nextcloud / bruteforcesettings

🕵 Allow admins to configure the brute force settings
https://apps.nextcloud.com/apps/bruteforcesettings
GNU Affero General Public License v3.0

Logged in Admins should never have their IP considered for brute force blacklisting #688

Open Oclair opened 1 week ago

Oclair commented 1 week ago

If a user is already logged in as an Admin, it's already too late. Why is the logic not yet fully vetted, yet the system is deployed into stable deployment?

Seriously, I needed to add an App for a message like this?

Oclair commented 1 week ago

Is the IP of a logged in Admin always whitelisted?

There is no logic in the code to prevent logged-in Administrators at that particular IP from being throttled, is there?

For example, an Admin has two accounts logged in from a single IP on different browsers and desktop clients, and one of those logins is an admin account.

isdnfan commented 1 week ago

The topic was posted at https://help.nextcloud.com/t/brute-force-system-throttles-the-ips-of-logged-in-admins/210442 too, and as discussed there, brute-force protection doesn't apply to users but to IPs, and it's completely wrong to exclude admins from security measures like brute-force protection.