Hi List,
I've searched Google, mediawiki.org, the mailing list archives, and looked through the listed extensions, but I have been unable to find anything about keeping MediaWiki accounts from being brute-forced. I'm specifically looking for something that locks an account down after a specified number of login attempts or which adds time between login requests when the password is given incorrectly. Do measures like this exist? Did I just use the wrong search terms?
Thanks! Courtney Christensen
On 30/11/2007, Christensen, Courtney ChristensenC@battelle.org wrote:
Hi List,
I've searched Google, mediawiki.org, the mailing list archives, and looked through the listed extensions, but I have been unable to find anything about keeping MediaWiki accounts from being brute-forced. I'm specifically looking for something that locks an account down after a specified number of login attempts or which adds time between login requests when the password is given incorrectly. Do measures like this exist? Did I just use the wrong search terms?
After a quick look at the relevant code, I can't see any such feature. It looks like MediaWiki will accept unlimited numbers of attempts. You can use an external authentication plugin which could have such a feature. Whether such a plugin already exists, I don't know - mediawiki.org would be the place to look.
Christensen, Courtney wrote:
Hi List,
I've searched Google, mediawiki.org, the mailing list archives, and looked through the listed extensions, but I have been unable to find anything about keeping MediaWiki accounts from being brute-forced. I'm specifically looking for something that locks an account down after a specified number of login attempts or which adds time between login requests when the password is given incorrectly. Do measures like this exist? Did I just use the wrong search terms?
Thanks! Courtney Christensen
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/wikitech-l
ConfirmEdit has a feature where user logins are CAPTCHA-ed if a login attempt fails. This only applies if you have caching enabled though.
MinuteElectron.
On 11/30/07, Christensen, Courtney ChristensenC@battelle.org wrote:
Hi List,
I've searched Google, mediawiki.org, the mailing list archives, and looked through the listed extensions, but I have been unable to find anything about keeping MediaWiki accounts from being brute-forced. I'm specifically looking for something that locks an account down after a specified number of login attempts or which adds time between login requests when the password is given incorrectly. Do measures like this exist? Did I just use the wrong search terms?
There were no such features until recently, I think, at least for logins. Now I think the ConfirmEdit extension has been updated so this is an option, as MinuteElectron says. However, this does nothing against a manual attacker or a bot that can crack the captcha, I don't think. A general lockout for logins to an account can be used for DoS unless it's IP-specific, in which case it can be pretty effectively bypassed by anyone using open proxies, *and* used for DoS by anyone who can spoof IP addresses (e.g., using AOL's different-IP-per-page thing to block a big chunk of AOL users from logging into an account).
Simetrical wrote:
On 11/30/07, Christensen, Courtney wrote:
Hi List,
I've searched Google, mediawiki.org, the mailing list archives, and looked through the listed extensions, but I have been unable to find anything about keeping MediaWiki accounts from being brute-forced. I'm specifically looking for something that locks an account down after a specified number of login attempts or which adds time between login requests when the password is given incorrectly. Do measures like this exist? Did I just use the wrong search terms?
There were no such features until recently, I think, at least for logins. Now I think the ConfirmEdit extension has been updated so this is an option, as MinuteElectron says.
I think it's the other way around. There's a time limit that you can bypass by solving the captcha. Discussion about API login led me to think it's in core.
However, this does nothing against a manual attacker or a bot that can crack the captcha, I don't think.
If he can solve the captcha, there's no limit.
A general lockout for logins to an account can be used for DoS
Agree.
unless it's IP-specific, in which case it can be pretty effectively bypassed by anyone using open proxies,
*and* used for DoS by anyone who can spoof IP addresses (e.g., using AOL's different-IP-per-page thing to block a big chunk of AOL users from logging into an account).
Can they? They would still need to perform the TCP handshake. I hope the server's TCP sequence numbers aren't predictable! However, that would be easy to fix (and painful for bots).
On 11/30/07, Platonides Platonides@gmail.com wrote:
*and* used for DoS by anyone who can spoof IP addresses (e.g., using AOL's different-IP-per-page thing to block a big chunk of AOL users from logging into an account).
Can they? They would still need to perform the TCP handshake. I hope the server's TCP sequence numbers aren't predictable!
You can handshake if you cycle through all the AOL addresses, as an AOL subscriber (or any other ISP with similar features). Just repeatedly enter wrong passwords, getting a different IP address assigned for each time, until you've entered wrong passwords from every address AOL is willing to assign you. Since you share the pool with at least other AOL users in your region, none of them can log in anymore to that user.
Otherwise you can spoof the handshake if the sequence numbers are predictable, as you say.
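The trade-off the thread circles around (a hard per-account lockout is a denial-of-service lever, a per-IP limit is weak against address cycling) can be shown concretely. The following is an added illustration, not code from MediaWiki or from anyone in the thread: a sliding-window throttle where per-account failures escalate only to a CAPTCHA requirement (never a lockout), while per-IP failures escalate to a delay. The class name, limits and `clock` parameter are all assumptions of this example.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login throttle (constructed example, not MediaWiki code).

    Per-account failures escalate to a CAPTCHA requirement rather than a hard
    lockout, so someone who knows a username cannot lock its owner out.
    Per-IP failures escalate to a delay; as the thread notes, that only slows
    a client that cannot move between many addresses.
    """

    def __init__(self, window=300, acct_limit=3, ip_limit=10, clock=time.monotonic):
        self.window = window          # seconds a failure stays counted
        self.acct_limit = acct_limit  # failures per account before CAPTCHA
        self.ip_limit = ip_limit      # failures per IP before delay
        self.clock = clock            # injectable for testing
        self.by_account = defaultdict(deque)
        self.by_ip = defaultdict(deque)

    def _recent(self, table, key):
        """Drop timestamps older than the window and return the live count."""
        q = table[key]
        now = self.clock()
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def check(self, account, ip):
        """Decide before the password is verified: 'allow', 'captcha' or 'delay'."""
        if self._recent(self.by_ip, ip) >= self.ip_limit:
            return "delay"
        if self._recent(self.by_account, account) >= self.acct_limit:
            return "captcha"
        return "allow"

    def record_failure(self, account, ip):
        """Count one wrong password against both the account and the source IP."""
        now = self.clock()
        self.by_account[account].append(now)
        self.by_ip[ip].append(now)

    def record_success(self, account):
        """A correct password (plus CAPTCHA if required) clears the account counter."""
        self.by_account.pop(account, None)
```

Because the account counter only adds a CAPTCHA, the owner can always still log in; the per-IP delay is the part that a client cycling through a shared address pool, as described above, can sidestep.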
On 2007/11/30, Simetrical Simetrical+wikilist@gmail.com wrote:
You can handshake if you cycle through all the AOL addresses, as an AOL subscriber (or any other ISP with similar features). Just repeatedly enter wrong passwords, getting a different IP address assigned for each time, until you've entered wrong passwords from every address AOL is willing to assign you. Since you share the pool with at least other AOL users in your region, none of them can log in anymore to that user.
Doesn't AOL use X-Forwarded-For now?
On 11/30/07, Schneelocke schneelocke@gmail.com wrote:
On 2007/11/30, Simetrical Simetrical+wikilist@gmail.com wrote:
You can handshake if you cycle through all the AOL addresses, as an AOL subscriber (or any other ISP with similar features). Just repeatedly enter wrong passwords, getting a different IP address assigned for each time, until you've entered wrong passwords from every address AOL is willing to assign you. Since you share the pool with at least other AOL users in your region, none of them can log in anymore to that user.
Doesn't AOL use X-Forwarded-For now?
For Wikipedia, I think, yes, but not for random third-party MediaWiki installations.
On 2007/11/30, Simetrical Simetrical+wikilist@gmail.com wrote:
On 11/30/07, Schneelocke schneelocke@gmail.com wrote:
Doesn't AOL use X-Forwarded-For now?
For Wikipedia, I think, yes, but not for random third-party MediaWiki installations.
Ah, they make a difference there? Shame. :/