View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003891 | Composr | core | public | 2019-10-01 21:14 | 2021-03-15 02:48 |
Reporter | Chris Graham | Assigned To | |||
Severity | Feature-request | ||||
Status | non-assigned | Resolution | open | ||
Product Version | |||||
Fixed in Version | |||||
Summary | 0003891: Brute-force login attempt protection | ||||
Description | Add options to protect against brute-force login attempts. 1) Maximum login frequency by IP address 2) Maximum login frequency (global) The format would be... `[<num>/<seconds>[,]]*` e.g. `3/10,7/60,20/3600,30/86400` This means "Max 3 attempts within last 10 seconds, Max 7 attempts within last 60 seconds, Max 20 attempts within last hour, Max 30 attempts within last day". The numbers on the default global setting would be much bigger. They are designed for DDOS protection (many users attempting login from the same IP address). When a request is blocked it would be given a "429 Too Many Requests" header and an appropriate error message. It would all work by keeping an elective-value recording all the IP addresses and timestamps for logins within the maximum number of seconds referenced in the option value (86400 in this example), in PHP-serialize format. Blocked logins (blocked by this code) would not be included in the recordings, to prevent the data exploding (a possible attack vector). The check code would need to clean out old data. | ||||
Tags | Type: Security | ||||
Time estimation (hours) | 4 | ||||
Sponsorship open | |||||
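The sliding-window scheme described in the issue, as an added example (not Composr code): it parses the proposed `<num>/<seconds>[,...]` option format, keeps the attempt log as a PHP-serialized list of `[ip, timestamp]` pairs (an in-memory string here stands in for the elective value; the real storage call is not assumed), prunes entries older than the longest window, counts attempts against each per-IP and global threshold, and refuses to record attempts it blocks so a flood cannot grow the stored data. The IP address, limit values and timestamps in the walk-through are constructed.

```php
<?php
// Added example, not part of Composr. Parses "3/10,7/60,..." into
// [[max_attempts, window_seconds], ...]; rejects anything that does not
// match [<num>/<seconds>[,]]*.
function parse_login_limits(string $spec): array
{
    if (!preg_match('#^\d+/\d+(,\d+/\d+)*$#', $spec)) {
        throw new InvalidArgumentException("Bad login limit spec: $spec");
    }
    $limits = [];
    foreach (explode(',', $spec) as $pair) {
        [$max, $seconds] = array_map('intval', explode('/', $pair));
        $limits[] = [$max, $seconds];
    }
    return $limits;
}

class LoginRateLimiter
{
    private array $perIp;    // thresholds applied to a single IP address
    private array $global;   // thresholds applied across all IP addresses
    private int $retention;  // longest window; older records are cleaned out
    private string $store;   // serialized [[ip, timestamp], ...] (stand-in for the elective value)

    public function __construct(string $perIpSpec, string $globalSpec, string $store = '')
    {
        $this->perIp = parse_login_limits($perIpSpec);
        $this->global = parse_login_limits($globalSpec);
        $this->retention = max(array_map(fn($l) => $l[1], array_merge($this->perIp, $this->global)));
        $this->store = $store;
    }

    public function store(): string
    {
        return $this->store;
    }

    // true = attempt may proceed (and is recorded); false = answer with 429.
    // Blocked attempts are deliberately not recorded.
    public function allow(string $ip, int $now): bool
    {
        $records = ($this->store === '')
            ? []
            : unserialize($this->store, ['allowed_classes' => false]);
        // Drop everything outside the longest configured window.
        $records = array_values(array_filter($records, fn($r) => $r[1] > $now - $this->retention));

        foreach ($this->perIp as [$max, $seconds]) {
            if ($this->countSince($records, $now - $seconds, $ip) >= $max) {
                $this->store = serialize($records);
                return false;
            }
        }
        foreach ($this->global as [$max, $seconds]) {
            if ($this->countSince($records, $now - $seconds, null) >= $max) {
                $this->store = serialize($records);
                return false;
            }
        }
        $records[] = [$ip, $now];
        $this->store = serialize($records);
        return true;
    }

    // Count attempts newer than $cutoff, for one IP or (null) for all IPs.
    private function countSince(array $records, int $cutoff, ?string $ip): int
    {
        $n = 0;
        foreach ($records as [$recIp, $ts]) {
            if ($ts > $cutoff && ($ip === null || $recIp === $ip)) {
                $n++;
            }
        }
        return $n;
    }
}

// Constructed walk-through: 3 per 10 s and 7 per 60 s for one IP, with much
// larger global thresholds. Attempts at t+0..t+2 are allowed, t+3 and t+4 are
// refused, and t+12 is allowed again once the 10 s window has emptied.
$limiter = new LoginRateLimiter('3/10,7/60', '100/10,500/60');
$t = 1000000;
foreach ([0, 1, 2, 3, 4, 12] as $offset) {
    $ok = $limiter->allow('203.0.113.5', $t + $offset);
    printf("t+%-2d %s\n", $offset, $ok ? 'allowed' : 'HTTP 429 Too Many Requests');
}
```

In a request handler the `false` branch would be paired with `http_response_code(429)` and the error message before the password is even checked; because refused attempts are never written back, the serialized record can never hold more entries than the largest `<num>` values permit within the retention window.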
Just noting that this feature is sometimes called "account lockout".
I kind of think this is a lot less necessary if the user just implements standard rate limiting, which Composr supports (_config.php setup). Sure this feature request can protect against DDOSs, but I think if a site is getting DDOSed then they should be able to afford some proper investment in network/system-level security rules (e.g. fail2ban). That said, I still like this request.
Date Modified | Username | Field | Change |
---|---|---|---|
2019-10-01 21:14 | Chris Graham | New Issue | |
2019-10-01 21:14 | Chris Graham | Tag Attached: Type: Security | |
2020-01-27 20:02 | Chris Graham | Note Added: 0006311 | |
2021-03-15 02:48 | Chris Graham | Note Added: 0006999 | |