<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.E-MailFormatvorlage17
{mso-style-type:personal-reply;
font-family:"Verdana","sans-serif";
color:windowtext;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Hi,<o:p></o:p></span></a></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Just my 2 cents. This should IMHO go in an own extension which could be loaded manually. Most customers secure the server with by server instructure and do not need any Core implementation. And an extensions is more flexible and could be better updated than the Core can be.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'>Nicole<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'>--<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'>Nicole Cordes<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'>TYPO3 CMS Active Contributor<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'>TYPO3 .... inspiring people to share!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-US'>Get involved: typo3.org<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Von:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> typo3-team-core-bounces@lists.typo3.org [mailto:typo3-team-core-bounces@lists.typo3.org] <b>Im Auftrag von </b>Aske Ertmann<br><b>Gesendet:</b> Montag, 23. September 2013 09:10<br><b>An:</b> TYPO3 core team<br><b>Betreff:</b> Re: [TYPO3-core] Brute force protection for TYPO3 backend<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hi<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We've had a customer with the same problem last week, fortunately they only tried with the username "admin" so it's not really a well orchestrated attack.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>It would be nice with something like this in the core, but as I remember there has efforts for this in the past which resulted in not getting implemented due to not being able to reach a solution that fits all. But maybe we could find a solution that would work for most, but be disabled by default. It's not very far from the build in notice after unsuccessful login attempts.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>However we searched a little and found a extension that does exactly this: <a href="http://typo3.org/extensions/repository/view/aba_bruteforceblocker">http://typo3.org/extensions/repository/view/aba_bruteforceblocker</a><o:p></o:p></p></div><div><p class=MsoNormal>Haven't tried it out, but updated recently so it might solve your problem.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Also our recommendation to the customer was to add server side IP restriction of the backend, which if possible is a better solution.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Cheers<o:p></o:p></p></div><div><p class=MsoNormal>Aske<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On 22/09/2013, at 14.18, Marcus Krause wrote:<o:p></o:p></p></div><p class=MsoNormal><br><br><o:p></o:p></p><div><p class=MsoNormal>Hi Torben,<br><br><br>Am 22.09.2013, 07:27 Uhr, schrieb Torben Hansen <<a href="mailto:hansen@skyfillers.com">hansen@skyfillers.com</a>>:<br><br><br><o:p></o:p></p><p class=MsoNormal>Hi all,<o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><o:p> </o:p></p></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>brute force attacks to TYPO3 backends increased the last weeks, so I created a patch which internally blacklists the remote IP address for a given time, if there are too many authentication failures from a remote host.<o:p></o:p></p></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><o:p> </o:p></p></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><a href="http://forge.typo3.org/issues/52170">http://forge.typo3.org/issues/52170</a><o:p></o:p></p></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><o:p> </o:p></p></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>The attached patch is not completely finished, but I would like to hear some feedback from the core developers, if this approach is something that could make it to the core of the next LTS.<o:p></o:p></p></blockquote><p class=MsoNormal><br>thank you for working on this topic. I'd like to have something like this in the Core. So please go on.<br>However I have oulined a few issues on the current patchset which IMHO should be taken care of.<br><br><br>Thanks again for your contribution,<br>cheers Marcus.<br><br><br>PS: Greetings from PHPunconference and Stefano, who is sitting next to me right now. ;-)<br><br>-- <br>Marcus Krause<br>TYPO3 Security Team<br><br>TYPO3 .... inspiring people to share!<br>Get involved: <a href="http://typo3.org">typo3.org</a><br>_______________________________________________<br>Before posting to this list, please have a look to the posting rules<br>on the following websites:<br><br><a href="http://typo3.org/teams/core/core-mailinglist-rules/">http://typo3.org/teams/core/core-mailinglist-rules/</a><br><a href="http://typo3.org/development/bug-fixing/diff-and-patch/">http://typo3.org/development/bug-fixing/diff-and-patch/</a><br>_______________________________________________<br>TYPO3-team-core mailing list<br><a href="mailto:TYPO3-team-core@lists.typo3.org">TYPO3-team-core@lists.typo3.org</a><br><a href="http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-team-core">http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-team-core</a><o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>