Author Topic: How do I extend the bad password timeout? (Read 2037 times)

dtrack · « **on:** October 30, 2006, 08:05:55 pm »

I know nothing about programing but I'm hoping someone can point me to the line in the script where I can extend the bad password attempt timeout.

After months and months of MAYBE one or two outside password attempts a month, I'm suddenly being hit with ten or more a day. They don't seem to be a serious threat as most of them are trying "" or things like qwertyhdfdyekdbsy but it's annoying to get all the "Bad Password Entered!" emails every day.

I figured if I could extend the timeout from seven seconds to 700 seconds it would cut down on the attempts. I use Roboform to log in myself so it shouldn't cause a problem for me.

Thanks

Dean

DW · « **Reply #1 on:** October 30, 2006, 10:39:39 pm »

Hi Dean,

Do a search for "sleep" in the login.php file. The value given to the function is the number of seconds to pause.

Regards

mike2 · « **Reply #2 on:** October 31, 2006, 05:41:16 am »

I was thinking for additional security you could add a .htaccess file to only allow your IP or IP range of your ISP access to the login file...

I don't get a lot of reports of this kind of attempt, but I think this would still be a good idea.

dtrack · « **Reply #3 on:** November 05, 2006, 08:59:50 am »

Thanks Dean, I increased the 'sleep' tp 700 seconds which has cut down on the password attempts, but I'm still getting 2 or 3 every day.

Thanks too Mike, although I'm not sure how to set up a .htaccess file.

I was wondering if a simple fix might be to just rename login.php to something else, like loginzz33q.php for example.

Could I do that or is 'login.php' referenced in other listmail files?

If I could do that, I would then change 'login.php' into a php redirect to a money page :-)

Thanks

Dean

DW · « **Reply #4 on:** November 05, 2006, 05:52:49 pm »

I wonder if they are even finding the login.php file or if they are simply browsing to index.php (or your ListMail base folder). You could replace index.php then simply browse to login.php directly to login.

You -could- rename the login PHP file, I think. The only thing is you won't be able to logout and when you browse to a page without logging in you won't be redirected properly (it's hard coded into almost every file). The login cookie will automatically be deleted when you close your browser, however.

dtrack · « **Reply #5 on:** November 05, 2006, 07:28:08 pm »

Ahhh... good point. I didn't realize that my base url (index.php) forwarded to login.php

I just renamed index.php and uploaded a new plain Jane index.htm

Lets see if that works.

Thanks for the quick reply Dean