1
Catzwolf
RANT: Protector Module
  • 2009/4/7 23:22

  • Catzwolf

  • Home away from home

  • Posts: 1392

  • Since: 2007/9/30


I don't normally get myself wound up to the state that I just want to punch someone, but I must admit tonight I got to that stage and all because of one thing, the Protector module and the stupidity of it.

I must admit this, with all the modules that are out there, I have to say I hate this one the most and I would personally like to see that we don't need it in future versions of Xoops.

Don't get me wrong, the idea is wonderful and I am grateful to GiJoe for all the work that he has done for Xoops, the XOOPS community etc, but that still does take away how much I hate this module. I know I am going to get flamed for this, and personally I am not bothered.

So, why do I hate this module so much? Because it has the IQ of about 4 and doesn't understand the difference between a real attack and some old duffer entering their password wrong and getting it wrong three times. While most of you may laugh, this does happen from time to time and we have all done it.

Now for example tonight, I wanted to download a theme from Xoopsland.com and they forced me to register (The less said about this the better) and I duly tried. But every time I tried to register I would get to the end part just for the CAPTCHA not to show up. So, I hit the refresh button a few times in the hope of getting the image to show up, instead I was met with this:

Quote:
You are registered as BAD_IP by Protector.
This restriction will be expired on 2009-04-11 00:34:35


Now it is bad enough that I get this message, but what is even worse is that I now have to wait 4 days before I can even visit the site again, what is even worse is that I have now no way of contacting the webmaster and asking them to remove my IP address from this damn module.

So why as a user am I not told that the site is protected by this module, why am I not told I only have around 3 tries before I am banned and why is it that after I am banned I am given no email address to contact the owner?

This has happened to me twice tonight with two different XOOPS sites and when this normally happens to me I tend not to bother trying to get into contact and just never bother visiting the offending website. So, how many more people does this module block from your website? How many people have you actually lost because the security restrictions within this module are far too tight?

I know for a fact that with another website I worked on, we had schools and colleges all blocked and with no way of contacting us. It was only because they were contracted to the website services and they had other means of contact did we know.

So, I urge all XOOPS webmasters who use this module to make sure that this module's restrictions are set to a reasonable amount, let your users know how many login attempts they have and please give them a means of contact in case they do get blocked.

2
ghia
Re: RANT: Protector Module
  • 2009/4/8 8:35

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


No gain, without drain!
It is possible to tighten the module too tightly, which may lead to discomfort for some users.
But in general the module is doing a great job and still indispensable.
How much discomfort will be there for all the users, if the site gets hacked or flooded with SPAM?
A little 'collateral damage' or some 'deaths by friendly fire' seems acceptable, although every one is one too many.

IP banning is like the death penalty, but it is one of the most effective ways to stop further attacking. If you would have a setting, like the dos setting to exclude modules from it, but then to allow a module under all circumstances, you could e.g. always allow the contact us module. So users could always give feedback on their problem. But I'm afraid that would make the Protector module totally useless on both the security (Full XOOPS with one module loaded exposed) and SPAM (abuse of the form).
No matter how you turn it, hackers and spammers degrade the interactive internet and it will always be a delicate and fine balance between the two evils: user friendliness with no barriers and useless, or useful and user unfriendly due to the security measures. As example take a guestbook, one where everyone can post by filling a field and push a button or one where you have to fill in a captcha or need to login.

But I agree, XOOPS should have some of the protection mechanisms of itself and not have to rely on a module.
But for the time being, I can only recommend to use the module. Check regularly its logs and correlate it with the Apache logs and adapt the settings in case of problems.
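
An added example, not part of either post and not Protector's code: a minimal sketch of the policy the thread asks for, where only failed logins are counted (page reloads are not), the user is told how many attempts remain, blocks escalate from short to long instead of starting at days, and every block message carries a contact address. All names, thresholds and the address are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical policy values; these are not Protector's defaults or option names.
MAX_FAILURES = 3                    # failed logins allowed inside WINDOW
WINDOW = 600                        # seconds over which failures are counted
BAN_STEPS = [300, 3600, 86400]      # escalating block lengths, in seconds
CONTACT = "webmaster@example.org"   # placeholder address shown to blocked users

@dataclass
class IpState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    strikes: int = 0                # number of blocks this IP has already had
    banned_until: float = 0.0

class Throttle:
    def __init__(self):
        self.ips = {}

    def check(self, ip, now):
        """Call before handling a request; returns (allowed, message)."""
        st = self.ips.setdefault(ip, IpState())
        if now < st.banned_until:
            wait = int(st.banned_until - now)
            return False, f"Blocked for {wait}s more. Contact {CONTACT} if this is a mistake."
        return True, ""

    def record_failure(self, ip, now):
        """Call only on a failed login, never on a plain reload; returns the user notice."""
        st = self.ips.setdefault(ip, IpState())
        # Keep only failures that are still inside the counting window.
        st.failures = [t for t in st.failures if now - t < WINDOW] + [now]
        left = MAX_FAILURES - len(st.failures)
        if left > 0:
            return f"Login failed. {left} attempt(s) left before a temporary block."
        # Threshold reached: block for the next step, capped at the longest one.
        step = BAN_STEPS[min(st.strikes, len(BAN_STEPS) - 1)]
        st.strikes += 1
        st.failures = []
        st.banned_until = now + step
        return f"Blocked for {step}s. Contact {CONTACT} if this is a mistake."

    def record_success(self, ip):
        """A correct login clears the failure window but keeps past strikes."""
        if ip in self.ips:
            self.ips[ip].failures = []
```
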
