[TYPO3-core] Brute force protection for TYPO3 backend

Nicole Cordes typo3 at cordes.co
Mon Sep 23 16:20:09 CEST 2013


Hi,


Just my 2 cents. This should IMHO go in its own extension which could be
loaded manually. Most customers secure the server by server infrastructure
and do not need any Core implementation. And an extension is more flexible
and could be better updated than the Core can be.

Best regards,

Nicole

--

Nicole Cordes

TYPO3 CMS Active Contributor

TYPO3 .... inspiring people to share!

Get involved: typo3.org

From: typo3-team-core-bounces at lists.typo3.org
[mailto:typo3-team-core-bounces at lists.typo3.org] On behalf of Aske Ertmann
Sent: Monday, 23 September 2013 09:10
To: TYPO3 core team
Subject: Re: [TYPO3-core] Brute force protection for TYPO3 backend

Hi

We had a customer with the same problem last week; fortunately they only
tried with the username "admin", so it's not really a well-orchestrated
attack.

It would be nice to have something like this in the core, but as I remember
there have been efforts for this in the past which resulted in it not getting
implemented due to not being able to reach a solution that fits all. But
maybe we could find a solution that would work for most, but be disabled by
default. It's not very far from the built-in notice after unsuccessful login
attempts.

However, we searched a little and found an extension that does exactly this:
http://typo3.org/extensions/repository/view/aba_bruteforceblocker

Haven't tried it out, but it was updated recently, so it might solve your problem.

Also, our recommendation to the customer was to add server-side IP
restriction of the backend, which, if possible, is a better solution.

Cheers

Aske

On 22/09/2013, at 14.18, Marcus Krause wrote:

Hi Torben,


On 22.09.2013, 07:27, Torben Hansen <hansen at skyfillers.com> wrote:

Hi all,

Brute force attacks on TYPO3 backends have increased over the last few weeks, so I created
a patch which internally blacklists the remote IP address for a given time
if there are too many authentication failures from a remote host.

http://forge.typo3.org/issues/52170

The attached patch is not completely finished, but I would like to hear some
feedback from the core developers on whether this approach is something that could
make it into the core of the next LTS.


Thank you for working on this topic. I'd like to have something like this in
the Core. So please go on.
However, I have outlined a few issues on the current patchset which IMHO
should be taken care of.


Thanks again for your contribution,
cheers Marcus.


PS: Greetings from PHPunconference and from Stefano, who is sitting next to me
right now. ;-)

-- 
Marcus Krause
TYPO3 Security Team

TYPO3 .... inspiring people to share!
Get involved: typo3.org
TYPO3-team-core mailing list
TYPO3-team-core at lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-team-core
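As an added sketch of the mechanism Torben describes (per-address blacklisting for a given time after too many authentication failures), not the patch attached to the forge issue and not TYPO3 core code: the class name, thresholds and in-memory storage below are assumptions.

```php
<?php
// Added example, not the patch from the forge issue: blocks a remote IP
// for a fixed time once too many backend login failures occur inside a
// sliding window. State is a PHP array here; a real implementation needs
// storage shared across requests (database table or cache) (assumption).
final class LoginFailureBlocker
{
    /** @var array<string, array{failures: int[], blockedUntil: int}> */
    private array $state = [];

    public function __construct(
        private int $maxFailures = 5,      // failures allowed per window
        private int $windowSeconds = 300,  // sliding window length
        private int $blockSeconds = 900    // block duration once triggered
    ) {}

    /** True while the address is blocked; check this before authenticating. */
    public function isBlocked(string $ip, int $now): bool
    {
        return ($this->state[$ip]['blockedUntil'] ?? 0) > $now;
    }

    /** Records a failed login; returns true if this one triggered a block. */
    public function registerFailure(string $ip, int $now): bool
    {
        $entry = $this->state[$ip] ?? ['failures' => [], 'blockedUntil' => 0];
        // Forget failures that fell out of the window, then add this one.
        $entry['failures'] = array_values(array_filter(
            $entry['failures'],
            fn (int $t): bool => $t > $now - $this->windowSeconds
        ));
        $entry['failures'][] = $now;
        $triggered = count($entry['failures']) >= $this->maxFailures;
        if ($triggered) {
            $entry['blockedUntil'] = $now + $this->blockSeconds;
            $entry['failures'] = [];
        }
        $this->state[$ip] = $entry;
        return $triggered;
    }

    /** A successful login clears the failure history for that address. */
    public function registerSuccess(string $ip): void
    {
        unset($this->state[$ip]);
    }
}
```

Key the counter on the address the web server reports in REMOTE_ADDR; an X-Forwarded-For header is client-controlled unless a trusted reverse proxy overwrites it, so blocking on it would let a client evade or spoof the block.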