View Issue Details

ID: 0005775
Project: Composr
Category: core_cns
View Status: public
Last Update: 2024-07-22 20:56
Reporter: Patrick Schmalstig
Assigned To:
Severity: Feature-request
Status: non-assigned
Resolution: open
Product Version:
Fixed in Version:
Summary: 0005775: Review behaviour of brute force logins with IP address
Description: The current behaviour with failed logins is that brute force compares to exact IP address.

Is this secure enough? Perhaps we should compare to the first three (six) parts instead so it is more tolerant of botnets trying to target a specific user account. Or, do away with IP checking completely.
Additional Information: The current set-up allows an army of botnets on different IP addresses (especially IPv6) to mass-attempt logging in to a user's account. While still very difficult to do if the user has a good password and brute force security is strong (likely to run out of IPs from brute force banning before a success happens), I think we can do better than comparing full IP address on every attempt.
Tags: Roadmap: Over the horizon, Type: Security
Time estimation (hours):
Sponsorship: open

Activities

admin

2024-05-22 16:41

administrator   ~0008782

Automated message: This issue was created using the Report Issue Wizard on the Composr homesite.

Chris Graham

2024-07-22 20:56

administrator   ~0008870

Comparing the first three octets won't help much, especially not with botnets. Making it too broad risks locking users out of their own accounts. Just comparing one IP address is still useful because it is still very possible a lone individual may try and get in just on their own machine.
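
Added illustration (not Composr's own code) of the three granularities discussed in the description and in the note above: an exact-IP counter as today, a prefix counter (/24 for IPv4, /48 for IPv6, i.e. the "three (six) parts"), and an IP-independent per-account counter that only escalates to a challenge rather than a lockout, so a spread-out botnet is slowed without handing attackers a way to lock the real user out. All thresholds are assumed values chosen for the demo.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds for this example only (not Composr's real settings).
MAX_FAILURES_PER_IP = 5        # exact address, as the current behaviour does
MAX_FAILURES_PER_PREFIX = 20   # wider net: /24 (IPv4) or /48 (IPv6)
MAX_FAILURES_PER_ACCOUNT = 50  # IP-independent: catches many-IP botnets


def ip_prefix(ip: str) -> str:
    """Map an address to its /24 (IPv4) or /48 (IPv6) network."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


class LoginThrottle:
    """Tracks failed logins at three granularities (in-memory, for the demo)."""

    def __init__(self):
        self.by_ip = defaultdict(int)
        self.by_prefix = defaultdict(int)
        self.by_account = defaultdict(int)

    def record_failure(self, username: str, ip: str) -> None:
        self.by_ip[ip] += 1
        self.by_prefix[ip_prefix(ip)] += 1
        self.by_account[username] += 1

    def decide(self, username: str, ip: str):
        """Return 'block', 'challenge', or None (allow the attempt).

        IP and prefix limits block outright: they only ever affect the
        addresses that misbehaved.  The per-account limit is deliberately a
        soft measure (e.g. CAPTCHA or email confirmation) because a hard
        lockout keyed on the username lets any attacker deny the owner access.
        """
        if self.by_ip[ip] >= MAX_FAILURES_PER_IP:
            return "block"
        if self.by_prefix[ip_prefix(ip)] >= MAX_FAILURES_PER_PREFIX:
            return "block"
        if self.by_account[username] >= MAX_FAILURES_PER_ACCOUNT:
            return "challenge"
        return None


if __name__ == "__main__":
    # Constructed scenario: 20 distinct IPv6 addresses from one /48 attack one account.
    t = LoginThrottle()
    for i in range(20):
        t.record_failure("alice", f"2001:db8:1::{i + 1}")
    print(t.decide("alice", "2001:db8:1::ffff"))  # blocked by the /48 prefix counter
```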

Issue History

Date Modified Username Field Change
2024-05-22 16:41 Patrick Schmalstig Tag Attached: Roadmap: Over the horizon
2024-07-22 20:52 Chris Graham Tag Attached: Type: Security
2024-07-22 20:56 Chris Graham Note Added: 0008870