Implement Brute Force Protection for BE and FE login
It should be possible to implement such a protection using hooks in our authentication.
This is not critical, but nice to have, as we provide quite some services to t3org accounts.
From https://forge.typo3.org/issues/55944
Hi Christian,
thanks for looking into this.
First off: The main goal of my request is to protect user accounts because a compromised account can cause a lot of issues, especially for "valuable" accounts with lots of permissions bound to it.
Brute force protection consists of three parts:
- Monitoring
- Detection of "irregular" patterns
- Notifications or other actions based on these patterns

Christian Zenker wrote:

> Brute Forcing an account: An attacker tries to get access to a specific account. Easy to detect by number of failed logins for a specific username.

A specific username, may it exist or not.

> Brute Forcing any account (single IP): An attacker tries to get access to any account. Easy to detect by number of failed logins by IP.
> Brute Forcing any account (multiple IPs): Multiple attackers try to get access to any account. Detection hard to impossible.

From my understanding, these two do not differ too much and do not necessarily need to be distinguished when creating a pattern. Regarding the main goal I mentioned above they are also not so relevant, if we assume that users have reasonable passwords. They are of course relevant if we also want to protect accounts with (very) weak passwords (which could be implemented on top).
Regarding the possibility to detect these scenarios: If we implemented monitoring of failed login attempts and built metrics from this data, I think it would still be possible to detect deviations from "normal" patterns and at least notify admins.
But I agree that this would involve quite some work.
> Counter Measures
> - Blocking username. Problem: A malicious attacker could easily block access to a user account.
> - Blocking IPs. Problem: Proxies aka. company networks
> - Captchas. Problem: Heavy logic and deep integration in extension if you want them optional for only some users/IPs.
> - Regularly changing passwords. Problem: user acceptance.
> - Authentication delay aka "Wait 3 seconds before showing a result". Problem: does not work for parallelized attacks. Possible DOS on webserver.
>
> Should admin accounts also be affected? Should there be a whitelist of IPs? Should there be a way to "unblock" users/ips? Who takes care of this?
>
> It's really hard to do this right (I would even say it is impossible). So what do you expect from a solution? How much user convenience are we willing to sacrifice?
Yes, it involves work. Is it possible to make it 100% secure? No. This is not possible at all, for nothing. Can we implement a solution that mitigates most of the attack vectors and does not involve 10 people constantly watching failed login patterns 24/7? I absolutely think so.
If we focus on protecting single accounts I would suggest following countermeasures:
- Log and count failed logins of (valid/existing) user accounts (mandatory)
- Reset the counter after a certain period of time and after a successful login. (mandatory)
- Present a captcha after 5 failed logins (optional but makes sense)
- Block access to the account after 10 failed logins and at the same time inform the account owner by mail about that with a link to re-activate the account (mandatory)

Is this perfect? Probably not. But it is much better than nothing and users are only bothered when really something strange is going on.

> Also, are you aware of any TYPO3 extensions that could be used? Other frameworks/infrastructure that might help?
Unfortunately not. A quick search revealed https://github.com/codeconsortium/CCDNUserSecurityBundle which might be interesting, but I have not looked at it.
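The four countermeasures proposed in this reply (count failures of existing accounts only, reset on time and on success, captcha at 5, block at 10 with a mailed re-activation link), as an added Python sketch that is not TYPO3 code and not from the thread. It assumes an in-memory state store, an injectable clock, and a `notify(username, token)` callback standing in for the mail that carries the re-activation link.

```python
import secrets, time
from dataclasses import dataclass
from hmac import compare_digest

CAPTCHA_AFTER, BLOCK_AFTER, RESET_WINDOW = 5, 10, 3600   # failures, failures, seconds

@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0
    unblock_token: str = ""   # non-empty only while the account is blocked

class BruteForceGuard:  # per-account failed-login counter; only existing accounts count
    def __init__(self, known_users, notify, now=time.time):
        self.known_users = set(known_users)
        self.notify = notify   # assumed callback(username, token): mails the re-activation link
        self.now = now         # injectable clock so the reset window can be tested
        self.state = {}        # assumed in-memory store; a real deployment persists this
    def _state(self, username):
        st = self.state.setdefault(username, AccountState())
        if not st.unblock_token and self.now() - st.last_failure > RESET_WINDOW:
            st.failures = 0    # counter reset after a period of time (never while blocked)
        return st
    def check(self, username):  # decision for the next attempt
        if username not in self.known_users:
            return "allow"     # non-existing names are not counted, as proposed
        st = self._state(username)
        if st.unblock_token:
            return "blocked"
        return "captcha" if st.failures >= CAPTCHA_AFTER else "allow"
    def record_failure(self, username):  # returns the decision for the next attempt
        if username not in self.known_users or self.check(username) == "blocked":
            return self.check(username)
        st = self._state(username)
        st.failures, st.last_failure = st.failures + 1, self.now()
        if st.failures >= BLOCK_AFTER:
            st.unblock_token = secrets.token_urlsafe(32)
            self.notify(username, st.unblock_token)   # inform the owner by mail
        return self.check(username)
    def record_success(self, username):
        st = self.state.get(username)
        if st is not None and not st.unblock_token:
            st.failures = 0    # counter reset after a successful login
    def reactivate(self, username, token):  # owner followed the mailed link
        st = self.state.get(username)
        if st is None or not st.unblock_token or not compare_digest(st.unblock_token, token):
            return False
        self.state[username] = AccountState()
        return True
```

Because only existing accounts ever reach the captcha or block state, the differing response reveals which usernames exist; if that enumeration matters, apply the same captcha threshold to unknown names as well.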
Hi Helmut.
I'd like to ask for some of your ideas on details.
Attack Scenarios
- Brute Forcing an account: An attacker tries to get access to a specific account. Easy to detect by number of failed logins for a specific username.
- Brute Forcing any account (single IP): An attacker tries to get access to any account. Easy to detect by number of failed logins by IP.
- Brute Forcing any account (multiple IPs): Multiple attackers try to get access to any account. Detection hard to impossible.
Anything else?

Counter Measures
- Blocking username. Problem: A malicious attacker could easily block access to a user account.
- Blocking IPs. Problem: Proxies aka. company networks
- Captchas. Problem: Heavy logic and deep integration in extension if you want them optional for only some users/IPs.
- Regularly changing passwords. Problem: user acceptance.
- Authentication delay aka "Wait 3 seconds before showing a result". Problem: does not work for parallelized attacks. Possible DOS on webserver.
Anything else?

Other problems
- Should admin accounts also be affected?
- Should there be a whitelist of IPs?
- Should there be a way to "unblock" users/ips?
- Who takes care of this?
Anything else?

Sum up
It's really hard to do this right (I would even say it is impossible). So what do you expect from a solution? How much user convenience are we willing to sacrifice?
Also, are you aware of any TYPO3 extensions that could be used? Other frameworks/infrastructure that might help?
Further reading/ideas
- https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Brute_Force_Login
- https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks