Open JuKu opened 6 years ago
My proposal:
Whenever a user tries to log in:
This proposal theoretically allows a maximum of 432 wrong login tries per IP per day (and only 144 per IP per day without answering captchas), and immensely slows subnets trying with lots of IPs to brute-force an account, while still keeping the login trouble-free and not storing large amounts of data for a longer period of time.
Whether a brute force protection similar to this can be implemented for sessions (without the airbrake part) depends on issue #136 (where we need to decide whether to use PHP sessions or cookie sessions).
Add Brute Force Protection like Fail2Ban.
https://github.com/nextcloud/server/pull/479
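As an added illustration (not code from this issue or from Nextcloud), a failed-login tracker that uses the numbers in the post: a captcha after 144 failed tries per IP within a rolling day, a hard stop at 432, and growing delays for a /24 whose hosts keep failing, with records expiring after a day so little data is kept. The post's step list and its "airbrake" part are not on the page, so the captcha and subnet-delay policy below is an assumption, as are the `BruteForceGuard` name and the `/24` grouping.

```python
import time
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WINDOW = 24 * 3600          # rolling day, since the post counts tries per day
CAPTCHA_AFTER = 144         # failed tries per IP before a captcha is required (from the post)
HARD_LIMIT = 432            # maximum failed tries per IP per day (from the post)
SUBNET_DELAY_AFTER = 144    # assumption: /24 failures before responses are slowed
SUBNET_DELAY_STEP = 0.5     # assumption: extra seconds per SUBNET_DELAY_AFTER subnet failures


class BruteForceGuard:
    """Keeps failed-login timestamps per IP and per /24 and drops entries
    older than WINDOW, so the stored data stays small and short-lived."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.by_ip = defaultdict(deque)     # ip -> timestamps of failures
        self.by_net = defaultdict(deque)    # /24 -> timestamps of failures

    def _subnet(self, ip):
        # assumption: group by /24; IPv6 would need a different prefix length
        return str(ip_network(f"{ip_address(ip)}/24", strict=False))

    def _prune(self, q):
        cutoff = self.now() - WINDOW
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def record_failure(self, ip):
        t = self.now()
        self.by_ip[ip].append(t)
        self.by_net[self._subnet(ip)].append(t)

    def record_success(self, ip):
        # a real login clears the per-IP counter; the subnet counter still decays
        self.by_ip.pop(ip, None)

    def check(self, ip):
        """Return (allowed, captcha_required, delay_seconds) for a new attempt."""
        ip_fails = self._prune(self.by_ip.get(ip, deque()))
        net_fails = self._prune(self.by_net.get(self._subnet(ip), deque()))
        if ip_fails >= HARD_LIMIT:
            return (False, True, 0.0)
        captcha = ip_fails >= CAPTCHA_AFTER
        delay = SUBNET_DELAY_STEP * (net_fails // SUBNET_DELAY_AFTER)
        return (True, captcha, delay)
```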