banned IP login attempt


The ban system is massively flawed. 3 attempts is not enough. It should be customisable, but at least set to a minimum of 10 attempts.

The other problem with it is it doesn't honour the timezone setting, so if I am banned at 4pm local time, that time is put into the database but it is compared to the server time (which is 6 hours behind) without adjusting for the time zone, and so I have to wait 6 hours and 3 minutes (instead of just 3 minutes) until the ban is removed. It's absurd.


I've done that, but it doesn't work if the timezone is anything other than default because when WHMCS checks the banned IPs against the current time it is still offset by some hours.

Thanks for your reply. I have already filed this as a bug report on the forum. This is a BUG, not a feature request.

The only way I can get the login ban to behave as expected is if I set the timezone to the default, in which case server time is whatever it is in Texas (where my server is, I am based in UK). Then when I get myself banned, I only have to wait x minutes before I can try again. As soon as I change the timezone I have to wait for n hours instead, where n is the time difference in hours between the default timezone and the one I have set in the configuration file.

The database is storing the correct time based on the timezone settings, so it seems the problem is that when WHMCS checks the stored time against the current time, it is somehow ignoring the timezone setting.

I can whitelist, but the main issue is that if this happens while I am on the road, I have no database access to remove the banned IPs, and my IP is not static in this case so I cannot whitelist it.


  • 2 months later...
  • 2 weeks later...

Hello,

Have you set the timezone in the configuration.php? You need to sync the timezone of the database server with the timezone you set in that option. If that option is not being honored this would be a bug, but the setting is a PHP base function, not something in our specifically.

The rest of this post really is a feature request which needs to go through the requests system:

https://requests.whmcs.com/

Have a great day,

Nate C


  • 3 months later...
You could just set decent passwords and learn to type ...

cheeky!

I do have decent passwords, but yes sometimes I type too fast and make an error, but sometimes, I go to the login page and the browser takes me straight to the /dologin link which sends an invalid token or something, resulting in a failed attempt even though I didn't put a password, and sometimes it even bans me straight off when that happens. But the whole point is the ban system should allow more than 3 attempts, and should honour timezones.


I am going to close this thread. If you would like some further investigations on the timezone issues (which I have been unable to reproduce) please open a support ticket and our Tech Analysts can take a look.

A more customizable ban system is something that belongs in the Feature Request system so we can make sure we get all the options needed in a single refactor.

Have a great day,

Nate C


This topic is now closed to further replies.
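
The timezone mismatch reported earlier in this thread, modelled as an added example (this is not WHMCS code, whose ban logic is not shown on this page): an expiry written as wall-clock time in one timezone and read against wall-clock time in another, next to a version that stores and compares UTC instants. The function names, the fixed UTC offsets and the 3-minute ban length are assumptions taken from the poster's description.

```python
from datetime import datetime, timedelta, timezone

BAN_LENGTH = timedelta(minutes=3)  # assumed ban length, as implied in the thread


def store_expiry(banned_at, app_tz, fixed):
    """Write path: the value that ends up in the ban table."""
    expiry = banned_at + BAN_LENGTH
    if fixed:
        return expiry.astimezone(timezone.utc)  # timezone-aware UTC instant
    # Buggy: wall-clock time in the configured timezone, offset discarded.
    return expiry.astimezone(app_tz).replace(tzinfo=None)


def is_banned(expiry, now, server_tz, fixed):
    """Read path: is the stored ban still in force at instant `now`?"""
    if fixed:
        return now < expiry  # both aware, compared as instants
    # Buggy: "now" is read as wall-clock time in the server's timezone.
    return now.astimezone(server_tz).replace(tzinfo=None) < expiry


def effective_ban(app_tz, server_tz, fixed):
    """Minutes the lockout really lasts for a ban placed at 16:00 app-local time."""
    banned_at = datetime(2024, 1, 15, 16, 0, tzinfo=app_tz)  # constructed sample
    expiry = store_expiry(banned_at, app_tz, fixed)
    minutes = 0
    while is_banned(expiry, banned_at + timedelta(minutes=minutes), server_tz, fixed):
        minutes += 1
    return minutes


UK = timezone(timedelta(hours=0))      # assumed offset of the configured timezone
TEXAS = timezone(timedelta(hours=-6))  # assumed offset of the server clock

if __name__ == "__main__":
    print("naive, server 6h behind:", effective_ban(UK, TEXAS, fixed=False))
    print("naive, server 6h ahead: ", effective_ban(TEXAS, UK, fixed=False))
    print("UTC instants:           ", effective_ban(UK, TEXAS, fixed=True))
```

With the server behind the configured timezone the lockout is stretched by the offset; with the server ahead of it the same comparison never reports a ban at all, so the brute-force protection silently stops working.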