Disable account after x login retries

3zero2
New user
Posts: 8
Joined: 2006-01-05 16:31

Post by 3zero2 » 2006-01-05 16:35

Hi all,

I am using hMailServer with Roundcube, and using a brute force attack it is possible to make lots of attacks per minute, therefore it would be really useful to limit the number of retries.

Is it possible to have an account disabled after an amount of unsuccessful login retries? Also, the account could be disabled temporarily for a number of minutes.

Thanks for your time.

Regards,
Joshua Bugeja

cmurphy54
Senior user
Posts: 550
Joined: 2004-09-25 22:11
Location: Atlanta, GA

Post by cmurphy54 » 2006-01-05 16:47

This is not currently possible with hMailServer, although it sounds like a very useful feature, so I'd add it to the feature requests.

You could hack something together using a separate program that monitors the log file and then locks the account after x failed attempts (using an OnClientConnect event) if you are really worried about it, but it would be nicer if this were directly integrated into hMailServer.
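One way to build the separate log-monitoring program described above, as an added example that is not part of this thread or of hMailServer itself: it counts failed logins per account inside a sliding window and locks the account for a limited time once the threshold is reached. The log line format, the threshold (5), the window (10 minutes) and the lock duration (15 minutes) are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumed for this example, not hMailServer's own): "<ISO ts> LOGIN FAILED user=<account> ip=<address>"
FAILED_RE = re.compile(r"^(?P<ts>\S+) LOGIN FAILED user=(?P<user>\S+) ip=\S+$")

class LockoutTracker:
    def __init__(self, max_failures=5, window_minutes=10, lock_minutes=15):
        self.max_failures = max_failures
        self.window = timedelta(minutes=window_minutes)
        self.lock_duration = timedelta(minutes=lock_minutes)
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lock expires

    def is_locked(self, user, now):
        if isinstance(now, str):  # accept an ISO timestamp as well as a datetime
            now = datetime.fromisoformat(now)
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Register one failed login; return True if it triggered a new lock."""
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures and not self.is_locked(user, now):
            self.locked_until[user] = now + self.lock_duration
            recent.clear()  # counting restarts once the lock has expired
            return True
        return False

def process_log(lines, **settings):
    tracker, locked = LockoutTracker(**settings), []
    for m in filter(None, (FAILED_RE.match(line.strip()) for line in lines)):
        if tracker.record_failure(m.group("user"), datetime.fromisoformat(m.group("ts"))):
            locked.append(m.group("user"))
    return tracker, locked

# Constructed sample: one stale alice failure (outside the window), then five quick ones (the fifth locks the account), with one bob failure in between.
SAMPLE_LOG = [
    "2006-01-05T11:30:00 LOGIN FAILED user=alice ip=203.0.113.5",
    "2006-01-05T12:00:00 LOGIN FAILED user=alice ip=203.0.113.5",
    "2006-01-05T12:00:10 LOGIN FAILED user=alice ip=203.0.113.5",
    "2006-01-05T12:00:15 LOGIN FAILED user=bob ip=198.51.100.7",
    "2006-01-05T12:00:20 LOGIN FAILED user=alice ip=203.0.113.5",
    "2006-01-05T12:00:30 LOGIN FAILED user=alice ip=203.0.113.5",
    "2006-01-05T12:00:40 LOGIN FAILED user=alice ip=203.0.113.5",
]
```

In a real deployment the `locked_until` result would drive the lock action (the OnClientConnect check mentioned above, or a direct account disable), and the window keeps a single stale failure from counting against a legitimate user.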

3zero2
New user
Posts: 8
Joined: 2006-01-05 16:31

Post by 3zero2 » 2006-01-05 16:53

Thanks for your reply, cmurphy.

I can either do as you described or else somehow limit the number of connections Apache accepts (since this is web based). Since I'm not a master in either Apache or hMail, both are going to require some effort.

Will keep you all updated with my progress.

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2006-01-05 16:57

(If it's a web-based system I think it would make more sense to put the logic to prevent attacks in the web layer, but I agree that it's a good idea for a feature.)

There's already a feature request for it here:
http://www.hmailserver.com/forum/viewtopic.php?t=2542

3zero2
New user
Posts: 8
Joined: 2006-01-05 16:31

Post by 3zero2 » 2006-01-08 00:59

Sort of solved the problem in Roundcube (and PHPWebAdmin) by introducing a ten second delay if login fails. It should not bother a legitimate user too much, and it should make brute force attackers give up.
