From: LuKreme <kr...@kr...> - 2010-10-03 19:41:29

I'm looking at adding the Captcha plugin to my login screen, but I wanted to know if it allows whitelisting users (IPs) once they've successfully authenticated against the Captcha? I do not want to force users to use the Captcha every time they log in, but rather only the first time they log in from the IP address they are using. Most users have fairly static IPs (they may change every few months unless they are road-warriors).

-- 
DILLIGAF?
From: Mike O. <og...@el...> - 2010-10-04 01:48:24

Just my opinion, but I think that you would want the user to always use the captcha login. The purpose of Captcha is to prevent "robots" from trying to log in. I know that it is a hassle, but that is what security is about. See the article about the inconvenience of security from the SANS Institute:

  Survey: Cyber Security Hampering Productivity (September 30, 2010)
  A survey conducted by the Government Business Council found that officials at US federal government agencies feel that cyber security has a negative impact on productivity. Two of the most often cited issues are restricted access to information and delayed communications. Nearly two-thirds of the 162 respondents from 28 agencies said that security controls prevented them from accessing certain websites or applications they needed for their jobs. The officials said they often circumvented security controls to get their jobs done; some reported using non-agency devices to access the information they needed. The respondents also noted that security measures slowed down computers' performance. The respondents said that the most important consideration in implementing security policies should be access to information.
  http://www.eweek.com/c/a/Security/CyberSecurity-Cutting-Federal-Government-Productivity-Survey-744792/
  [Editor's Note (Pescatore): The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity. That said, there are a lot of very, very silly URL blocking and email policies in place out there that *do* impact productivity, *don't* increase security and *do* encourage users to bypass IT systems.]

On Sun, October 3, 2010 2:41 pm, LuKreme wrote:
> I'm looking at adding the Captcha plugin to my login screen, but I
> wanted to know if it allows whitelisting users (IPs) once they've
> successfully authenticated against the Captcha?
>
> I do not want to force users to use the Captcha every time they log in,
> but rather only the first time they log in from the IP address they are
> using. Most users have fairly static IPs (they may change every few
> months unless they are road-warriors).
>
> --
> DILLIGAF?

-- 
--------------------------------------------------
"Choose a job you love, and you will never have to work a day in your life" - Confucius
From: Paul L. <pa...@sq...> - 2010-10-04 06:50:10

On Sun, Oct 3, 2010 at 12:41 PM, LuKreme <kr...@kr...> wrote:
> I'm looking at adding the Captcha plugin to my login screen, but I
> wanted to know if it allows whitelisting users (IPs) once they've
> successfully authenticated against the Captcha?
>
> I do not want to force users to use the Captcha every time they log in,
> but rather only the first time they log in from the IP address they are
> using. Most users have fairly static IPs (they may change every few
> months unless they are road-warriors).

Mike's reply is interesting, but in any case, you might be most interested in using the Lockout plugin. It can be configured to use the CAPTCHA plugin when needed, which should catch the bot attacks someone referenced. It uses the opposite logic from what you asked for, but should accomplish what you want. If there were a compelling enough reason to add it, I might be convinced to take a look at your idea, but I think you should see what's already there and consider that.

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
From: LuKreme <kr...@kr...> - 2010-10-04 17:42:11

On 3-Oct-2010, at 19:22, Mike Ogden wrote:
> Just my opinion, but I think that you would want the user to always use
> the captcha login. The purpose of Captcha is to prevent "robots" from
> trying to log in.

Once I've verified that a particular IP is not a robot, I don't see the utility of forcing a captcha on the user.

-- 
'Never trust a ruler who puts his faith in tunnels and bunkers and escape routes. The chances are that his heart isn't in the job.'
From: Paul L. <pa...@sq...> - 2010-10-04 18:43:26

On Mon, Oct 4, 2010 at 10:42 AM, LuKreme <kr...@kr...> wrote:
>
> On 3-Oct-2010, at 19:22, Mike Ogden wrote:
>
>> Just my opinion, but I think that you would want the user to always use
>> the captcha login. The purpose of Captcha is to prevent "robots" from
>> trying to log in.
>
> Once I've verified that a particular IP is not a robot, I don't see the utility of
> forcing a captcha on the user.

Because most people are on ISPs that hand out dynamically allocated IP addresses, I don't think this is necessarily a good idea.

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
From: LuKreme <kr...@kr...> - 2010-10-04 18:17:43

On 4-Oct-2010, at 00:49, Paul Lesniewski wrote:
> Mike's reply is interesting, but in any case, you might be most
> interested in using the Lockout plugin. It can be configured to use
> the CAPTCHA plugin when needed, which should catch the bot attacks
> someone referenced. It uses the opposite logic from what you asked for,
> but should accomplish what you want. If there were a compelling
> enough reason to add it, I might be convinced to take a look at your
> idea, but I think you should see what's already there and consider
> that.

Ah… yes, that should work. Actually, it will make it even easier, as my primary login is a form on the WordPress blog and I was wondering how I was going to integrate the CAPTCHA into that anyway. So I can just set it to invoke the captcha if the user fails a login attempt, which means most users will never even see it.

Quick question about $activate_CAPTCHA_after_failed_attempts. If I set the value to '1:0:0', does that mean that if the user fails a single login EVER they will FOREVER have to use the CAPTCHA, or that the CAPTCHA will remain in effect for their IP until they log in successfully?

I would like the CAPTCHA to show up once the user has failed a login and to remain active on that IP until they successfully log in, even if that is 5 minutes or 5 months. Once they log in, I don't want them to have to use the CAPTCHA (unless their login fails again).

On testing, it looks like it remains active forever. Any way to do what I want and clear the CAPTCHA once a valid login occurs?

After max_login_attempts has been reached, the message is "Access denied, please contact your system administrator" on the redirect page. Is it possible to set this to something like:

"Too many login failures, your IP has been blocked from any more login attempts for x minutes. Please contact your system administrator."

This way the user, maybe possibly, has some idea what has happened as opposed to just thinking SquirrelMail is b0rk3d.

-- 
IT'S BECAUSE OF THE UNCERTAINTY PRINCIPLE. 'What's that?' I'M NOT SURE. --The Fifth Elephant
From: Paul L. <pa...@sq...> - 2010-10-04 18:46:05

Please wrap long lines in your responses, thanks.

On Mon, Oct 4, 2010 at 11:17 AM, LuKreme <kr...@kr...> wrote:
> On 4-Oct-2010, at 00:49, Paul Lesniewski wrote:
>> Mike's reply is interesting, but in any case, you might be most
>> interested in using the Lockout plugin. It can be configured to use
>> the CAPTCHA plugin when needed, which should catch the bot attacks
>> someone referenced. It uses the opposite logic from what you asked for,
>> but should accomplish what you want. If there were a compelling
>> enough reason to add it, I might be convinced to take a look at your
>> idea, but I think you should see what's already there and consider
>> that.
>
> Ah… yes, that should work. Actually, it will make it even easier, as my primary login is a form on the WordPress blog and I was wondering how I was going to integrate the CAPTCHA into that anyway. So I can just set it to invoke the captcha if the user fails a login attempt, which means most users will never even see it.
>
> Quick question about $activate_CAPTCHA_after_failed_attempts. If I set the value to '1:0:0', does that mean that if the user fails a single login EVER they will FOREVER have to use the CAPTCHA, or that the CAPTCHA will remain in effect for their IP until they log in successfully?

IIRC, yes, this is correct.

> I would like the CAPTCHA to show up once the user has failed a login and to remain active on that IP until they successfully log in, even if that is 5 minutes or 5 months. Once they log in, I don't want them to have to use the CAPTCHA (unless their login fails again).
>
> On testing, it looks like it remains active forever. Any way to do what I want and clear the CAPTCHA once a valid login occurs?

I'll think about adding this as a configurable option when I can find the time.

> After max_login_attempts has been reached, the message is "Access denied, please contact your system administrator" on the redirect page. Is it possible to set this to something like:
>
> "Too many login failures, your IP has been blocked from any more login attempts for x minutes. Please contact your system administrator."

You can grep the code for that string and change it directly. The text was chosen because it doesn't give attackers any more information than they deserve.

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
From: Paul L. <pa...@sq...> - 2010-11-12 03:48:52

On Mon, Oct 4, 2010 at 11:45 AM, Paul Lesniewski <pa...@sq...> wrote:
> Please wrap long lines in your responses, thanks.
>
> On Mon, Oct 4, 2010 at 11:17 AM, LuKreme <kr...@kr...> wrote:
>> On 4-Oct-2010, at 00:49, Paul Lesniewski wrote:
>>> Mike's reply is interesting, but in any case, you might be most
>>> interested in using the Lockout plugin. It can be configured to use
>>> the CAPTCHA plugin when needed, which should catch the bot attacks
>>> someone referenced. It uses the opposite logic from what you asked for,
>>> but should accomplish what you want. If there were a compelling
>>> enough reason to add it, I might be convinced to take a look at your
>>> idea, but I think you should see what's already there and consider
>>> that.
>>
>> Ah… yes, that should work. Actually, it will make it even easier, as my primary login is a form on the WordPress blog and I was wondering how I was going to integrate the CAPTCHA into that anyway. So I can just set it to invoke the captcha if the user fails a login attempt, which means most users will never even see it.
>>
>> Quick question about $activate_CAPTCHA_after_failed_attempts. If I set the value to '1:0:0', does that mean that if the user fails a single login EVER they will FOREVER have to use the CAPTCHA, or that the CAPTCHA will remain in effect for their IP until they log in successfully?
>
> IIRC, yes, this is correct.
>
>> I would like the CAPTCHA to show up once the user has failed a login and to remain active on that IP until they successfully log in, even if that is 5 minutes or 5 months. Once they log in, I don't want them to have to use the CAPTCHA (unless their login fails again).
>>
>> On testing, it looks like it remains active forever. Any way to do what I want and clear the CAPTCHA once a valid login occurs?
>
> I'll think about adding this as a configurable option when I can find the time.

Version 1.7, which has just been released, adds this feature. Just add ":1" (without quotes) to the end of $activate_CAPTCHA_after_failed_attempts to enable it.

Cheers,
Paul

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
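To make the behaviour discussed in this thread concrete, here is an added Python model of the per-IP policy (written for this page, not the Lockout plugin's own code): a CAPTCHA is required after a configurable number of failed logins, it optionally clears again on a successful login (the ":1" behaviour added in 1.7), and the IP is locked out entirely once max_login_attempts is reached. The class and field names, the return codes, and the assumption that a wrong CAPTCHA answer does not count as a password failure are mine.

```python
from dataclasses import dataclass, field


@dataclass
class IpState:
    failures: int = 0             # consecutive failed logins seen from this IP
    captcha_required: bool = False
    locked: bool = False


@dataclass
class LockoutPolicy:
    """Model of the per-IP policy from the thread (assumption: not the plugin's code).

    captcha_after_failures   - first field of '1:0:0': failures before CAPTCHA is shown
    clear_captcha_on_success - the ':1' suffix from Lockout 1.7: a good login clears it
    max_login_attempts       - failures after which the IP is denied entirely
    """
    captcha_after_failures: int = 1
    clear_captcha_on_success: bool = False
    max_login_attempts: int = 5
    ips: dict = field(default_factory=dict)

    def state(self, ip: str) -> IpState:
        return self.ips.setdefault(ip, IpState())

    def needs_captcha(self, ip: str) -> bool:
        return self.state(ip).captcha_required

    def record_login(self, ip: str, password_ok: bool, captcha_ok: bool = True) -> str:
        """Apply one login attempt from `ip` and return what the user would see."""
        s = self.state(ip)
        if s.locked:
            return "denied"        # "Access denied, please contact your system administrator"
        if s.captcha_required and not captcha_ok:
            return "captcha"       # assumption: a wrong CAPTCHA is not a password failure
        if password_ok:
            s.failures = 0
            if self.clear_captcha_on_success:
                s.captcha_required = False
            return "ok"
        s.failures += 1
        if s.failures >= self.captcha_after_failures:
            s.captcha_required = True
        if s.failures >= self.max_login_attempts:
            s.locked = True
            return "denied"
        return "failed"
```

Keying the state on client IP carries the caveat Paul raises: with dynamically allocated addresses, one address may be handed to a different user while the CAPTCHA or lockout is still in force.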