Bug Email on Banned IP

[Bravo]

Bel,

I was looking into a banned IP and I could never find the email alerting me about the action. looking via phpmyadmin I do see the entry in the dbtech_vbsecurity_loginstrike. But I never got the email on that one and a few others, I do get the emails though, apparently not all of them though. Any ideas why I didn't get some of the emails about the alert??

I get quiet a few everyday.

 

[Fillip H.]

It will only send the email when the threshold has been reached, but it will always insert into the loginstrikes.

Check that the webmaster email vBOption is filled out, and also check your spam folders.

 

[Bravo]

The options are set, as I get alot of emails already from vbSecurity, its just some I don't appear to be getting cause when I search for a particular IP that vbsecurity has banned, I can not find it in my emails. Also nothing in the spam folder.
The threshold is obvious reached if it bans the IP correct?

 

[Fillip H.]

Since you are talking about the loginstrike action, I'm guessing you're talking about either of the mass login failure watchers?

 

[Bravo]

Yeah I have only 1 via normal Login failures, but a crap load!!! via massive login failures.

 

[Fillip H.]

So then you do get emails about both login related watchers

 

[Bravo]

Yeah, both ban. I only got a few for "Security Alert: Failed Logons Detected!"
the majority I get are "Security Alert: Failed Mass Logons Detected!" I get the emails and it bans them. Just on a few it found out that it IP banned them but I never got a email about it. and I found the strike in the vbsecurity db. vbsecurity is the only thing I have that would put ban IP's.. my other admin didnt add the ip either. So it was differently vbsecurity.

I was testing with the banned ips and I see that I could add "//vBSecurity" at the end of the IP and it didn't affect any bans.. Maybe this could be added to a future version? which will also server as proof that vbs did add the ip

ex:
127.0.0.1 //vBSecurity Failed Mass Login
127.0.0.2 //vBSecurity Failed Mass Login

 

[Fillip H.]

That doesn't work because the IP Ban interface checks the whole line.

 

[Bravo]

Would it cause errors or something? cause I had "//" in there and I did not get one error, and the IP's remained banned. everything worked that I saw.

 

[Fillip H.]

I'm not sure, but that could be based on each PHP version. It's not something I'd personally want to risk since I have to do everything to ensure maximum compatibility

 

[Bravo]

Bel,

I'm getting some emails of people who got IP banned not knowing whats going on. And when I check I see the email from vBSecurity banning the IP and said they didn't use multiple names to login.

the only watcher I have on that bans is Failed Mass Logons "5 attempts in 1 hour with the 'same ip' and 'any ip' to email webmaster and IP ban.

Any thought how it could be flagging legit users? I've actually gotten like 7 or so emails from legit users stating they got IP banned and only used one username. And some of these users have been with the site for years.

 

[Fillip H.]

If they are the 5th user (or any other multiples of 5, in your case) to fail login, it will trigger the "any IP" rule. That's how that rule works.

Setting the value to 0 will disable a rule. In your case I suggest only keeping the "same IP" rule, to ensure that only when a unique IP address fails login attempts will the rule trigger.