Brute force attack prevention

[car031]

1)
Being able to stop or at least slow down brute force attach, by only allow i.e 5 login tryes from an IP address,
when you have tried 3-5 or any number of times whitout success the account should be disabled for instance 30 min.

You can do this by extending the account table in the DB to include:

Last-unsuccesful-login : long date time
Period-of-unsuccesful-tries: Integer
Last-login-IP: String
Max-Login-tries: byte
Login-wait-time-in-min: integer

Then when you unsucessful try to login from Last-login-IP, Max-Login-tries times the account will be disabled Login-wait-time-in-min minutes.
if you login successful, it clears the entries..

The only downside to this is if you do a reverse proxy to you LogicalDoc? you have the same IP, but that should
just be stated in the documentation..

2)
Be able to stop loggin on as admin unless he comes from the servers ip OR 127.0.0.1

3)
The username should not be restricted by any charaters or the following charaters should be the only not allowed:
[ ] : ; | = + ? < > * "
This is the same as Microsoft is using.

4)
Allow all imported users(from LDAP) beeing disabled insted og enabled.

5)
Segregate the users in domains.
If you allow a fictive domain i.e MyCompnay?, when you login you could sell the as a hoster, then you only
need to create a domain for the company which you are hosting the application for.

ex.
Login name: Gert
Password: Jensen
Domain: MS-Team

[car031]

Wew could take inspiration from Trac, and count also the ties with same username, not just same IP