A more usual solution to this issue is to insert a delay after the third and subsequent failures. You, of course, need a policy for removing the delay (successful login or N minutes following the last attempt).
On Fri, 13 Jan 2006, Florent Guillaume wrote:
> Håkan Johansson wrote:
> > I want to be able to block a user from logging in if he fails to give
> > the right login/password three times in a row.
>
> You're aware that this allows anyone to trivially DoS your users, right?
> If you take the precaution of matching with the IP, it still will harm
> people logging in through corporate or ISP proxies. Which, admittedly,
> may not be a problem in an intranet setting.
>
> Florent
>
> > The problem is that I don't know how to do this.
> >
> > First, I need to know if an attempt failed. This, I have no idea how to do.
> >
> > Second, I need to block the user without deleting him. One problem here
> > is that the user can write different login names for the different login
> > attempts. We have been thinking about blocking the offender's IP for 30
> > minutes or so and leave it at that. It seems to me that
> > SiteAccess.AccessRule could be used for that, but I haven't looked much
> > into it yet. The documentation is extremely light.
> >
> >
> > I have a very clean Zope 2.8.4 installation on a SuSE linux machine.
> > Logins are handled in the standard Zope way, nothing special added.
> > The Zope is running as a stand-alone server, i.e. no Apache at all.
> >
> >
> > Another thing: How do I get Zope to log failed authentication attempts?
> > Neither event.log nor Z2.log shows anything. As Z2.log is the access log,
> > I would have guessed that such things should be logged there. If not,
> > where and how?
> >
> > --

_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
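The delay policy from the reply above (no penalty for the first three failures, a delay after the third and subsequent ones, lifted on a successful login or N minutes after the last attempt), as an added example that is not code from the original thread and not part of Zope. The class and function names, the doubling delay schedule, the 60-second cap and the 15-minute reset are assumptions made for this illustration; it goes slightly beyond the reply by growing the delay with each further failure instead of using one fixed delay, and by letting the caller inject a clock so the expiry rule can be exercised without waiting.

```python
import time
from dataclasses import dataclass


@dataclass
class _Record:
    """Failure history for one key (constructed for this example)."""
    failures: int = 0
    last_attempt: float = 0.0


class LoginThrottle:
    """Track failed logins per key and compute a delay to insert after the
    third and subsequent failures. History is forgotten on a successful
    login or once `reset_after` seconds have passed since the last attempt.

    `clock` is injectable (default: time.monotonic) so tests can advance time.
    """

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=60.0,
                 reset_after=15 * 60, clock=time.monotonic):
        self.free_attempts = free_attempts   # failures allowed without delay
        self.base_delay = base_delay         # seconds after the 3rd failure
        self.max_delay = max_delay           # cap on the growing delay
        self.reset_after = reset_after       # "N minutes" since last attempt
        self._clock = clock
        self._records = {}

    def _get(self, key):
        """Return the live record for key, dropping it if it has expired."""
        rec = self._records.get(key)
        if rec is not None and self._clock() - rec.last_attempt >= self.reset_after:
            del self._records[key]
            rec = None
        return rec

    def delay_for(self, key):
        """Seconds to wait before answering the next attempt for key."""
        rec = self._get(key)
        if rec is None or rec.failures < self.free_attempts:
            return 0.0
        extra = rec.failures - self.free_attempts  # 0 on the 4th attempt
        return min(self.base_delay * (2 ** extra), self.max_delay)

    def record_failure(self, key):
        """Count one failed attempt; returns the new failure count."""
        rec = self._get(key) or _Record()
        rec.failures += 1
        rec.last_attempt = self._clock()
        self._records[key] = rec
        return rec.failures

    def record_success(self, key):
        """A successful login removes the delay."""
        self._records.pop(key, None)


def check_login(throttle, key, password_ok):
    """Apply the policy around an authentication result.

    The delay is computed before the result is acted on, so a correct and an
    incorrect password are both answered after the same pause.
    Returns (allowed, delay_seconds); the caller sleeps for `delay_seconds`.
    """
    delay = throttle.delay_for(key)
    if password_ok:
        throttle.record_success(key)
        return True, delay
    throttle.record_failure(key)
    return False, delay


if __name__ == "__main__":
    # Constructed demo: three free failures, then growing delays.
    th = LoginThrottle()
    for ok in (False, False, False, False, False, True):
        print(check_login(th, "demo-user", ok))
```

Which value to use as `key` is the trade-off Florent raises: keying on the username alone lets anyone impose the delay on that user, keying on the client address punishes everyone behind a shared proxy. Because this is a bounded delay rather than a hard lockout, either choice only slows the legitimate user down instead of locking them out.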