Secure Local Admin Account #2092

Open
oraclesod opened this issue Jun 27, 2023 · 2 comments

oraclesod commented Jun 27, 2023

Is your feature request related to a problem?

I'm trying to secure my Tautulli but allow public access for guests and newsletters. Currently brute force of the admin account could occur.

What is your feature request?

There are two items that could really help with securing the server:

  1. Allow the admin user to be disabled when Plex auth is enabled, so that the Plex admin/owner user is the only admin in the system (of course this could be undone in the config ini if access was needed again).

  2. Store the IP address of the person connecting to Tautulli in the tautulli.log file; this will mean we can use tools like fail2ban to ban an IP that's brute forcing passwords. This would need to take into account X-Forward-For if anyone has Tautulli behind a reverse proxy (I do this as I only have 1 public IP and can split to different servers by DNS name). Currently the log line is `DEBUG :: CP Server Thread-6 : Tautulli WebAuth :: Invalid user login attempt from 'admin'.` (also maybe make the failures non-DEBUG but actual INFO or WARN).

Are there any workarounds?

As a workaround I'm editing the login.html and removing the content inside the Tautulli Login (username/password/sign in button).

Additional Context

No response
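
Added example, not part of the original issue and not Tautulli's code: one way to do what item 2 asks, choosing the address to log behind a reverse proxy and writing a failed-login line that a fail2ban-style regex can match. The trusted proxy networks, the log format, the function names and the sample addresses are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: only a reverse proxy on these networks may set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("10.0.0.0/8")]

def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, xff_header=None):
    """Return the address to log for a login attempt.

    The header is honoured only when the TCP peer is a trusted proxy;
    otherwise a client could forge it to dodge a ban or get another
    host banned.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not xff_header or not _trusted(peer):
        return str(peer)
    # Walk right to left: the right-most hops were appended by our own
    # proxies, so the first untrusted address is the real client.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer
        if not _trusted(ip):
            return str(ip)
    return str(peer)  # every hop was one of our proxies

def format_failure(username, peer_addr, xff_header=None):
    # Hypothetical format: the IP comes before the attacker-controlled
    # username, and %r escapes quotes and newlines so a crafted username
    # cannot forge a second log line.
    return ("WARNING :: Tautulli WebAuth :: Invalid user login attempt "
            "from %s for %r." % (client_ip(peer_addr, xff_header), username))

# Python stand-in for a fail2ban failregex; in a filter file the named
# group would be written as <HOST>.
FAILREGEX = re.compile(r"^WARNING :: Tautulli WebAuth :: Invalid user login "
                       r"attempt from (?P<host>[0-9a-fA-F:.]+) for ")

def banned_host(line):
    m = FAILREGEX.match(line)
    return m.group("host") if m else None
```

With this layout the reverse proxy's own address should also be listed in fail2ban's `ignoreip`, so a fallback to the peer address never bans the proxy itself.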

@JonnyWong16
Contributor

FYI, Tautulli has rate-limiting implemented on the login form.

@cyberbrix

I concur and support this, especially #2.
