Intruder Lockout

Idea ID 2789435

Intruder Lockout

Seems there is no way to lock out "incorrect password attempts", which makes a brute-force break-in possible.
It should be possible to lock out such attempts by disabling the user for "some minutes" or permanently, including an internal alert for such situations.
6 Comments
Absent Member.
Noted Axel
Super Contributor.
Also, when an account has an intruder lockout in eDir, this isn't visible on the Filr login page, and it's also not mentioned that the account is locked. So this is a good feature. And more secure, I think.
Absent Member.
Also, after 5 unsuccessful attempts you get the CAPTCHA image displayed.
Micro Focus Frequent Contributor
I got a request from a customer who'd like to buy a large number of Filr licenses. They are in trouble because of brute-force/accidental failures during authentication: because they have a failed-attempts limit lower than 6 in AD's settings, such attacks/failed logins lead to an account lock on the AD side. This is a very serious problem for them and they need a solution for this case.

CAPTCHA isn't a real solution:
- the limit for CAPTCHA is 6 failed attempts and cannot be changed, as this setting is hardcoded and cannot be changed by using the Filr Administrator Console
- CAPTCHA, as far as I know, is an external service, and if there is no connection to the Internet it cannot be used. Probably I'm wrong here, but if I'm right, this is a serious thing against CAPTCHA. Anyway, we're dependent on a third party because of that, and this is not a really good thing in my understanding.

There are other ways to solve this, like NAM or Microsoft ADFS, but they lead to additional extra costs which make Filr more expensive for the customer and, as a result, interest in Filr may be impacted.

The solution, in my understanding, would be realized as something like Filr Intruder Lockout Policy/Policies, like we have in other of our products. The Filr Administrator would be able to manage the Failed Attempts Limit and make it lower than the similar setting for eDir/AD; in this case only the Filr account would be locked, but not the eDir/AD/LDAP account itself. This is exactly what the customer wants to have in Filr, please think about it.

I'm not a developer so I can't evaluate the additional costs for such a feature, but, as we have this functionality in our products like iManager, which uses Tomcat as a platform just as Filr does, I hope these costs will not be very high and the feature may be realized fast enough. This isn't a real stopper for this deal as far as I know, but one of the hardest moments we have at the moment. If the feature is realized soon enough, our life will be much easier.
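The lockout policy proposed in the request above (an application-side failed-attempt counter with a limit set below the directory's own threshold, so that only the application account is locked and an alert is raised) can be sketched as follows. This is an added example written for this page, not Filr's code and not anything posted by the commenters; the class and function names (`IntruderLockout`, `LockoutPolicy`, `FakeDirectory`, `simulate_brute_force`) are hypothetical, and the directory is a constructed stand-in for an LDAP/AD bind that locks at its own threshold the way AD would.

```python
"""Added example (hypothetical, not Filr's own code): an application-side
intruder lockout placed in front of the directory bind. The application
threshold is kept below the eDir/AD threshold, so a brute-force run locks
only the application account; each lock raises an alert."""
import math
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_failures: int               # app threshold; must be below the directory's
    window_seconds: float           # failures older than this no longer count
    lock_seconds: Optional[float]   # None = locked until an admin unlocks


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of failed binds
    locked_until: Optional[float] = None                  # math.inf = permanent


class FakeDirectory:
    """Constructed stand-in for the LDAP/AD server: counts failed binds per
    user and refuses binds once its own lockout threshold is reached."""

    def __init__(self, users: Dict[str, str], lockout_threshold: int):
        self.users, self.threshold = users, lockout_threshold
        self.failed: Dict[str, int] = {}   # current failed-bind count per user
        self.peak_failed: Dict[str, int] = {}
        self.binds: Dict[str, int] = {}    # how many binds the directory saw

    def bind(self, user: str, password: str) -> bool:
        self.binds[user] = self.binds.get(user, 0) + 1
        if self.failed.get(user, 0) >= self.threshold:
            return False                   # directory-side lock: bind refused
        if self.users.get(user) == password:
            self.failed[user] = 0
            return True
        self.failed[user] = self.failed.get(user, 0) + 1
        self.peak_failed[user] = max(self.peak_failed.get(user, 0), self.failed[user])
        return False


class IntruderLockout:
    """Gate in front of the directory bind; returns "locked" (no bind
    attempted), "ok" or "failed"."""

    def __init__(self, policy: LockoutPolicy, directory: FakeDirectory,
                 alert: Callable[[str, float, int], None]):
        # The whole point is to trip before the directory does; refuse otherwise.
        if policy.max_failures >= directory.threshold:
            raise ValueError("app failed-attempt limit must be below the directory's")
        self.policy, self.directory, self.alert = policy, directory, alert
        self.accounts: Dict[str, AccountState] = {}

    def authenticate(self, user: str, password: str, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"            # refused without touching the directory
            st.locked_until = None         # timed lock has expired
            st.failures.clear()
        if self.directory.bind(user, password):
            st.failures.clear()
            return "ok"
        # Sliding window: forget failures older than window_seconds.
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            lock = self.policy.lock_seconds
            st.locked_until = math.inf if lock is None else now + lock
            self.alert(user, now, len(st.failures))   # internal alert hook
        return "failed"

    def admin_unlock(self, user: str) -> None:
        self.accounts.pop(user, None)


def simulate_brute_force() -> dict:
    """Constructed scenario: 6 wrong guesses against 'alice' (app limit 3,
    directory limit 5, 5-minute app lock), then the real user logs in."""
    alerts: List[tuple] = []
    directory = FakeDirectory({"alice": "correct horse"}, lockout_threshold=5)
    gate = IntruderLockout(LockoutPolicy(max_failures=3, window_seconds=600, lock_seconds=300),
                           directory, alert=lambda u, t, n: alerts.append((u, t, n)))
    results = [gate.authenticate("alice", f"guess{i}", now=float(i)) for i in range(6)]
    results.append(gate.authenticate("alice", "correct horse", now=305.0))
    return {"results": results, "directory_binds": directory.binds["alice"],
            "peak_failed": directory.peak_failed["alice"], "alerts": alerts}


if __name__ == "__main__":
    print(simulate_brute_force())
```

The directory sees only three failed binds (below its threshold of five), the fourth through sixth guesses are refused by the application without a bind, one alert fires when the lock is set, and the legitimate user gets in once the timed lock expires. With `lock_seconds=None` the lock is permanent until `admin_unlock` is called, matching the "some minutes or permanently" wording of the request.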
Absent Member.
Is there any update on this? Will this issue be addressed in future releases?
Micro Focus Expert
Status changed to: Delivered

There is now an option for CAPTCHA to be displayed if there is a brute-force attack.

This is a setting that can be placed in ssf-ext.properties to reduce the number of attempts before it is displayed:

  number.of.attempts.to.show.captcha=5
