Sorry, login is denied from your I.P.

[jchance]

I am unfortunatly sometimes forced to connect to the internet from behind a proxy server and during these times I cannot log into the support console. When I try I get:

"Sorry, login is denied from your I.P."

Any thoughts on how to get around this?

[Sarah]

If you get this error, you will need to contact us at sales@jaguarpc.com with your ip address. You can go to http://www.whatismyip.com to retrieve your ip address. We can than unblock your ip address and also assist you with getting your login details if they are incorrect.

[jchance]

I know I can do that, but that only works until 3 other people on my same proxy enter a bad password (which apparently happens frequently).

Just seems like blocking people out by IP address is in general not a very "friendly" way to prevent password brute force attacks.

[the_ancient]

I know I can do that, but that only works until 3 other people on my same proxy enter a bad password (which apparently happens frequently).

Just seems like blocking people out by IP address is in general not a very "friendly" way to prevent password brute force attacks.

Blocking anything by IP is not veru friendly, In this day in age where IP Numbers are in VERY high demand, very few people have static IP address'

so blocking person A today will mean they have blocked B-Z also if they use the same ISP with the same IP pool....


Most compainies have gone away from IP Blocking in favor of Account Blocking. if the password is entered incorrection X times that account is Locked down and no changes can be made until the system admin unlocks it.

[Ron]

Talk about old-fashioned! 20 years ago they used to lock out accounts after 3 tries, and you'd need to call the corporate ID department and have your account reset. Some security; you called from an outside phone and the conversation would go like this:
"I need an account reset please"
"Account ID"
"0-0-0-destruct-0"
"You're all set"
I suppose that after 2 or three resets they might question you.

How about an allowable IP or IP range?
Or set of IPs and Ranges?
Or geographic requirements?

How about a 5 second pause between attempts plus a progressive length, self-terminating lockout scheme?

How about dual verification schemes? How about physical device challenge schemes with a RADIUS server?

But blocking by IP range? It has it's applications, like if you're a webhost and are being spammed to death from .ru or from .kr or .tw or...

[the_ancient]

Talk about old-fashioned! 20 years ago they used to lock out accounts after 3 tries, and you'd need to call the corporate ID department and have your account reset. Some security; you called from an outside phone and the conversation would go like this:
"I need an account reset please"
"Account ID"
"0-0-0-destruct-0"
"You're all set"
I suppose that after 2 or three resets they might question you.

It is very effective if the company takes security seriously, what you typed means that no matter what security measures are employed they will fail because the people over seeing them dont take it seriously....

Many compaines still use this method, Infact I just went through it with State Farm because I forgot my password to their site,

How about an allowable IP or IP range?
Or set of IPs and Ranges?
Or geographic requirements?

How would this work? I travel alot, so I would only be allow to access my account from my Network. I should I do for the 42 weeks out of the year that I am away from home?

How about a 5 second pause between attempts plus a progressive length, self-terminating lockout scheme?

Good Idea

How about dual verification schemes? How about physical device challenge schemes with a RADIUS server?

Good idea

But blocking by IP range? It has it's applications, like if you're a webhost and are being spammed to death from .ru or from .kr or .tw or...

Only if you dont want any Business from that area

[JPC-Greg]

Logins attempts were set at 5, thats a pretty generous amount of attempts. Ive just shut the ip deny system off for right now.

[Ron]

Well, what I should have typeD, and I somehow left it out of that post is that while it is a good method (only allowing say, 3 sets of 3 attempts) the unfortunate truth is it annoys the heck out of your employees, inconveniences them, creates a larger than necessary need for support staff and it can lead to a DoS attack very easily, where someone (either purposefully or not) can permanently lock out real employees. It's not a good system. Nor is the self-timed lockout, for the same reason.

*I* think the best system (convenience/security mix) for travellers is the requirement for a physical device that given an entered challenge code AND YOUR PIN, gives the employee back a response code to be entered to the RADIUS device.

We weren't really focused on a particular application in this discussion, I didn't think. JAG is talking about loggin in his customers worldwide, you're talking about employees traveling, I was talking about stationary employees and traveling employees and website spammers... So it's not necessarily about getting business from that area!

The security scheme has to fit the application of course. Fingerprint scanners aren't much use at a leper colony.

Fun discussion.

An extra credit nod for the first to provide the context for my hypothetical account ID above.

[JPC-Greg]

An extra credit nod for the first to provide the context for my hypothetical account ID above.

RSA SecurId (card/token)

[Ron]

<nope, not what I was hinting at....>

But that's a great system!

I'm being too obtuse... I was referring to:

"I need an account reset please"
"Account ID"
"0-0-0-destruct-0"

[jchance]

Ive just shut the ip deny system off for right now.

Hummm... I still get "Sorry, login is denied from your I.P."

[JPC-Greg]

eh really? pm me your ip

[Danielvilliers]

I don't have a static ip, tested it with http://www.whatismyip.com/
From my ordeal below I think that I saw login denied by ip. As you can read below the message i put in the ressellers Forum without any answer. What should I do to get urgently access to my account again.


I can’t get access to my account
I have been trying to get access to my partnerplus account for the last 24 hours without success. I have been a jaguarpc client for at least 3 years and had no problem. Had many small account and have upgraded to a reseller account around June this year. Yesterday I tried to get access to my account and can’t get it. I tried every login and password, search all my mails etc... but nothing works. Tried the lost password but it always tells me that there is no active member with such a mail (Just received a billing mail through it). Used it many time before and it worked. I found the contact page and sent a request asking for some help, the page tells me that I will receive a confirmation that I had to reply to, nothing came to my mail, tried again to a gmail account again nothing 5 hours ago. Then I found an old (3 month) ticket (outlook express inbox) and replied to it hopping for an answer from support, until now (2 hrs) nothing. Now the last hope I have is this forum, I am completely lost because I have an urgent site to setup. It is as if I have disappeared, my websites are still here, I can ftp to it but any admistrative task are unreachable. My last billing (1 week ago) did not go through, but I still have more than enough fund on my card… I really need some help.

[Sarah]

I think I've read that ticket earlier today and responsed? Are you still blocked out of the members area? E-mail to sales@jaguarpc.com your ip address and we can get it removed and help you get your login details.

[Galen]

0-0-0-destruct-0

Hahaha, I recognized it right away. Don't remember which Star Trek movie it came from, but it was the final authorization for Kirk to activate the self-destruct. Do I get my extra points now

On topic, I have been known to block IPs from my site, but only after tracing them back to see who the IP belongs to (what ISP). For example, if the IP belongs to the "McColo Corporation" I block it on sight. Never seen anything but spambots and script kiddies come from McColo accounts and they ignore abuse complaints. So, yeah, in some cases it's a good idea to block IPs.

As for proxies, I know many companies and personal sites who block ALL proxies hands-down. The simplest solution is don't go through a proxy. I don't personally block proxies and don't support them being blocked (cuz proxies are a GOOD thing, generally), but it's just a fact that sometimes idiots abuse proxies and some companies would rather not run the risk of allowing proxified connections.

I would think that a timed lockout of the account or IP would be a reasonable system. Remove the IP or account from the blocklist after, say, an hour. Brute force attacks would be pretty pointless if you can only try 5 times an hour