admin@admin.test account locked out, changing password with cake doesn't work #3716

Closed
pettai opened this issue Sep 26, 2018 · 5 comments

@pettai
Contributor

pettai commented Sep 26, 2018

Work environment

| Questions | Answers |
|---|---|
| Type of issue | Bug ? |
| OS version (server) | ubuntu18.04 |
| OS version (client) | various |
| PHP version | 7.2 (ubuntu) |
| MISP version / git hash | 2.4.95 (from git on the 26/9, installed as per INSTALL/INSTALL.ubuntu1804.txt) |
| Browser | If applicable |

Expected behavior

At first it worked as expected: I could log in and managed to change the password for admin@admin.test.

Actual behavior

Then the session timed out, and when I try to log in with admin@admin.test I get this message on the first login attempt:

"You have reached the maximum number of login attempts. Please wait seconds and try again.
Error: The requested address '/users/login' was not found on this server."

Note1: I've never seen "invalid username/password" message before the message above.
Note2: There isn't a value printed out for the seconds

Steps to reproduce the behavior

I've tried to reset the admin@admin.test password too via:
sudo /var/www/MISP/app/Console/cake Password admin@admin.test Password1234
as explained by #1160 and other Issues,
but that doesn't help....

Logs

The only thing that's written in /var/www/MISP/app/tmp/logs/error.log:

2018-09-26 15:34:43 Error: [ForbiddenException] You have reached the maximum number of login attempts. Please wait  seconds and try again.
Request URL: /users/login
Stack Trace:
#0 [internal function]: UsersController->login()
#1 /var/www/MISP/app/Lib/cakephp/lib/Cake/Controller/Controller.php(491): ReflectionMethod->invokeArgs(Object(UsersController), Array)
#2 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction(Object(CakeRequest))
#3 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke(Object(UsersController), Object(CakeRequest))
#4 /var/www/MISP/app/webroot/index.php(92): Dispatcher->dispatch(Object(CakeRequest), Object(CakeResponse))
#5 {main}
^C

But that doesn't help much... :(

@iglocska
Member

You have tripped over the bruteforce protection (tried too many times). Either wait 5 minutes or do this:

mysql -u misp -p misp

delete from bruteforces;

@pettai
Contributor Author

pettai commented Sep 27, 2018

Hi, no it's not a bruteforce problem, it's something with the login that's not working correctly, as noted by Note1+2. I just tried to log in again, and checked the bruteforces table:

MariaDB [misp]> SELECT * FROM bruteforces;
Empty set (0.00 sec)

Yet, it just says admin@admin.test is locked out due to invalid login attempts.

@pettai
Contributor Author

pettai commented Sep 27, 2018

I could either debug the problem but I would need to get better logging to be able to see what's going wrong here, or,
if there's a way to re-initiate the MISP instance I could try that and see if this problem persists or reappears again...

This is a fresh install, so there is nothing in the instance that's of importance.

@pettai
Contributor Author

pettai commented Sep 27, 2018

Ok, found the underlying problem!
It appears that config.php was updated with just a subset of all the variables that are needed for MISP to work properly. However, there isn't any error message(s) about a syntactically correct but defunct config.php (missing needed values).
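
An added example, not part of the original thread and not MISP code: one way to catch a syntactically valid config.php that lacks needed settings is to compare its keys against a known-good copy (a backup or template). The script name `check_config.php`, the function names, and the sample key names are assumptions made for illustration.

```php
<?php
// Added example, not MISP code. Assumes both files define a nested $config
// array; the sample arrays and their key names below are constructed.
/** Return dotted paths of keys present in $template but absent from $live. */
function missing_config_keys(array $template, array $live, string $prefix = ''): array
{
    $missing = [];
    foreach ($template as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if (!array_key_exists($key, $live)) {
            $missing[] = $path;  // setting or whole section absent
        } elseif (is_array($value) && is_array($live[$key])) {
            $missing = array_merge($missing, missing_config_keys($value, $live[$key], $path));
        } elseif (is_array($value)) {
            $missing[] = $path . ' (section replaced by a scalar)';
        }
    }
    return $missing;
}

/** Load the $config array a PHP config file defines (trusted files only: include executes them). */
function load_config(string $file): array
{
    if (!is_readable($file)) {
        throw new RuntimeException("cannot read $file");
    }
    $config = null;
    include $file;
    if (!is_array($config)) {
        throw new RuntimeException("$file does not define a \$config array");
    }
    return $config;
}

// Usage: php check_config.php <template.php> <live.php>
// With no arguments the constructed sample below is checked instead.
if ($argc === 3) {
    $template = load_config($argv[1]);
    $live = load_config($argv[2]);
} else {
    $template = ['debug' => 0, 'Security' => ['salt' => 'x', 'level' => 'medium'],
                 'SecureAuth' => ['amount' => 5, 'expire' => 300]];
    $live = ['debug' => 0, 'Security' => ['salt' => 'x']];  // truncated config
}
$missing = missing_config_keys($template, $live);
foreach ($missing as $path) {
    echo "MISSING $path\n";
}
exit($missing ? 1 : 0);
```

The non-zero exit status lets the check run from a deployment or monitoring job, so a truncated config is reported before it surfaces as a misleading login error.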

@amilabell

I seem to have the same problem. Do you happen to know what triggered the config update with the missing values? I am still very new to MISP and can't figure out why my working config was overwritten.
