Bug #877 Security admin module 1.12 banning users too quickly for flooding
Project: Dragonfly 9.0.3 -> 9.3 Category: Security
Submitted: Saturday, December 30, 2006 (21:04:30) Modified: Saturday, June 09, 2007 (00:28:05)
Status: Closed Assigned to:
PHP Version: Irrelevant HTTPD Server: Apache 1.3
Votes: 1
Vote results:
Avg. Score: 5.0 ± 0.0 Reproduced: 1 of 1 (100.0%)
Same PHP Version: 1 (100.0%) Same HTTPD Server: 0 (0.0%)


by: Beldak
Description:
------------
A recent change in the admin security module is banning users for 'flooding' after browsing just a few forum threads.

The sensitivity is set way too high currently. Unsure how to offer advice on correction.

Also, on a side note there is not a way to individually delete 24-hr bans. (I had to go into the database to delete ban_type 7 bans.) There should be a way to delete them from the security module and not wait the full 24 hours for them to expire.
by: NanoCaiordo
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation
and the instructions on how to report a bug.

The flooding system has just been "activated" and it is not a bug.

I'm pretty sure that all banned users are using tabbed browsers. If so, they should stop hammering the website with "Open in a new tab" for any link they find on the page.

The security system shows a full-screen warning 3 times, which is a very reasonable number of times, and then they have to wait for 24 hours.

If you think I should add a new feature to "wipe all" flooding bans, then please use our "add a feature" within this project. (new df feature for users only)
by: NanoCaiordo
Seems that the flood count is not being cleared.
by: NanoCaiordo
Please try using one of these CVS snapshots:

Latest tar.gz
Latest tar.bz2

or apply this patch
--- html/includes/classes/security.php:9.31 Sat Dec 30 06:40:00 2006 +++ html/includes/classes/security.php Sun Dec 31 05:49:20 2006 @@ -225,6 +225,9 @@ } cpg_error('', 803); } + } else { + $flood_time = $_SESSION['SECURITY']['flood_time'] = 0; + $flood_count = $_SESSION['SECURITY']['flood_count'] = 0; } Security::_flood_log($ip, $flood_count); unset($flood_time, $flood_count);
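Review bot: in the added else branch, `$_SESSION['SECURITY']['flood_time']` is reset to 0 rather than to the time of the current request, so the next request has no previous timestamp to compare against; please confirm that the check above this branch treats 0 as "no previous request" instead of computing an interval from it, and add a one-line comment saying which condition this else pairs with. The reset is also stored in the session, while `Security::_flood_log($ip, $flood_count)` takes `$ip`, so a comment should state what logging a count of 0 for that IP is expected to do.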
by: NanoCaiordo
This bug has been fixed in the CVS.

Snapshots of the sources are packaged every 6 hours; this change
will be in the next snapshot. You can grab the snapshot at the
Downloads section.

Thank you for the report, and for helping us to make Dragonfly 9.0.3 -> 9.1 better.
by: Beldak
I've updated to the newest CVS (including security module 1.12) and users are still getting banned far too easily. In 10 minutes I had 13 banned users. We either need the ability to set our own threshold/sensitivity or the default "flooding" needs to be reduced to a more reasonable number. I'm happy to help with testing.
by: NanoCaiordo
Initially there was a bug, but now that it's all working properly it cannot be classified as a bug.

It sounds more like a feature request.
by: Beldak
I tested it yet again today with the newest CVS. I had 9 users banned in about 15 minutes. I checked with several of them and they are just browsing the site like normal, reading posts, checking the calendar etc.

There is no way it can be working properly.

Let me know if you need help testing this.
by: NanoCaiordo
Does your .htaccess include those changes?
http://dragonflycms.org/cvs/html/.htaccess?d=9.18-9.17

Does your robots.txt include those changes?
http://dragonflycms.org/cvs/html/robots.txt?d=9.5-9.4
by: DJ Maze
Closed, seems Google and other web accelerators cause the issue.
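
The "flood count is not being cleared" behaviour discussed in this thread, as an added example that is not Dragonfly's code and not part of the original report: a session-style counter replayed over a constructed browsing pattern, showing how a count that is never cleared lets widely spaced pairs of quick requests add up to a ban. `MIN_GAP`, `MAX_FAST`, `flood_check()` and `first_ban()` are hypothetical; the thread does not state the real thresholds.

```php
<?php
// Added illustration, not Dragonfly's security.php.
const MIN_GAP  = 2;  // assumed: requests less than this many seconds apart count as "fast"
const MAX_FAST = 3;  // assumed: fast requests that only warn (the thread mentions 3 warnings)

/**
 * Update flood state for one request.
 * $state mimics $_SESSION['SECURITY'] with flood_time / flood_count keys.
 * Returns 'ok', 'warn' or 'ban'.
 */
function flood_check(array &$state, int $now, bool $clearWhenSlow): string
{
    $last = $state['flood_time'] ?? 0;
    $state['flood_time'] = $now;
    if ($last > 0 && $now - $last < MIN_GAP) {
        $state['flood_count'] = ($state['flood_count'] ?? 0) + 1;
        return $state['flood_count'] > MAX_FAST ? 'ban' : 'warn';
    }
    if ($clearWhenSlow) {
        $state['flood_count'] = 0; // a normally paced request clears the history
    }
    return 'ok';
}

/** Replay request timestamps; return the index of the request that triggers a ban, or null. */
function first_ban(array $times, bool $clearWhenSlow): ?int
{
    $state = [];
    foreach ($times as $i => $t) {
        if (flood_check($state, $t, $clearWhenSlow) === 'ban') {
            return $i;
        }
    }
    return null;
}

// Constructed sample: a reader opens two tabs at once, roughly once a minute.
$times = [1000, 1001, 1060, 1061, 1120, 1121, 1180, 1181, 1240, 1241];

var_dump(first_ban($times, false)); // counter never cleared between bursts
var_dump(first_ban($times, true));  // counter cleared by a normally paced request
```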