Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.0.0
    • Fix Version/s: Long Term
    • Component/s: None
    • Labels:
      None

      Description

      Currently the system only logs login attempts with a valid username. Instead, the system should log all login attempts whether the username exists or not.

The system currently limits login attempts to 10 per hour per IP; however, this limit only applies to existing usernames. Attempts to log in with usernames that do not exist are not bound by this restriction, so an attacker could potentially learn which usernames are valid: after 10 attempts against an existing username the system returns the "blocked" error message, while a non-existent username never triggers it.

To correct the issue, the log_users table should be updated to record the username that was attempted, with user_id set to '0' to indicate no match on user ID. Then Users::login() must be updated to log the attempt with the appropriate data when validation fails. Next, Users::validateLoginAttempts must be updated to leftJoin log_users with users, as opposed to an inner join.
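The difference between the two joins, as an added illustration (not Blesta's own code): a simulated log_users table with an assumed schema, where unknown usernames are logged with user_id 0, and an attempt counter written both the current way (inner join, which silently drops those rows) and the proposed way (left join, which counts them). Column names, the 'failure' result value and the IP are constructed for the example.

```python
import sqlite3

LIMIT_PER_HOUR = 10  # limit stated in the issue


def setup_db():
    # Assumed schema: users plus a log_users table that stores the
    # attempted username; user_id 0 means "no matching user".
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE);
        CREATE TABLE log_users (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            user_id INTEGER NOT NULL, username TEXT, ip_address TEXT,
            result TEXT, date_added TEXT DEFAULT CURRENT_TIMESTAMP);
        INSERT INTO users (id, username) VALUES (1, 'alice');
    """)
    return db


def log_attempt(db, username, ip, result):
    # Log every attempt, whether or not the username exists.
    row = db.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    db.execute(
        "INSERT INTO log_users (user_id, username, ip_address, result) VALUES (?, ?, ?, ?)",
        (row[0] if row else 0, username, ip, result))


def _count(db, ip, join):
    # Failed attempts from this IP in the last hour, using the given join type.
    return db.execute(f"""
        SELECT COUNT(*) FROM log_users l {join} JOIN users u ON u.id = l.user_id
        WHERE l.ip_address = ? AND l.result = 'failure'
          AND l.date_added >= datetime('now', '-1 hour')""", (ip,)).fetchone()[0]


def failed_attempts_inner_join(db, ip):
    # Current behaviour: rows with user_id 0 match no user and are dropped,
    # so attempts against unknown usernames never count toward the limit.
    return _count(db, ip, "INNER")


def failed_attempts_left_join(db, ip):
    # Proposed behaviour: unmatched rows are kept, so the limit applies
    # equally to real and non-existent usernames.
    return _count(db, ip, "LEFT")


def is_blocked(db, ip, counter):
    return counter(db, ip) >= LIMIT_PER_HOUR
```

With ten failures against an unknown username from one IP, the inner-join counter still reports zero (so no block, which is the tell), while the left-join counter reports ten and blocks, just as it would for a real account.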


People

    • Assignee: Unassigned
    • Reporter: Cody Phillips (Inactive)
    • Votes: 0
    • Watchers: 2
