Same problem on our forum over recent days. A quick look in the database shows about 50 of our members have reached 2 failed logins. I also had to enter the reCaptcha on here when I logged in. I've implemented the mod above and it seems to be working, many thanks. One request though, would you be able to make it so that I can click the IP address in the log and then compare that against any posts, user accounts registered from that IP, users active from that IP, any other failed logins from the same IP and also view the whois for it? That would be extremely usefulnfs wrote:We've just started to see this on a forum I administer too. I considered the MOD above but decided it doesn't solve the problem. A log entry that says someone has gone over the login limit is no use to me unless the problem is self-inflicted user error. What I need logged are the password failures that caused the overlimit condition.
Our board is not ridiculously busy. So, a quick hack toincludes/functions.php
...
FINDBEFORE, ADD:Code: Select all
// Username, password, etc... default:
The log entries will be shown in ACP > Maintenance > User logs. Critically, it gets me an IP address without trolling through apache's logs looking for patterns.Code: Select all
case LOGIN_ERROR_PASSWORD: add_log('user', $user->data['user_id'], 'Password failure', $username);
Hope it helps.
P.S. Something like this should be standard and ACP configurable in future releases IMHO.
Code: Select all
mysql $mysqlargs -te " SELECT log_ip AS 'IP Address', FROM_UNIXTIME(log_time) AS Date, log_data FROM <phpbb>_log WHERE log_operation='Password failure' AND log_time > $ts_cutoff ORDER BY INET_ATON(log_ip);"
Code: Select all
max_loginattempts=$(mysql $mysqlargs -s -e "SELECT config_value FROM <phpbb>_config WHERE config_name='max_login_attempts';");
users_overlimit=$(mysql $mysqlargs -s -e "SELECT count(user_login_attempts) FROM <phpbb>_users WHERE user_login_attempts >= $max_loginattempts");
echo "$users_overlimit users have exceeded limit of $max_loginattempts login failures";
Absolutely. I've proposed logging guest access to see what guests tried accessing the register or admin pages, and this seems like a logical extension. To avoid getting too much data, the logging of events should be configurable by the admin.nfs wrote: P.S. Something like this should be standard and ACP configurable in future releases IMHO.