When failed login attempts pass the "Maximum number of login failures before
blocking a host" threshold, it does seem to block the host and I get a log
message saying the IP address has been banned, but it does not go in the
BLOCKED IP ADDRESSES list under admin/config/people/ip-blocking. So I see no
way to remove it to lift the ban.

Also, when the IP address gets banned, I get this error in the log,

Notice: Undefined property: stdClass::$aid in login_user_block_ip() (line 361 of /data/usr/home/vince/www/drupal_sites/share/modules/login_security/login_security.module).

Comments

Jance’s picture

The reason it's not showing up in the blocked IP host is because the module is logging them into the wrong DB table. It's placing them in access, but I believe it should be in blocked_ips.

shrop’s picture

@Jance, Thanks and you were right on the table naming. I did some research and the "access" table was used in D6. "blocked_ips" is the D7 table, but it does have a different structure. I updated the module code to use the right table, save the correct field, and adjusted the watchdog message to make more sense in D7.

Please test it out in the 7.x-1.x branch and let me know if this fixes it for you.
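
The table difference discussed above, as an added example that is not part of the original thread and not the module's own code: a ban written to the Drupal 7 `blocked_ips` table, which is what the admin/config/people/ip-blocking page lists. The function name `example_block_ip` and the `'example'` watchdog type are hypothetical, and the code assumes it runs inside a bootstrapped Drupal 7 site.

```php
<?php
/**
 * Hypothetical helper (not from login_security): ban an IP the Drupal 7 way.
 *
 * Assumes a bootstrapped Drupal 7 site. Drupal 7 core keeps bans in
 * {blocked_ips} (columns: iid, ip); the D6 {access} table and its aid
 * column are not used for this in D7.
 */
function example_block_ip($ip) {
  // Refuse anything that is not a literal IPv4/IPv6 address.
  if (filter_var($ip, FILTER_VALIDATE_IP) === FALSE) {
    watchdog('example', 'Refused to block invalid address %ip.', array('%ip' => $ip), WATCHDOG_WARNING);
    return FALSE;
  }

  // Skip the insert if the address is already banned, so repeated failed
  // logins from one host do not create duplicate rows.
  $already_blocked = (bool) db_query(
    'SELECT 1 FROM {blocked_ips} WHERE ip = :ip',
    array(':ip' => $ip)
  )->fetchField();
  if ($already_blocked) {
    return TRUE;
  }

  // Only the ip field is supplied; iid is the table's serial key.
  db_insert('blocked_ips')
    ->fields(array('ip' => $ip))
    ->execute();

  watchdog('example', 'Banned IP address %ip.', array('%ip' => $ip), WATCHDOG_NOTICE);
  return TRUE;
}
```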

shrop’s picture

Version: 7.x-1.2 » 7.x-1.x-dev
Assigned: Unassigned » shrop
Issue summary: View changes
Status: Active » Needs review

Jance’s picture

Yep, that seems to work for me.

There is another issue that I noticed though. In login_security_set_login_timestamp you have a check to see if a user is in the database, if not it returns.

if (empty($account)) {
  return;
}

I would like to suggest adding a _login_security_add_event($form_state['values']['name'], ip_address()); call before the return to make sure users who try to log in with a nonexistent username are logged as well, as brute force bots will from time to time try to guess usernames, so this would catch those as well.

shrop’s picture

@Jance, thanks much for testing that.

I will leave this open a bit and then get it in a release soon.

I think your suggestion is just fine. Since it is a different request, do you mind copying that into a new issue?

Jance’s picture

Sure thing.

mparker17’s picture

This bug is causing my site to bombard my inbox with notification e-mails until I manually block the IP address through the UI.

@shrop is there anything I can do to help you fix this bug and get that fix released? Would you like me to write a patch?

shrop’s picture

@mparker17: The fix is in 7.x-1.x already. Since @Jance reviewed it and approved the fix, I will mark this issue as reviewed and roll a new stable release today. Thanks for the heads up on your issue related to this.

shrop’s picture

Status: Needs review » Reviewed & tested by the community

shrop’s picture

Status: Reviewed & tested by the community » Closed (fixed)

This has been released with 7.x-1.9

  • shrop committed e8e5b3e on 7.x-1.x, 8.x-1.x
    Issue #1991404 by shrop: Updated IP blocking to use the correct D7 table...