Optional ability to block user account after many failed login attempts #493
Comments
Not sure about trusting IPs, but blocking and mailing the user is a good idea.
What about browser authentication with ssl-certs (like startssl does)? Not sure if there is an easy setup method (generation, download & install from web-interface) but such machines could have a higher trust level than other clients.
I think we shouldn't over-engineer that feature. Just set a reasonable Automated dictionary attacks are mitigated by this, but it won't affect a
On 02.08.2016 17:08, "tflidd" notifications@github.com wrote:
How about providing a configuration for fail2ban in the documentation?
Here I have a configuration of fail2ban (working!):

```
cd /etc/fail2ban
```

Include a new section in the configuration as follows:

```
[nextcloud]
filter = nextcloud
```

After that create a new filter:

```
cd filter.d
```

Write as follows:

```
[INCLUDES]
before = common.conf

[Definition]
_daemon = nextcloud
# <HOST> is fail2ban's tag for the address to ban
failregex = {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =
```

DONE
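A way to sanity-check the filter's regex against log lines before relying on it, as an added example that is not part of the thread and not Nextcloud or fail2ban code. It assumes the failregex is written with `.*` wildcards and fail2ban's `<HOST>` tag; the host group, the helper names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# failregex as in the filter above, assuming ".*" wildcards and fail2ban's
# <HOST> tag. fail2ban expands <HOST> itself; the group used here is a
# simplified stand-in for this sketch, not fail2ban's real host pattern.
FAILREGEX = (
    r'{"reqId":".*","remoteAddr":".*","app":"core",'
    r'''"message":"Login failed: '.*' \(Remote IP: '<HOST>'\)",'''
    r'"level":2,"time":".*"}'
)
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>[0-9A-Fa-f:.]+)"))


def failed_login_ip(line):
    """Return the source IP if the line is a failed-login entry, else None."""
    match = PATTERN.search(line)
    return match.group("host") if match else None


def offenders(lines, maxretry=3):
    """IPs with at least maxretry failures (no findtime window in this sketch)."""
    counts = Counter(ip for ip in map(failed_login_ip, lines) if ip)
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


def entry(message, ip, level=2):
    """Build one constructed log line in the shape the failregex expects."""
    return ('{"reqId":"r1","remoteAddr":"%s","app":"core","message":"%s",'
            '"level":%d,"time":"2016-08-02T15:08:00+00:00"}' % (ip, message, level))


# Constructed sample log: documentation-range addresses, made-up user names.
SAMPLE_LOG = (
    [entry("Login failed: 'admin' (Remote IP: '203.0.113.7')", "203.0.113.7")] * 3
    + [entry("Login failed: 'o'brien' (Remote IP: '198.51.100.4')", "198.51.100.4"),
       entry("Login failed: 'eve' (Remote IP: '2001:db8::1')", "2001:db8::1"),
       entry("Another core message", "198.51.100.9"),
       entry("Login failed: 'bob' (Remote IP: '198.51.100.9')", "198.51.100.9", 1)]
)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(failed_login_ip(line), "<-", line[:60])
    print("would be banned at maxretry=3:", offenders(SAMPLE_LOG))
```

On a real host, `fail2ban-regex` performs the same check with the actual filter file and the actual Nextcloud log.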
What about a checkbox in the Admin Area?
Would be great to have the filter from #493 (comment) somewhere documented. What would be the correct place for it?
After many failed login attempts it may be useful to block user accounts completely. This should probably be used in combination with #492 so IPs that logged in successfully in the past can also continue to log in in the future.
Also we should send out a mail with a link that allows a user to log in and bypass the limitation by trusting their IP by doing so.