrote:I wouldn't store anything security related in the cloud when everybody can immediately see that it's security related.
Graf Zahl wrote:faslrn wrote:What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).
Amazing that such shitty software is still so widely in use.
Honestly, the two best protections against brute-forcing are
a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.
Eruanna wrote:(which would force the attacker to use less and less reliable proxies).
Eruanna wrote:Blocking all legitimate forum access can be countered.
a) Automatically whitelist known "good" IP ranges to the account - this would be the IP range the account was created with, and was used most in the past 180 days of its most recent access.
b) Automatically blacklist known "bad" IP ranges to all accounts - this would be IP ranges that are known to be troublesome and have multiple failed login attempts. Any IP matching this range would a) Need to solve 2 CAPTCHAs (the SSG one which hopefully will be expanded) and an image one, and b) Have 5 maximum attempts on any account. Once it hits 5 failed logins, whether on single or multiple accounts, that IP is automatically banned for 3 hours (which would force the attacker to use less and less reliable proxies).
Graf Zahl wrote:Eruanna wrote:(which would force the attacker to use less and less reliable proxies).
If it was that easy. What about TOR?
If implemented correctly, no. It doesn't block usage from the IP if you haven't used it, it soft-blocks the IP if it fails multiple logins. So you go to your roommate's mother's house and A) have an active login/cookies or B) log in successfully, it's added to the rolling list of good IPs with no interruption to your browsing experience.
wildweasel wrote:What I'd have to wonder - forgive me if I'm not particularly wise to the ways of networking as I'd like to be - is what happens in these instances:
- Suppose I've accompanied my roommate to his mother's house on the coast for the weekend, which is a thing I don't do often enough for it to be considered a "known good" IP address. Alternatively, if I'm in town surfing from my phone, I have no idea what my phone's IP address is; I imagine it'd probably change between coverage zones or something like that. Would I get locked out of my account in that instance?
Caligari87 wrote:If implemented correctly, no. It doesn't block usage from the IP if you haven't used it, it soft-blocks the IP if it fails multiple logins. So you go to your roommate's mother's house and A) have an active login/cookies or B) log in successfully, it's added to the rolling list of good IPs with no interruption to your browsing experience.
Lud wrote:But why ZDoom? Why this community? ZDoom is as neutral as you can get! There's not even a minor gain from all this...
Eruanna wrote:Some people get off on stuff like this. The attacker is probably really proud of this thread.
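Added example (not from any poster in this thread, and not phpBB code): the login policy discussed above, written out in Python. It combines a per-IP soft block after 5 failures across any accounts for 3 hours, a delay that grows with failures on an account, and a rolling per-account list of known-good ranges that is exempt from the delay, so an attacker cannot lock the owner out. Assumptions: the names `LoginGuard` and `net_of`, a "range" being a /24 or /64, the 60-second delay cap, and leaving the CAPTCHA step out.

```python
import ipaddress
import time

MAX_FAILS = 5             # failed logins per IP, across all accounts (thread's figure)
BAN_SECONDS = 3 * 3600    # 3-hour soft block (thread's figure)
GOOD_TTL = 180 * 86400    # rolling 180-day "known good" window (thread's figure)
MAX_DELAY = 60            # assumed cap on the growing delay, in seconds

def net_of(ip):
    """Assumption: an 'IP range' is the /24 (IPv4) or /64 (IPv6) around the address."""
    bits = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)

class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.ip_fails = {}    # ip -> (failure count, time of last failure)
        self.good = {}        # (account, network) -> time of last successful login
        self.acct_fails = {}  # account -> failures since last success

    def _recent_fails(self, ip):
        count, last = self.ip_fails.get(ip, (0, 0.0))
        return count if self.clock() - last < BAN_SECONDS else 0

    def is_known_good(self, account, ip):
        seen = self.good.get((account, net_of(ip)))
        return seen is not None and self.clock() - seen <= GOOD_TTL

    def check(self, account, ip):
        """Call before verifying the password; returns (allowed, delay_seconds)."""
        if self._recent_fails(ip) >= MAX_FAILS:
            return False, 0               # soft block: this IP only, every account
        if self.is_known_good(account, ip):
            return True, 0                # owner's usual range is never slowed down
        n = self.acct_fails.get(account, 0)
        return True, (0 if n == 0 else min(2 ** n, MAX_DELAY))

    def record(self, account, ip, success):
        """Call after verifying the password."""
        if success:
            self.good[(account, net_of(ip))] = self.clock()  # joins the rolling good list
            self.acct_fails.pop(account, None)
            # The IP counter is deliberately not reset here, so one valid
            # account cannot be used to wipe the count between guesses.
        else:
            self.ip_fails[ip] = (self._recent_fails(ip) + 1, self.clock())
            self.acct_fails[account] = self.acct_fails.get(account, 0) + 1
```

A first login from a new location (the weekend-trip case raised above) is only subject to whatever delay the account has accumulated, and a single correct password adds that range to the good list.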