#3891 - Brute-force login attempt protection
-
By Chris Graham
- Added
- 2 views
| Identifier | #3891 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | Brute-force login attempt protection |
| Status | Open |
| Tags |
Type: Security (custom) |
| Handling member | Deleted |
| Addon | core |
| Description | Add options to protect against brute-force login attempts.
1) Maximum login frequency by IP address 2) Maximum login frequency (global) The format would be... [<num>/<seconds>[,]]* e.g. 3/10,7/60,20/3600,30/86400 This means "Max 3 attempts within last 10 seconds, Max 7 attempts within last 60 seconds, Max 20 attempts within last hour, Max 30 attempts within last day". The numbers on the default global setting would be much bigger. They are designed for DDOS protection (many users attempting login from the same IP address). When a request is blocked it would be given a "429 Too Many Requests" header and an appropriate error message. It would all work by keeping an elective-value recording all the IP addresses and timestamps for logins within the maximum number of seconds referenced in the option value (86400 in this example), in PHP-serialize format. Blocked logins (blocked by this code) would not be included, in the recordings, to prevent the data exploding (a possible attack vector). The check code would need to clean out old data. |
| Steps to reproduce | |
| Funded? | No |
The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".
Comments
Sure this feature request can protect against DDOSs, but I think if a site is getting DDOSed then they should be able to afford some proper investment in network/system-level security rules (e.g. fail2ban).
That said, I still like this request.