Opened 10 years ago

Closed 5 years ago

#187 closed new feature (fixed)

Brute force attack prevention

Reported by: car031
Owned by:
Priority: major
Milestone: 7.6.2
Component: Core
Version: 6.3.4
Keywords:
Cc:

Description

1)
Being able to stop or at least slow down brute force attacks, by only allowing i.e. 5 login tries from an IP address;
when you have tried 3-5 or any number of times without success, the account should be disabled for, for instance, 30 min.

You can do this by extending the account table in the DB to include:

Last-unsuccesful-login : long date time
Period-of-unsuccesful-tries: Integer
Last-login-IP: String
Max-Login-tries: byte
Login-wait-time-in-min: integer

Then when you unsuccessfully try to log in from Last-login-IP Max-Login-tries times, the account will be disabled for Login-wait-time-in-min minutes.
If you log in successfully, it clears the entries.


The only downside to this is that if you use a reverse proxy in front of your LogicalDoc you have the same IP, but that should
just be stated in the documentation.

2)
Be able to stop logging on as admin unless he comes from the server's IP OR 127.0.0.1

3)
The username should not be restricted by any characters, or the following characters should be the only ones not allowed:
[ ] : ; | = + ? < > * "
This is the same as Microsoft is using.

4)
Allow all imported users (from LDAP) being disabled instead of enabled.


5)
Segregate the users in domains.
If you allow a fictive domain, i.e. MyCompany, when you log in you could sell the as a hoster, then you only
need to create a domain for the company which you are hosting the application for.

ex.
Login name: Gert
Password: Jensen
Domain: MS-Team

Change History (3)

comment:1 Changed 10 years ago by car031

  • Type changed from Improvement to Wish

comment:2 Changed 5 years ago by car031

We could take inspiration from Trac, and also count the tries with the same username, not just the same IP

comment:3 Changed 5 years ago by car031

  • Milestone set to 7.6.2
  • Priority changed from minor to major
  • Resolution set to fixed
  • Status changed from new to closed
  • Type changed from wish to new feature
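
The lockout rule from description item 1, with the per-username counting suggested in comment:2 as an option, written out as an added Python example (it is not LogicalDOC's code). The snake_case fields mirror the columns proposed in the ticket; the function names, and reading Period-of-unsuccesful-tries as the running failure count, are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccountLoginState:
    """Per-account columns from the ticket (snake_case names are this example's)."""
    max_login_tries: int = 5
    login_wait_time_in_min: int = 30
    last_unsuccessful_login: Optional[float] = None  # epoch seconds
    # Assumption: Period-of-unsuccesful-tries holds the running failure count.
    period_of_unsuccessful_tries: int = 0
    last_login_ip: Optional[str] = None


def is_locked(s: AccountLoginState, now: float) -> bool:
    """True while the account is inside its wait time after too many failures."""
    if s.period_of_unsuccessful_tries < s.max_login_tries:
        return False
    return now - s.last_unsuccessful_login < s.login_wait_time_in_min * 60


def attempt_login(s, ip, password_ok, now, count_per_username=False):
    """Record one login attempt; return 'ok', 'failed' or 'locked'."""
    if is_locked(s, now):
        # Rejected before the password is considered; the lock is not extended.
        return "locked"
    if s.period_of_unsuccessful_tries >= s.max_login_tries:
        s.period_of_unsuccessful_tries = 0  # wait time has elapsed
    if password_ok:
        # "If you log in successfully, it clears the entries."
        s.period_of_unsuccessful_tries = 0
        s.last_unsuccessful_login = None
        s.last_login_ip = None
        return "ok"
    # Description item 1 counts failures from Last-login-IP only, so a
    # failure from another address restarts the count. comment:2's variant
    # (count_per_username=True) keeps counting regardless of address.
    if not count_per_username and ip != s.last_login_ip:
        s.period_of_unsuccessful_tries = 0
    s.period_of_unsuccessful_tries += 1
    s.last_unsuccessful_login = now
    s.last_login_ip = ip
    return "failed"
```

With `count_per_username=False` the counter only grows while failures keep arriving from one address; with `count_per_username=True` it grows on every failure for the account, which is the behaviour comment:2 asks for.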