Project

General

Profile

Actions

Bug #21658

closed

Secure the BE login - Auto disable the be user after a certain amount of login failure.

Added by Nikolas Hagelstein almost 15 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2009-11-24
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.3
PHP Version:
4.3
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

Currently the TYPO3 backend login is not capable of any kind of brute force protection.

Suggestion:
Introduce an optional way to disable a certain backend user after a configurable amount of login failures.
Furthermore notifivy the admin whether a user has been locked out.

(issue imported from #M12720)


Related issues 3 (0 open3 closed)

Related to TYPO3 Core - Feature #21661: Secure the BE login - Blacklist ipsClosed2009-11-24

Actions
Related to TYPO3 Core - Feature #75987: Implement request throttling/ rate limiting functionality and APIClosed2016-04-29

Actions
Has duplicate TYPO3 Core - Feature #19987: Security: Backend user should be disabled after x failed log in (and the appropriate option is set in the install tool)Closed2009-02-09

Actions
Actions #1

Updated by Christian Clemens about 11 years ago

  • Target version deleted (0)

A agree with Nikolas, as there seem to be many, many brute force attacks to TYPO3 backends in the last weeks. It would be great to have an option in installtool like this:

- Block an ip address after x login attempts in y seconds for z minutes/hours
- Or, if attackers change the ip address after every x attempts (I'm no security expert - is this possible?): block complete backend for z minutes/hours, if there are more than z attempts (not regarding the ip address) in the last y seconds.

I think such an option is very important and should be a core feature. Why?

- There is already a possibility to get informed about login attempts.
- If an attack starts, admin gets many, many mails in a short time. If the admin could not check mails for some hours, this will be hundrets or thousands of e-mails.
- If this happens: I think the sending server (means: my server!) could be blacklisted, because it suddenly sends so much mails in such a short time?
- And: if the admin could not check mails for some hours, the attacker has many tries and could be successfull.

I read, this can be solved with mod_security (http://www.derhansen.de/2013/09/blocking-brute-force-attacks-to-typo3.html or http://www.illutzmination.de/typo3-mod_security.html) or with fail2ban, but if I understood correctly, you need root access to the server for this?

So what about admins who are working with Managed VServers or Webhosting packages?

A founde 2 extensions, to solve this problem:
- http://typo3.org/extensions/repository/view/aba_bruteforceblocker
- http://typo3.org/extensions/repository/view/sysfire_failban

But I would prefer to add the needed features directly to the core and not to delegate such security issues to extension authors. My experience is, that many extensions authors stop development of their extensions after some years, so an admin has to replace the solution in many installations every few years.

Actions #2

Updated by Wouter Wolters almost 10 years ago

  • Description updated (diff)
  • Status changed from New to Closed
  • TYPO3 Version set to 4.3
  • Is Regression set to No

Duplicate of #19987
Please continue there.

Actions

Also available in: Atom PDF