Saturday, January 19, 2013

Login attempts when more than 5 attempts failed - [Resolved]

Tips for clear drupal flood table

Drupal 7 protects accounts against brute-force attacks by refusing login attempts once more than 5 attempts have failed. The number of failed logins is recorded in the table 'flood'. You can either wait before trying to log in again or clean the flood table with the procedure below (note that the query below removes every flood record, for all users and IP addresses).
If you forgot your password, generate a new password and update the database.
Execute the following query on the Drupal database: 
DELETE FROM `flood`;
To execute this query you will need to log in to the database. This is typically done through the command line or through a GUI such as phpMyAdmin. If Drush is installed on your server, the drush sql-cli command provides quick access to an SQL command-line interface.
From the command line, with Drush installed:
drush php-eval 'db_query("DELETE FROM `flood`");'

Change number of failed login attempts before lockout?

Looks like that code is in user_login_authenticate_validate(). There are two separate flood types: one per IP address, and one per user (the user identifier is the uid combined with the IP address).
The number of attempts and the time windows are stored as variables, so you can override them. There is no UI for it directly; you can set them from code:

<?php
// Set per-IP failed login attempt limit and window.
variable_set('user_failed_login_ip_limit', 10); // Changed from the default of 50 attempts to 10.
variable_set('user_failed_login_ip_window', 1800); // Changed from 3600 (one hour) to 1800 (half an hour).

// Set per-user failed login attempt limit and window.
variable_set('user_failed_login_user_limit', 10); // Changed from the default of 5 attempts to 10.
variable_set('user_failed_login_user_window', 10800); // Changed from 21600 (6 hours) to 10800 (3 hours).
?>



Alternatively, control the limits from settings.php.
On a 64-bit machine PHP_INT_MAX is 9223372036854775807; on a 32-bit machine it is 2147483647. With the settings below, that is the number of failed attempts permitted within a 5-second window. As long as the count stays below that value the user is not blocked, which in practice disables the per-user lockout (the per-IP limit still applies unless you change it too).
$conf['user_failed_login_user_limit'] = PHP_INT_MAX;
$conf['user_failed_login_user_window'] = 5;

Drupal contributed module
The Flood Unblock module lets site administrators remove individual IP addresses from the flood table, or remove all entries of a given event type, without truncating the whole table.
http://drupal.org/project/flood_unblock
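The following is an added example, not code from this post or from Drupal itself: a small Python model of the Drupal 7 flood table (same columns, same SELECT/INSERT/DELETE shape as flood_is_allowed(), flood_register_event() and flood_clear_event()) backed by an in-memory SQLite database. It ties together the three points above: how the per-IP and per-user limits and windows decide a lockout, why the PHP_INT_MAX / 5-second settings.php override never blocks a user, and why clearing only one event type (as the Flood Unblock module does per IP address) may not be enough when the per-IP limit was the one that tripped. The IP address, uid, epoch timestamp and the simulate() helper are constructed for the example.

```python
import sqlite3

# Constructed stand-in for Drupal 7's {flood} table, with the same columns.
SCHEMA = """
CREATE TABLE flood (
  fid        INTEGER PRIMARY KEY AUTOINCREMENT,
  event      TEXT    NOT NULL,
  identifier TEXT    NOT NULL,
  timestamp  INTEGER NOT NULL,
  expiration INTEGER NOT NULL
)
"""

# Drupal 7 defaults for the four variables discussed on the page.
DEFAULTS = {
    'user_failed_login_ip_limit': 50,
    'user_failed_login_ip_window': 3600,
    'user_failed_login_user_limit': 5,
    'user_failed_login_user_window': 21600,
}

# The settings.php override from the page (64-bit PHP_INT_MAX, 5-second window).
NO_USER_LOCKOUT = dict(DEFAULTS,
                       user_failed_login_user_limit=9223372036854775807,
                       user_failed_login_user_window=5)


def new_flood_db():
    """Return an in-memory SQLite database holding an empty flood table."""
    db = sqlite3.connect(':memory:')
    db.execute(SCHEMA)
    return db


def flood_register_event(db, event, window, identifier, now):
    """Record one event: the INSERT flood_register_event() performs."""
    db.execute(
        "INSERT INTO flood (event, identifier, timestamp, expiration) VALUES (?, ?, ?, ?)",
        (event, identifier, now, now + window))


def flood_is_allowed(db, event, threshold, window, identifier, now):
    """True while fewer than `threshold` events for this identifier fall inside the last `window` seconds."""
    (count,) = db.execute(
        "SELECT COUNT(*) FROM flood WHERE event = ? AND identifier = ? AND timestamp > ?",
        (event, identifier, now - window)).fetchone()
    return count < threshold


def flood_clear_event(db, event, identifier):
    """Targeted unblock: delete only this identifier's rows for one event type; returns rows removed."""
    return db.execute("DELETE FROM flood WHERE event = ? AND identifier = ?",
                      (event, identifier)).rowcount


def failed_login(db, conf, uid, ip, now):
    """A failed login writes one per-IP row and one per-user row; the per-user identifier is 'uid-ip'."""
    flood_register_event(db, 'failed_login_attempt_ip', conf['user_failed_login_ip_window'], ip, now)
    flood_register_event(db, 'failed_login_attempt_user', conf['user_failed_login_user_window'],
                         f'{uid}-{ip}', now)


def login_allowed(db, conf, uid, ip, now):
    """Both the IP check and the user check must pass, as in user_login_authenticate_validate()."""
    ip_ok = flood_is_allowed(db, 'failed_login_attempt_ip', conf['user_failed_login_ip_limit'],
                             conf['user_failed_login_ip_window'], ip, now)
    user_ok = flood_is_allowed(db, 'failed_login_attempt_user', conf['user_failed_login_user_limit'],
                               conf['user_failed_login_user_window'], f'{uid}-{ip}', now)
    return ip_ok and user_ok


def simulate(conf, attempts, uid=1, ip='203.0.113.7'):
    """Run `attempts` failed logins one second apart, then clear only the per-user rows.
    Returns (locked_out, rows_cleared, allowed_after_clear)."""
    db = new_flood_db()
    t0 = 1358553600  # constructed fixed epoch so the run is deterministic
    for i in range(attempts):
        failed_login(db, conf, uid, ip, t0 + i)
    now = t0 + attempts
    locked = not login_allowed(db, conf, uid, ip, now)
    cleared = flood_clear_event(db, 'failed_login_attempt_user', f'{uid}-{ip}')
    return locked, cleared, login_allowed(db, conf, uid, ip, now)


if __name__ == '__main__':
    print('defaults, 5 failures:', simulate(DEFAULTS, 5))          # user lockout; clearing user rows unblocks
    print('defaults, 60 failures:', simulate(DEFAULTS, 60))        # IP lockout; clearing user rows is not enough
    print('settings.php override, 5 failures:', simulate(NO_USER_LOCKOUT, 5))  # never locked
```

Run it as a script to see the three scenarios. The second one is the case an administrator hits in practice: after 60 failures from one address the per-IP limit (50 in an hour) has tripped, so removing the user's rows changes nothing and the failed_login_attempt_ip rows for that address must be cleared as well. That is exactly the distinction between "remove this IP address" and "remove all entries of an event type" that the Flood Unblock module exposes, and it is why a targeted DELETE ... WHERE event = ... AND identifier = ... is preferable to emptying the whole table.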

1 comment:

  1. Just what we needed. The Flood Unblock module will come in very handy. Thank you.
