[TYPO3-core] Brute force protection for TYPO3 backend

Aske Ertmann aske at moc.net
Mon Sep 23 09:09:32 CEST 2013


Hi

We've had a customer with the same problem last week; fortunately they only tried with the username "admin", so it's not really a well-orchestrated attack.

It would be nice with something like this in the core, but as I remember there have been efforts for this in the past which resulted in not getting implemented due to not being able to reach a solution that fits all. But maybe we could find a solution that would work for most, but be disabled by default. It's not very far from the built-in notice after unsuccessful login attempts.

However, we searched a little and found an extension that does exactly this: http://typo3.org/extensions/repository/view/aba_bruteforceblocker
Haven't tried it out, but updated recently so it might solve your problem.

Also our recommendation to the customer was to add server side IP restriction of the backend, which if possible is a better solution.

Cheers
Aske

On 22/09/2013, at 14.18, Marcus Krause wrote:

> Hi Torben,
> 
> 
> On 22.09.2013, 07:27, Torben Hansen <hansen at skyfillers.com> wrote:
> 
>> Hi all,
>> 
>> brute force attacks to TYPO3 backends increased the last weeks, so I created a patch which internally blacklists the remote IP address for a given time, if there are too many authentication failures from a remote host.
>> 
>> http://forge.typo3.org/issues/52170
>> 
>> The attached patch is not completely finished, but I would like to hear some feedback from the core developers, if this approach is something that could make it to the core of the next LTS.
> 
> thank you for working on this topic. I'd like to have something like this in the Core. So please go on.
> However I have outlined a few issues on the current patchset which IMHO should be taken care of.
> 
> 
> Thanks again for your contribution,
> cheers Marcus.
> 
> 
> PS: Greetings from PHPunconference and Stefano, who is sitting next to me right now. ;-)
> 
> -- 
> Marcus Krause
> TYPO3 Security Team
> 
