Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block the users account as well as the IP address #123

Open
Spudley opened this issue Apr 8, 2016 · 3 comments
Open

Block the users account as well as the IP address #123

Spudley opened this issue Apr 8, 2016 · 3 comments
Assignees
@codeling
Labels
enhancement

Comments

@Spudley
Copy link

Spudley commented Apr 8, 2016

Hi.

Is it possible to block the actual user account as well as the IP address.

The threat scenario here is a hacker using a botnet to try to break into a specific user's account. In this scenario blocking the IP address won't help much (it will limit the number of attempts from each machine on the botnet, but there would still be a lot of unblocked attempts). But blocking the user account after a certain number of failed logins would be much more effective.

Many thanks.

Simon C.
@codeling
Copy link
Owner

codeling commented Apr 10, 2016
edited
Loading

On the security side such blocking might have a benefit, yes.
But on the other hand it also has the potential to lock out legitimate users, so I'm not sure whether completely blocking any login attempt for a user is the best possible thing to do.

The main target typically is the admin user - and that username should actually not exist anyway (as bfstop also warns about).
Typically, the attacker shouldn't even know the actual usernames on a server. And if he does, it would I guess be better to change the username instead.

Just thinking out loud here, but maybe bfstop could send out notification to the administrator and/or the affected user and tell him that there's currently attacks ongoing on his user account, and that for increased security, he should change his login name?

@codeling codeling self-assigned this Apr 10, 2016
@Spudley
Copy link
Author

Spudley commented Apr 10, 2016

Agreed it does have the potential to block legitimate users. However I've been specifically asked to implement the feature by the site owners, so they'll have to take responsibility for unblocking any users who get locked out. Personally I agree it's overkill, but this system is running within the kind of organisation where security does tend to be quite heavily implemented, so it's not really a surprise that they want this.

Thanks for considering it. :)

@codeling
Copy link
Owner

It could be an interesting extension, at least optionally.
Unfortunately I really have very limited time at the moment.
If you end up implementing this, and want to make it available to a wider audience, I'd be more than glad to incorporate it (of course with proper attribution).

@codeling codeling added this to the BFStop 1.5.0 milestone Dec 19, 2016
@codeling codeling changed the title Block the user;'s account as well as the IP address Block the users account as well as the IP address Jan 24, 2017
@codeling codeling modified the milestones: BFStop 1.6.0, BFStop 1.5.0 Mar 8, 2017
@codeling codeling mentioned this issue Aug 22, 2017
Open
@codeling codeling removed this from the BFStop 2.0 milestone Feb 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@codeling codeling

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Spudley @codeling