getgrav / grav-plugin-login

Grav Login Plugin
http://getgrav.org
MIT License

[Security] Login rate limiting with ipv6 is ineffective #204

Closed Rotzbua closed 5 years ago

Rotzbua commented 5 years ago

Topic: security Plugin-version: 2.8.3 PHP: independent Impact: medium

Observation

Rate limiting is used for login attempts. The login is blocked after a configured number of attempts has been made. To avoid a lockout of the user, a single login attempt per new IP is allowed even if the user is locked.

With IPv6, also only the IP is used. As a customer you get a complete /64 subnet from your internet provider. This means you can create 2^64 IPv6 addresses and use each of them once to try a password. So with IPv6, rate limiting does not work as suggested.

Solution

Block IPv6 subnets instead of single IPv6 addresses.
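The following is an added example (not code from the Grav login plugin or from the issue author) showing what the proposed fix looks like when a rate limiter keys failed attempts on an IPv6 prefix instead of a single address. IPv4 addresses and IPv4-mapped IPv6 addresses are keyed as-is; IPv6 addresses collapse to their /64. The prefix length, the `LoginRateLimiter` class and the constructed attacker address list are assumptions for illustration, and the simulation models the scenario from the report (each fresh address used exactly once).

```python
"""Rate-limit keying that treats a whole IPv6 /64 as one client (added example)."""
import ipaddress
from collections import defaultdict

# Assumption: residential delegations are commonly a /64, so that is the
# granularity at which an attacker can mint fresh addresses for free.
IPV6_PREFIX_LEN = 64


def rate_limit_key(ip: str, v6_prefix: int = IPV6_PREFIX_LEN) -> str:
    """Return the bucket key used to count failed logins for this client.

    IPv4 -> the address itself.
    IPv4-mapped IPv6 (::ffff:a.b.c.d) -> the embedded IPv4 address.
    Native IPv6 -> the enclosing /64 network, so every address an attacker
    can generate inside the delegated subnet shares one counter.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    if addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    network = ipaddress.ip_network(f"{addr}/{v6_prefix}", strict=False)
    return str(network)


def per_address_key(ip: str) -> str:
    """The weak keying described in the report: one counter per exact address."""
    return str(ipaddress.ip_address(ip))


class LoginRateLimiter:
    """Minimal failed-attempt counter keyed by a caller-supplied key function."""

    def __init__(self, max_attempts: int = 5, key_func=rate_limit_key):
        self.max_attempts = max_attempts
        self.key_func = key_func
        self.failures = defaultdict(int)

    def is_blocked(self, ip: str) -> bool:
        return self.failures[self.key_func(ip)] >= self.max_attempts

    def register_failure(self, ip: str) -> None:
        self.failures[self.key_func(ip)] += 1


def count_allowed_attempts(addresses, max_attempts: int = 5,
                           key_func=rate_limit_key) -> int:
    """Simulate an attacker who tries one wrong password from each address.

    Returns how many of those attempts the limiter let through.
    """
    limiter = LoginRateLimiter(max_attempts, key_func)
    allowed = 0
    for ip in addresses:
        if limiter.is_blocked(ip):
            continue
        allowed += 1
        limiter.register_failure(ip)
    return allowed


# Constructed sample: 20 distinct addresses inside one documentation /64.
ATTACKER_ADDRESSES = [f"2001:db8:85a3:1::{i:x}" for i in range(1, 21)]


if __name__ == "__main__":
    print("per-address keying allows:",
          count_allowed_attempts(ATTACKER_ADDRESSES, 5, per_address_key))
    print("per-/64 keying allows:   ",
          count_allowed_attempts(ATTACKER_ADDRESSES, 5, rate_limit_key))
```

With per-address keying every one of the 20 constructed addresses gets through, because each is "new"; with /64 keying the limiter stops after the configured five. The prefix length is a policy choice: /64 matches the common residential delegation, but a shorter prefix (e.g. /56 or /48) blocks more neighbours and a longer one lets an attacker regain free attempts, so it should be a configuration option rather than a hard-coded constant in a real plugin.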

rhukster commented 5 years ago

Good point, need to look at this.