如何禁用“洪水尝试IP阻止”功能?

9

当用户多次尝试登录时,Drupal会阻止用于访问站点的IP。

如何禁用此功能?

7  users 
夏期剧场
source

Answers:

12

您可以做的是在settings.php文件中添加以下代码。

$conf['user_failed_login_ip_limit'] = PHP_INT_MAX;

这样,IP将不会被阻止。

user_login_authenticate_validate()包含以下代码。

  if (!empty($form_state['values']['name']) && !empty($password)) {
    // Do not allow any login from the current user's IP if the limit has been
    // reached. Default is 50 failed attempts allowed in one hour. This is
    // independent of the per-user limit to catch attempts from one IP to log
    // in to many different user accounts.  We have a reasonably high limit
    // since there may be only one apparent IP for all users at an institution.
    if (!flood_is_allowed('failed_login_attempt_ip', variable_get('user_failed_login_ip_limit', 50), variable_get('user_failed_login_ip_window', 3600))) {
      $form_state['flood_control_triggered'] = 'ip';
      return;
    }
    $account = db_query("SELECT * FROM {users} WHERE name = :name AND status = 1", array(':name' => $form_state['values']['name']))->fetchObject();
    if ($account) {
      if (variable_get('user_failed_login_identifier_uid_only', FALSE)) {
        // Register flood events based on the uid only, so they apply for any
        // IP address. This is the most secure option.
        $identifier = $account->uid;
      }
      else {
        // The default identifier is a combination of uid and IP address. This
        // is less secure but more resistant to denial-of-service attacks that
        // could lock out all users with public user names.
        $identifier = $account->uid . '-' . ip_address();
      }
      $form_state['flood_control_user_identifier'] = $identifier;

      // Don't allow login if the limit for this user has been reached.
      // Default is to allow 5 failed attempts every 6 hours.
      if (!flood_is_allowed('failed_login_attempt_user', variable_get('user_failed_login_user_limit', 5), variable_get('user_failed_login_user_window', 21600), $identifier)) {
        $form_state['flood_control_triggered'] = 'user';
        return;
      }
    }
    // We are not limited by flood control, so try to authenticate.
    // Set $form_state['uid'] as a flag for user_login_final_validate().
    $form_state['uid'] = user_authenticate($form_state['values']['name'], $password);
  }

限制实际上有两个:一个用于Drupal始终具有IP的情况,一个用于当Drupal也具有用户ID的情况。后者是针对用户输入现有帐户的用户名的情况;在这种情况下,Drupal将注册用户ID和IP。
如果要避免这种情况,则还需要将此行添加到setting.php文件中。

$conf['user_failed_login_user_limit'] = PHP_INT_MAX;
$conf['user_failed_login_user_window'] = 5;
kiamlaluno
source
嗨Kiamlaluno,所以这意味着我只需要在settings.php?中添加这两行?是PHP_INT_MAX无限的极限吗?我还可以将无限限制(PHP_INT_MAX)设置为user_failed_login_user_window吗?因为它被设置在5那里。
夏期剧场2012年
PHP_INT_MAX是PHP可以分配给整数的最大值。我将另一个值设置为5,因为这是限制有效的秒数。如果将user_failed_login_user_limit设置为10,并将user_failed_login_user_window设置为5,则表示在5秒内允许10次登录尝试。只需更改settings.php文件,就不会再阻止IP /用户。
kiamlaluno
对不起,我的理解力不错,但我还没那么清楚。我搜索发现[PHP_INT_MAX]为20亿。那么,这是否意味着我们现在允许在5秒之间进行多达20亿次尝试?是否已经准备好同时使用IP和用户名?
夏期剧场2012年
我最后要担心的是完全禁用IP和/或USERNAME尝试阻止。[不再设置任何限制]这两条线是否已经解决了?
夏期剧场2012年
对于64位计算机,PHP_INT_MAX为9223372036854775807;对于32位计算机,其值为2147483647。这是5秒内的尝试次数。如果尝试次数少于该次数,则不会阻止IP /用户。
kiamlaluno
0

Drupal 8中,您可以在配置文件中更改洪水设置user.flood.yml

uid_only: false
ip_limit: 50
ip_window: 3600
user_limit: 5
user_window: 21600
_core:
  default_config_hash: UYfMzeP1S8jKaaaavxf7nQNe8DsNS-3bc2WSNNXBQWs

这意味着每个IP和每个用户都有一个限制:

  • 每3600秒(1小时),每个IP地址允许50次尝试
  • 每21600秒(6小时),每个用户帐户允许5次尝试(非常少)

您可能会更改并导入设置(我将其设置为每5分钟100次尝试):

uid_only: false
ip_limit: 100
ip_window: 300
user_limit: 100
user_window: 300
_core:
  default_config_hash: UYfMzeP1S8jKaaaavxf7nQNe8DsNS-3bc2WSNNXBQWs
弗洛里安·穆勒(FlorianMüller)
source
在settings.php或类似文件中,有什么办法可以代替修改core / modules / user / config / install / user.flood.yml吗?
dhruveonmars
@dhruveonmars,您可以覆盖settings.php中的每个设置。就像$config['user.flood']['user_limit'] = 100;
FlorianMüller
辉煌!非常感谢!!
dhruveonmars
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.