Change search restriction time to 10 seconds

[Aractus]

This is really annoying. The forum is set to one search per 30 seconds per user. This is to prevent server overload, however that value is way too high and leads to the common experience of having to wait 20 seconds or so before you can do your search. Please change the time in the MyBB settings to 10 seconds. This will still prevent excessive search requests while improving the experience for all forum members.

As you can see above, to take that screenshot I did two searches as quickly as I could in one tab. So with 10 second limit you would barely ever experience the wait page under normal conditions. I'd even suggest we could go as low as 5 seconds, but I'd be happy with any value up to 10 seconds. 8 seconds might be a good value. @Mathilda you can check the server logs before and after the change to ensure that this doesn't lead to an unacceptable increase in server load. However I might point out you can actually disable search for users that are not logged in if server load is a concern. The setting is called Search Flood Time, you find it under config>settings>search system.

Thanks!

[SYZ]

Seriously?  Surely an extra 20 seconds of your life isn't the end of the world as you know it?

I'm more than happy to wait 30 seconds  between searches.  And if this
really "annoys" you, then I suggest you take a chill pill mate!      

[Gawdzilla Sama]

30 seconds? Not long if you're rowing a boat from San Francisco to Hawaii. A bit longer if you're on fire.

[Minimalist]

I'm with Danny on this one.  It's annoying.

[Gawdzilla Sama]

Insert dittoness here.

[skyking]

It would be different if they were getting flooded, we don't know what's happening on the back side.

[Thumpalumpacus]

I want a plug-in that reads my mind and delivers my desiderata before I even realize I want it. <snaps fingers>

[Dom]

This is @Mathilda s decision, but my guess would be a negative. We withstood a ddos attack thanks to her excellent server management, and we want to be able to do the same when the next one comes. The server load is exactly the way we need it to stay safe.

[Dānu]

This is @Mathilda s decision, but my guess would be a negative. We withstood a ddos attack thanks to her excellent server management, and we want to be able to do the same when the next one comes. The server load is exactly the way we need it to stay safe.

[Bucky Ball]

This is @Mathilda s decision, but my guess would be a negative. We withstood a ddos attack thanks to her excellent server management, and we want to be able to do the same when the next one comes. The server load is exactly the way we need it to stay safe.

The first thing that came to mind ... it could make dos attacks much easier.
Maybe that not at all how they work, but it could be a consideration.

[Thumpalumpacus]

Maybe construct appropriate search terms in the first place?

Just a thought.

[Minimalist]

Oddly, for the first time in what seems like weeks I am running into that "can't connect to server error."

[brewerb]

[Aractus]

Maybe construct appropriate search terms in the first place?

Just a thought.

That's not the issue. The issue is that if you use any of the search functions as your bookmark like View Today's Posts or View New Posts, then that counts as a search as far as the server is concerned and you can't do a search for 30 seconds.

This is @Mathilda s decision, but my guess would be a negative. We withstood a ddos attack thanks to her excellent server management, and we want to be able to do the same when the next one comes. The server load is exactly the way we need it to stay safe.

It shouldn't make any substantial difference to a DDOS attack (which by nature is distributed), and the best option to prevent DDOS attacks from taking the server offline is to get hosting in a DDOS protected network.

[jerry mcmasters]

I've used "search" a few times but rarely...is this something that people need often?

[Thumpalumpacus]

Maybe construct appropriate search terms in the first place?

Just a thought.

That's not the issue. The issue is that if you use any of the search functions as your bookmark like View Today's Posts or View New Posts, then that counts as a search as far as the server is concerned and you can't do a search for 30 seconds.

You have my sympathies. I can't comprehend how you get on with such a difficulty.

Maybe you should bookmark "today's posts" instead? I do that. If gives me a non-result, and then I (gasp!) have to move the mouse and click on "today's posts" again. I can't really tell you how I survive such an indignity.

Maybe you should bookmark your notifications so that you'll see immediately when people reply? Not sure that can work, and don't care enough to beta test it for you.

Or maybe you should grow perhaps twenty-seconds' more patience.

[Aractus]

Or maybe we can just change the default value for "Search Flood Time" which hasn't changed in almost 20 years, to something more appropriate?

This is @Mathilda s decision, but my guess would be a negative. We withstood a ddos attack thanks to her excellent server management, and we want to be able to do the same when the next one comes. The server load is exactly the way we need it to stay safe.

Also as I did mention in my previous post you can just disable search for guests entirely removing any possibility that search can be exploited by DDOS.

[Thumpalumpacus]

Or maybe we can just change the default value for "Search Flood Time" which hasn't changed in almost 20 years, to something more appropriate?

You should probably make a study of patience. You'll benefit in many different ways.

[Aractus]

I'm not going to engage with your petty insults.

The default value, 30 seconds, hasn't changed since 2002. When I'm sure you remember that it took a lot longer than 30 seconds to download and load an average forum page.

I'm not asking because _I_ find it a minor inconvenience, but because it will improve the experience for everyone. If DDOS is a concern you can just disable guest search as I've previously mentioned, I'd be happy with that as it's the member experience I care about more than the guest/lurker experience.

[SYZ]

...I'm not asking because I find it a minor inconvenience, but because it will improve the experience for everyone.

Please don't tell me what's allegedly an "improvement" for me.  You have no idea
what's good or bad for me—although this is in line with your usual sanctimony.      

[Aractus]

Please don't tell me what's allegedly an "improvement" for me.  You have no idea
what's good or bad for me—although this is in line with your usual sanctimony.      

Sure for people that never use search it makes no difference, but when I say "everyone" I mean members who use it regularly. Everyone else like yourself it's a potential improvement to your experience.

I honestly have no idea why you'd be against this BTW? All I'm asking is to lower a default value dreamt up in 2002 that has never changed to something more appropriate. There is literally no downside. I'm not asking to set it to 0 (which is the value for admins I might add so @Mathilda never experiences it for herself unless logged out), just to lower it to a more sensible value. A value chosen in 2002 is not necessarily sensible today!!

[Dom]

Please don't tell me what's allegedly an "improvement" for me.  You have no idea
what's good or bad for me—although this is in line with your usual sanctimony.      

Sure for people that never use search it makes no difference, but when I say "everyone" I mean members who use it regularly. Everyone else like yourself it's a potential improvement to your experience.

I honestly have no idea why you'd be against this BTW? All I'm asking is to lower a default value dreamt up in 2002 that has never changed to something more appropriate. There is literally no downside. I'm not asking to set it to 0 (which is the value for admins I might add so @Mathilda never experiences it for herself unless logged out), just to lower it to a more sensible value. A value chosen in 2002 is not necessarily sensible today!!

There is no point in invoking Mathilda more than once in a thread. She has read it and agreed to my post above. That means she has made a note of it, and maybe next time Aliza tinkers with the software and Mathilda tinkers with the server they will give it some thought. It's not really important. Sorry to be using up some seconds of your life in the meantime.

[Thumpalumpacus]

I'm not going to engage with your petty insults.

The default value, 30 seconds, hasn't changed since 2002. When I'm sure you remember that it took a lot longer than 30 seconds to download and load an average forum page.

I'm not asking because _I_ find it a minor inconvenience, but because it will improve the experience for everyone. If DDOS is a concern you can just disable guest search as I've previously mentioned, I'd be happy with that as it's the member experience I care about more than the guest/lurker experience.

They're not insults, they're suggestions.

It should be noted that last year's attack was mounted by an angry member,"Vosur". Disabling guest searches would not have prevented them.

[TheGentlemanBastard]

...I'm not asking because I find it a minor inconvenience, but because it will improve the experience for everyone.

Please don't tell me what's allegedly an "improvement" for me.  You have no idea
what's good or bad for me—although this is in line with your usual sanctimony.      

What's this? You dare to disagree with our forum's "Expert on Everything" (self appointed)? Very brave of you. Very brave indeed.

[Aractus]

They're not insults, they're suggestions.

It should be noted that last year's attack was mounted by an angry member,"Vosur". Disabling guest searches would not have prevented them.

If it was a DDOS on the search function, then yes disabling guest searches would have prevented such an attack vector. You seem to be under the impression he did his attack while logged in - that wouldn't be a DDOS attack, and even if he did log in simultaneously from 10,000 locations (which isn't what he did) the search flood time would apply to all instances of his. A DDOS attack is a denial of service attack that is simply designed to take a server offline.

Vosur wasn't attacking the search function in the first place, or the forum itself, so not a single setting in MyBB would have made any difference. Vosur's attack wasn't a DDOS attack, it was an authentication attack which was followed by a distributed authentication attack (also called a distributed brute-force attack). Vosur was attacking the SSH (109.123.86.253:22) trying to crack the root password. SSH login attacks are incredibly common, even when your server isn't under a targeted attack it will be attacked by botnets regularly, so a good chunk of the attacks on the server would have had nothing to do with him, and would have come from random servers around the web, which is why any server admin needs a very strong password for all of their server management entry points (SSH, control panel, SFTP, etc). The distributed authentication attack itself may not have been Vosur, although it seems likely. Vosur only had control over his own server. The distributed attack came from someone who controls a botnet - Vosur may have had a "friend" do it, or it may have been coincidence.

Here's what typically greets you when you SSH into a server: