codeling / bfstop

Brute Force Stop Plugin (for Joomla!)
https://bfstop.bfroehler.info
GNU General Public License v3.0

Adaptive Delay bugged? #188

Closed LuxLOL closed 2 years ago

LuxLOL commented 2 years ago

Hi, I think the "Adaptive Delay" option isn't working. Because if I enable it then the waiting time to login will not increase.

codeling commented 2 years ago

If I have time I'll set up some tests for it. How are you testing it, could you describe your testing procedure?

Note that this is implemented in a "global" way - meaning that the delay grows the more failed login attempts there currently are for the whole site. It's not (directly) an increasing delay for each sequential login attempt from a single location.

LuxLOL commented 2 years ago

I tested it by doing 6 failed login attempts, but nothing changes. If I set the Fixed Delay to 15 then I have to wait 15 seconds before I get logged in.

I also didn't know that this option is a global setting. Would be nice to make it IP based. Otherwise this can easily be abused by anyone.

codeling commented 2 years ago

> I tested it by doing 6 failed login attempts, but nothing changes. If I set the Fixed Delay to 15 then I have to wait 15 seconds before I get logged in.

Did you take a closer look at the plugin configuration? Especially at the tooltips of the Minimum threshold / Maximum threshold parameters. In a default configuration with Minimum threshold=50, Maximum threshold=200, you will of course not notice any delay on 6 attempts - the delay only kicks in when 50 failed attempts are noticed per hour and will reach the Maximum delay at 200 failed attempts per hour.

> I also didn't know that this option is a global setting. Would be nice to make it IP based. Otherwise this can easily be abused by anyone.

Abused how exactly? Successful logins or normal page use is not delayed. The setting is actually more or less targeted at slowing down a distributed attack (as typically happens these days, only very few failed logins / attempts come from the same IP). And only a failed login will be delayed.

Note: It is also documented in the wiki how the adaptive delay works.
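To make the thresholds discussed above concrete, here is an added illustration (not the bfstop plugin's own code) of a site-wide adaptive delay: count failed logins in the trailing hour, return no delay below the Minimum threshold, and scale up to the Maximum delay at the Maximum threshold. The plugin only documents that the delay "kicks in" at the minimum and reaches the maximum at the maximum threshold; the linear ramp between them, the 30-second maximum delay, and the sample records (60 constructed source addresses from the 192.0.2.0/24 documentation range, two failures each) are assumptions made for the example. It also computes the same count per source address, which shows why a global count reacts to a distributed pattern that a per-IP count would not see.

```python
from datetime import datetime, timedelta

# Defaults mentioned in the thread; max_delay is an assumed value for illustration.
MIN_THRESHOLD = 50
MAX_THRESHOLD = 200
MAX_DELAY_SECONDS = 30.0
WINDOW = timedelta(hours=1)


def failed_attempts_within(records, now, window=WINDOW, ip=None):
    """Count failed-login records inside (now - window, now].

    records: iterable of (timestamp, source_ip). If ip is given, only that
    source is counted (per-IP view); otherwise the whole site is counted.
    """
    cutoff = now - window
    return sum(
        1
        for ts, src in records
        if cutoff < ts <= now and (ip is None or src == ip)
    )


def adaptive_delay(failed_count, min_threshold=MIN_THRESHOLD,
                   max_threshold=MAX_THRESHOLD, max_delay=MAX_DELAY_SECONDS):
    """Seconds to delay a failed login given the current failure count.

    Assumed shape: 0 below min_threshold, a linear ramp between the two
    thresholds, and max_delay at or above max_threshold.
    """
    if failed_count < min_threshold:
        return 0.0
    if failed_count >= max_threshold:
        return float(max_delay)
    fraction = (failed_count - min_threshold) / (max_threshold - min_threshold)
    return round(fraction * max_delay, 3)


def build_sample_records(now):
    """Constructed failed-login log, not real plugin data.

    120 failures in the last hour spread over 60 addresses (2 each), plus 30
    older failures from one address that fall outside the one-hour window.
    """
    records = []
    for i in range(60):
        src = f"192.0.2.{i + 1}"  # TEST-NET-1 documentation range
        records.append((now - timedelta(minutes=i % 50 + 1), src))
        records.append((now - timedelta(minutes=i % 50 + 5), src))
    for i in range(30):
        records.append((now - timedelta(hours=2, minutes=i), "198.51.100.7"))
    return records


def delay_report(now):
    """Global versus per-IP view of the same records, as a dict of numbers."""
    records = build_sample_records(now)
    site_count = failed_attempts_within(records, now)
    one_ip_count = failed_attempts_within(records, now, ip="192.0.2.1")
    return {
        "site_failures_last_hour": site_count,
        "site_delay_seconds": adaptive_delay(site_count),
        "single_ip_failures_last_hour": one_ip_count,
        "single_ip_delay_seconds": adaptive_delay(one_ip_count),
    }


if __name__ == "__main__":
    for key, value in delay_report(datetime(2024, 1, 1, 12, 0, 0)).items():
        print(f"{key}: {value}")
```

With the sample records the site-wide count is 120, which sits between the thresholds and yields a 14-second delay, while any single address has only 2 failures and would never trip a per-IP rule. Six attempts, as in the original test, stay well below the 50 minimum and produce no delay at all.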

LuxLOL commented 2 years ago

Ahh. Looks like I got the options a bit mixed up. I now retried it and it looks like the delay will increase after 25 failed login attempts. So everything is fine. :D