Architecture / Installation


Brute force captcha attacks

posts: 135

I have big problems with bots registering in my forum and posting spam messages.

I recently set the option "Require validation by Admin", after which I was getting at least 50 requests per day.

I have increased the length of the captcha to 18 characters, which has reduced this down to around 5 per day, maybe less. Obviously, this is not friendly to real users.

This suggests to me that the captcha is being broken with a brute force attack.

Does Tiki have any feature to stop repeated attempts to enter the captcha from the same IP address?

Are there any other measures against brute force attacks, or plans to add them?

Are other sites suffering from this kind of problem?

I am currently using Tiki 10.2,

thanks in advance
Phil


posts: 1801 Catalan Countries

Hi Phil:

The easiest effective solution (proven for many of us who were affected by massive spam registrations and posts) is adding the passcode and showing it to your users in the registration form. See:
http://doc.tiki.org/Anti-spam

And in order to remove the hundreds of fake or spam users (or user requests), plus banning their IPs if you want, you can have a look at:
http://doc.tiki.org/How+to+Ban+many+IP+from+fake+registrations

posts: 135

Hi Xavi,

thanks for the quick reply.

Enabling the passcode, but showing it on the registration form sounds just like a second captcha!

If it works I will try it, but I am having difficulty finding the right fields.

I have found the option Require passcode to register on the page tiki-admin.php?page=login (not tiki-admin.php?page=security), but I can't find the field Show passcode on registration form anywhere.

I am using tiki 10.2. Can you point me in the right direction?

Phil


posts: 212

Phil,

In a recent #tikiwiki IRC chat, the "show passcode..." option was mentioned as not working in 10.2. You can see the IRC log here: #tikiwiki 2013-08-12,Mon.

Tom


posts: 947

Phil, use the second way to configure it, as documented, while you are not on the latest Tiki code.
Cheers

posts: 135

Thanks for the replies.

Since I have my own style, I have copied register-passcode.tpl into my style directory and edited it there.

To avoid harassing real users too much, I have reduced the captcha to 10 characters. I will be interested to see whether this works.

Does anyone know how bots get past the captcha?

  • Do they analyse the image?
  • Do they try billions of combinations?
  • Do they exploit vulnerabilities in tiki which they have found (but we have not)?


Either way, they presumably make a lot of failed attempts. Would it be possible to log failed attempts and block the IP address after a fixed number (say 10)?

(If nobody has done this, I could try myself, although I am not a PHP expert.)

Phil
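The lockout Phil asks about in the post above, as an added example and not code from Tiki or from anyone in this thread: a per-IP counter of failed captcha attempts that blocks the address after a configurable number of failures inside a time window. The in-memory array, the class and function names, the thresholds, and the sample addresses are all assumptions for illustration; a real deployment would keep the counters in a database table instead.

```php
<?php
// Added example, not Tiki's own code: lock out an IP after repeated captcha failures.
// The in-memory array below stands in for a database table (assumption).

final class CaptchaAttemptLimiter
{
    // ip => ['count' => int, 'first' => int, 'blocked_until' => int]
    private array $failures = [];
    private int $maxFailures;
    private int $windowSeconds;
    private int $blockSeconds;

    public function __construct(int $maxFailures = 10, int $windowSeconds = 3600, int $blockSeconds = 86400)
    {
        $this->maxFailures = $maxFailures;
        $this->windowSeconds = $windowSeconds;
        $this->blockSeconds = $blockSeconds;
    }

    /** True while the IP is locked out. */
    public function isBlocked(string $ip, int $now): bool
    {
        $rec = $this->failures[$ip] ?? null;
        return $rec !== null && $rec['blocked_until'] > $now;
    }

    /** Record one failed captcha; returns true if this failure triggered a block. */
    public function recordFailure(string $ip, int $now): bool
    {
        $rec = $this->failures[$ip] ?? ['count' => 0, 'first' => $now, 'blocked_until' => 0];
        // Start a fresh window once the old one has expired.
        if ($now - $rec['first'] > $this->windowSeconds) {
            $rec = ['count' => 0, 'first' => $now, 'blocked_until' => 0];
        }
        $rec['count']++;
        $triggered = false;
        if ($rec['count'] >= $this->maxFailures) {
            $rec['blocked_until'] = $now + $this->blockSeconds;
            $triggered = true;
        }
        $this->failures[$ip] = $rec;
        return $triggered;
    }

    /** A correct captcha clears the counter, but never lifts an active block early. */
    public function recordSuccess(string $ip): void
    {
        if (isset($this->failures[$ip]) && $this->failures[$ip]['blocked_until'] === 0) {
            unset($this->failures[$ip]);
        }
    }
}

/**
 * Pick the client address. X-Forwarded-For is only honoured when the direct peer
 * is a known reverse proxy; otherwise a bot can put any address in that header
 * and either dodge the lockout or get an innocent address blocked.
 */
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return $chain[0];
    }
    return $remote;
}

/** Registration handler sketch; $captchaOk is the result of the existing captcha check. */
function handleRegistration(CaptchaAttemptLimiter $limiter, string $ip, bool $captchaOk, int $now): string
{
    if ($limiter->isBlocked($ip, $now)) {
        return 'blocked';
    }
    if (!$captchaOk) {
        error_log(sprintf('captcha failure from %s', $ip)); // constructed log line
        return $limiter->recordFailure($ip, $now) ? 'blocked' : 'retry';
    }
    $limiter->recordSuccess($ip);
    return 'ok';
}

// Demonstration with a constructed sequence of requests from a documentation address.
$limiter = new CaptchaAttemptLimiter(10, 3600, 86400);
$t = 1000000;
for ($i = 0; $i < 9; $i++) {
    echo handleRegistration($limiter, '203.0.113.5', false, $t + $i), "\n";  // failures 1..9
}
echo handleRegistration($limiter, '203.0.113.5', false, $t + 9), "\n";       // 10th failure
echo handleRegistration($limiter, '203.0.113.5', true, $t + 10), "\n";       // correct captcha while locked out
echo handleRegistration($limiter, '203.0.113.5', true, $t + 10 + 86401), "\n"; // after the block expires
echo handleRegistration($limiter, '198.51.100.7', true, $t), "\n";           // a different address
echo clientIp(['REMOTE_ADDR' => '192.0.2.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.5'], ['10.0.0.1']), "\n";
```

Two caveats a practitioner would add. First, spam bots typically spread their attempts over many addresses, so a per-IP counter slows each address down rather than stopping a distributed run; it pairs with, and does not replace, the passcode trick above. Second, the `clientIp` helper deliberately ignores `X-Forwarded-For` unless the peer is in the trusted-proxy list: with a lockout in place, a spoofable client address is itself a denial-of-service lever against legitimate users.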

