Uploaded image for project: 'atlassian-seraph'
  1. atlassian-seraph
  2. SER-87

Implement user lockout mechanism to stop bruteforce login attacks

XMLWordPrintable

    • Icon: New Feature New Feature
    • Resolution: Unresolved
    • Icon: Medium Medium
    • None
    • None
    • None
    • true

      It is possible to build a client which sends username+password combinations as many time as you like.

      .. and if you have username, it is much easier to get in.

      To stop this the following can be implemented:

      1) Lock user after sequential X incorrect logins

      • X can be set by administrator
      • if admin's own username is locked, it should be possible to unlock from console

      2) Set IP to blacklist (unable to try login) after sequential Y incorrect logins

      • Y can be set by administrator
      • IP can be removed from Blacklist by admin and it also should be possible to do from console

      3) can be also done by using "bullet time" after sequential Z incorrect logins

      • when hacker has been tried Z times to login then login period will take time 10 times longer
      • when hacker has been tried 2*Z times to login then login period will take time 2*10 times longer
      • .. until Y is reached and IP is set to blacklist

              Unassigned Unassigned
              anton@atlassian.com AntonA
              Votes:
              7 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                10 years ago