iredmail / iRedAdmin

iRedMail Admin Panel (Open Source Edition)
https://www.iredmail.org/admin_panel.html
GNU General Public License v2.0

Captcha after third login try #16

Closed interduo closed 3 years ago

interduo commented 3 years ago

https://packagist.org/packages/dsoares/rcguard

Could you add a captcha after the third login try (to the Roundcube client and the admin panel) in the default install?

iredmail commented 3 years ago

Since iRedAdmin(-Pro) logs successful/failed logins to syslog, how about banning the client with Fail2ban?

interduo commented 3 years ago

Fail2ban is not good because many ISPs share IPs among many users. You could block access for other users.
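To make the trade-off in the two comments above concrete, here is an added example that is not part of this issue thread nor of iRedAdmin or iRedMail. It counts failed logins from a few constructed syslog-style lines (the `username=..., ip=...` layout is an assumption for the demo, not the real iRedAdmin log format) and compares a Fail2ban-style per-IP ban against a per-(account, IP) lockout at the "third try" threshold from the issue title:

```python
import re
from collections import defaultdict

# Constructed sample syslog-style lines. The message layout (username=..., ip=...)
# is an assumption for this demo, not the real iRedAdmin log format.
SAMPLE_LOG = """\
Jan 10 10:00:01 mail iredadmin: login failed, username=alice@example.com, ip=203.0.113.7
Jan 10 10:00:05 mail iredadmin: login failed, username=alice@example.com, ip=203.0.113.7
Jan 10 10:00:09 mail iredadmin: login failed, username=alice@example.com, ip=203.0.113.7
Jan 10 10:00:20 mail iredadmin: login failed, username=carol@example.com, ip=198.51.100.4
"""

LINE_RE = re.compile(
    r"login (?P<result>failed|success), username=(?P<user>\S+), ip=(?P<ip>\S+)$"
)
THRESHOLD = 3  # block on the third failed attempt, as requested in the issue


def parse_events(log_text):
    """Yield (result, user, ip) for every line that matches LINE_RE; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def by_ip(user, ip):
    """Fail2ban-style key: the source address only."""
    return ip


def by_user_ip(user, ip):
    """Per-account key: (username, ip), so other users behind the same NAT are unaffected."""
    return (user, ip)


def failure_counts(log_text, key):
    """Count failed logins grouped by key(user, ip).

    Only failures are counted; a real lockout would additionally expire the
    counter after a time window and reset it on a successful login.
    """
    counts = defaultdict(int)
    for result, user, ip in parse_events(log_text):
        if result == "failed":
            counts[key(user, ip)] += 1
    return dict(counts)


def is_blocked(log_text, user, ip, policy, threshold=THRESHOLD):
    """True if `user` from `ip` would be refused under `policy` ('ip' or 'user_ip')."""
    key = by_ip if policy == "ip" else by_user_ip
    counts = failure_counts(log_text, key)
    return counts.get(key(user, ip), 0) >= threshold


if __name__ == "__main__":
    # bob shares 203.0.113.7 with alice and has never failed a login himself.
    for policy in ("ip", "user_ip"):
        for user, ip in [("alice@example.com", "203.0.113.7"),
                         ("bob@example.com", "203.0.113.7"),
                         ("carol@example.com", "198.51.100.4")]:
            state = "blocked" if is_blocked(SAMPLE_LOG, user, ip, policy) else "allowed"
            print(f"{policy:8} {user:18} {ip:14} {state}")
```

Under the `ip` policy bob is refused although he never failed a login, which is exactly the shared-address problem raised above; under `user_ip` only alice's account from that address is locked, at the cost of not slowing down an attacker who rotates usernames.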

iredmail commented 3 years ago

How about TOTP as 2-factor authentication instead of captcha?

interduo commented 3 years ago

This should be an option next to captcha. It's a slightly different case. The captcha plugin is very easy to install, there is no need to teach users, and first of all no need to install any app on your phone.

iredmail commented 3 years ago

What I thought is, captcha doesn't actually prevent hacking by guessing the login username+password, although it slows down the process, but 2FA does.

Since rcguard is not an official plugin, we prefer not to enable it by default, because it may have compatibility issues after upgrading the Roundcube package, but the iRedMail team cannot help fix it as soon as possible.

Of course you're free to install it yourself. :)

iredmail commented 3 years ago

BTW, rcguard "requires reCAPTCHA API keys to work properly"; the iRedMail installer cannot get the API key for each installation, so it's impossible for the iRedMail installer to enable it for the sysadmin.

interduo commented 3 years ago

OK, I see your point now. The installer could ask for the API key; if you put in a key, enable rcguard.

> Since rcguard is not an official plugin, we prefer not to enable it by default, because it may have compatibility issues after upgrading the Roundcube package, but the iRedMail team cannot help fix it as soon as possible.

This plugin is in https://plugins.roundcube.net/#/packages/dsoares/rcguard - so it is not so official but approved.

iredmail commented 3 years ago

> OK, I see your point now. The installer could ask for the API key; if you put in a key, enable rcguard.

No.

> This plugin is in https://plugins.roundcube.net/#/packages/dsoares/rcguard - so it is not so official but approved.

I disagree. It's just a place to let third-party plugin developers upload and share their plugins; it doesn't mean the Roundcube team "approves" (or audits, or certifies) any of them.

Let's stop here please.