PennMUSH Community

Ticket #7496 (new suggested feature)

Opened 8 months ago

Last modified 2 months ago

Locking out Accounts

Reported by: parusso Assigned to: raevnos
Priority: major Milestone: 1.8.2p9
Keywords: safety, password Cc:
Visibility: Public

Description

Elsemu, there has been a sucessful attack from superstar.insol.be that gained access to another players account... and changed settings and such. The incident is currently being investigated. I'd imagine, that who ever attacked this mush, did so with a password cracking script... If that is the case, then even M*U*S*H is defenseless. I would like to suggest locking out the account after the third failed attempt... and severing the connection from that port. I understand that Unix already has this feature in place... And it seems to work well. ATM, PennMUSH does not have any structure/support for such a task. Is this possible?

Change History

01/06/08 02:37:59 changed by raevnos

  • owner set to raevnos.
  • milestone set to 1.8.2p9.

This is a good idea; probably worth doing for 1.8.2 as well as 1.8.3. Blocks for per-player login attempts, and maybe track each IP address and sitelock those with more than some number of failed logins in a row...

03/03/08 05:16:02 changed by Boris

How would you conceptually go about this? I was poking around player.c last night and thinking.

Every connection is written to connect.log with a date/time stamp. Is this as simple as checking that logfile against failed attmepts in X seconds before allowing login?

player.c (line 165) has this:

/* validate password */ if (!Guest(player))

if (!password_check(player, password)) {

/* Increment count of login failures */ Mod Time(player)++; check_lastfailed(player, host); return NOTHING;

}

I know nothing about c, but I would like to learn, and if this is that easy, I'd like to take a stab at it.

03/24/08 05:38:17 changed by Mercutio

I must note that this has a possibility of being abused. If there's hate between players, a player can try to log into that person's account a few times to force it to get locked up.

I realize that the staffer would be able to figure out the IP adress of the player and thus find out who the culprit was, but I may want to suggest something higher than three? After all, if someone is running a password-hacking tool, it likely starts with using a 4-letter password and slowly works its way up.

Asuming it can be 36 types of signs, 4 characters has about 1679616 possibilities. --> 364

I doubt a player who really has it in for another player will take his time to fail a connection that many times.

About 46656 failed attempts may be a good place to start? --> 363

04/21/08 15:47:04 changed by loki

Yay for config options, says I. ;) It seems like a good idea, but it ought to be a simple config option like fail_attempts ... default it to -1 (the current behaviour; 'infinite'). Then you can do like fail_attempts 3 to lock out after 3 failed attempts, and so on.

05/31/08 09:20:04 changed by dbwiddis

I think a failed login timer would work much better than a number. Simply require a 5 second delay after a failed login attempt.

This solves the cracking problem (there are only 86400 in a day, so 17280 login attempts) as well as the annoying another user problem (no matter what, the login is available again 5 seconds after the attacking player finishes their tantrum).

This is also much easier to implement, by simply tracking the LASTFAILED attribute (which records both the IP and time of last failed connection).

Delay should be higher (say, 1 minute) for wizard accounts.

05/31/08 09:24:34 changed by dbwiddis

Also, the IP tracking could assign a shorter delay for a failed connection attempt from the user's last successful IP (more likely to be their own computer) than a different IP (more likely to be a cracker)