Viewing 9 posts - 1 through 9 (of 9 total)
  • #205734
    Anonymous
    Guest

    Good news: recent updates to phpBB software have crippled spam bots’ abilities to penetrate boards with new user registrations. After implementing those changes a couple weeks ago, we haven’t had a single bogus attempted registration. We were up to a dozen or more a day before that.

    Bad news: bot operators and hackers are getting desperate. I’ve been noticing that I have to re-answer the CAPTCHA question when I try to log in to the Administrator Panel lately. It says that I had too many failed attempts. If you get this, it is probably because your username is now in a hacker/bot database. They are trying as often as possible to brute-force guess your password and log in as an admin.

    SOLUTIONS:

    1. I made a small change to the board phpBB code so that only logged-in users can see the user names of other people currently viewing the board, and also see the name of the newest registered user. This prevents bots from sweeping the forum index page for valid user names (especially for admin user names shown in red text).

    2. PLEASE PLEASE PLEASE make sure your password is NOT something really easy to guess, like “password,” your user name, or something else like that. As long as it is somewhat personal and random, it should be OK. They are only going to get a couple of tries a day. It locks them out after 3 attempts.

    Unfortunately, there really isn’t a way I can see so far to stop them from doing this once they have a user name. The best defense is the “mormon” question we use as security because it isn’t worth it for hackers to spend any time trying to look that stuff up. They have to attack thousands of sites a day to make it worth their efforts economically.
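The per-account lockout the post describes (a CAPTCHA is demanded after 3 failed attempts, a successful login clears the counter), as an added example that is not the board's own phpBB code. The events, the 24-hour forgetting window and the "several source IPs" heuristic for spotting a username that has landed on a bot list are assumptions made for this illustration.

```python
"""Per-username failed-login tracking of the kind the post describes.
The sample events below are constructed, not real log data."""
from collections import defaultdict

MAX_ATTEMPTS = 3            # the post: "It locks them out after 3 attempts"
WINDOW_SECONDS = 24 * 3600  # assumption: failures older than a day are forgotten


class LoginGuard:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.failures = defaultdict(list)  # username -> [(timestamp, source_ip), ...]

    def _recent(self, user, now):
        cutoff = now - self.window
        self.failures[user] = [(t, ip) for t, ip in self.failures[user] if t >= cutoff]
        return self.failures[user]

    def captcha_required(self, user, now):
        """True once the account has hit the failure threshold inside the window."""
        return len(self._recent(user, now)) >= self.max_attempts

    def record_failure(self, user, ip, now):
        self.failures[user].append((now, ip))
        return self.captcha_required(user, now)

    def record_success(self, user):
        """A successful login (with CAPTCHA if one was required) clears the counter."""
        self.failures.pop(user, None)

    def targeted_accounts(self, now, min_ips=2):
        """Accounts being guessed from several source IPs: a sign the username
        is on a bot list rather than a single user mistyping a password."""
        return {u for u in list(self.failures)
                if len({ip for _, ip in self._recent(u, now)}) >= min_ips}


# Constructed events: (seconds, username, source ip, outcome)
SAMPLE_EVENTS = [
    (0,   "admin", "203.0.113.5",  "fail"),
    (30,  "admin", "198.51.100.7", "fail"),
    (60,  "admin", "203.0.113.9",  "fail"),     # third failure -> CAPTCHA required
    (90,  "brian", "192.0.2.44",   "fail"),     # one typo by a real user
    (120, "brian", "192.0.2.44",   "success"),  # clears brian's counter
]


def replay(events, guard=None):
    """Feed events through the guard; return it plus the (time, user) pairs
    at which the CAPTCHA requirement kicked in."""
    guard = guard or LoginGuard()
    flagged = []
    for ts, user, ip, outcome in events:
        if outcome == "fail" and guard.record_failure(user, ip, ts):
            flagged.append((ts, user))
        elif outcome == "success":
            guard.record_success(user)
    return guard, flagged
```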

    #240008
    Anonymous
    Guest

    Thanks for staying on top of this Brian.

    #240009
    Anonymous
    Guest

    ditto

    #240010
    Anonymous
    Guest

    I got a message about too many failed login attempts today. I have a pretty good password with letters and numbers.

    #240011
    Anonymous
    Guest

    I have a feeling they will try for a short window of time and then give up. They will probably try a couple dozen obviously bad ones like “password” or “admin” or something like that. If it isn’t those, the brute-force dictionary attack simply takes too long to be worth it.

    #240012
    Anonymous
    Guest

    mormonheretic wrote:

    I got a message about too many failed login attempts today. I have a pretty good password with letters and numbers.

    My login failed for the same reason today. Hopefully this doesn’t last too long.

    #240013
    Anonymous
    Guest

    I got another message saying I had exceeded login attempts.

    #240014
    Anonymous
    Guest

    I’ve been on hiatus for a while during my move to Singapore. No problem with login today, but I’ll be on the lookout.

    #240015
    Anonymous
    Guest

    It might still happen occasionally as different hackers get a list of sites to attack. Old hackers might also occasionally go back and attempt it again. They should get frustrated quickly and drop our site off their rosters. It really isn’t a profitable use of time unless they succeed immediately within a few attempts guessing dumb boilerplate passwords like “password” or “admin,” etc.
