How does Kirby 2.2 bruteforce protection work?

The protection is implemented in the Login class. If a specific visitor (meaning a specific IP address) tries to log in more than 10 times within the log expiry time (one hour) without success, he/she is blocked. The logs also expire on successful login by that visitor.

There are two additional layers of protection:

  • Cross-site request forgery protection via a token stored in the session and submitted with the form. You cannot directly post the login form from another server. You have to write a script that fills in the form and submits it.

  • Random response delays after wrong credentials have been entered. This is an additional recommendation by OWASP. By adding a random delay up to three seconds when you enter the wrong login details, a script that runs a bruteforce attack will take significantly longer to find the right combination of username and password. For the user the delay doesn’t really matter that much, but the attacker will hate it.

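As an added example (not Kirby's own Login class), here are the three layers from the two replies above in one self-contained PHP class: the per-IP failure log with a one-hour expiry and a reset on successful login, the session CSRF token the form has to echo back, and the random delay after a wrong login. The class and method names (LoginGuard, attempt, isBlocked, csrfToken, advanceClock), the in-memory array standing in for Kirby's log storage and the injectable clock are all constructed for this illustration so the expiry can be exercised without waiting an hour.

```php
<?php
declare(strict_types=1);

// Illustrative stand-in for the behaviour described in the thread; not Kirby's
// Login class. Names, the in-memory attempt log and the injectable clock are
// all constructed for this example.
final class LoginGuard
{
    public const MAX_ATTEMPTS = 10;        // failures tolerated per IP ...
    public const LOG_EXPIRY   = 3600;      // ... within this many seconds
    public const MAX_DELAY_US = 3_000_000; // random delay after a failure, up to 3 s

    /** @var array<string, int[]> IP address => timestamps of failed logins */
    private array $log = [];
    /** @var array<string, string> stand-in for $_SESSION */
    private array $session = [];
    private array $users;
    private int $now;
    private bool $sleep;

    /** @param array<string, string> $users username => password_hash() output */
    public function __construct(array $users, int $now, bool $sleep = true)
    {
        $this->users = $users;
        $this->now   = $now;    // fixed clock so the expiry can be shown instantly
        $this->sleep = $sleep;  // false skips the real usleep() when demonstrating
    }

    public function advanceClock(int $seconds): void
    {
        $this->now += $seconds;
    }

    /** Layer 1: drop failures older than LOG_EXPIRY, return how many remain. */
    private function recentFailures(string $ip): int
    {
        $cutoff = $this->now - self::LOG_EXPIRY;
        $this->log[$ip] = array_values(array_filter(
            $this->log[$ip] ?? [],
            fn (int $t): bool => $t > $cutoff
        ));
        return count($this->log[$ip]);
    }

    public function isBlocked(string $ip): bool
    {
        return $this->recentFailures($ip) >= self::MAX_ATTEMPTS;
    }

    /** Layer 2: per-session CSRF token that the login form must send back. */
    public function csrfToken(): string
    {
        if (!isset($this->session['csrf'])) {
            $this->session['csrf'] = bin2hex(random_bytes(32));
        }
        return $this->session['csrf'];
    }

    /** Returns one of 'csrf', 'blocked', 'invalid', 'ok'. */
    public function attempt(string $ip, string $user, string $password, string $token): string
    {
        // Layer 2: a POST without the session's token is rejected before any
        // credential check; hash_equals() keeps the comparison constant-time.
        if (!isset($this->session['csrf']) || !hash_equals($this->session['csrf'], $token)) {
            return 'csrf';
        }
        // Layer 1: after MAX_ATTEMPTS failures inside the window, every further
        // attempt from that IP is refused until the entries expire.
        if ($this->isBlocked($ip)) {
            return 'blocked';
        }
        $hash = $this->users[$user] ?? null;
        if ($hash !== null && password_verify($password, $hash)) {
            unset($this->log[$ip]);  // success expires this visitor's log
            return 'ok';
        }
        $this->log[$ip][] = $this->now;
        // Layer 3: random delay of up to three seconds on a wrong login; it
        // stretches an automated guessing run far more than it bothers a user.
        if ($this->sleep) {
            usleep(random_int(0, self::MAX_DELAY_US));
        }
        return 'invalid';
    }
}

// Constructed demo: one account, one attacking IP, a frozen clock, no sleeping.
$guard = new LoginGuard(
    ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
    1_000_000,
    false
);
$ip    = '203.0.113.5';
$token = $guard->csrfToken();

echo $guard->attempt($ip, 'admin', 'guess', 'forged-token'), "\n"; // wrong token: refused before credentials
for ($i = 0; $i < LoginGuard::MAX_ATTEMPTS; $i++) {
    $guard->attempt($ip, 'admin', "guess$i", $token);              // ten wrong passwords fill the log
}
var_dump($guard->isBlocked($ip));
echo $guard->attempt($ip, 'admin', 'correct horse battery staple', $token), "\n"; // right password, still blocked
$guard->advanceClock(LoginGuard::LOG_EXPIRY + 1);                  // the hour passes, entries expire
echo $guard->attempt($ip, 'admin', 'correct horse battery staple', $token), "\n"; // login succeeds, log cleared
var_dump($guard->isBlocked($ip));
```

Run it with `php guard.php`. The two things worth noticing are that the block is checked before the password, so a locked-out IP cannot tell whether its guess was right, and that the check is keyed purely on the client IP, which is why a single attacker spread over many addresses (or many users behind one NAT) gets a different experience from what the counter assumes.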