[TYPO3-english] Preventing brute-force attacks in FE login form
Oliver Salzburg
oliver.salzburg at googlemail.com
Tue Jan 24 14:45:33 CET 2012
On 2012-01-24 11:52, Tonix (Antonio Nati) wrote:
> If would be nice to have incremental blocks.
>
> If a user makes x wrong attempts within a given interval, it should be
> suspended for y minutes.
> If an IP makes xx wrong attempts on one or more accounts, that IP should
> be suspended for yy minutes.
>
> But how to accomplish this with the automatic login of typo3 working on
> all pages?
>
> Tonino
>
> Il 24/01/2012 11:46, Markus Klein ha scritto:
>> Or even better, add this features to the sysext felogin.
>>
>> Kind regards
>> Markus
>>
>>
>>> -----Original Message-----
>>> From: typo3-english-bounces at lists.typo3.org
>>> [mailto:typo3-english-bounces at lists.typo3.org] On Behalf Of Mauro
>>> Lorenzutti
>>> Sent: Tuesday, January 24, 2012 8:56 AM
>>> To: typo3-english at lists.typo3.org
>>> Subject: Re: [TYPO3-english] Preventing brute-force attacks in FE
>>> login form
>>>
>>> Hi Claudio,
>>>
>>> Il 23/01/2012 16:41, Claudio Strizzolo ha scritto:
>>>> Hi all,
>>>> I am currently using Typo3 4.5.
>>>>
>>>> Does someone have any hints about preventing brute-force attacks using
>>>> Typo3 FE login form (felogin system extension)?
>>>>
>>>> For instance: if a user supplies a wrong password several times in a
>>>> certain time interval (let's say: 10 times in 2 minutes), don't let
>>>> him/her trying again using the same username in the next 15 minutes.
>>>> Basically I'd like to avoid brute-force attacks by automated tools.
>>> we had the same problem in the past and we modified the newloginbox
>>> to disable the user after he provides a wrong password for 3
>>> times. I think you have to modify the fe_login by your own, maybe you
>>> can use some hooks and create a different extension (it would
>>> be great if you can release such new extension ;-))
>>>
>>> Not an answer to your question, I know: just my experience...
>>>
>>> Regards,
>>> --
>>> Mauro Lorenzutti
If your setup allows it, you could utilize fail2ban for this.
There are several examples of this online. One would be this:
http://www.illutzmination.de/typo3-fail2ban.html?&L=1
Cheers
Oliver
More information about the TYPO3-english
mailing list