Re: Maybe I’m done on Forums as well
Posted: Fri Oct 29, 2021 1:38 pm
by chapmanruss
I would like to see Everett continue adding to this Forum but can understand his frustrations.
John,
If you have contact with Everett please pass along our thanks for all he has contributed here and our hope he decides to return. Although I have his email addresses I don't want to contact him directly at this time to avoid him feeling bombarded by more emails.
Re: Maybe I’m done on Forums as well
Posted: Fri Oct 29, 2021 1:52 pm
by admin
Hi- Sorry for the delay here. We don't actually force password changes to my knowledge. I will check it out.
Re: Maybe I’m done on Forums as well
Posted: Fri Oct 29, 2021 7:13 pm
by admin
It appears that someone may have been repeatedly attempting to log in to Everett's account to trigger the CAPTCHA. I adjusted some settings so that the CAPTCHA is triggered per IP address before it gets triggered per username. Hopefully this additional time-waster will deter people from attempting to annoy other users.
If it becomes an ongoing problem I can probably go into the logs and find the offenders by IP address, but really don't have time for this so if I find that anyone has been doing this it will definitely result in a permanent ban.
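A small model of the setting change described in the post above, added here as an illustration; it is not part of the original post and not phpBB's own code. It replays constructed failed-login records to show which limit demands a CAPTCHA first, and lists the source addresses behind failures against one account. The record layout, the limit values and the "more than N failures" rule are assumptions.

```python
from collections import Counter

# Constructed failed-login records: (source IP, username). Values are samples;
# the two-field layout is an assumption, not phpBB's actual log format.
FAILED_LOGINS = (
    [("203.0.113.7", "target_user")] * 6   # one address hammering one account
    + [("198.51.100.20", "alice")]         # unrelated user, ordinary typo
    + [("192.0.2.44", "target_user")]      # account owner mistyping once
    + [("203.0.113.7", "target_user")] * 2
)


def first_trip(failures, ip_limit, user_limit):
    """Replay failures in order and report which limit is exceeded first.

    Returns (kind, key, attempt_number) with kind "ip" or "username",
    or None when neither limit is exceeded.
    """
    per_ip, per_user = Counter(), Counter()
    for attempt, (ip, user) in enumerate(failures, start=1):
        per_ip[ip] += 1
        per_user[user] += 1
        # Check the address first, mirroring "per IP before per username".
        if per_ip[ip] > ip_limit:
            return ("ip", ip, attempt)
        if per_user[user] > user_limit:
            return ("username", user, attempt)
    return None


def offenders(failures, username, min_failures):
    """Source IPs with at least min_failures failed logins for one username."""
    hits = Counter(ip for ip, user in failures if user == username)
    return {ip: count for ip, count in hits.items() if count >= min_failures}


if __name__ == "__main__":
    # Low per-IP limit: the hammering address is challenged, not the account.
    print(first_trip(FAILED_LOGINS, ip_limit=3, user_limit=5))
    # Per-IP limit effectively off: the account itself gets the CAPTCHA.
    print(first_trip(FAILED_LOGINS, ip_limit=50, user_limit=5))
    print(offenders(FAILED_LOGINS, "target_user", min_failures=5))
```

With the per-IP limit below the per-username limit, the challenge lands on the address generating the failures; with it effectively disabled, the username limit trips and the account owner sees the CAPTCHA as well.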
Re: Maybe I’m done on Forums as well
Posted: Sat Oct 30, 2021 5:26 am
by dusty
I assume that this means Everett can, if he so chooses, log in to the Shopsmith forum with his old password and username.
Re: Maybe I’m done on Forums as well
Posted: Sat Oct 30, 2021 10:53 am
by JPG
He can also assume a 'nom de plume'. (I assume)
Re: Maybe I’m done on Forums as well
Posted: Sat Oct 30, 2021 11:14 am
by DarrenDD
…or pseudonym.

Re: Maybe I’m done on Forums as well
Posted: Wed Nov 03, 2021 6:16 am
by rlkeeney
admin wrote: ↑Fri Oct 29, 2021 7:13 pm
It appears that someone may have been repeatedly attempting to log in to Everett's account to trigger the CAPTCHA. I adjusted some settings so that the CAPTCHA is triggered per IP address before it gets triggered per username. Hopefully this additional time-waster will deter people from attempting to annoy other users.
If it becomes an ongoing problem I can probably go into the logs and find the offenders by IP address, but really don't have time for this so if I find that anyone has been doing this it will definitely result in a permanent ban.
If you are running on a Linux server take a look at Fail2ban.
https://www.fail2ban.org/
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
Fail2Ban is able to reduce the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.
Re: Maybe I’m done on Forums as well
Posted: Thu Nov 04, 2021 11:46 pm
by rjent
edma194 wrote: ↑Thu Oct 28, 2021 3:26 pm
If anyone can reach out to him personally I hope that they do.
Done.
I hope this can be resolved....

Re: Maybe I’m done on Forums as well
Posted: Wed Nov 17, 2021 2:08 pm
by admin
We are running fail2ban already; however, we don't have any specific rules set up for phpbb, and I don't know that any exist already. Do you know of any? phpbb has some of its own filtering tools built in and I adjusted those settings to hopefully deter this sort of behavior.
Re: Maybe I’m done on Forums as well
Posted: Wed Nov 17, 2021 4:51 pm
by rlkeeney
Two-part authentication might help. It will annoy some users, but they can't get past the code entrance form. Almost every financial account I have uses two-part authentication. I turn it on in places where I have the option.
Something that helps with spammers is to not allow new users to post links and maybe photos until they have posted several valid posts that do not have links or photos. The number of posts you keep secret and don't tell them until they try to post a link or photo. Next you delete new accounts that don't post within some reasonable amount of time. Spammers will try to post a link, discover that they can't, and go away. Their accounts are deleted after the time-out has expired. Automated if possible. You will occasionally delete someone who isn't a spammer, but not many. If they don't ever post anything it should not be much of a problem.