Access is locked. Please try again in a few minutes

Access is locked. Please try again in a few minutes

As of Magneto 1.9.3 magento have finally added brute force protection to the downloader folder. As you may be aware even if you have changed your default admin path ie to anything other that /admin Magento connection is still accessible at yourdomain.com/downloader.  The fix for this is to rename your downloader folder or move it out of the root folder so that it is not accessable.  However, in order to use Connect you need to rename and it had a tendancy to be forgotten.  This means that the whole of the internet can have as many guesses at your usernames and passwords as they like.

As well as renaming the downloader folder when ever we find it we also run Fail2ban which monitors access to this fodler and will block IP addresses that fail to log in multiple times.  However, Magento have now added a similar feature into the core of magento.  There is a new file in var/ called brute-force.ini which monitors login attampt to Connect

brute-force-bad-attempts-count = 6
brute-force-diff-time-to-attempt = 360
brute-force-attempts-count = 3

Of course the downside is that you may find yourself locked out.

If you see

Access is locked. Please try again in a few minutes

reset the above 

brute-force-bad-attempts-count = 0

and you should be able to log in.  

We still recommend you remove or rename the downloader folder for more complete secuirty.

© 2016 Dx3webs Ltd. All Rights Reserved. | Company No. 08221801 | VAT No GB142 6020 55 | Terms & Conditions | Privacy Policy