cancel
Showing results for 
Search instead for 
Did you mean: 

I need an explanation for the contents of brute-force.ini

I need an explanation for the contents of brute-force.ini

Hey,

 

I try to find out more about the brute-force.ini

I understand the reason for this file. But I am missing some information about the file:

 

brute-force-bad-attempts-count = xx
brute-force-diff-time-to-attempt = yy
brute-force-attempts-count = zz
brute-force-last-bad-time = timestamp
 
xx is the overall count of brute-force attempts?
why bad-attempts? Does it mean, that xx times a login did not succeed? 
 
yy. What does brute-force-diff-time-to-attempt mean?
zz. What does brute-force-attempts-count mean?
 
Maybe somebody can shed some light or give me a link to read more about this file?
Thanks und greetings
Richard
 
I edit my question because I cannot seem to make a reply?!
 

Do I understand it right?

Example:

brute-force-bad-attempts-count = 1158
brute-force-diff-time-to-attempt = 69480
brute-force-attempts-count = 3
brute-force-last-bad-time = 1513255628

 

After 1158 tries the /downloader login gets blocked for 69480 seconds.

After that an attacker can try two more time this 1158.

This means after a total of 3474 tries the /downloader login gets blocked permanently and the last line is being added to the brute-force.ini?

Or is just the timestamp added?

Can I say that a brute-force attack was unsucessful when the /download login is blocked permanently and there is a timestamp in the last line of the brute-force.ini?

If I want to unblock the /downloader login do I simply erase the timestamp? Or the whole last line?

 

thanks and greetings 

2 REPLIES

Re: I need an explanation for the contents of brute-force.ini

xx is how many times you try the password before the 1st block. 

after yy time - you can try the password again. 

when you have done this wrong zz times you are permantly blocked out. 

Timestamp is the time it uses between each time to check

Re: I need an explanation for the contents of brute-force.ini

Hi @hanuman42,


Magento creates brute-force.ini when login attempts to downloader get failed. This feature is available from Magento 1.9.3.

@ptomter explained well about xx, yy, zz parameters

brute-force-bad-attempts-count = 10
brute-force-diff-time-to-attempt = 230
brute-force-attempts-count = 3

If the access is blocked after the mentioned attempts, reset the brute-force-bad-attempts-count to 0 and you should be able to log in again. But still, it is recommended to remove or rename the downloader folder to avoid the attack itself.

--------
Give Kudos if it helped or Accept it as solution