MyBB Community Forums

Full Version: IP Lockouts
https://github.com/mybb/mybb/blob/featur....php#L6362
https://github.com/mybb/mybb/blob/b0873d....php#L1768
https://github.com/mybb/mybb/blob/2697b3.../login.php

Euan seems to think the feature exists, but IP rate-limits on login attempts seem to be missing.
I'm not sure if it ever existed or if it went missing somewhere along the line or if I'm just missing something important. The relevant lines and files are above.

If an IP brute forces one account, then the account itself will get locked out, but the IP could try to brute force every account simultaneously, while hoping that at least one will have a weak password or one they expect. Someone could respond to the IP lockouts by changing their IP (e.g. with a proxy, etc.) but that would wind up being a lot of IP changes as the number of accounts increases.

Hi,

Thank you for your report. We have pushed this issue to our GitHub repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on GitHub: https://github.com/mybb/mybb/issues/3333

Thanks for contributing to MyBB!

Regards,
The MyBB Group
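
An added sketch of the gap the first post describes (not MyBB's code and not written by either poster): failed logins are counted per account and per IP, and a constructed sequence of one address failing once against twelve different accounts shows that no account lockout fires while the per-IP counter does. The class name, thresholds and window are assumptions chosen for illustration.

```php
<?php
// Added illustration, not MyBB code. Names, thresholds and window are assumptions.
const MAX_FAILS_PER_ACCOUNT = 5;   // per-account lockout threshold (assumed)
const MAX_FAILS_PER_IP      = 10;  // failures allowed per IP across all accounts (assumed)
const WINDOW_SECONDS        = 900; // sliding window for both counters (assumed)

final class LoginThrottle
{
    private array $byAccount = []; // username => failure timestamps
    private array $byIp = [];      // IP address => failure timestamps

    public function recordFailure(string $username, string $ip, int $now): void
    {
        $this->byAccount[$username][] = $now;
        $this->byIp[$ip][] = $now;
    }

    public function accountLocked(string $username, int $now): bool
    {
        return $this->recent($this->byAccount[$username] ?? [], $now) >= MAX_FAILS_PER_ACCOUNT;
    }

    public function ipLocked(string $ip, int $now): bool
    {
        return $this->recent($this->byIp[$ip] ?? [], $now) >= MAX_FAILS_PER_IP;
    }

    // Count failures that fall inside the sliding window ending at $now.
    private function recent(array $stamps, int $now): int
    {
        return count(array_filter($stamps, fn(int $t): bool => $t > $now - WINDOW_SECONDS));
    }
}

// Constructed sample: one address (documentation range) fails once against 12 accounts.
$throttle = new LoginThrottle();
$ip = '203.0.113.7';
$firstRefused = null;
foreach (range(1, 12) as $i) {
    $now = 1700000000 + $i; // one attempt per second
    if ($throttle->ipLocked($ip, $now)) {   // the check a per-IP limit adds
        $firstRefused ??= $i;
        continue;
    }
    $throttle->recordFailure("user{$i}", $ip, $now);
}
$end = 1700000013;
$locked = array_filter(range(1, 12), fn(int $i): bool => $throttle->accountLocked("user{$i}", $end));
printf("accounts locked: %d; per-IP limit refused attempts from #%d on\n", count($locked), $firstRefused);
```

The per-IP counter sits alongside the per-account lockout rather than replacing it, since each catches a pattern the other misses.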