
Is makehuman community site object of attack?

Posted: Fri Jan 03, 2020 3:02 pm
by grinsegold
This is how makehuman prompted after I filled in username and correct password and pressed enter (without my name. That I wrote afterwards). Should I be concerned? That's not the first time I see that.
Bildschirmfoto zu 2020-01-03 15-56-46.png

Re: Is makehuman community site object of attack?

Posted: Fri Jan 03, 2020 4:23 pm
by joepal
No, this is phpbb playing up. I am not certain why it does this now and then, but I suspect it is because it is behind a reverse proxy and thus perceives all login attempts as coming from the same IP address.

I've never been able to see anything looking like a DoS or brute force attack when looking at the logs anyway.

Re: Is makehuman community site object of attack?

Posted: Fri Jan 03, 2020 5:12 pm
by loki1950
Happens to me at least once a week, grinsegold. Just mildly annoying at this point, though I have complained to Joel a few times :o

Enjoy the Choice :)

Re: Is makehuman community site object of attack?

Posted: Fri Jan 03, 2020 11:25 pm
by Elvaerwyn
I have this issue constantly :S

Re: Is makehuman community site object of attack?

Posted: Sun Jan 05, 2020 9:02 pm
by grinsegold
Thanks. I can sleep better now :)

Re: Is makehuman community site object of attack?

Posted: Sat Aug 01, 2020 11:51 pm
by nomorecookies
Indeed, this happens every single time I try to log in. Also, the password field says it is not secure when creating an account.

Re: Is makehuman community site object of attack?

Posted: Sun Aug 02, 2020 12:55 am
by loki1950
The not secure is because we do not use https.

Enjoy the Choice :)

Re: Is makehuman community site object of attack?

Posted: Sun Aug 02, 2020 10:12 pm
by RobBaer
Hmm... @Joel, isn't it fairly straightforward to enable https:// authentication without disabling http://, or is this something about our current hosting service? It's been a while, but I am pretty certain this is possible on Windows IIS; not sure about Apache and other servers.

Re: Is makehuman community site object of attack?

Posted: Mon Aug 03, 2020 12:12 pm
by joepal
The problem isn't enabling https per se. The problem is that we get a routing loop vs the (very old version of) mediawiki backend if enabling https on the outward facing web server while still having http on the inside of the forwarding proxy. When I last looked at it, I was not able to make that particular version of mediawiki behave in an acceptable manner.

In essence, the actual problem is that we have a stone age old and largely unmaintainable mix of different web services that have been modified on a source code level and which therefore cannot be easily upgraded to a modern version.

I have started looking into replacing the entire infrastructure with something coherent, but this requires a lot of work.

Re: Is makehuman community site object of attack?

Posted: Fri Aug 07, 2020 5:18 am
by MTKnife
joepal wrote: No, this is phpbb playing up. I am not certain why it does this now and then, but I suspect it is because it is behind a reverse proxy and thus perceives all login attempts as coming from the same IP address.

I've never been able to see anything looking like a DoS or brute force attack when looking at the logs anyway.


The reverse proxy should be able to pass the actual IP through easily enough, though the site has to be coded to read that variable. Unfortunately, I've only done this in Python with NGINX and Flask, and it sounds like you're dealing with something much more complicated.


Scott
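
The point raised in the post above, as an added example that is not part of the thread or the site's code: a stdlib-only Python sketch of reading the forwarded client address so per-IP login counters stop collapsing onto the proxy, while still ignoring the header when it does not come from the proxy. The `X-Forwarded-For` header, the `10.0.0.0/24` proxy range and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: address range of our own reverse proxy (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def is_trusted(addr):
    """True if addr parses as an IP inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, x_forwarded_for=None):
    """Return the address that per-IP login counters should be keyed on."""
    # Peer is not our proxy: the header is client-controlled, so ignore it.
    if not is_trusted(remote_addr) or not x_forwarded_for:
        return remote_addr
    # Walk right to left: the rightmost hops were appended by our proxies,
    # anything further left may have been supplied by the client.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer
        if not is_trusted(hop):
            return hop
    return remote_addr  # every hop was one of our own proxies

# Constructed sample of failed logins: (TCP peer address, X-Forwarded-For)
FAILED_LOGINS = [
    ("10.0.0.5", "198.51.100.7"),
    ("10.0.0.5", "203.0.113.20"),
    ("10.0.0.5", "192.0.2.44"),
    ("10.0.0.5", "198.51.100.200, 203.0.113.20"),  # client-supplied prefix
    ("203.0.113.99", "10.0.0.5"),  # direct connection with a forged header
]

def count_by_peer(events):
    """What the application sees if it only looks at the TCP peer."""
    return Counter(peer for peer, _ in events)

def count_by_client(events):
    """The same events keyed on the resolved client address."""
    return Counter(client_ip(peer, xff) for peer, xff in events)

if __name__ == "__main__":
    print("by peer:  ", dict(count_by_peer(FAILED_LOGINS)))
    print("by client:", dict(count_by_client(FAILED_LOGINS)))
```

Keyed on the peer address, four unrelated failures land on the proxy's IP and would trip a per-IP limit for everyone; keyed on the resolved address, they are spread across the real clients and the forged header is not honoured.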