Account lockout on multiple password failure?
glebaron #1
Member since Feb 2009 · 1 post
Group memberships: Members
Subject: Account lockout on multiple password failure?
Is there any way to lock out an account based on too many failed password attempts?
This post was edited on 2009-02-25, 17:17 by glebaron.
andi (Administrator) #2
User title: splitbrain
Member since May 2006 · 3422 posts · Location: Berlin Germany
Group memberships: Administrators, Members
No, and that's a really bad idea. How would you like it if I could lock you out of *your* account by simply entering a bad password?
Read this if you don't get any useful answers.
stuartn #3
Member since Jun 2018 · 1 post · Location: Reading, England
Group memberships: Members
There is a use-case for this.

In our case, we're setting up an Internet-based Wiki for internal company use.
Currently, if a username becomes known, and is targeted by a brute-force attack, the administrator isn't going to know about it.

If on the other hand, the account gets locked out, then the administrator will:
a) get to know about it, when the user can't get in
b) be able to unlock the account (assuming they still have access)
c) if they lose access too, will be able to reset it on the server by some file-hack.

The attacker will see that it's not worth pursuing this attack, and will stop trying.
cziehr #4
Member since Jan 2011 · 570 posts · Location: 10119 Berlin
Group memberships: Members
Maybe it is possible to use fail2ban with dokuwiki for this use case, but this would require an additional plugin to be written.

https://en.wikipedia.org/wiki/Fail2ban
schplurtz (Moderator) #5
Member since Nov 2009 · 427 posts · Location: France, Finistère
Group memberships: Global Moderators, Members
Hi,

> but this would require an additional plugin to be written.

Done ;-). The same question arose back in 2015 in the French forum. Wild-Dagger wanted to use fail2ban. At that time I wrote a Q&D plugin that would log the remote IP and the tried user name when the login attempt was not successful.

Find the "latest version" here : https://forum.dokuwiki.org/post/61534 .

Only manual install:
Just unzip it in lib/plugins. There must be a directory lib/plugins/logbadlogin when you're done.
In dokuwiki, go to admin then config-parameters. Find logbadlogin and adjust the logfile name.

You then have to set fail2ban up so it uses this log file and temporarily bans whatever villains are trying brute force attacks on your wiki.
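Added example, not part of any post above and not the plugin's or fail2ban's own code: a small Python model of the threshold logic discussed in this thread, run over a constructed failed-login log, comparing a per-IP ban (the fail2ban approach, `maxretry` failures within `findtime`) with a per-account lockout. The log line format, the `tripped` function and the sample addresses and users are assumptions; the plugin's real log format is not shown here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASSUMED line format; the plugin's real log format is not shown in this thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) bad login from "
    r"(?P<ip>[0-9A-Fa-f:.]+) user=(?P<user>\S+)$"
)

# Constructed sample log (documentation IP ranges, made-up users), oldest first.
SAMPLE_LOG = """\
2019-05-25 19:30:01 bad login from 203.0.113.7 user=alice
2019-05-25 19:30:03 bad login from 203.0.113.7 user=alice
2019-05-25 19:30:05 bad login from 198.51.100.20 user=alice
2019-05-25 19:30:06 bad login from 203.0.113.7 user=alice
this line is malformed and must be skipped
2019-05-25 19:30:09 bad login from 203.0.113.7 user=bob
2019-05-25 19:30:12 bad login from 203.0.113.7 user=alice
2019-05-25 20:45:00 bad login from 198.51.100.20 user=alice
"""

def tripped(log_text, key, maxretry=5, findtime=timedelta(minutes=10)):
    """Map each IP (key="ip") or account (key="user") that reaches maxretry
    failures within findtime to the timestamp of the failure that tripped it."""
    recent = defaultdict(deque)   # key value -> failure times still in the window
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m[key] in hits:   # skip malformed lines and already-tripped keys
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m[key]]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            hits[m[key]] = m["ts"]
    return hits

if __name__ == "__main__":
    print("IP-keyed ban (fail2ban style):", tripped(SAMPLE_LOG, "ip"))
    print("Account-keyed lockout:", tripped(SAMPLE_LOG, "user"))
```

On the sample, keying on the IP trips only 203.0.113.7, while keying on the account trips alice, including for her own later attempt from 198.51.100.20.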