JRASERVER-12380 (Jira Data Center)

Implement user lockout mechanism to stop bruteforce login attacks



      A hacker can try to log in to JIRA as many times as he wants.

      You can build a client which sends username+password combinations as many times as you like.

      .. and if you have the username, it is much easier to get in.

      Implementation ideas:

      1) Lock the user after X sequential incorrect logins
      • X can be set by the administrator
      • if the admin's own username is locked, it should be possible to unlock it from the console

      2) Put the IP on a blacklist (unable to try to log in) after Y sequential incorrect logins
      • Y can be set by the administrator
      • the IP can be removed from the blacklist by the admin, and it should also be possible to do this from the console

      2) can also be done by using "bullet time" after Z sequential incorrect logins
      • when the hacker has tried Z times to log in, the login will take 10 times longer
      • when the hacker has tried 2*Z times to log in, the login will take 2*10 times longer
      • .. until Y is reached and the IP is put on the blacklist

            Assignee: bbaker (Brad Baker)
            Reporter: JP Patrikainen
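A stand-alone model of the three ideas in the request, as an added example (not Jira code and not anything Atlassian shipped): per-user lockout after X failures, per-IP blacklist after Y, and "bullet time" that makes the login take 10x, 20x, ... longer for every Z failures from the same IP. The class, method and parameter names, the defaults, the base delay and the caller supplying the password-check result are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Models the issue's ideas: lock a user after X sequential failures, blacklist an
    IP after Y, and apply 'bullet time' (login takes 10x longer per Z failures)."""
    x_user_lock: int = 5          # X: admin-configurable (assumed default)
    y_ip_blacklist: int = 20      # Y: admin-configurable (assumed default)
    z_delay_step: int = 3         # Z: failures per bullet-time tier (assumed default)
    base_delay_s: float = 0.5     # normal login processing time (assumed)
    user_failures: dict = field(default_factory=dict)
    ip_failures: dict = field(default_factory=dict)
    locked_users: set = field(default_factory=set)
    blacklisted_ips: set = field(default_factory=set)

    def delay_for(self, ip: str) -> float:
        """Bullet time: after Z failures the login takes 10x longer, after 2*Z 20x, ..."""
        tier = self.ip_failures.get(ip, 0) // self.z_delay_step
        return self.base_delay_s * (10 * tier if tier else 1)

    def attempt(self, user: str, ip: str, password_ok: bool) -> tuple:
        """Returns (server-side outcome, delay to impose). The outcome is for the audit
        log; the client should only ever see a generic 'login failed' message."""
        delay = self.delay_for(ip)
        if ip in self.blacklisted_ips:
            return "ip_blacklisted", delay
        if user in self.locked_users:
            return "user_locked", delay
        if password_ok:
            self.user_failures.pop(user, None)   # sequential count resets on success
            return "ok", delay
        self.user_failures[user] = self.user_failures.get(user, 0) + 1
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if self.user_failures[user] >= self.x_user_lock:
            self.locked_users.add(user)
        if self.ip_failures[ip] >= self.y_ip_blacklist:
            self.blacklisted_ips.add(ip)
        return "failed", delay

    # Admin/console actions from the issue: unlock a user, remove an IP from the blacklist.
    def unlock_user(self, user: str) -> None:
        self.locked_users.discard(user)
        self.user_failures.pop(user, None)

    def unblacklist_ip(self, ip: str) -> None:
        self.blacklisted_ips.discard(ip)
        self.ip_failures.pop(ip, None)
```

The per-IP counters are keyed on the client address as seen by the application, so behind a proxy or load balancer the real client IP must be recovered first or every user shares one counter.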