Question User not getting notification of lockout

Status
Not open for further replies.

svaughn114

Customer
Please see:


The security watcher that I have set isn't triggering as it should. I finally, one time, got it to trigger. It still didn't give me a notification that it was locked out when testing it.

EXAMPLE: I have a security watcher set for 5 failed logins in which the account is locked and the user must unlock (I'm assuming they receive an email to unlock it?) No emails are being sent NOR do I receive a page saying "Account has been locked" or something to that effect. Basically, it allowed me to continue attempting to log in instead of telling me the account was locked. I have tried various configurations and can't get this to work.
 
I am getting a handful of these errors when testing:



Code:
ErrorException: Template error: [E_USER_WARNING] Cannot call method getParsedRule on a non-object (NULL) src/XF/Template/Templater.php:1151
Generated by: Support Jan 26, 2021 at 11:36 PM
Stack trace
#0 [internal function]: XF\Template\Templater->handleTemplateError(512, '[E_USER_WARNING...', '/home/argointe/...', 1151, Array)
#1 src/XF/Template/Templater.php(1151): trigger_error('Cannot call met...', 512)
#2 internal_data/code_cache/templates/l1/s0/admin/dbtech_security_log_watcher_list.php(50): XF\Template\Templater->method(NULL, 'getParsedRule', Array)
#3 src/XF/Template/Templater.php(1626): XF\Template\Templater->{closure}(Object(DBTech\UserTagging\XF\Template\Templater), Array, NULL)
#4 src/XF/Template/Template.php(24): XF\Template\Templater->renderTemplate('dbtech_security...', Array)
#5 src/XF/Mvc/Renderer/Html.php(48): XF\Template\Template->render()
#6 src/XF/Mvc/Dispatcher.php(458): XF\Mvc\Renderer\Html->renderView('DBTech\\Security...', 'admin:dbtech_se...', Array)
#7 src/XF/Mvc/Dispatcher.php(440): XF\Mvc\Dispatcher->renderView(Object(XF\Mvc\Renderer\Html), Object(XF\Mvc\Reply\View))
#8 src/XF/Mvc/Dispatcher.php(400): XF\Mvc\Dispatcher->renderReply(Object(XF\Mvc\Renderer\Html), Object(XF\Mvc\Reply\View))
#9 src/XF/Mvc/Dispatcher.php(58): XF\Mvc\Dispatcher->render(Object(XF\Mvc\Reply\View), 'html')
#10 src/XF/App.php(2300): XF\Mvc\Dispatcher->run()
#11 src/XF.php(488): XF\App->run()
#12 admin.php(13): XF::runApp('XF\\Admin\\App')
#13 {main}
Request state
array(4) {
  ["url"] => string(41) "/admin.php?dbtech-security/logs/watchers/"
  ["referrer"] => string(75) "https://forums.argointel.live/admin.php?dbtech-security/logs/login-strikes/"
  ["_GET"] => array(1) {
    ["dbtech-security/logs/watchers/"] => string(0) ""
  }
  ["_POST"] => array(0) {
  }
}
 
I am getting a handful of these errors when testing:
For this particular error, it would probably be best to truncate the watcher log. Run this SQL query:

Code:
TRUNCATE TABLE xf_dbtech_security_watcher_log;

There appears to be a bug in the latest version that does not delete log entries when a watcher is deleted. I'll resolve that in the next version.

As for the watcher not triggering, can you please elaborate on your testing methodology as well as screenshot your entire watcher setup?
Are you testing with your own account or another account? Is your IP address whitelisted in DB Security maybe?
 
I have tried various settings, including all 3 "lock account" options. I did get the prompt to change my password when testing one setting. No other watchers worked when testing. I then attempted the "change password" watcher once more and it wouldn't trigger. Nonetheless, I'm still not getting a message that the account is locked UNTIL the correct password is entered. Only then does it indicate that the account is locked.

I am testing this with multiple test accounts that I have (My forums aren't currently live).

The attempted logins are being logged in the login strike log.

The watcher log is only indicating the one time that it actually worked.

I'm not sure what's going on.
 

Attachments: dbsec1.png
Nonetheless, I'm still not getting a message that the account is locked UNTIL the correct password is entered. Only then does it indicate that the account is locked.
That is working as intended. It is not intended that the user attempting to login will receive a notification that the account they are trying to access is locked.

The purpose of this feature is not to give the attacker information about the security measures in place, only that the legitimate account holder will receive the information when next they are logged in.
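
The behaviour described in the reply above, sketched as an added example (not part of the thread and not DragonByte Security or XenForo code): a failed login always gets the same reply whether or not the account is locked, and the lock is disclosed only once the correct password is supplied. The `LoginService` class, the message strings and the in-memory account store are hypothetical; the threshold of 5 mirrors the watcher described in the first post.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_STRIKES = 5  # assumed: mirrors the "5 failed logins" watcher from the thread
GENERIC_FAILURE = "Incorrect username or password."
LOCKED_NOTICE = "This account was locked after repeated failed logins."


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    strikes: int = 0
    locked: bool = False


class LoginService:
    """Hypothetical in-memory model; not DragonByte Security or XenForo code."""

    def __init__(self):
        self.accounts = {}
        self._dummy_salt = os.urandom(16)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str):
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, self._dummy_salt)  # keep work similar for unknown users
            return False, GENERIC_FAILURE
        valid = hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)
        if not valid:
            acct.strikes += 1
            if acct.strikes >= MAX_STRIKES:
                acct.locked = True
            # Same reply whether or not the account is locked: no lockout oracle.
            return False, GENERIC_FAILURE
        if acct.locked:
            # Only someone who knows the password learns about the lock.
            return False, LOCKED_NOTICE
        acct.strikes = 0
        return True, "Logged in."
```

When testing a setup like this, the login form's reply is not the place to confirm the lock; check the account's stored state or the strike log, then log in with the correct password.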
 
Okay, it still isn't working, then. Not only does it not give notice that the account is locked, it doesn't lock the account at all, even with the security watcher in place.
 
In your previous post, you said you did get the message:
I'm still not getting a message that the account is locked UNTIL the correct password is entered. Only then does it indicate that the account is locked.
Which is it? Are you getting the message after logging in or not?
 
Hello @svaughn114,

We hope your ticket regarding DragonByte Security has been addressed to your satisfaction. This ticket has now been scheduled to be closed.

If your ticket has not been resolved, you can reply to this thread at any point in the next 7 days in order to reopen the ticket; afterwards, this thread will be closed.

Please do not reply to this thread if your ticket has been resolved.

Thank you.


- DragonByte Technologies, Ltd.
 

DragonByte Security

XenForo 1.5.3+ XenForo 2.0.x XenForo 2.1.x XenForo 2.2.x