What | Removed | Added |
---|---|---|
CC | nicolas.evrard@b2ck.com |
Hello everyone, I am glad to have a 3rd party look over this issue that was met with so much hostility. I am not here to start again a feud with Axel or Luis (in fact I suggested to Axel to start a discussion here about this issue). Yet I have some criticism regarding Luis' solution.

The original patch removed the exponential wait process we had (against brute force attacks); that was its main issue. I am glad to see that Luis is ready to drop this part of the patch.

Let me explain why we are keeping the records in the database and why we want to keep it this way. First of all, you could have multiple trytond instances running on different computers sharing only the database, so storing the number of failed logins in the database is a natural solution. We also have to keep in mind that trytond can run in multiple environments: Linux, BSD, and there might even be a few people using Windows; of course this doesn't concern openSUSE, but it concerns us. The proposed solution will have to work on those platforms. I don't know about the status of systemd on OpenBSD, but I am afraid it does not work at all ;).

A solution to mitigate the growth of the LoginAttempt table might be to keep track of the IP making the attempt and keep at most X attempts from the same IP. In fact, after some research, it seems that this is the solution that Drupal chose: https://api.drupal.org/api/drupal/modules!user!user.module/function/user_login_authenticate_validate/7.x

About the "failed_login_timeout" parameter, I think it is not a good idea as it removes the whole brute force protection mechanism that we have. Moreover, you skip the wait after max_attempt attempts have been made (by default 5); thus people will wait (with the default settings) a maximum of 32 seconds after their fifth wrong login attempt. This seems reasonable given the fact that people have already given a wrong password 5 times.
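The mechanism the comment above defends (failed attempts kept in a shared store, an exponential wait that tops out at 32 seconds after the fifth failure, and a per-IP cap on stored rows to bound table growth) can be sketched as follows. This is an added example, not trytond's LoginAttempt code, and it makes assumptions the thread does not state: attempts are counted per login name, the wait before the n-th retry is 2**n seconds capped at 2**max_attempt, rows are pruned oldest-first per IP, and the in-memory list stands in for the database table that several trytond instances would share. The `check_password` callable and the `max_per_ip` parameter are placeholders introduced here.

```python
"""Illustrative login-throttling store (added example, not trytond's code).

Assumptions, not taken from the bug thread: attempts are counted per login
name, the wait before the n-th retry is 2**n seconds capped at max_attempt,
and stored rows are capped per source IP to bound table growth.
"""
import time


class LoginAttemptStore:
    """In-memory stand-in for a LoginAttempt table.

    Each row is (timestamp, login, ip). A real deployment keeps these in the
    database so that every trytond instance sees the same counters.
    """

    def __init__(self, max_attempt=5, max_per_ip=10):
        self.max_attempt = max_attempt   # assumed default 5, as in the comment
        self.max_per_ip = max_per_ip     # assumed cap "X" on rows per IP
        self._rows = []

    def add_failure(self, login, ip, now=None):
        """Record a failed login, then drop the oldest rows of the same IP
        beyond max_per_ip so one source cannot grow the table without bound."""
        now = time.time() if now is None else now
        self._rows.append((now, login, ip))
        same_ip = [r for r in self._rows if r[2] == ip]
        excess = len(same_ip) - self.max_per_ip
        if excess > 0:
            for row in sorted(same_ip)[:excess]:
                self._rows.remove(row)

    def clear(self, login):
        """Forget all failures for a login after a successful authentication."""
        self._rows = [r for r in self._rows if r[1] != login]

    def count(self, login):
        return sum(1 for r in self._rows if r[1] == login)

    def count_ip(self, ip):
        return sum(1 for r in self._rows if r[2] == ip)

    def delay_for(self, login):
        """Seconds to wait before answering the next attempt for this login:
        0 with no failures; 2, 4, 8, 16, 32 after the 1st..5th failure; and
        never more than 2**max_attempt (32 s with the default of 5)."""
        n = self.count(login)
        if n == 0:
            return 0
        return 2 ** min(n, self.max_attempt)


def authenticate(store, login, password, ip, check_password, sleep=time.sleep):
    """Apply the exponential wait, then check the credentials.

    check_password(login, password) is a placeholder for the real check. The
    wait is paid before the check, so a wrong guess costs the attacker the
    delay whatever the outcome; `sleep` is injectable so tests need not wait.
    """
    delay = store.delay_for(login)
    if delay:
        sleep(delay)
    if check_password(login, password):
        store.clear(login)
        return True
    store.add_failure(login, ip)
    return False
```

One caveat the per-IP cap introduces: because the cap prunes rows that are also the attempt counter, a `max_per_ip` smaller than `max_attempt` silently shortens the backoff for attackers coming from a single address, so the cap should be at least as large as `max_attempt` (ideally several times larger, since one IP may be shared by many legitimate users behind NAT).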