Loading...
 
Skip to main content

Architecture / Installation

Forum List Topic List

Forums » Architecture / Installation » Brute force captcha attacks
 
Thread actions
Print this page
  • Print all pages

    • Brute force captcha attacks

    Posted by PhilJollans posts: 138

    I have big problems with bots registering in my forum and posting spam messages.

    I recently set the option "Require validation by Admin", after which I was getting at least 50 requests per day.

    I have increased the length of the captcha to 18 characters, which has reduced this down to around 5 per day, maybe less. Obviously, this is not friendly to real users.

    This suggests to me that the captcha is being broken with a brute force attack.

    Does Tiki have any feature to stop repeated attempts to enter the catpcha from the same IP-Address?

    Are there any other measures against brute force attacks, or plans to add them?

    Are other sites suffering from this kind of problem?

    I am currently using Tiki 10.2,

    thanks in advance
    Phil

    Reads: 4397

    Posted by Xavier de Pedro posts: 1817 Catalan Countries

    Hi Phil:

    The easiest effective solution (proven to many of us that were affected by massive spam registrations and posts) is adding the passcode and showing it for your users in the registration form. See:
    http://doc.tiki.org/Anti-spam

    And in order to remove the hundreds of fake or spam users (or user requests) plus banning their ip's, if you want, you can have a look at:
    http://doc.tiki.org/How+to+Ban+many+IP+from+fake+registrations

    Posted by PhilJollans posts: 138

    Hi Xavi,

    thanks for the quick reply.

    Enabling the passcode, but showing it on the registration form sounds just like a second captcha!

    If it works I will try it, but I am having difficulty finding the right fields.

    I have found the option Require passcode to register on the page tiki-admin.php?page=login (not tiki-admin.php?page=security), but I can't find the field Show passcode on registration form anywhere.

    I am using tiki 10.2. Can you point me in the right direction?

    Phil


    Posted by Tom Jarvis posts: 215

    Phil,

    In a recent #tikiwiki irc chat, the "show passcode..." was mentioned as not working in 10.2. You can see the irc log here: #tikiwiki 2013-08-12,Mon.

    Tom


    Posted by Xavi (as xavidp - admin) posts: 957

    Phil, use the second way to configure it, as documented, while you are no in latest tiki code.
    Cheers

    Posted by PhilJollans posts: 138

    Thanks for the replies.

    Since I have my own style, I have copied register-passcode.tpl into my style directory and edited it there.

    To avoid harassing real users too much, I have reduced the captcha to 10 characters. I will be interested to see whether this works.

    Does anyone know how bots get past the captcha?

    • Do they analyse the image?
    • Do they try billions of combinations?
    • Do they exploit vulnerabilities in tiki which they have found (but we have not)?


    Either way, they presumably make a lot of failed attempts. Would it possible to log failed attempts and block the IP address after a fixed number (say 10)?

    (If nobody has done this, I could try myself, although I am not a PHP expert.)

    Phil