Add brute force protection to TYPO3 backend
TYPO3 lacks brute force protection for the backend login. Login attempts from remote attackers should be temporarily disabled if a configurable number of login failures is reached.
Updated by Marcus Krause almost 8 years ago
Thank you for your patch. In the following, I refer to your patchset 2.
I consider it a good idea to take care of brute-forcing. Having a maximal number of login attempts by IP is good. Please make it configurable via the install tool as planned (your note in your code). But please do not enable it by default! e.g. "maxAuthAttempts=-1"
Introducing a separate table is good; the naming is not. It should be called sth. like sys_auth_attempts and should also contain the TYPO3 context (BE, FE). So we could use it for Frontend Users, too.
The newly created class IpUtility suggests that it contains generic IP-related code. Your code is about blacklisting authentication requests by IP. IMHO the naming should cover this by being more specific.
Additionally, all methods are static and therefore hard to test (unit tests). Furthermore, the methods retrieve the IP address on their own. However, the IP addresses should at least be method parameters.
Failed login attempts caused by blacklisting should not throw an exception. Please make sure that such attempts are properly logged!
Updated by Philipp Gampe almost 8 years ago
I think the code should be introduced as a service class and not as a utility.
Please also keep in mind that some people use IPv6 addresses, so the code should cover that too. IPv6 addresses need to be blacklisted by the whole /64 prefix, as the /64 suffix is for users only.
Updated by Martin Muskulus almost 8 years ago
The IPv6 prefix length can vary from provider to provider.
Depending on what RFC providers implement they assign /48, /56, /64 or even /128 for sites/users. So you can't be sure what prefix length to block until you request IP databases for the corresponding net.
Keep in mind that such a blocking mechanism does not help against bot nets at all.
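As an added example (not TYPO3 code and not the submitted patch), the counting logic the thread converges on: failures counted per client and per context (BE/FE), a configurable limit that is disabled at -1 as requested by Marcus, IPv6 clients keyed by a configurable prefix length as raised by Philipp and Martin, and blocked attempts logged instead of throwing. The class and method names are hypothetical.

```python
import ipaddress
import logging
import time
from collections import defaultdict

log = logging.getLogger("sys_auth_attempts")  # hypothetical logger name

class AuthAttemptBlocklist:
    """Counts failed logins per client key and blocks further attempts once
    max_attempts is reached inside window_seconds. max_attempts=-1 disables
    the check, which is the proposed default."""

    def __init__(self, max_attempts=-1, window_seconds=600, ipv6_prefix=64):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.ipv6_prefix = ipv6_prefix       # providers assign /48, /56, /64...
        self._failures = defaultdict(list)   # (context, key) -> [timestamps]

    def client_key(self, ip):
        """IPv4: the address itself. IPv6: the network prefix, because the
        low bits are assigned to the user and change freely."""
        addr = ipaddress.ip_address(ip)
        if addr.version == 6:
            net = ipaddress.ip_network((str(addr), self.ipv6_prefix), strict=False)
            return str(net)
        return str(addr)

    def _recent(self, context, key, now):
        """Drop failures older than the window and return the remaining list."""
        cutoff = now - self.window
        kept = [t for t in self._failures[(context, key)] if t > cutoff]
        self._failures[(context, key)] = kept
        return kept

    def is_blocked(self, ip, context="BE", now=None):
        """Check before authenticating; the IP is a parameter, not looked up."""
        if self.max_attempts < 0:
            return False
        now = time.time() if now is None else now
        key = self.client_key(ip)
        blocked = len(self._recent(context, key, now)) >= self.max_attempts
        if blocked:  # log rather than raise, so the attempt is recorded
            log.warning("auth blocked context=%s client=%s", context, key)
        return blocked

    def record_failure(self, ip, context="BE", now=None):
        """Call after a failed password check."""
        now = time.time() if now is None else now
        key = self.client_key(ip)
        self._recent(context, key, now).append(now)
        log.info("auth failure context=%s client=%s", context, key)
```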