xperseguers / t3ext-ig_ldap_sso_auth

TYPO3 Extension ig_ldap_sso_auth. This extension provides LDAP and SSO support for TYPO3.
https://extensions.typo3.org/extension/ig_ldap_sso_auth

Fail to Ban or something to stop bruteforce attacks on Frontend logins #113

Open Schwuuuuup opened 3 years ago

Schwuuuuup commented 3 years ago

Hi,

as far as I know, there is no limit on login attempts on the frontend.

In our case, the userbase for frontend and backend is the same, with a huge overlap between BE and FE users, so both authenticate against the same LDAP.

I was asked what would happen if anyone would bruteforce the login, and unfortunately, it seems there is nothing. Is there a way to do so or could it be added to ig_ldap_sso_auth?

Best Regards TOM

xperseguers commented 3 years ago

I feel like this is something outside of the scope of this extension as it makes sense regardless of the authentication (local, LDAP, ...) and as such it should better be implemented as another layer, maybe inspired by this old extension: https://extensions.typo3.org/extension/sysfire_failban/

Schwuuuuup commented 3 years ago

Maybe this is out of the scope of this extension, but sysfire_failban is really an old extension. In my opinion it should be part of the core...