Prevent Admin lockout

  • App
    WoltLab Suite Core

    On the first day I installed the Woltlab software there was a problem and I got locked out of my own site! That should never happen.

    Can you please implement a safeguard to prevent the admin/site owner from ever getting locked out of the software?

    thanks

    Jupiter

    I am a Newbie Admin. Please be gentle, I don't understand technical things.
    (Please can we have a full manual for this software)

    There is a warning message when you edit groups you're in or your own user. Everything else would get very complex or would restrict the possibilities of configuring the rights.

    I wasn't editing my usergroup, that I was aware of, but even if I had, I should not have been locked out of the software. Never had this with previous forum software before.

    Can you tell more details about your "locked out of my own site"?

    It was several weeks ago now and I cannot remember exactly what happened, but it was just after I installed the software and I was configuring it and I got locked out. I got a message to try later to re-enter. It took about 90-120 minutes to get back into the software. Very frightening, considering I had only just installed the software.

    I am a Newbie Admin. Please be gentle, I don't understand technical things.
    (Please can we have a full manual for this software)

  • It was several weeks ago now and I cannot remember exactly what happened, but it was just after I installed the software and I was configuring it and I got locked out. I got a message to try later to re-enter. It took about 90-120 minutes to get back into the software. Very frightening, considering I had only just installed the software.

    Typed in the password wrongly a couple of times?
    It is a security feature of the software to block someone who has tried too many times to log in with the wrong password.

    You can lower that lockout time in the ACP.

  • That may be what happened, Throwholics. But even if that were the case, I should not ever be locked out under any circumstances.

    Thank you for the suggestion, though.

    I am a Newbie Admin. Please be gentle, I don't understand technical things.
    (Please can we have a full manual for this software)

  • But even if that were the case, I should not ever be locked out under any circumstances.

    Sit down and think about this. You want to disable a security feature that prevents you from "hacking"/bruteforcing the administrator's password? Are you serious?

    I'd prefer you just remember your password instead of decreasing the software's security just because you don't remember your password which you set 5 minutes before.

  • First of all, please cut out the little dig there.

    I don't know whether I forgot the password or not. I don't think I did, as I do have a memory span that lasts longer than 5 minutes. Thank you for that... but as I cannot remember the reason I was locked out, and as Throwholics suggested that, I agreed with him, save for another explanation.

    I don't know why you are talking about hacking and brute-forcing. I don't want to do either. I want to prevent admins from being locked out of their own accounts; I am sure that is possible without compromising security.

    I am a Newbie Admin. Please be gentle, I don't understand technical things.
    (Please can we have a full manual for this software)

  • https://en.wikipedia.org/wiki/Brute-force_search

    The problem in the way you described it sounds like you got x wrong passwords and hit the security limit, that prevents you from getting brute-forced. That's why I'm talking about it. ;)

    You don't need to forget the password, you just need to have a stupid typo every time you submit the data. That's pretty normal, but I don't remember ever hitting the limit to get banned for some time (10 times wrong within 7200 seconds). Of course I already hit the limit for the additional reCaptcha field (3 times wrong), but not for getting suspended for x minutes.

    I'm just saying that if this was your problem, the suggestion to disable this feature (by default) would open every door for brute-forcing.

    Btw. you should be able to check if you had some wrong submits there: https://www.forumbox.co.uk/acp/index.php?…n-failure-list/

    If we're wrong and your problem was something different, just forget what I'm talking about. But it would have been better to discuss this right after it happened and not weeks later; would have been easier to check what the problem was. :)
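    The throttle MysteryCode describes (an extra CAPTCHA after 3 failed logins, a suspension after 10 failures within 7200 seconds, and a failure list that only shows recent entries) can be modelled in a few lines. The block below is an added, constructed example and is not WoltLab's own code; it assumes the counter is keyed on the combination of username and client address (a counter keyed on the username alone would let any remote party lock an admin out), that the suspension ends when the oldest failure in the window ages out, and that a successful login clears the counter. Timestamps and addresses are constructed.

    ```python
    """Constructed model of a failed-login throttle (not WoltLab's implementation).

    Policy taken from the thread:
      - after CAPTCHA_AFTER failures the login form demands an extra CAPTCHA,
      - after LOCK_AFTER failures inside WINDOW_SECONDS the login is suspended,
      - only failures inside the window count, so old entries fall out of the
        "login failure list" on their own.
    """
    from collections import defaultdict, deque
    from dataclasses import dataclass, field
    import time

    CAPTCHA_AFTER = 3        # failures before the extra CAPTCHA field is required
    LOCK_AFTER = 10          # failures before the login is suspended
    WINDOW_SECONDS = 7200    # sliding window in which failures are counted


    @dataclass
    class FailedLoginThrottle:
        captcha_after: int = CAPTCHA_AFTER
        lock_after: int = LOCK_AFTER
        window: int = WINDOW_SECONDS
        # (username, client_ip) -> timestamps of failures, oldest first
        _failures: dict = field(default_factory=lambda: defaultdict(deque))

        def _prune(self, key, now):
            """Drop failures that are older than the window and return the rest."""
            q = self._failures[key]
            while q and now - q[0] >= self.window:
                q.popleft()
            return q

        def record_failure(self, username, ip, now=None):
            now = time.time() if now is None else now
            self._prune((username, ip), now).append(now)

        def record_success(self, username, ip):
            # a correct password resets the counter for this user/address pair
            self._failures.pop((username, ip), None)

        def status(self, username, ip, now=None):
            """Return (state, failures_in_window, seconds_until_retry)."""
            now = time.time() if now is None else now
            q = self._prune((username, ip), now)
            n = len(q)
            if n >= self.lock_after:
                # the lock lifts when the oldest counted failure leaves the window
                return "locked", n, int(q[0] + self.window - now)
            if n >= self.captcha_after:
                return "captcha", n, 0
            return "ok", n, 0

        def failure_list(self, now=None):
            """What an ACP 'login failure list' would show: recent failures only."""
            now = time.time() if now is None else now
            rows = []
            for (user, ip), _ in list(self._failures.items()):
                for ts in self._prune((user, ip), now):
                    rows.append((user, ip, ts))
            return sorted(rows, key=lambda r: r[2])


    def build_streak(failures, start=1_000_000.0, gap=5.0):
        """Constructed scenario: an admin mistypes the password `failures` times,
        one attempt every `gap` seconds, from the same (documentation) address."""
        t = FailedLoginThrottle()
        for i in range(failures):
            t.record_failure("admin", "203.0.113.7", now=start + i * gap)
        return t


    if __name__ == "__main__":
        t = build_streak(10)
        print(t.status("admin", "203.0.113.7", now=1_000_050.0))   # locked, retry in 7150 s
        print(len(t.failure_list(now=1_000_050.0)), "recent failures listed")
    ```

    The `status` call is what the login handler would consult before checking the password at all; the `retry` seconds are the value to put into the "try again later" message rather than a fixed delay, so an admin knows when the lock actually ends.
    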

  • I am so overwhelmed with problems, that I simply forgot to post this earlier. Not having a manual is a major issue for me.

    I checked the link you gave, but it only shows failed logins from the 27th June onwards, so obviously the software has cleared out older failed login attempts, so I cannot say whether my lockout was due to the password or not.

    Thanks for your replies, MysteryCode, the suggestion I have made is primarily for new people setting up Woltlab for the first time, who may encounter this issue.

    When I migrated my forum over to Woltlab software, all member passwords were lost and I seem to recall then that there was an issue with password recovery too. Some of my members did not have an option to reset their password, so I don't know if my issue is password related or not.

    I am a Newbie Admin. Please be gentle, I don't understand technical things.
    (Please can we have a full manual for this software)

  • Read all the comments in this post - interesting; especially from the standpoint that I too have worried about getting "locked out" of my own account (but more particularly in the past when I was just starting out with Woltlab Forum Software).

    Now I am particularly careful whenever I am in an area of my admin account or somewhere else in the ACP settings that could possibly cause me to get "locked-out"!

    The only thing that comes to my mind is: IF someone does get "locked out" of their own account because of some action that the individual was careless about - or whatever the reason - there could be a "back-up" message concerning this "lock-out" sent to the Admin's Email Address (an address which would have been initiated when the Forum Software was FIRST uploaded).

    In that Email Message could be a link to follow through with steps to get the rightful owner (the admin who got locked out) back into his own site.

    I really don't know if such a proposal - as I mentioned above - would pose a "security risk" or not; but surely Woltlab Designers would be able to work this out in such a way that it would not pose a security risk.

    DJ

  • The two main reasons you lock yourself out of the system are when

    • you are editing your own user account in the admin panel and are careless with removing the user groups (e.g. Administrator group)
    • you change the permissions in the Administrator group (removing permissions)

    I would give you the advice to create a new user who has all administrator permissions and rights of a new group called "Superuser" or something like that. Use this account only as a recovery.

    Edited once, last by Sonnenspeer (26 July 2017 at 03:41)
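    The two causes Sonnenspeer lists (dropping your own account out of the Administrator group, or removing permissions from that group) and the warning the developer mentioned earlier in the thread can be turned into a dry-run check that runs before the edit is saved. The block below is an added, constructed example, not WoltLab's code: it uses a made-up permission name `admin.access` standing in for whatever permission grants ACP access, constructed users and groups, and the "Superuser" recovery account from the advice above, and it shows that the recovery account is exactly what turns a hard refusal into a mere warning.

    ```python
    """Constructed dry-run check for group/permission edits (not WoltLab's code).

    Two things are checked before an edit is applied:
      1. would the person making the edit lose their own administrator access?
      2. would no account at all keep administrator access?
    The second case is the one that should be refused outright.
    """
    from dataclasses import dataclass, field

    # constructed name standing in for the permission that grants ACP access
    ADMIN_PERMISSION = "admin.access"


    @dataclass
    class Group:
        name: str
        permissions: set = field(default_factory=set)


    @dataclass
    class User:
        name: str
        groups: set = field(default_factory=set)  # names of the groups the user is in


    def has_admin(user, groups):
        """True if any of the user's groups carries the admin permission."""
        return any(ADMIN_PERMISSION in groups[g].permissions
                   for g in user.groups if g in groups)


    def check_change(actor, users, groups, new_user_groups=None, new_group_permissions=None):
        """Simulate the edit on a copy of the state and return the warnings it would raise.

        new_user_groups:       {username: set_of_group_names} proposed memberships
        new_group_permissions: {groupname: set_of_permissions} proposed permission sets
        """
        groups_after = {n: Group(n, set(g.permissions)) for n, g in groups.items()}
        for n, perms in (new_group_permissions or {}).items():
            groups_after[n].permissions = set(perms)
        users_after = {n: User(n, set(u.groups)) for n, u in users.items()}
        for n, gs in (new_user_groups or {}).items():
            users_after[n].groups = set(gs)

        warnings = []
        if has_admin(users[actor], groups) and not has_admin(users_after[actor], groups_after):
            warnings.append(f"{actor}: this change removes your own administrator access")
        if not any(has_admin(u, groups_after) for u in users_after.values()):
            warnings.append("no account would keep administrator access; refuse this change")
        return warnings


    def sample_site(with_recovery=True):
        """Constructed site: one admin, an optional 'Superuser' recovery account, one member."""
        groups = {
            "Administrators": Group("Administrators", {ADMIN_PERMISSION, "mod.canBan"}),
            "Superuser": Group("Superuser", {ADMIN_PERMISSION}),
            "Users": Group("Users", set()),
        }
        users = {
            "jupiter": User("jupiter", {"Administrators", "Users"}),
            "alice": User("alice", {"Users"}),
        }
        if with_recovery:
            users["recovery"] = User("recovery", {"Superuser"})
        return users, groups


    def scenario_self_removal(with_recovery=True):
        """Cause 1: the admin edits their own account and drops the Administrator group."""
        users, groups = sample_site(with_recovery)
        return check_change("jupiter", users, groups, new_user_groups={"jupiter": {"Users"}})


    def scenario_strip_group_permission(with_recovery=True):
        """Cause 2: the admin removes the admin permission from the Administrator group."""
        users, groups = sample_site(with_recovery)
        return check_change("jupiter", users, groups,
                            new_group_permissions={"Administrators": {"mod.canBan"}})


    if __name__ == "__main__":
        for fn in (scenario_self_removal, scenario_strip_group_permission):
            print(fn.__name__, "with recovery account:", fn(True))
            print(fn.__name__, "without recovery account:", fn(False))
    ```

    With the recovery account present either edit only produces the "you are removing your own access" warning, which is the situation the existing ACP warning covers; without it the same edits would leave the site with no administrator, and that is the case a safeguard should refuse to save.
    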

  • I would give you the advice to create a new user which has all administrator permissions and rights of a new group called "Superuser" or something like that. Use this account only as a recovery.

    Your suggestion is a good one; but I still believe there could be the "back up" Email - of which I mentioned above.

    Are Woltlab Designers reading this ???

  • Some of my members did not have an option to reset their password, so I don't know if my issue is password related or not.

    This is now fixed, I believe in 3.0.5 or so.

    Everyone should be able to reset passwords again without any issues.

    Your suggestion is a good one; but I still believe there could be the "back up" Email - of which I mentioned above.

    Are Woltlab Designers reading this ???

    The one who has access to the MySQL database will never get locked out completely.

    One can simply change the email address of an account with admin rights and request a new password and login.

  • In my opinion a "good" system doesn't ask too many questions or prevent anything.

    Because a "good" system must assume, that there is a "good" admin/user.

    Take unix for example... rm -Rf /

    There will be no questions asked to the root user. The system will immediately begin to delete ANYTHING it can get hold of... local drives, network drives, in some cases even the bios/firmware of the computer (if it is mounted rw on /dev).

  • The one who has access to the MySQL database will never get locked out completely.

    One can simply change the email address of an account with admin rights and request a new password and login.

    Understood, and I agree with your "assessment" to the extent that the Individual Admin of a Forum knows HOW to access, and make proper, accurate changes in mySQL.

    Failing that, he (or she) would have to rely on whoever is the Hosting Provider.

    I am one of the "lucky ones" in that my Hosting Provider has technicians that are knowledgeable AND willing to make changes for me - and almost always without a fee. But unfortunately, not every Hosting Provider is that accommodating! :)

  • Someone who is not able to manipulate a database with phpMyAdmin should not even have a forum.

    An admin who installs a forum software should know bits and pieces ;)

    But you are lucky that your hosting provider helps you anyway.

    "Someone who is not able to manipulate a database with phpMyAdmin should not even have a forum." :rolleyes:

    That comment really was a hard "blow beneath the belt-line"!

    Hope the remainder of your day is a good one;)

  • Someone who is not able to manipulate a database with phpMyAdmin should not even have a forum.

    An admin who installs a forum software should know bits and pieces ;)

    :/ That would be me then.

    I am a Newbie Admin. Please be gentle, I don't understand technical things.
    (Please can we have a full manual for this software)
