Open Spudley opened 8 years ago
On the security side such blocking might have a benefit, yes. But on the other hand it also has the potential to lock out legitimate users, so I'm not sure whether completely blocking any login attempt for a user is the best possible thing to do.
The main target typically is the admin user - and that username should actually not exist anyway (as bfstop also warns about). Typically, the attacker shouldn't even know the actual usernames on a server. And if he does, it would, I guess, be better to change the username instead.
Just thinking out loud here, but maybe bfstop could send out a notification to the administrator and/or the affected user and tell him that there are currently attacks ongoing on his user account, and that, for increased security, he should change his login name?
Agreed, it does have the potential to block legitimate users. However, I've been specifically asked to implement the feature by the site owners, so they'll have to take responsibility for unblocking any users who get locked out. Personally I agree it's overkill, but this system is running within the kind of organisation where security does tend to be quite heavily implemented, so it's not really a surprise that they want this.
Thanks for considering it. :)
It could be an interesting extension, at least optionally. Unfortunately I really have very limited time at the moment. If you end up implementing this, and want to make it available to a wider audience, I'd be more than glad to incorporate it (of course with proper attribution).
Hi.
Is it possible to block the actual user account as well as the IP address?
The threat scenario here is a hacker using a botnet to try to break into a specific user's account. In this scenario blocking the IP address won't help much (it will limit the number of attempts from each machine on the botnet, but there would still be a lot of unblocked attempts). But blocking the user account after a certain number of failed logins would be much more effective.
Many thanks.
Simon C.
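To make the two positions in this thread concrete (per-IP blocking lets a botnet spread its guesses thinly across addresses, while per-account lockout stops that but can lock out the account's real owner), here is an added Python simulation; it is not bfstop code and not part of anyone's post. The attempt stream, the threshold of three failures and the two policy functions are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of login attempts as (source_ip, username, password_ok),
# in arrival order. Five botnet hosts each make three guesses against "admin";
# afterwards the real "admin" owner logs in from an unrelated address.
BOTNET = ["203.0.113.%d" % i for i in range(1, 6)]
ATTEMPTS = [(ip, "admin", False) for ip in BOTNET for _ in range(3)]
ATTEMPTS.append(("192.0.2.50", "admin", True))

THRESHOLD = 3  # failures tolerated before a key gets blocked (assumed value)


def run_policy(attempts, key_of, threshold=THRESHOLD):
    """Replay the attempts under a blocking policy keyed by key_of(ip, user).

    Returns (passwords_checked, outcome_of_last_attempt, blocked_keys).
    Attempts for a blocked key are rejected before the password is compared,
    so passwords_checked counts how many guesses the attacker really got."""
    failures = defaultdict(int)
    blocked = set()
    checked = 0
    last = None
    for ip, user, ok in attempts:
        key = key_of(ip, user)
        if key in blocked:
            last = "rejected: blocked"
            continue
        checked += 1  # the stored credential is actually compared here
        if ok:
            last = "login ok"
            continue
        last = "login failed"
        failures[key] += 1
        if failures[key] >= threshold:
            blocked.add(key)
    return checked, last, blocked


def per_ip(attempts):
    # Blocking keyed on the source address: each botnet host gets its own budget.
    return run_policy(attempts, lambda ip, user: ip)


def per_account(attempts):
    # The requested feature: blocking keyed on the username under attack.
    return run_policy(attempts, lambda ip, user: user)


if __name__ == "__main__":
    for name, policy in (("per-IP", per_ip), ("per-account", per_account)):
        checked, last, blocked = policy(ATTEMPTS)
        print(f"{name:12s} passwords checked: {checked:2d}  "
              f"blocked: {sorted(blocked)}  owner's login: {last}")
```

With per-IP blocking all 15 guesses reach the password check (each host stays under the threshold until its third failure) and the owner still gets in; with per-account lockout only 3 guesses are checked, but the owner's own correct login is rejected, which is exactly the trade-off discussed above.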