<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:603656128;
mso-list-template-ids:-1233994386;}
@list l0:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:1256553034;
mso-list-template-ids:-2145093650;}
@list l1:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Jules,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Awesome. Glad I was able to help.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">As for your explanation, it makes perfect sense now. If only everyone in the world was really nice and had no knowledge of brute force attacks.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">With that said however, as for not showing the message to let the user know that they have been locked out, is there a way for an email to be sent to the administrator (maybe an option that can be turned on/off
by the admin) whenever someone’s account has been locked. This way if I am the admin, I am full aware of who’s account was locked before they even generate a ticket to me. Receiving a notification email of this can be a feature I choose to turn on or off if
I don’t want to be notified but will rather manually check logs on my own schedule to see what’s happening on my ZendTo server.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Jules [mailto:Jules@Zend.To] <br>
<b>Sent:</b> Tuesday, July 21, 2020 9:43 AM<br>
<b>To:</b> ZendTo Users <zendto@zend.to><br>
<b>Cc:</b> Marlon Deerr <MDeerr@hshlawyers.com><br>
<b>Subject:</b> Re: [ZendTo] Failed to unlock user $user as did not match usernameRegexp from preferences.php<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Marlon,<br>
<br>
You are doing a thorough job of this, thank you!<br>
<br>
I have fixed the bug(s) you described. It now behaves exactly as expected, including the logging. This will be in the next release.<br>
<br>
As for the feature request, the current behaviour is by design.<br>
Someone nasty (a "bad actor" in the jargon) is using your ZendTo site to brute-force break your password.<br>
They keep trying different passwords, but always get the same simple "incorrect" response.<br>
They don't know ZendTo very well, and don't know your configuration settings at all.<br>
As a result, they can't tell if or when they should give up trying to break your username/password, and try some other username instead.<br>
<br>
As soon as you display *anything* different, the attacker knows the lock-out limit has been reached and so they should abandon their current attempt and try another one.<br>
<br>
So you *never* give away any hints as to why the login attempt failed, beyond a simple fixed error message.<br>
<br>
It logs it in the ZendTo log (/var/log/zendto/zendto.log is the file that the "System Log" button shows you the end of), so you can check there.<br>
<br>
Cheers,<br>
Jules.<br>
<br>
P.S. The "start" and "expiry" date/time selectors on the "Request a drop-off" form are nearly there. I just want to tidy up that page design layout, it's a bit of a mess and I would prefer it to use a grid or two and a flex box like the "new drop-off" form
now does.<span style="font-size:12.0pt"><o:p></o:p></span></p>
<div>
<p class="MsoNormal">On 21/07/2020 13:45, Marlon Deerr via ZendTo wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-CA">Hi Jules,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-CA">I was testing ZendTo. I wanted to see what the log files will report when a user is locked out after 10 unsuccessful login attempts. I noticed that the log file (I think) is incorrectly reporting that a user was not unlocked
after administratively unlocking the account, when in fact the user was successfully unlocked. Here are the steps I performed.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span lang="EN-CA">Purposely attempted to log in as a user with incorrect password 10 times</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span lang="EN-CA">Logged in as an admin user and examined the System Logs</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span lang="EN-CA">System Log file successfully identified this locked user</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span lang="EN-CA">Clicked on “Unlock User” from the main screen and selected the user to unlock and unlocked her</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">5.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span lang="EN-CA">Examined the System Logs again, but this time it said “<b>Failed to unlock user $user as did not match usernameRegexp from preferences.php</b>”</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">6.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span lang="EN-CA">Logged out as the administrator user</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">7.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span lang="EN-CA">Tried logged in as this “supposedly” locked user
<b>BUT</b> the login was successful.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-CA">Does this mean that the System Log file is incorrectly reporting that the user was not unlocked, when in fact the user was unlocked?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
<p class="MsoNormal"><b><span lang="EN-CA">ALSO:</span></b><span lang="EN-CA"> Feature Request (if possible)</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-CA">When a user is approaching the maximum allowed failed login attempts can you include a message that</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo4"><![if !supportLists]><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span lang="EN-CA">Warns the user that you have x more attempts before you get locked out (where x is a number)</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo4"><![if !supportLists]><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span lang="EN-CA">After the user has failed to login after 10 attempts, instead of just saying “Authentication Error. The username or password was incorrect”, can it not say something like “Authentication Error. You have attempted more
than the allowed failed attempts to log in. Your account therefore has been locked. Please contact your administrator to have it unlocked”</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-CA">While testing this feature above, I found that I was not keeping track of how many times I made a failed login and must have tried over and over again waiting for a message to let me now that I was locked out. I think
having such a message will help reduce IT Tickets from staff wondering why they can’t log in. They may not even know they have been locked out.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>ZendTo mailing list<o:p></o:p></pre>
<pre><a href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><o:p></o:p></pre>
<pre><a href="http://jul.es/mailman/listinfo/zendto">http://jul.es/mailman/listinfo/zendto</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
<br>
<o:p></o:p></span></p>
<pre>Jules<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>-- <o:p></o:p></pre>
<pre>Julian Field MEng CEng CITP MBCS MIEEE MACM<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>The current UK shipping forecast:<o:p></o:p></pre>
<pre>Trafalgar: Cyclonic 6 to gale 8 at first in southeast, otherwise northerly 5<o:p></o:p></pre>
<pre>to 7, becoming variable 3 or 4 in southeast. Moderate or rough, occasionally<o:p></o:p></pre>
<pre>very rough. Thundery showers. Good, occasionally poor.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><a href="http://www.Zend.To">www.Zend.To</a><o:p></o:p></pre>
<pre>Twitter: @JulesFM<o:p></o:p></pre>
</div>
</body>
</html>