We should signal the server about failed login attempts with an HTTP header,
either with Status or otherwise. Currently we have no real way of tracking
failed logins; there isn't even a dedicated URL to check for requests.
This would allow people to track failed login attempts and prevent brute force
attacks. Tools such as Fail2Ban can be set to track Apache's error logs.
The headers we could send are a custom one (X-Textpattern-AuthAttempt:
LoginFailure), or status 401 or 403. Each would allow proper logging and
greatly enhance login security.
Original issue reported on code.google.com by jukka.m.svahn on 10 Mar 2014 at 11:19