Feature #97496

open

Return 401 on failed login

Added by Christian Toffolo almost 2 years ago. Updated almost 2 years ago.

Status: New
Priority: Should have
Assignee: -
Category: -
Start date: 2022-04-28
Due date:
% Done: 0%
Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Return 401 HTTP code on failed login to the BE and felogin so an intrusion prevention software like fail2ban can be configured to detect brute force attacks.

Actions #1

Updated by Torben Hansen almost 2 years ago

I see no real benefit of changing the HTTP return code for failed logins and would like to refer to the same discussion in the WordPress community - see: https://core.trac.wordpress.org/ticket/25446

TYPO3 has a rate limiter component since v11, which is able to block IP addresses for a certain time after a configurable amount of failed login attempts (backend/frontend logins).

TYPO3 sends different HTTP response codes on successful logins (303 for successful backend login and 303 for successful frontend login if redirect is enabled). This information can be used to configure an IPS system to monitor/block brute force login attempts.

Also, TYPO3 offers the following:

So in general it should already be possible to configure an IPS system to detect failed logins in TYPO3 (but not by HTTP response status).
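The detection that comment #1 describes, recognising a failed backend login from the access log by a login POST that is not answered with the post-login 303 redirect, as an added example. This is Python written for this page, not TYPO3's or fail2ban's own code and not part of the original issue. It assumes an Apache/nginx combined-format access log, that the backend login form is POSTed to /typo3/index.php or /typo3/login (hypothetical; the exact path depends on the TYPO3 version) and, per the comment above, that a successful login is answered with a 303. The log lines are constructed; the `maxretry`/`findtime` semantics mirror the fail2ban jail options of the same name, so the same rule could be ported to a fail2ban filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined log format, e.g.:
# 203.0.113.7 - - [28/Apr/2022:10:15:02 +0000] "POST /typo3/index.php HTTP/1.1" 200 5123 "-" "curl/7.81"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed backend login endpoints (hypothetical; adjust to the installed TYPO3 version).
LOGIN_PATHS = ("/typo3/index.php", "/typo3/login")
# Per comment #1: a successful backend login is answered with a 303 redirect.
SUCCESS_STATUS = 303


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def is_failed_login(method, path, status):
    """A login POST that is not answered with the post-login redirect counts as a failure.

    This covers the current behaviour (form re-rendered with 200) and would also
    cover a 401 if the status code requested in this issue were ever returned.
    """
    return (
        method == "POST"
        and path.split("?", 1)[0] in LOGIN_PATHS
        and status != SUCCESS_STATUS
    )


def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for IPs with >= maxretry failed logins within findtime.

    Failures are kept per IP in a sliding window; once an IP is banned its later
    lines are ignored, as fail2ban would stop counting for a banned address.
    """
    failures = defaultdict(deque)
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format request line; skip rather than fail
        ip, ts, method, path, status = rec
        if ip in banned or not is_failed_login(method, path, status):
            continue
        window = failures[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed sample log: one scripted attacker (203.0.113.7), one legitimate
# login (198.51.100.4, GET of the form then a 303 on POST) and one user with
# two failures 30 minutes apart (192.0.2.9), which must not trigger a ban.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2022:10:15:02 +0000] "POST /typo3/index.php HTTP/1.1" 200 5123 "-" "curl/7.81"
203.0.113.7 - - [28/Apr/2022:10:15:03 +0000] "POST /typo3/index.php HTTP/1.1" 200 5123 "-" "curl/7.81"
203.0.113.7 - - [28/Apr/2022:10:15:04 +0000] "POST /typo3/index.php HTTP/1.1" 200 5123 "-" "curl/7.81"
203.0.113.7 - - [28/Apr/2022:10:15:05 +0000] "POST /typo3/index.php HTTP/1.1" 200 5123 "-" "curl/7.81"
198.51.100.4 - - [28/Apr/2022:10:15:06 +0000] "GET /typo3/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Apr/2022:10:15:20 +0000] "POST /typo3/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2022:10:15:06 +0000] "POST /typo3/index.php HTTP/1.1" 200 5123 "-" "curl/7.81"
192.0.2.9 - - [28/Apr/2022:10:00:00 +0000] "POST /typo3/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Apr/2022:10:30:00 +0000] "POST /typo3/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when.isoformat()}")
```

The weakness of this approach is the one the comment hints at: the rule depends on knowing the login path and the redirect behaviour of the installed version, whereas a 401 would let a generic filter match on the status column alone. Note also that a successful frontend (felogin) login only returns 303 when a redirect is configured, so the same rule cannot be applied to felogin without a per-site check of that setting.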

Actions #2

Updated by Frank Nägler almost 2 years ago

@Torben: What is the problem with a correct status code?
From my point of view, the HTTP status code is wrong and should be 401. The reason or use case is described.
Referring to events or hooks is not very helpful; why should I implement any custom code with events if the correct HTTP status would solve the issue?
