Hello everybody,

I have uploaded a new release of the userauth module: version 2.0-stable8.

This version incorporates a mechanism against bruteforce attacks on the login, as raised by Christophe in [1]. The protection is enabled by default, with the intention to get the "full" security out of the box. I have chosen the parameters such that it will allow at most 100 failed logins on one client IP (or one username; checked in parallel) within 30 days. After encountering that limit, every login on that IP or username is blocked until the failed login attempts have aged sufficiently.

Below is the full list of configuration vars.

Let me know if you encounter problems.

ThomasP

(Note for upgrading from stable7: only userauth2.php has been changed, and a new file userauth2/userauth2-bruteforce.php has been added.)

----
SDV($UA2EnableBruteForceProtect, true);
SDV($FailedLoginsLogDir, "cookbook/userauth2/failed_login_attempts");
SDV($FailedLoginsLimitUser, 100);
SDV($FailedLoginsTimeframeUser, 30*86400);  // in secs; default: 30 days
SDV($FailedLoginsLimitIp, 100);
SDV($FailedLoginsTimeframeIp, 30*86400);

(The implementation follows more or less what I had drawn up in the followup discussion to [1].)
----

[1] http://article.gmane.org/gmane.comp.web.wiki.pmwiki.user/45550
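
The limit described in the message above, sketched as an added example (not code from userauth2 and not the author's implementation): a sliding-window counter keyed by client IP and by username, where either counter can block a login. The class name FailedLoginWindow, its in-memory storage and the demo values are assumptions; the four constructor parameters mirror the $FailedLogins* settings. Requires PHP 8.

```php
<?php
// Added illustration; NOT the code of userauth2-bruteforce.php.
// Hypothetical class: failures are held in memory here, whereas the module
// keeps its records under $FailedLoginsLogDir.
final class FailedLoginWindow
{
    /** @var array<string, int[]> failure timestamps per key ("ip:..." or "user:...") */
    private array $failures = [];

    public function __construct(
        private int $limitUser = 100,            // cf. $FailedLoginsLimitUser
        private int $timeframeUser = 30 * 86400, // cf. $FailedLoginsTimeframeUser (secs)
        private int $limitIp = 100,              // cf. $FailedLoginsLimitIp
        private int $timeframeIp = 30 * 86400    // cf. $FailedLoginsTimeframeIp (secs)
    ) {}

    // Count failures for $key younger than $timeframe and drop the aged ones.
    private function recent(string $key, int $timeframe, int $now): int
    {
        $kept = array_values(array_filter(
            $this->failures[$key] ?? [],
            fn (int $t): bool => $t > $now - $timeframe
        ));
        $this->failures[$key] = $kept;
        return count($kept);
    }

    // Both counters are consulted on every attempt; reaching either limit blocks.
    public function isBlocked(string $ip, string $user, int $now): bool
    {
        return $this->recent("ip:$ip", $this->timeframeIp, $now) >= $this->limitIp
            || $this->recent("user:$user", $this->timeframeUser, $now) >= $this->limitUser;
    }

    // A failed login counts against the client IP and the username alike.
    public function recordFailure(string $ip, string $user, int $now): void
    {
        $this->failures["ip:$ip"][] = $now;
        $this->failures["user:$user"][] = $now;
    }
}

// Constructed demo with small limits: 3 failures per key within 60 seconds.
$w = new FailedLoginWindow(3, 60, 3, 60);
foreach ([0, 10, 20] as $t) {
    $w->recordFailure('192.0.2.7', 'alice', $t);
}
var_dump($w->isBlocked('192.0.2.7', 'bob', 30));      // same IP, other username
var_dump($w->isBlocked('198.51.100.9', 'alice', 30)); // other IP, same username
var_dump($w->isBlocked('192.0.2.7', 'alice', 61));    // after the oldest failure has left the window
```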