Uploaded image for project: 'Jira Server and Data Center'
  1. Jira Server and Data Center
  2. JRASERVER-12380

Implement user lockout mechanism to stop bruteforce login attacks

    XMLWordPrintable

Details

    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Hacker can try as many time he wants to login JIRA.

      You can build client, which sends username+password combinations as many time as you like.

      .. and if you have username, it is much easier to get in.


      Implementation ideas:
      1) Lock user after sequential X incorrect logins

      • X can be set by administrator
      • if admin's own username is locked, it should be possible to unlock from console
        2) Set IP to blacklist (unable to try login) after sequential Y incorrect logins
      • Y can be set by administrator
      • IP can be removed from Blacklist by admin and it also should be possible to do from console

      2) can be also done by using "bullet time" after sequential Z incorrect logins

      • when hacker has been tried Z times to login then login period will take time 10 times longer
      • when hacker has been tried 2*Z times to login then login period will take time 2*10 times longer
      • .. until Y is reached and IP is set to blacklist

      Attachments

        Issue Links

          Activity

            People

              bbaker ɹǝʞɐq pɐɹq
              7cbccd93ce2e JP Patrikainen
              Votes:
              9 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: