Having this file is awesome. I will write a few lines of code to add this to my security report. Just one question: I tested a failed login myself because my file was fortunately empty. The file format looks like this:

ip 1 1370164406

I assume the one is the number of attempts and the long number is a timestamp.

On Sun, Jun 2, 2013 at 5:16 AM, LightDot <light...@gmail.com> wrote:
> Fail2ban is a popular Python program that monitors log files for failed
> login attempts and blocks "visitors", no need to write a new one from
> scratch. Assuming you use a Linux server, it should be available as a
> package. It's quite versatile.
>
> Regards,
> Ales
>
>
> On Saturday, June 1, 2013 11:28:03 PM UTC+2, BlueShadow wrote:
>
>> How the ssh tunnel is probably the best and only real secure option. If
>> anyone can point me towards a tutorial for this would be awesome.
>> Thinking about another solution: how about adding a username. This would
>> make bruteforce even harder. As far as my novice knowledge goes, servers like
>> Apache and nginx... record all requests. Writing a script catching all
>> requests to appadmin login shouldn't be too hard to write. Now one could use
>> a cronjob to check that list every 5 min for example. If the login page is
>> called more than 5 times: block access to appadmin for 20 min.
>> Those are just my thoughts, I haven't tested any of this. And I'm not sure
>> if it would work.
>> On 01.06.2013 22:56, "BlueShadow" <kevin....@gmail.com> wrote:
>>
>>> Hi,
>>> Overall web2py is pretty safe as far as I know.
>>> https://scanmyserver.com/ shows for my web2py app 6 "low priority"
>>> risks. As far as I'm concerned they are very low priority but since I
>>> started to record all errors (code 400 404 500) in a database table I get
>>> a little concerned since my very small site gets on some days 20 attacks.
>>> They are pretty primitive as far as I can tell. Trying to call admin page
>>> or /wp-login ... trying to add code after the url...
>>> So my concern is not the site itself but the appadmin. It is only
>>> protected by a password and as far as I can tell there is no brute force
>>> protection like a timeout after 3 or five misspelled passwords.
>>> I don't know if I'm just paranoid but I can't record if there are
>>> attempts to access appadmin and there is no timeout for the password.
>>> I would welcome your thoughts on this issue.
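
The file layout shown in the top reply (`ip 1 1370164406`), parsed into report lines. This is an added example, not code from the thread or from web2py; it assumes, as the poster does, that the second field is the attempt count and the third a Unix timestamp. The sample addresses, the `threshold` cut-off and the function names are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample in the "ip attempts timestamp" layout from the top reply.
# Addresses are documentation-range placeholders; line 3 is deliberately malformed.
SAMPLE = """\
192.0.2.10 1 1370164406
203.0.113.7 12 1370164500
not-a-valid-line
198.51.100.23 4 1370160000
"""

def parse_failed_logins(text):
    """Return (records, skipped). Assumes field 2 = attempts, field 3 = Unix time."""
    records, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # ignore blank lines
        try:
            ip, attempts, ts = fields  # wrong field count raises ValueError
            records.append({
                "ip": str(ipaddress.ip_address(ip)),  # reject anything that is not an IP
                "attempts": int(attempts),
                "last_seen": datetime.fromtimestamp(int(ts), tz=timezone.utc),
            })
        except (ValueError, OverflowError, OSError):
            skipped.append(lineno)  # keep the line number so the report can mention it
    return records, skipped

def report(text, threshold=5):
    """Build report lines, most attempts first; threshold is a hypothetical cut-off."""
    records, skipped = parse_failed_logins(text)
    lines = []
    for r in sorted(records, key=lambda r: r["attempts"], reverse=True):
        flag = "  <-- review" if r["attempts"] >= threshold else ""
        lines.append("%-15s %3d  %s%s" % (
            r["ip"], r["attempts"],
            r["last_seen"].strftime("%Y-%m-%d %H:%M:%S UTC"), flag))
    if skipped:
        lines.append("skipped malformed lines: %s" % ", ".join(map(str, skipped)))
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

The timestamp quoted in the thread, 1370164406, decodes to 2013-06-02 09:13:26 UTC, which matches the date of the message.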