ljacqu
commented
8 years ago You raise some excellent points.
We're trying to prevent two scenarios:
- Some IP address submitted several false login attempts -> IP address is up to no good, ban it.
- We're getting a lot of false logins for a certain username -> Username is being targeted and should be temporarily locked.
Both require different metrics to detect. We don't want an IP address trying 5 common passwords on 20 different accounts, and we don't want 20 people trying 5 common passwords on one username.
As for resetting the counter after a certain time, one idea is to keep a timestamp per entry. If a new failed login arrives, we can check the timestamp and if it's longer ago than some configured time (say, it was over 1 hour ago), the counter is reset to 1.
Alternatively, some sort of regularly scheduled task? Not sure how heavy that is on the server. Otherwise if there's one (legitimate) failed login attempt it might stay in the counter for days.
EbonJaeger
Currently the tempban counter will only be reset on a successful login and (I presume) a server restart. This means that a user can attempt to log in to his own account and fail x times, and that count will never be reset. Worse, an attacker can log in incorrectly without hitting the tempban threshold, potentially allowing the account's legitimate owner to be tempbanned should he make a typo in his password.
Perhaps after a time the counter should be reset, likely after the user leaves the server. This time will have to be long enough to severely discourage brute-force attacks, however.
Another solution to look into might be to use the player's IP instead of the name as the key for the counter? But then that opens the door to restarting their modem, getting a new IP, and another bunch of tries, so I guess that isn't viable after all.