Idea ID: 2789435

Intruder Lockout

Status : Delivered
over 4 years ago
Seems there is no way to lock out "incorrect password attempts", which makes a brute-force break-in possible.
It should be possible to lock out such attempts by disabling the user for "some minutes" or permanently, including an internal alert for such situations.

Labels: Other
  • There is now an option for a Captcha to be displayed if there is a brute force attack.

    This is a setting that can be placed in ssf-ext.properties to reduce the number of attempts before it is displayed.

      number.of.attempts.to.show.captcha=5

  • Is there any update on this? Will this issue be addressed in future releases?
  • I got a request from a Customer who would like to buy a large number of Filr licenses. They are in trouble because of brute-force/accidental failures during authentication: because they have a failed-attempts limit lower than 6 in AD's settings, such attacks/failed logins lead to an account lock on the AD side. This is a very serious problem for them and they need a solution for this case. CAPTCHA isn't a real solution:
    - the limit for CAPTCHA is 6 failed attempts and cannot be changed, as this setting is hardcoded and cannot be changed using the Filr Administrator Console
    - CAPTCHA, as far as I know, is an external service, and if there is no connection to the Internet it cannot be used. Probably I'm wrong here, but if I'm right this is a serious point against CAPTCHA. Anyway, we're dependent on a third party because of that, and this is not a really good thing in my understanding.
    There are other ways to solve this, like NAM or Microsoft ADFS, but they lead to additional extra costs which make Filr more expensive for the Customer and, as a result, interest in Filr may be impacted. The solution, in my understanding, would be realized as something like a Filr Intruder Lockout Policy/Policies like we have in other of our products. The Filr Administrator would be able to manage the Failed Attempts Limit and make it lower than the similar setting for eDir/AD; in this case only the Filr account would be locked but not the eDir/AD/LDAP account itself. This is exactly what the Customer wants to have in Filr, please think about it. I'm not a developer so I can't evaluate the additional costs for such a Feature, but, as we have this functionality in our products like iManager, which uses Tomcat as a platform just as Filr does, I hope these costs will not be very high and the Feature may be realized fast enough. This isn't a real Stopper for this deal as far as I know, but it is one of the hardest moments we have at the moment. If the Feature is realized soon enough, our life will be much easier.
  • Also, after 5 unsuccessful attempts you get the captcha image displayed.
  • Also, when an account has an intruder lockout in eDir, this isn't visible on the Filr login page, and it's also not mentioned that the account is locked. So this is a good feature. And more secure, I think.