Bug #21658
Secure the BE login - Auto disable the BE user after a certain amount of login failures
Status: closed
Description
Currently the TYPO3 backend login is not capable of any kind of brute force protection.
Suggestion:
Introduce an optional way to disable a certain backend user after a configurable amount of login failures.
Furthermore, notify the admin when a user has been locked out.
(issue imported from #M12720)
Updated by Christian Clemens about 11 years ago
- Target version deleted (0)
I agree with Nikolas, as there seem to be many, many brute force attacks on TYPO3 backends in the last weeks. It would be great to have an option in the install tool like this:
- Block an ip address after x login attempts in y seconds for z minutes/hours
- Or, if attackers change the ip address after every x attempts (I'm no security expert - is this possible?): block complete backend for z minutes/hours, if there are more than z attempts (not regarding the ip address) in the last y seconds.
I think such an option is very important and should be a core feature. Why?
- There is already a possibility to get informed about login attempts.
- If an attack starts, the admin gets many, many mails in a short time. If the admin could not check mails for some hours, this will be hundreds or thousands of e-mails.
- If this happens: I think the sending server (meaning: my server!) could be blacklisted, because it suddenly sends so many mails in such a short time?
- And: if the admin could not check mails for some hours, the attacker has many tries and could be successful.
I read this can be solved with mod_security (http://www.derhansen.de/2013/09/blocking-brute-force-attacks-to-typo3.html or http://www.illutzmination.de/typo3-mod_security.html) or with fail2ban, but if I understood correctly, you need root access to the server for this?
So what about admins who are working with Managed VServers or Webhosting packages?
I found 2 extensions to solve this problem:
- http://typo3.org/extensions/repository/view/aba_bruteforceblocker
- http://typo3.org/extensions/repository/view/sysfire_failban
But I would prefer to add the needed features directly to the core and not to delegate such security issues to extension authors. My experience is that many extension authors stop development of their extensions after some years, so an admin has to replace the solution in many installations every few years.
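The two proposals in this thread (the description's "disable the user after N failures and notify the admin", and the comment above's "block an IP after x attempts in y seconds for z minutes, or the whole backend if attempts come from changing IPs") fit into one small guard. The following is an added illustration written for this page, generic Python rather than TYPO3 code; the class and parameter names (GuardConfig, LoginGuard, user_max_failures, ip_window, global_window and so on) are hypothetical, the fake clock and the login attempts in demo() are constructed, and the notification list stands in for the admin e-mail the reporter asks for.

```python
"""Brute-force guard for a backend login form (illustration, not TYPO3 code).

Three independent limits, all configurable:
  * per user   - disable the account after user_max_failures failed logins
  * per IP     - block the IP for ip_block_seconds after ip_max_attempts
                 failures inside a sliding ip_window of seconds
  * global     - block the whole backend for global_block_seconds after
                 global_max_attempts failures from any IP inside global_window
Notifications are raised only on state transitions (account disabled, IP or
backend blocked), not on every failed attempt, so an attack produces a
handful of mails instead of thousands.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class GuardConfig:                       # hypothetical names, see lead-in
    user_max_failures: int = 5
    ip_max_attempts: int = 10
    ip_window: float = 60.0
    ip_block_seconds: float = 900.0
    global_max_attempts: int = 50
    global_window: float = 60.0
    global_block_seconds: float = 600.0


class LoginGuard:
    def __init__(self, cfg: GuardConfig, clock):
        self.cfg = cfg
        self.clock = clock                       # callable returning seconds
        self.user_failures = defaultdict(int)
        self.disabled_users = set()
        self.ip_failures = defaultdict(deque)    # ip -> failure timestamps
        self.ip_blocked_until = {}
        self.global_failures = deque()
        self.global_blocked_until = 0.0
        self.notifications = []                  # stand-in for admin e-mails

    @staticmethod
    def _prune(q, window, now):
        while q and now - q[0] > window:         # drop timestamps outside window
            q.popleft()

    def check(self, username, ip):
        """Call before verifying the password. Returns None if the attempt
        may proceed, otherwise the reason it is refused. Only log the reason;
        show the client the same generic error in every case."""
        now = self.clock()
        if now < self.global_blocked_until:
            return "backend-blocked"
        if now < self.ip_blocked_until.get(ip, 0.0):
            return "ip-blocked"
        if username in self.disabled_users:
            return "user-disabled"
        return None

    def record_failure(self, username, ip):
        """Call after a failed password check, also for unknown usernames,
        so that attackers cannot tell which accounts exist."""
        now = self.clock()
        # per-user: permanent until an admin re-enables the account
        self.user_failures[username] += 1
        n = self.user_failures[username]
        if n >= self.cfg.user_max_failures and username not in self.disabled_users:
            self.disabled_users.add(username)
            self.notifications.append(f"user {username} disabled after {n} failures (last from {ip})")
        # per-IP sliding window
        q = self.ip_failures[ip]
        q.append(now)
        self._prune(q, self.cfg.ip_window, now)
        if len(q) >= self.cfg.ip_max_attempts:
            self.ip_blocked_until[ip] = now + self.cfg.ip_block_seconds
            q.clear()
            self.notifications.append(f"ip {ip} blocked for {self.cfg.ip_block_seconds}s")
        # global window, independent of IP (covers attackers rotating addresses)
        self.global_failures.append(now)
        self._prune(self.global_failures, self.cfg.global_window, now)
        if len(self.global_failures) >= self.cfg.global_max_attempts:
            self.global_blocked_until = now + self.cfg.global_block_seconds
            self.global_failures.clear()
            self.notifications.append(f"backend blocked for {self.cfg.global_block_seconds}s")

    def record_success(self, username):
        self.user_failures.pop(username, None)   # a real login resets the counter


class FakeClock:                                 # constructed for the demo
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Replay constructed attack traffic and return the guard's decisions."""
    clock = FakeClock()
    g = LoginGuard(GuardConfig(user_max_failures=3, ip_max_attempts=4, ip_window=10.0,
                               ip_block_seconds=60.0, global_max_attempts=8,
                               global_window=10.0, global_block_seconds=120.0), clock)
    r = {}
    for _ in range(3):                           # 1. guessing 'admin' -> account disabled
        g.record_failure("admin", "10.0.0.1")
        clock.advance(1)
    r["admin"] = g.check("admin", "10.0.0.1")
    for i in range(4):                           # 2. username spraying from one IP -> IP blocked
        g.record_failure(f"user{i}", "10.0.0.2")
        clock.advance(1)
    r["ip"] = g.check("editor", "10.0.0.2")
    r["other_ip"] = g.check("editor", "10.0.0.3")
    g.record_failure("editor", "10.0.0.4")       # 3. 8th failure in 10s overall -> backend blocked
    r["global"] = g.check("editor", "10.0.0.5")
    clock.advance(121)                           # 4. timed blocks expire, the disabled user stays disabled
    r["after_expiry"] = g.check("editor", "10.0.0.2")
    r["admin_later"] = g.check("admin", "10.0.0.9")
    return r, g.notifications


if __name__ == "__main__":
    decisions, mails = demo()
    print(decisions)
    print("\n".join(mails))
```

The per-user lockout is deliberately permanent (an admin has to re-enable the account), matching the description; the IP and backend-wide blocks expire on their own, matching the comment's "for z minutes/hours". Because only transitions generate a notification, the scenario in demo() produces three messages rather than one per failed attempt, which addresses the mail-flood concern raised above. A global lockout does turn a brute-force attempt into a denial of service against legitimate editors, so the backend-wide threshold should sit well above what normal traffic produces.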
Updated by Wouter Wolters almost 10 years ago
- Description updated (diff)
- Status changed from New to Closed
- TYPO3 Version set to 4.3
- Is Regression set to No
Duplicate of #19987
Please continue there.