P_I wrote:Where can an admin find information on how to use this new feature and it settings?
Under ACP > GENERAL tab > Security settings:
Maximum number of login attempts per IP address:
The threshold of login attempts allowed from a single IP address before an anti-spambot task is triggered. Enter 0 to prevent the anti-spambot task from being triggered by IP addresses.
There is a second setting on ACP > GENERAL tab > Security settings that seems to be involved also:
"IP address login attempt expiration time:
Login attempts expire after this period." Default is 21600 seconds.
Thanks for the reply. We had noticed the new setting and explanation. We've had spambot problems in the past and took action as described in http://www.phpbb.com/community/viewtopi ... #p12965888
. We're trying to understand the "Security settings" default values and determine appropriate settings for our boards and whether we should to use our MOD.
Based on some experimentation, it appears that upon a failed login attempt, an entry is put into xxx_login_attempts. From my read of the ACP settings information, one should expect if the Maximum number of login attempts per IP address:
value is exceeded then attempts on IP address will see a CAPTCHA. Is that correct?
Should one also expect that after IP address login attempt expiration time:
entries are removed from the xxx_login_attempts table?
Another scenario to consider, what happens if a user login fails with a bad password and then the user correctly logs in? Does this remove the failure from the xxx_login_attempts table and thus lower the count of login attempts?
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams