Opened 2 years ago

Last modified 3 weeks ago

#2888 new New feature

Lock down accounts by IP after N failed attemps at logging

Reported by: matt Owned by:
Priority: normal Milestone: 2.x - The Great Piwik 2.x Backlog
Component: Security Keywords:
Cc: Sensitive: no


Our security policy aims to make security a principal design behind Piwik. One aspect that bugs me currently is that good old brute force attacks could be vector of penetration in Piwik (if eg. attacker knows the login).

We should provide a core mechanism that would lock out, for 30min for example, a user after N failed attemps. Settings could be changed by the Super User and feature would be enabled by default, lock 30 min out after 5 failed attempts.

Implementation proposal:

  • Record, using Piwik_SetOption, count of lockdown for each IP that fails to enter valid login / pwd combination
  • After N failures, lock IP down and refuse authentication (even if the combination is actually valid!).
  • Document as FAQ, linked from UI, the sql to delete all locked out IPs in case the SU was actually locked out and can't wait.

Change History (12)

comment:1 Changed 2 years ago by SteveG (sgiehl)

I would suggest to handle that the way like windows and many other software does. After 3 failed attemnds, lock the account and let the user wait a few minutes until he can retry. With every following failure raise the time to wait. I would do that global and not for each IP as it is too easy to change/switch the IP. Maybe we could implement an option to unlock the account with an token send by mail or something like that.

comment:2 Changed 2 years ago by vipsoft (robocoder)

If there's a lockdown, it should be by ip or /24.

The piwik_option table is not an appropriate place for this, imho, given the other scenarios I listed in #2794. We keep track of the type of attack, ip, number of attempts, and timestamp of last attempt.

There should be some flexibility in the implementation to accomodate different responses to an attack. Can this implemented as a plugin?

comment:3 Changed 20 months ago by matt (mattab)

  • Milestone changed from 1.x - Piwik 1.x to 1.9 Piwik 1.9
  • Priority changed from normal to major

comment:4 Changed 20 months ago by matt (mattab)

  • Component changed from Core to Security

comment:5 Changed 19 months ago by matt (mattab)

The counter increase for a given IP should take place for any request which authenticates:

  • failed login attempts (e.g., brute force)
  • failed lost password requests / username/email check
  • password reset with invalid (e.g., expired) reset token (e.g., replay)

For these, we should automatically blacklist the IP for X seconds, after N failed attempts within M seconds.

For an extended security (possible for a Version 2 of this feature since it complicates it)

  • API request with invalid token

Here maybe we shouldn't blacklist as there could be an error in a code calling the API which would blacklist possibly other functions calling API with a proper token. For a user calling the API with a wrong token, we should simply alert at first, and/or have an opt-in black list limit ?

comment:6 Changed 18 months ago by mainboarder

I would like an extra subdirectory for administration (like ./admin)
So the login could be restricted to ip ranges or a single ip via .htaccess or protected with basic auth
But I think it would be a huge change in the code :/

Maybe a fail2ban lockdown could be as usefull as the .htaccess feature.

Last edited 18 months ago by mainboarder (previous) (diff)

comment:7 Changed 14 months ago by matt (mattab)

  • Milestone changed from 1.12.x - Piwik 1.12.x to 2.x - Piwik 2.x

comment:8 Changed 6 months ago by matt (mattab)

  • We should also use this mechanism to protect against brute forcing the SMS authorization mechanism (since code is 5 chars, could be brute forced to send unwanted texts)

comment:9 follow-up: Changed 3 months ago by ham12343

I would also like this feature to be implemented and suggest also having an "immediately lock out IP when trying invalid/non-existent usernames" feature.

Also, email reports of when login attempts happen would be useful so you have a feel for how often you were being targeted.

I find both these features useful when using Wordfence for my WordPress sites.

Last edited 3 months ago by ham12343 (previous) (diff)

comment:10 Changed 3 months ago by vipsoft (robocoder)

I suggest adding new event hooks and a plugin that leverages the PHPIDS or Expose libraries.

comment:11 in reply to: ↑ 9 Changed 3 months ago by mainboarder

Replying to ham12343:

I would also like this feature to be implemented and suggest also having an "immediately lock out IP when trying invalid/non-existent usernames" feature.

I think lockdown if a wrong username is used is useless or even a risk:

  • what if you have a typo? like "hsm1243" instead of "ham12343"
  • attackers could try to find out a correct username. it is found if the lockdown doesn`t happen immediately. (as long as there is a feedback like "your logins are now ignored")

comment:12 Changed 3 weeks ago by matt (mattab)

  • Priority changed from major to normal
Note: See TracTickets for help on using tickets.