Hello,
Within the last week, it has come to our attention that phpBB.com was unsuccessfully attacked by a malicious party attempting to brute-force account login credentials. The attack was facilitated by a search-engine query for "powered by phpbb", which locates forums running the software. Though the attack did not succeed, because phpBB includes several features that limit such attempts, board administrators should take measures to ensure that their forums are properly protected.
Attack anatomy
To perform the attack, the attacker registers an account on the forum and checks that the memberlist is visible to that account, so it can be used to obtain a list of users. The attacker then uses an automated process to log in and download thousands of user names from the memberlist; in this case a little over 5000 user names were harvested. With this list in hand, the attacker attempts to brute-force account credentials by repeatedly sending login requests to the forum, trying candidate passwords against each harvested user name. Because the script makes no attempt to solve the CAPTCHA that phpBB demands after repeated invalid login attempts, it gets at most the number of guesses per account specified in the "Maximum number of login attempts" configuration option; once that number is reached, further submissions for that account are refused until the CAPTCHA is solved.
Signs
Visible signs of this attack include:
- Legitimate users being asked to complete a CAPTCHA on their own first login attempt, because the attacker's failed guesses against their account have already used up the allowed attempts.
- Increased server load.
- Repeated POST requests to ucp.php?mode=login from the same IP address in the web server access log.
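The third sign can be checked mechanically. The script below is an added example written for this page, not part of the original post or of phpBB: it parses combined-format access log lines, counts POST requests to ucp.php?mode=login per client IP with a sliding time window, and flags any IP whose burst reaches a threshold. The log lines, IP addresses, paths and the 20-in-5-minutes threshold are all constructed for the demonstration; tune the threshold to your own board's traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined-format access log line: client IP, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# phpBB login handler: ucp.php with mode=login anywhere in the query string.
LOGIN_PATH = re.compile(r'/ucp\.php\?(?:[^ ]*&)?mode=login(?:&|$)')


def parse(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('method'), m.group('path'), int(m.group('status'))


def find_login_floods(lines, window=timedelta(minutes=5), threshold=20):
    """Map each IP whose login POSTs in any `window` reach `threshold` to that peak count.

    Only POST requests count: a GET of ucp.php?mode=login merely renders the form.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == 'POST' and LOGIN_PATH.search(path):
            posts[ip].append(ts)

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _constructed_sample():
    """Constructed log lines for the demo; not taken from any real server."""
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    base = datetime(2010, 1, 19, 13, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset, method, path, status=200):
        ts = (base + timedelta(seconds=offset)).strftime('%d/%b/%Y:%H:%M:%S %z')
        return fmt.format(ip=ip, ts=ts, method=method, path=path, status=status)

    lines = [entry('203.0.113.7', 0, 'GET', '/forum/memberlist.php?start=0')]
    # Attacker: 30 login POSTs two seconds apart, never fetching the login form.
    lines += [entry('203.0.113.7', 2 * i + 1, 'POST', '/forum/ucp.php?mode=login') for i in range(30)]
    # Legitimate user: loads the form, mistypes once, then logs in (redirect on success).
    lines += [
        entry('198.51.100.4', 5, 'GET', '/forum/ucp.php?mode=login'),
        entry('198.51.100.4', 20, 'POST', '/forum/ucp.php?mode=login'),
        entry('198.51.100.4', 45, 'POST', '/forum/ucp.php?mode=login', 302),
    ]
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == '__main__':
    for ip, peak in find_login_floods(SAMPLE_LINES).items():
        print(f'{ip}: {peak} login POSTs within 5 minutes')
```

On a real server, feed it the access log with `find_login_floods(open('/var/log/apache2/access.log'))`; the access log does not contain the POST body, so this shows the source of the flood but not which user names were targeted.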
phpBB provides several tools that enable users to mitigate these efforts.
- To limit brute-forcing, an administrator should ensure that "Maximum number of login attempts" (accessible via the Administration Control Panel under "Security settings") is set to a small number (the default is 3), so that a CAPTCHA is required after that many failed login attempts on an account.
- Furthermore, an administrator may wish to prevent Newly Registered Users from viewing the memberlist, which removes the attacker's source of user names. To do this, ensure that the Newly Registered Users group is enabled (accessible via "User registration settings"; set the "New member post limit" to a value greater than 0), then navigate to Permissions -> User roles -> "Newly registered user" -> Profile -> set "Can view profiles, memberlist and online list" to Never.
- Additionally, the attack is mitigated by proper password selection: an attacker who gets only a few guesses per account will spend them on the most common passwords. Ensure that your password (and the passwords of your users) contains letters and numbers and is not a common word, phrase or sequence (password, 1234, etc.). Password complexity requirements for your forum may be set on the "User registration settings" page of the Administration Control Panel.
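The following added example, written for this page and not taken from phpBB's own code, models the per-account counter described under "Attack anatomy" together with the first and third mitigations above: a scripted attacker that never solves the CAPTCHA gets at most "Maximum number of login attempts" guesses per harvested user name, and only accounts whose password falls within those first guesses are lost. It also reproduces the side effect listed under "Signs", where a legitimate user whose account was hammered must complete the CAPTCHA before a correct password is accepted. The user names, passwords and word list are constructed for the demonstration; the account store, the hashing and the result strings are this model's own simplifications, not phpBB's internals.

```python
import hashlib
import hmac
import secrets


class ForumLoginModel:
    """Minimal model of a per-account failed-login counter with a CAPTCHA gate.

    Modelled on the behaviour described above for phpBB's "Maximum number of login
    attempts" setting; this is an illustration, not phpBB's own code.
    """

    def __init__(self, max_login_attempts=3):
        self.max_login_attempts = max_login_attempts
        self.users = {}  # username -> {'salt', 'hash', 'attempts'}

    @staticmethod
    def _hash(salt, password):
        # Low iteration count keeps the demo fast; a real deployment would use far more.
        return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 1000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {'salt': salt, 'hash': self._hash(salt, password), 'attempts': 0}

    def captcha_required(self, username):
        u = self.users.get(username)
        return u is not None and u['attempts'] >= self.max_login_attempts

    def login(self, username, password, captcha_solved=False):
        """Return 'ok', 'bad_password', 'captcha_required' or 'no_such_user'."""
        u = self.users.get(username)
        if u is None:
            return 'no_such_user'
        if u['attempts'] >= self.max_login_attempts and not captcha_solved:
            return 'captcha_required'   # the password is not even checked
        if hmac.compare_digest(self._hash(u['salt'], password), u['hash']):
            u['attempts'] = 0           # success clears the counter
            return 'ok'
        u['attempts'] += 1
        return 'bad_password'


def run_dictionary_attack(forum, usernames, wordlist):
    """Attacker script that never solves CAPTCHAs.

    Returns (cracked accounts, guesses actually checked, accounts where the gate closed).
    """
    cracked, checked, blocked = {}, 0, 0
    for user in usernames:
        for guess in wordlist:
            result = forum.login(user, guess)
            if result == 'captcha_required':
                blocked += 1
                break                    # nothing more to gain on this account
            checked += 1
            if result == 'ok':
                cracked[user] = guess
                break
    return cracked, checked, blocked


def demo(max_login_attempts=3):
    """Harvested user names and a short word list, all constructed for this example."""
    forum = ForumLoginModel(max_login_attempts)
    forum.register('alice', 'correct horse battery staple')
    forum.register('bob', '123456')
    forum.register('carol', 'letmein')
    wordlist = ['password', '123456', 'qwerty', 'letmein', 'abc123']

    cracked, checked, blocked = run_dictionary_attack(forum, ['alice', 'bob', 'carol'], wordlist)
    # Side effect from the "Signs" list: alice now sees a CAPTCHA on her own first attempt.
    alice_without = forum.login('alice', 'correct horse battery staple')
    alice_with = forum.login('alice', 'correct horse battery staple', captcha_solved=True)
    return {
        'cracked': cracked,
        'checked': checked,
        'blocked': blocked,
        'alice_without_captcha': alice_without,
        'alice_with_captcha': alice_with,
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

With the default of 3 attempts only bob (password in the first two guesses) is lost, while carol, whose password is fourth in the list, is protected by the gate; running `demo(5)` shows that raising the limit to 5 hands carol's account over as well, which is why the limit should stay small and why weak passwords remain the deciding factor.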
If you have any questions regarding the implementation of these measures, please create a new topic in the Support Forum.
About This Entry
- You’re currently reading “Password brute force attacks,” an entry on The Staff Lounge
- Published at 1.19.10 / 1pm