Simetrical wrote:
> On 11/30/07, Christensen, Courtney wrote:
>> Hi List,
>> I've searched Google, mediawiki.org, the mailing list archives, and
>> looked through the listed extensions, but I have been unable to find
>> anything about keeping mediawiki accounts from being brute-forced. I'm
>> specifically looking for something that locks an account down after a
>> specified number of login attempts or which adds time between login
>> requests when the password is given incorrectly. Do measures like this
>> exist? Did I just use the wrong search terms?
>
> There were no such features until recently, I think, at least for
> logins. Now I think the ConfirmEdit extension has been updated so
> this is an option, as MinuteElectron says.

I think it's the other way around. There's a time limit that you can bypass
by solving the captcha. Discussion about API login led me to think it's
in core.

> However, this does nothing
> against a manual attacker or a bot that can crack the captcha, I don't
> think.

If he can solve the captcha, there's no limit.

> A general lockout for logins to an account can be used
> for DoS

Agree.

> unless it's IP-specific, in which case it can be
> pretty effectively
> bypassed by anyone using open proxies,
> *and* used for DoS by anyone
> who can spoof IP addresses (e.g., using AOL's different-IP-per-page
> thing to block a big chunk of AOL users from logging into an account).

Can they? They would still need to perform the TCP handshake. I hope the
server's TCP sequence numbers aren't predictable!

However, it would be easy to fix (and painful for bots).
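As an added illustration of the trade-off the thread discusses (this is constructed example code, not MediaWiki's or ConfirmEdit's, written in Python rather than PHP), the throttle below keeps both a per-account and a per-IP failure counter and, once either passes a threshold inside a time window, demands a solved captcha instead of locking the account; a stranger guessing wrong can therefore only inconvenience the real user, not lock them out. The class, method names and IP addresses are all assumptions made for the example.

```python
import time
from collections import defaultdict

class LoginThrottle:
    """Per-account and per-IP failed-login throttle (constructed example).
    After `max_failures` bad passwords within `window` seconds, further attempts
    for that account or from that IP must carry a solved captcha; the account is
    never hard-locked, so a stranger can only force a captcha, not shut a user out."""

    def __init__(self, max_failures=5, window=300, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock  # injectable so the demo can advance time
        self._failures = defaultdict(list)  # (scope, value) -> failure timestamps

    def _recent_failures(self, key):
        now = self.clock()
        kept = [t for t in self._failures[key] if now - t < self.window]
        self._failures[key] = kept  # entries older than the window fall out
        return len(kept)

    def throttled(self, username, ip):
        # Either scope trips the throttle: the account one stops a distributed
        # guess at one user, the IP one stops a bot spraying many accounts.
        return (self._recent_failures(("account", username)) >= self.max_failures
                or self._recent_failures(("ip", ip)) >= self.max_failures)

    def attempt(self, username, ip, password_ok, captcha_ok=False):
        """Return "ok", "bad_password" or "captcha_required"."""
        if self.throttled(username, ip) and not captcha_ok:
            return "captcha_required"  # refuse before even checking the password
        if password_ok:
            return "ok"  # success is not counted; failures simply age out
        now = self.clock()
        self._failures[("account", username)].append(now)
        self._failures[("ip", ip)].append(now)
        return "bad_password"

def demo():
    """A stranger guesses wrong at alice's account; alice then logs in from her own IP."""
    clock = [1000.0]
    t = LoginThrottle(max_failures=3, window=60, clock=lambda: clock[0])
    for _ in range(3):
        t.attempt("alice", "203.0.113.9", password_ok=False)
    forced_captcha = t.attempt("alice", "198.51.100.7", password_ok=True)
    logged_in = t.attempt("alice", "198.51.100.7", password_ok=True, captcha_ok=True)
    clock[0] += 61  # the stranger's failures age out of the window
    return forced_captcha, logged_in, t.attempt("alice", "198.51.100.7", password_ok=True)
```

`demo()` returns `("captcha_required", "ok", "ok")`: alice is challenged, not locked out, and the challenge disappears once the window expires.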