View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0003891||Composr||core||public||2019-10-01 21:14||2019-10-02 18:29|
|Reporter||Chris Graham||Assigned To|
|Fixed in Version|
|Summary||0003891: Brute-force login attempt protection|
|Description||Add options to protect against brute-force login attempts.|
1) Maximum login frequency by IP address
2) Maximum login frequency (global)
The format would be...
This means "Max 3 attempts within last 10 seconds, Max 7 attempts within last 60 seconds, Max 20 attempts within last hour, Max 30 attempts within last day".
The numbers on the default global setting would be much bigger. They are designed for DDOS protection (many users attempting login from the same IP address).
When a request is blocked it would be given a "429 Too Many Requests" header and an appropriate error message.
It would all work by keeping an elective-value recording all the IP addresses and timestamps for logins within the maximum number of seconds referenced in the option value (86400 in this example), in PHP-serialize format.
Blocked logins (blocked by this code) would not be included, in the recordings, to prevent the data exploding (a possible attack vector).
The check code would need to clean out old data.
|Time estimation (hours)||4|