How can I disable "Too many different sign-in attempts" when users try to subscribe?

I have Mailgun set up successfully, but it only intermittently works as new users trying to sign up often receive the error message, “Too many different sign-in attempts, try again in X hours”.

Is there any way to disable whatever is blocking the attempts to subscribe?

For what it’s worth, I’m self-hosting Ghost v5.62.0 via Docker.

That message comes here in the code:

It’s using a module called express-brute, which has options documented here:

The docs show it can be configured with some other options like freeRetries, which currently defaults to 2, a pretty low number.

Someone could contribute a pull request to propose adding a section to config.production.json where values to customize this behavior could be stored.

Right now, it doesn’t appear possible to customize behavior without forking Ghost.

A very simple solution, though, might be to just raise the default value from “2 free retries” to 3 or 5. It would typically take a lot more tries than that before a brute-force attack succeeds.

This should already be supported:

{
  "spam": {
    "member_login": { ... }
  }
}

@vikaspotluri123 I know that it is supposed to be, but there’s a flaw in the documentation.

The documentation on how to configure spam protection links to an old version of the config file:

That version doesn’t contain the member_login key, so that part appears to not be configurable.

I’m not sure how to submit a pull request against the documentation, but the issue could be resolved by linking to the same section on the main branch instead:

cc @RyanF to get the docs updated!

Thanks for flagging. The docs have been updated!
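As an added illustration (not code from this thread, from Ghost’s docs, or from the Ghost project), here is what a `spam.member_login` block in `config.production.json` could look like. It assumes the keys are passed straight through to express-brute’s options of the same name: `freeRetries` is the option the thread discusses, and `minWait`, `maxWait` and `lifetime` are express-brute options that I am assuming Ghost accepts unchanged. The millisecond values are illustrative guesses, not recommended settings.

```json
{
  "spam": {
    "member_login": {
      "freeRetries": 5,
      "minWait": 600000,
      "maxWait": 3600000,
      "lifetime": 3600000
    }
  }
}
```

Raising `freeRetries` from 2 to 5 gives a member a few more attempts before the lockout kicks in, while `minWait`/`maxWait` still impose a growing delay once the limit is exceeded and `lifetime` bounds how long a counter is remembered. Since JSON cannot carry comments, verify the exact key names against the current `defaults.json` on Ghost’s main branch before relying on them.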


I like the “Too many different sign-in attempts” feature. However, when setting up my blog, I was adding about 14 members to my “invite-only” blog. So I would add them, then open an incognito browser, then click “sign in” and submit each email address. This way, those new members simply receive a login email: one click and they are in.

This “too many…” feature blocked me. Here’s what I did. I simply used the mysql cmdline to directly connect to my blog’s database:

mysql -u root -p

Then entered my mysql password

Then selected my ghost database as the current db

connect [your db name];

Then I took a look at the brute table:

select * from brute;

I noticed the count column. I didn’t know which row represented my network connection, so I simply updated all to 1:

update brute set count = 1;

I figure this is safe enough. None of the counts were over 9, and worst case is a bad actor gets a few more attempts before the block threshold triggers.

This allowed me to finish all my new member invites.