Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#7437 closed enhancement (fixed)

[patch] Lock user after configurable number of failed login attempts

Reported by: Aliaksandr Salenka, sem7777@…
Owned by: hasienda
Priority: high
Component: AccountManagerPlugin
Severity: major
Keywords: login retry limit
Cc: pacopablo, otaku42, rjollos
Trac Release: 0.11

Description

Is it possible to add locking users after 3 failed login attempts? It should be useful.

Attachments (2)

fx_7437.patch (11.0 KB) - added by hasienda 4 years ago.
preview on suggested enhancement, yet somewhat incomplete
fx_7437.2.patch (41.9 KB) - added by hasienda 4 years ago.
improved version


Change History (11)

comment:1 Changed 4 years ago by anonymous

  • Type changed from enhancement to task

comment:2 Changed 4 years ago by hasienda

  • Cc pacopablo added
  • Keywords login retry limit added
  • Priority changed from normal to high
  • Severity changed from normal to major
  • Summary changed from lock user after failed login attemps to Lock user after configurable number of failed login attempts
  • Type changed from task to enhancement

#7711 was marked as a duplicate of this one.

Limiting number of password retries is an important feature at least in corporate applications. I suggest this should be more urgent to implement.

comment:3 Changed 4 years ago by hasienda

  • Owner changed from mgood to hasienda

Certainly this should be done.

And I guess it must be done independently of the AuthStore used, since there is no way to mark "max_login_attempts reached" and set an administrative lock within most, if not all of them.

Patch welcome.

Changed 4 years ago by hasienda

preview on suggested enhancement, yet somewhat incomplete

comment:4 Changed 4 years ago by hasienda

  • Cc otaku42 rjollos added
  • Status changed from new to assigned
  • Summary changed from Lock user after configurable number of failed login attempts to [patch] Lock user after configurable number of failed login attempts

Attached patch shows roughly what I'll come up with in absence of better code.

implemented:

  • optionally limit login attempts to login_attempt_max_count (new option, default: 0 - means no limit for hassle-free upgrade)
  • logging of failed login attempts to session_attribute db table
    • add entries for previously authenticated users only (polluting table with lots of random user names could even cause dangerous db growth)
    • remote IP address and corresponding attempt time included
    • keeps latest (login_attempt_max_count + 1) entries
  • show active user account lock in authentication failure error message
  • optional lock timeout after user_lock_timeout seconds (new option, default: 0 - means unlimited locking time)
    • hint on configured timeout displayed in authentication failure error message as well

planned:

  • remove current «graceful» lock behaviour: lock is purely cosmetic now as AccountManagerPlugin continues password checking and releases lock on next successful attempt
  • visualize locked user accounts at account admin page ('users')
  • provide easy lock audit functionality at user admin page, i.e. by listing recorded attempts in a pop-up window

Comments, improvements and other suggestions are appreciated to help with the final cut.

Changed 4 years ago by hasienda

improved version

comment:5 Changed 4 years ago by hasienda

changes to previous version:

  • lock behavior fixed
  • user_lock_timeout renamed to user_lock_time
  • exponential lock time extension added, calculation is t_lock = user_lock_time * user_lock_time_progression^exponent
  • user_lock_max_time provides upper limit on lock time growth (defaults to 1 day)

ToDo

  • features for admin page as mentioned before
  • some more value checking to prevent useless and potentially dangerous custom configurations
  • write documentation to wiki including commented example configurations to demonstrate effects of different combinations of new options
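The behaviour described in comment:4 and comment:5 (count failed attempts per known user, keep only the latest login_attempt_max_count + 1 log entries with remote address and time, lock once the limit is reached, and grow the lock time as user_lock_time * user_lock_time_progression^exponent capped at user_lock_max_time) can be modelled in a few dozen lines. The following is an added illustration, not code from the plugin or from hasienda's patches: the class name AccountGuard and the option names are taken from the ticket, while the `Clock` helper, the `known_users` set, the `login()` return values and the choice of exponent (failures beyond the limit) are assumptions made here. It also reflects the r9555 fix mentioned later in the ticket: with login_attempt_max_count left at 0 the guard never reports a lock.

```python
import time
from collections import defaultdict

ONE_DAY = 86400


class Clock:
    """Injectable time source (assumed helper) so lock expiry can be tested offline."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class AccountGuard:
    """Hypothetical stand-in for the plugin's AccountGuard (names from the ticket)."""

    def __init__(self, known_users, login_attempt_max_count=0, user_lock_time=0,
                 user_lock_time_progression=1.0, user_lock_max_time=ONE_DAY,
                 clock=time.time):
        self.known_users = set(known_users)   # only previously authenticated users are logged
        self.max_count = login_attempt_max_count  # 0 = no limit (hassle-free upgrade default)
        self.lock_time = user_lock_time           # 0 = lock until an admin releases it
        self.progression = user_lock_time_progression
        self.max_time = user_lock_max_time
        self.clock = clock
        self.log = defaultdict(list)   # user -> [(timestamp, remote_addr)], oldest first
        self.failed = defaultdict(int)  # user -> failures since the last successful login

    def failed_count(self, user):
        return self.failed.get(user, 0)

    def failed_log(self, user):
        return list(self.log.get(user, []))

    def record_failure(self, user, remote_addr):
        """Log one failed attempt and trim the log to the latest max_count + 1 entries."""
        self.failed[user] += 1
        entries = self.log[user]
        entries.append((self.clock(), remote_addr))
        if self.max_count:
            del entries[:-(self.max_count + 1)]
        return self.failed[user]

    def lock_duration(self, user):
        """Seconds the current lock lasts; 0 means no expiry."""
        if not self.lock_time:
            return 0
        exponent = max(0, self.failed_count(user) - self.max_count)  # assumed exponent
        return min(self.lock_time * self.progression ** exponent, self.max_time)

    def user_locked(self, user):
        if not self.max_count:                       # locking disabled: never locked
            return False
        if self.failed_count(user) < self.max_count:
            return False
        if not self.lock_time:
            return True                              # permanent administrative lock
        last_attempt = self.log[user][-1][0]
        return self.clock() < last_attempt + self.lock_duration(user)

    def lock_release_time(self, user):
        """Absolute time shown on the login page, or None if unlocked or permanent."""
        if not self.user_locked(user) or not self.lock_time:
            return None
        return self.log[user][-1][0] + self.lock_duration(user)

    def release(self, user):
        """Administrative unlock: forget the attempt history."""
        self.failed.pop(user, None)
        self.log.pop(user, None)

    def login(self, user, password_ok, remote_addr):
        """Returns 'ok', 'rejected' or 'locked'; a locked account is refused before
        the password is checked, so a correct password does not lift the lock."""
        if user not in self.known_users:
            return 'rejected'                        # unknown names are not logged
        if self.user_locked(user):
            return 'locked'
        if password_ok:
            self.release(user)
            return 'ok'
        self.record_failure(user, remote_addr)
        return 'locked' if self.user_locked(user) else 'rejected'
```

With `login_attempt_max_count = 3`, `user_lock_time = 60`, `user_lock_time_progression = 2` and `user_lock_max_time = 300`, the third failure locks the account for 60 s, a further failure after expiry locks it for 120 s, then 240 s, and the next one is capped at 300 s; a correct password only clears the history once the lock has expired.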

comment:6 Changed 4 years ago by hasienda

update on development status:

core functionality is no longer extending AccountManager module directly but bundled in a new AccountGuard class instead

  • user account audit information will be presented at another admin page 'details', that can't be clicked directly but requires a proper argument ('http://../details?user=<username>')
  • currently locked accounts visible at admin page 'users', click-able icons leading to details page for corresponding user
  • details page holds account status information and last failed login attempts log
  • login page clearly reports account lock release time on login rejection


comment:7 Changed 4 years ago by hasienda

(In [9546]) AccountManagerPlugin: Introduce login attempt tracking and administrative user account locking, refs #7437.

Number of previously logged failed login attempts as well as lock condition
and lock behaviour are evaluated and displayed to the user.
Optional exponential lock time prolongation can be used to further reduce
effectivity of attempted brute-force attacks on user passwords.

comment:8 Changed 4 years ago by hasienda

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [9548]) AccountManagerPlugin: Add admin functions for user account locking, closes #7437.

We show information related to new account locking, but be prepared
for an even richer account details view here, i.e. including information
regarding password reset and account/email verification status.

comment:9 Changed 4 years ago by hasienda

(In [9555]) AccountManagerPlugin: Fix user_locked() method, refs #7437.

Just noticed that it returned false positive «locked permanently»,
if account locking had been turned off by (default) configuration.
