Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2018-07-31 11:03:02

jayrope
Plugin Author
From: Berlin
Registered: 2006-07-06
Posts: 635
Website

Security of /textpattern/ login page

Have a question to you devs:
How is /textpattern/ login dealing with brute force login attempts?
Is there something like an increasing countdown time running already, when someone’s login fails?
Or is it recommended to use sthg. like reCaptcha (ignoring the Google tracking)?
Thanx for any insights!


a hole turned upside down is a dome, though only when there’s gravity.

Offline

#2 2018-07-31 13:05:57

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 8,458
Website

Re: Security of /textpattern/ login page

Just a fixed, three-second timeout between failed login attempts to slow down brute-force attacks. Besides that and never revealing whether an account exists or not, nothing more fancy.

You could maybe run a timing attack on it because we’re not using cryptographically secure string comparisons (it’s on my list to do one day) but you’d have to be desperate to get in.

IMO, you’re more likely to gain better security by insisting that all users have ridiculously good passphrases than to enforce tricks at the code level.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#3 2018-08-01 13:51:48

gaekwad
Member
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 2,379

Re: Security of /textpattern/ login page

You could also use htpasswd stuff to add a straightforward two-layer login process, especially if you’re the sole user of a system. Also look into fail2ban if your web server supports it, very handy.

Offline

#4 2018-08-01 19:55:02

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 8,458
Website

Re: Security of /textpattern/ login page

I second fail2ban: it’s great. One word of warning though to prevent potential head scratching in its default configuration. If you do what I do and use SFTP to transfer files and accidentally mistype your password a couple of times (because I don’t store the password in the FTP client: always type it every time and don’t have 1password set up) then fail2ban automatically inserts a rule in ufw that bans your IP for however long you’ve set the ‘someone is hacking me’ timeout.

This also bans you for SSHing into your box for that time period, which can be frustrating in the middle of an update or something. On DigitalOcean, thankfully, you have the option of logging in via the browser into a Console with your main DO password, thus allowing you to temporarily shut off fail2ban and/or issue some ufw commands to drop the injected fail2ban rules so you can SSH again.

Alternatively, use a VPN and switch server to fool it while your ban is in place on the original IP! Happy days.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

Board footer

Powered by FluxBB