We're getting many hundreds of attempts every day, many from the same IP. If I can block access after one or two incorrect attempts it should reduce this considerably.
One of the reasons is simply the number of simpler security-related things that I assumed would be in v3 by now.
The lack of what you are describing will fail any penetration test.
For now you could just manually block the IP address... I block whole countries with my hosting... I don't have customers in China, Russia, the Philippines etc. So why let them in?
Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk
johnp wrote:
For now you could just manually block the IP address...
this is just plain dumb
johnp wrote:
I block whole countries with my hosting... I don't have customers in China, Russia, the Philippines etc. So why let them in?
and that is a terrible solution for anything.
Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces
“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.
1) you always password protect your admin folders via httpd.conf or htaccess
2) if you have a fixed ip address, you only allow that ip to access admin via httpd.conf or htaccess
3) V3 blocks login for 1 hour after X failed attempts (X set in your server settings in admin)
looks like enough to me.
Blocking IP addresses in the age of cloud services and high IP ownership turnover is futile unless you are talking DDoS, but I doubt any OC store is worthy of such an effort, and even then you would do that via a firewall, not some half-baked PHP or htaccess solution.
letxobnav wrote: ↑Tue Jun 09, 2020 8:06 am
V3 has Max Login Attempts
[...] this is just plain dumb [...] and that is a terrible solution for anything.

Can I ask as to why? I've used it many times and find it works well and stops a lot of bot traffic etc. Just interested as to why it gets bad press. If it's that bad I'll remove it from all my sites.
But it seems to only be for customers, not users.
If you want it to also apply to admin users you will have to do the following:
add a table (watch the prefix):
CREATE TABLE IF NOT EXISTS `oc_user_login` (
    `user_login_id` int(11) NOT NULL AUTO_INCREMENT,
    `username` varchar(96) NOT NULL,
    `ip` varchar(40) NOT NULL,
    `total` int(4) NOT NULL,
    `date_added` datetime NOT NULL,
    `date_modified` datetime NOT NULL,
    PRIMARY KEY (`user_login_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
in admin/model/user/user.php
add these functions:
// Record one failed login for this username from the current client IP.
// One row per (username, ip) pair; the row's counter grows on each failure.
public function addLoginAttempt($username) {
    $query = $this->db->query("SELECT * FROM " . DB_PREFIX . "user_login WHERE username = '" . $this->db->escape(utf8_strtolower((string)$username)) . "' AND ip = '" . $this->db->escape($this->request->server['REMOTE_ADDR']) . "'");
    if (!$query->num_rows) {
        $this->db->query("INSERT INTO " . DB_PREFIX . "user_login SET username = '" . $this->db->escape(utf8_strtolower((string)$username)) . "', ip = '" . $this->db->escape($this->request->server['REMOTE_ADDR']) . "', total = 1, date_added = '" . $this->db->escape(date('Y-m-d H:i:s')) . "', date_modified = '" . $this->db->escape(date('Y-m-d H:i:s')) . "'");
    } else {
        $this->db->query("UPDATE " . DB_PREFIX . "user_login SET total = (total + 1), date_modified = '" . $this->db->escape(date('Y-m-d H:i:s')) . "' WHERE user_login_id = '" . (int)$query->row['user_login_id'] . "'");
    }
}

// Returns the first row found for the username, whichever IP it belongs to
// (same behaviour as the customer login lockout in the catalog).
public function getLoginAttempts($username) {
    $query = $this->db->query("SELECT * FROM `" . DB_PREFIX . "user_login` WHERE username = '" . $this->db->escape(utf8_strtolower($username)) . "'");
    return $query->row;
}

// Clear every counter for the username after a successful login.
public function deleteLoginAttempts($username) {
    $this->db->query("DELETE FROM `" . DB_PREFIX . "user_login` WHERE username = '" . $this->db->escape(utf8_strtolower($username)) . "'");
}
in admin/controller/common/login.php
after:
$this->document->setTitle($this->language->get('heading_title'));
add:
$this->load->model('user/user');
and replace the existing validate() function with:
protected function validate() {
    // Check how many login attempts have been made for this username.
    // Note: the lock is tested against the first row getLoginAttempts() returns and the
    // counter is never reset once the hour has passed, so one more failed attempt after
    // the lockout relocks the account for another hour.
    $username = isset($this->request->post['username']) ? $this->request->post['username'] : '';

    $login_info = $this->model_user_user->getLoginAttempts($username);

    if ($login_info && ($login_info['total'] >= $this->config->get('config_login_attempts')) && strtotime('-1 hour') < strtotime($login_info['date_modified'])) {
        $this->error['warning'] = $this->language->get('error_attempts');
    }

    if (!$this->error) {
        if (!isset($this->request->post['username']) || !isset($this->request->post['password']) || !$this->user->login($this->request->post['username'], html_entity_decode($this->request->post['password'], ENT_QUOTES, 'UTF-8'))) {
            $this->error['warning'] = $this->language->get('error_login');
            // Count the failure against the username and client IP.
            $this->model_user_user->addLoginAttempt($username);
        } else {
            // A successful login clears the counter.
            $this->model_user_user->deleteLoginAttempts($username);
        }
    }

    return !$this->error;
}
in the admin login language file (admin/language/en-gb/common/login.php) add:
$_['error_attempts'] = 'Your account has exceeded the allowed number of sign in attempts. Please try again in 1 hour.';
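An added example, not the code from the post above and not OpenCart's own: the same lockout written as a stand-alone PHP script that closes the two weak spots in that snippet. It sums failures for a username across every source IP inside a sliding one-hour window (the snippet's getLoginAttempts() only looks at the first row it finds, so an attacker who rotates IPs is never added up), and it restarts a stale counter instead of relocking the account for another hour on the very next failed attempt. The table name, function names and the fixed clock value are assumptions for the example; it uses an in-memory SQLite database through PDO (pdo_sqlite enabled) so it runs offline, and the IP addresses and attempt sequence at the bottom are constructed test data. To wire it into a store you would swap the PDO calls for $this->db->query() in the model and call the functions from validate(), passing the client IP from REMOTE_ADDR (or a proxy header only when the proxy in front of the store is yours).

```php
<?php
// Added example, not OpenCart's code or the post's: a lockout helper that sums
// failed logins for a username across all source IPs inside a sliding window
// and restarts stale counters. Uses an in-memory SQLite database through PDO
// (pdo_sqlite must be enabled) so it runs offline; table and function names
// are assumptions for this example.
declare(strict_types=1);

const MAX_ATTEMPTS   = 5;    // same role as config_login_attempts in the admin settings
const WINDOW_SECONDS = 3600; // counting and lockout window: one hour

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the oc_user_login table in the post, with date_modified
    // stored as unix time and one row per (username, ip) pair.
    $db->exec('CREATE TABLE user_login (
        user_login_id INTEGER PRIMARY KEY AUTOINCREMENT,
        username      TEXT    NOT NULL,
        ip            TEXT    NOT NULL,
        total         INTEGER NOT NULL,
        date_modified INTEGER NOT NULL,
        UNIQUE (username, ip)
    )');
    return $db;
}

// Record one failed attempt for (username, ip). If the last failure from this
// IP is older than the window the counter restarts at 1 instead of growing,
// so an expired lockout is not re-armed by a single new mistake.
function record_failure(PDO $db, string $username, string $ip, int $now): void {
    $username = strtolower($username);
    $stmt = $db->prepare('SELECT total, date_modified FROM user_login WHERE username = ? AND ip = ?');
    $stmt->execute([$username, $ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        $db->prepare('INSERT INTO user_login (username, ip, total, date_modified) VALUES (?, ?, 1, ?)')
           ->execute([$username, $ip, $now]);
        return;
    }
    $stale = ($now - (int)$row['date_modified']) > WINDOW_SECONDS;
    $total = $stale ? 1 : (int)$row['total'] + 1;
    $db->prepare('UPDATE user_login SET total = ?, date_modified = ? WHERE username = ? AND ip = ?')
       ->execute([$total, $now, $username, $ip]);
}

// Locked when the failures for this username from every IP inside the window
// add up to the limit. Summing across IPs is the difference from the post's
// getLoginAttempts(), which only inspects the first row it finds.
function is_locked(PDO $db, string $username, int $now): bool {
    $stmt = $db->prepare('SELECT COALESCE(SUM(total), 0) FROM user_login WHERE username = ? AND date_modified > ?');
    $stmt->execute([strtolower($username), $now - WINDOW_SECONDS]);
    return (int)$stmt->fetchColumn() >= MAX_ATTEMPTS;
}

// A successful login forgets the failures for the account.
function clear_failures(PDO $db, string $username): void {
    $db->prepare('DELETE FROM user_login WHERE username = ?')
       ->execute([strtolower($username)]);
}

// Constructed demonstration: two failures from each of three IPs, then the
// same check again after the window has passed. The clock is fixed so the
// run is deterministic.
$db = open_db();
$t0 = 1700000000;
foreach (['203.0.113.5', '198.51.100.9', '192.0.2.77'] as $ip) {
    record_failure($db, 'admin', $ip, $t0);
    record_failure($db, 'admin', $ip, $t0 + 1);
}
var_dump(is_locked($db, 'admin', $t0 + 2));                  // six failures across three IPs
var_dump(is_locked($db, 'admin', $t0 + WINDOW_SECONDS + 1)); // window has elapsed
record_failure($db, 'admin', '203.0.113.5', $t0 + WINDOW_SECONDS + 2);
var_dump(is_locked($db, 'admin', $t0 + WINDOW_SECONDS + 3)); // stale counter restarted rather than relocked
clear_failures($db, 'admin');
```

Run it with the php command-line binary. The first check reports the account locked because the six failures are summed across the three IPs, the second reports it open once the hour has passed, and the third stays open because the failure after the lapse starts a fresh count instead of extending the old one. Locking by username still lets an attacker keep the real admin locked out on purpose, which is why the basic auth or IP allowlist on the admin folder from the earlier post remains the stronger control in front of this one.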
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
johnp wrote: ↑Tue Jun 09, 2020 4:09 pm
Can I ask as to why? I've used it many times and find it works well and stops a lot of bot traffic etc. Just interested as to why it gets bad press. If it's that bad I'll remove it from all my sites.

Which is why, normally, the forum does not suggest that users post 3rd party scripts directly but rather post Marketplace extensions, where they are approved, well rated and have positive input and insights for future users to find what they need. Otherwise, it may create a reputation issue for a 3rd party extension being posted on the forum without reviews in the first place.