Once Banned, Always Banned?
 



Started by BigHank, January 03, 2020, 02:36:23 AM



BigHank

I am testing with Coppermine 1.6 with Bitnami LAMP Stack VM (Deb 9: 4.9.0-11) in VMWare Workstation.  I have gotten the stack up and running, and have mostly configured Coppermine.  Everything went well until I added a new user.  I set up the user, including an easy-for-testing password, and logged out of Coppermine.

I tried to log in as my new user with what I am certain is the valid password, from my same machine, and was told that the password was invalid.  I tried twice, and quit.  Then I tried to log in again as "user" with what I am certain is the valid password, and got told that I was banned.  I started reading up on "Banning", and then I checked the cpg16xbanned table and there I was.  My "user" was banned.

The new user I created and my admin "user" have different email addresses in their profiles, but I am working on all of this from the same IP address.  Despite all I have read about why banning based on IP address is such a bad idea, it would appear that the default in Coppermine is to do just that.   

I have also found that once the ban expires and is cleaned up in the database, I am immediately banned again next time I try to log in, regardless of the correct password.  This does not seem to be in keeping with how I read/understood the documentation, although in reality it does not seem to be mentioned at all.  Does the banning mechanism in 1.6 maintain some kind of "reputation history" that behaves differently if a user was banned, then forgiven, then...

My questions:
1)  Am I correct that Coppermine uses IP address tracking for banning?
2)  Is banning by email or username or IP address configured somewhere I can get to since I am not able to log in as an admin user?
3)  Why might I be getting banned every time I try to log in, now that I have been banned once (well, now multiple times) before?

Last question:  What do I do now that I am not able to log in as either of the defined users?

Thanks in advance


ron4mac


BigHank

Thank you very much.  I was looking for things named ban..._xxxx.  My mistake.

With this information I updated the database config directly:

login_threshold: set to 99

login_expiry: set to 1

purge_expired_bans: already set to 1 (I assume this means "Yes, do purge expired bans", but they don't appear to be purging any longer.  They did earlier, but apparently no longer.)

Note:  Initial setting of login_threshold to 998 caused an error
--
--  From database.log.php:
     ---
     Jan 02, 2020 at 09:12 PM - While executing query 'INSERT INTO cpg16xbanned (ip_addr, expiry, brute_force) VALUES ('10.0.0.132', '2020-01-02 21:13:47', 998)' in login.php on line 91 the following error was encountered:
     1264 : Out of range value for column 'brute_force' at row 1
     ---
Apparently the documented maximum value of 999 is not actually supported.  Reverted to value of 99, which worked.

After updating these settings it was also necessary to manually delete the prior ban record from table cpg16xbanned.
The expiry time had already expired, but it failed to be purged after several hours.

I attempted to log in as "user" with the correct password, but login failed, and I found a new ban record in table cpg16xbanned.  This new record did show the correct brute_force parameter as "99", which matches the parameter value I set.  Regardless, however, an immediate ban was still applied.  After waiting a few minutes I checked, and this ban record, although expired, was still present.  I may not have purge_expired_bans set correctly.

I am stumped, and am open to suggestions for how to proceed from here.  I must be overlooking something because every login attempt now results in being banned, even with the new thresholds.  Coppermine does not tell me I have been banned, though.  It just says "Login failed. Try again."  This is different behavior from what I saw earlier, when it actually did say "You have been banned from this site".  Seems like something very odd is going on.

Hope someone can provide some insight on this.
Thanks in advance
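Added example, not Coppermine's code and not from either poster: a small Python model of an IP-keyed lockout table that reproduces the effects described in the two posts above, namely a second account behind the same IP locking out the admin, an expired-but-unpurged row re-arming the ban on the next bad guess, and a counter value that does not fit the ban column. The column names ip_addr, expiry and brute_force are taken from the INSERT in the logged error; the setting names are the ones edited in the thread. The counter semantics, the 0..255 range used for the CHECK, the sample accounts and the 10.0.0.132 address are assumptions made for illustration.

```python
"""Hypothetical model of an IP-keyed login lockout backed by a ban table.

Added example, not Coppermine's code. Column names (ip_addr, expiry,
brute_force) come from the INSERT in the thread's database log; the counter
semantics, the purge rule and the 0..255 range are assumptions chosen to
illustrate the behaviour discussed in the thread.
"""
import sqlite3
from datetime import datetime, timedelta

# Settings named after the ones edited in the thread (values are constructed).
CONFIG = {"login_threshold": 3, "login_expiry": 1, "purge_expired_bans": 1}

# Constructed sample accounts; the lockout key is the client IP, not the user.
USERS = {"admin": "S3cret-admin", "alice": "easy-test-pw"}


def new_db():
    db = sqlite3.connect(":memory:")
    # The CHECK stands in for a narrow integer column: the thread's log shows
    # the real column rejecting 998 with "Out of range value" (assumed 0..255).
    db.execute(
        "CREATE TABLE cpg16xbanned ("
        " ip_addr TEXT PRIMARY KEY,"
        " expiry TEXT NOT NULL,"
        " brute_force INTEGER NOT NULL CHECK (brute_force BETWEEN 0 AND 255))"
    )
    return db


def purge_expired(db, now):
    """Drop rows whose expiry has passed, but only if purging is enabled."""
    if CONFIG["purge_expired_bans"]:
        db.execute("DELETE FROM cpg16xbanned WHERE expiry <= ?", (now.isoformat(),))
        db.commit()


def is_banned(db, ip, now):
    """An IP is banned while its counter is at the threshold and not expired."""
    row = db.execute(
        "SELECT expiry, brute_force FROM cpg16xbanned WHERE ip_addr = ?", (ip,)
    ).fetchone()
    if row is None:
        return False
    expiry, failures = row
    return failures >= CONFIG["login_threshold"] and expiry > now.isoformat()


def record_failure(db, ip, now):
    """Bump the per-IP failure counter and push the expiry forward.

    Assumption: only a purge resets the counter, so an expired but unpurged
    row keeps its count and the next failure re-arms the ban immediately.
    """
    expiry = (now + timedelta(minutes=CONFIG["login_expiry"])).isoformat()
    row = db.execute(
        "SELECT brute_force FROM cpg16xbanned WHERE ip_addr = ?", (ip,)
    ).fetchone()
    if row is None:
        db.execute(
            "INSERT INTO cpg16xbanned (ip_addr, expiry, brute_force) VALUES (?, ?, 1)",
            (ip, expiry),
        )
    else:
        db.execute(
            "UPDATE cpg16xbanned SET brute_force = ?, expiry = ? WHERE ip_addr = ?",
            (row[0] + 1, expiry, ip),
        )
    db.commit()


def login(db, user, password, ip, now):
    """Return 'banned', 'failed' or 'ok' for one attempt from a given IP."""
    purge_expired(db, now)
    if is_banned(db, ip, now):
        return "banned"
    if USERS.get(user) != password:
        record_failure(db, ip, now)
        return "failed"
    return "ok"


def counter_fits(value):
    """True if `value` fits the brute_force column (99 does, 998 does not)."""
    db = new_db()
    try:
        db.execute(
            "INSERT INTO cpg16xbanned (ip_addr, expiry, brute_force) VALUES (?, ?, ?)",
            ("10.0.0.132", "2020-01-02T21:13:47", value),
        )
        return True
    except sqlite3.IntegrityError:
        return False


def shared_ip_scenario(purge_enabled=True):
    """Two accounts behind one IP; returns the outcome of each attempt in order.

    Three wrong guesses for 'alice' lock out 'admin' too. After the expiry,
    admin gets in either way, but without purging the stale counter means the
    very next bad guess re-bans the IP at once.
    """
    CONFIG["purge_expired_bans"] = 1 if purge_enabled else 0
    db, ip, t0 = new_db(), "10.0.0.132", datetime(2020, 1, 2, 21, 0)
    out = [login(db, "alice", "wrong", ip, t0 + timedelta(seconds=i)) for i in range(3)]
    out.append(login(db, "admin", USERS["admin"], ip, t0 + timedelta(seconds=3)))
    later = t0 + timedelta(minutes=2)
    out.append(login(db, "admin", USERS["admin"], ip, later))
    out.append(login(db, "alice", "wrong", ip, later + timedelta(seconds=1)))
    out.append(login(db, "admin", USERS["admin"], ip, later + timedelta(seconds=2)))
    return out


if __name__ == "__main__":
    print("purge on :", shared_ip_scenario(True))
    print("purge off:", shared_ip_scenario(False))
    print("99 fits:", counter_fits(99), "| 998 fits:", counter_fits(998))
```

The point of the model is the design choice, not the table layout: keying the lockout on the source address means every account behind one NAT or test VM shares a single failure budget, and any state that survives the expiry without being cleared turns a temporary ban into a de-facto permanent one. When debugging a real deployment, check the column definition with SHOW COLUMNS before assuming a documented maximum, and inspect the ban table for rows whose expiry is in the past.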

ron4mac

Since you are testing/experimenting, I suggest you start over.  Drop the tables (or use a different prefix) and install again.  You can remove all files in coppermine and use the installer stub.  I also recommend, for clarity, that you leave the underscore at the end of the db prefix.  You've gone down some rabbit hole and this is probably the best way out.

BigHank

Good idea.  I will try that.  I did start over yesterday by dumping the whole VM and reloading the Bitnami image, but if that VM is the source of the issues I'm running into, it obviously doesn't and won't resolve them.  Your idea gets me ready for a true install too.

BigHank

I completed the removal and reinstall with little trouble.  Kudos for the simplicity of this!  I hit a couple of oddities in the process, but worked through them, and brought up Coppermine.  I logged in as my admin user (name changed from "user" to "CopperDb") successfully, and completed the configuration.  In that configuration I set login_method to email, and after that I could not log in as any user by the email address in the user record.  Once I changed the method back to "username" that cleared up.

I was surprised that the admin user was affected by this change.  I expected the admin user to be a "special case", similar to root. 

Questions:
1)  Was this behavior correct, in that if I want users to log in by their registered email address, I must do the same with the admin account?

2)  Is there a "lifetime count" for banning somewhere?  I found during this testing that once my IP address was banned, it was banned again on every failed login.

Thanks for the tip to try the reinstall.  It looks like this has moved me forward a lot.