Question Failed Mass Logins ??

Status
Not open for further replies.

sjmcl

Customer
When I logged in to my XF admin, I once mistyped my password. Immediately after I typed it correctly and logged in.

But then I got a 'Failed Mass Logins' email:

[Sep 15, 2016 at 6:17 PM] Attempted User Names: FridaSage, magdalena, <my username> - IP Address: <my ip address>

The user FridaSage is not a member of my forum, but has been showing up in other 'Failed Mass Logins' and 'Failed Non-Existent Logins', either in combination with other usernames or by itself.

The user magdalena is a member of my forum and has been showing up in similar 'Failed Mass Logins' emails, either alone or in combination with non-existent usernames.

In all of these instances, sometimes the IP address is from the existent member, sometimes it is not, i.e. from Latvia, Poland, etc.

Am I reading these logs wrong, or is there indeed something or someone using these fake and real usernames to log in to my forum, from dodgy locations?
 
Hi there,

That means that someone has tried to log in with that user information, and your failed login hit the threshold.

Failed Mass Logins will track both existing and non-existing, whereas Failed Non-Existing will track only non-existing ones. The reason for this is that someone might be trying a dump of random usernames, which you can handle differently.

If you were to set up your rules in such a way as to only alert you in the event of X failed logins from the same IP address, then you would not be receiving that particular email. You should be able to configure the rule set in such a way that you can have, e.g., 5 failed logins in 1 hour from the same IP address triggering an email alert.

Does that make sense?

Feel free to let me know if you have any specific questions :)
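The difference between a site-wide failed-login threshold and a per-IP one, as an added example that is not part of the posts in this thread and is not DragonByte Security's code. The events, IP addresses, the `admin_user` name and the `detect` function are constructed for illustration; the thresholds (3 site-wide, 5 per hour per IP) are taken from the discussion.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, username, source IP, account exists?)
# IPs come from the RFC 5737 documentation ranges.
EVENTS = [
    ("2016-09-15 18:05", "FridaSage", "203.0.113.7", False),
    ("2016-09-15 18:11", "magdalena", "198.51.100.23", True),
    ("2016-09-15 18:17", "admin_user", "192.0.2.10", True),
    ("2016-09-15 18:20", "FridaSage", "203.0.113.7", False),
    ("2016-09-15 18:21", "qwerty", "203.0.113.7", False),
    ("2016-09-15 18:25", "test", "203.0.113.7", False),
    ("2016-09-15 18:30", "magdalena", "203.0.113.7", True),
]


def detect(events, threshold, window, per_ip, only_missing=False):
    """Return one alert per threshold crossing inside a sliding window.

    per_ip=False counts every failure together (site-wide rule);
    per_ip=True counts failures separately for each source IP.
    only_missing=True ignores failures against accounts that exist.
    Every alert keeps the (username, ip) pair of each counted attempt.
    """
    buckets, alerts = {}, []
    for ts, user, ip, exists in events:
        if only_missing and exists:
            continue
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        q = buckets.setdefault(ip if per_ip else "*", deque())
        q.append((now, user, ip))
        while now - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"at": ts, "attempts": [(u, i) for _, u, i in q]})
            q.clear()  # start counting afresh after alerting
    return alerts


HOUR = timedelta(hours=1)
SITE_WIDE = detect(EVENTS, 3, HOUR, per_ip=False)
PER_IP = detect(EVENTS, 5, HOUR, per_ip=True)
NONEXISTENT = detect(EVENTS, 3, HOUR, per_ip=False, only_missing=True)

if __name__ == "__main__":
    for name, alerts in (("site-wide", SITE_WIDE), ("per-IP", PER_IP),
                         ("non-existent", NONEXISTENT)):
        for a in alerts:
            print(name, a["at"], a["attempts"])
```

With this data the site-wide rule fires on three unrelated addresses, one of them a single mistyped password, while the per-IP rule fires only for the one address that keeps trying different usernames.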
 
Ok, if I understand correctly, then the email I received listed 3 failed logins (because the threshold was set to 3 and triggered by the third user with a failed login), but they were NOT from the same IP address, even though the error message gave only one IP address, which is the one from the last user that actually reached the threshold. Correct?

If so, are the IP addresses of the other users also recorded somewhere?
 
Just one final suggestion. In order to avoid confusion, it may be better to somehow make it clear in the 'Failed Mass Logins' error message that the IP address at the end of the message only refers to the last user name in the list, and not to all names in that list. It got me confused, so I guess other unwary customers may be left wondering too.

Thanks for the support.
 
Hello sjmcl,

This ticket has now been closed with the status Answered.

We hope your issue or question has been addressed to your satisfaction. If not, please feel free to re-open it by clicking this link.

If you have any further issues or questions, please feel free to start a new support ticket via the button at the top of every page.

Thank you!
 
DragonByte Security

XenForo 1.5.3+ XenForo 2.0.x XenForo 2.1.x XenForo 2.2.x