Implement user lockout mechanism to stop bruteforce login attacks

XMLWordPrintable

    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Medium
    • None
    • Affects Version/s: None
    • None

      It is possible to build a client which sends username+password combinations as many time as you like.

      .. and if you have username, it is much easier to get in.

      To stop this the following can be implemented:

      1) Lock user after sequential X incorrect logins

      • X can be set by administrator
      • if admin's own username is locked, it should be possible to unlock from console

      2) Set IP to blacklist (unable to try login) after sequential Y incorrect logins

      • Y can be set by administrator
      • IP can be removed from Blacklist by admin and it also should be possible to do from console

      3) can be also done by using "bullet time" after sequential Z incorrect logins

      • when hacker has been tried Z times to login then login period will take time 10 times longer
      • when hacker has been tried 2*Z times to login then login period will take time 2*10 times longer
      • .. until Y is reached and IP is set to blacklist

            Assignee:
            Unassigned
            Reporter:
            AntonA
            Votes:
            7 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated: