[Zope] Re: Handling login failures
Dennis Allison
allison at shasta.stanford.edu
Thu Jan 12 18:32:00 EST 2006
A more usual solution to this issue is to insert a delay after the third
and subsequent failures. You, of course, need a policy for removing the
delay (successful login or N minutes following the last attempt).
On Fri, 13 Jan 2006, Florent Guillaume wrote:
> Håkan Johansson wrote:
> > I want to be able to block a user from logging in if he fails to give
> > the right login/password three times in a row.
>
> You're aware that this allows anyone to trivially DoS your users, right?
> If you take the precaution of matching with the IP, it still will harm
> people logging in through corporate or ISP proxies. Which, admittedly,
> may not be a problem in an intranet setting.
>
> Florent
>
> > The problem is that I don't know how to do this.
> >
> > First, I need to know if an attempt failed. This, I have no idea how to do.
> >
> > Second, I need to block the user without deleting him. One problem here
> > is that the user can write different login names for the different login
> > attempts. We have been thinking about blocking the offender's IP for 30
> > minutes or so and leave it at that. It seems to me that
> > SiteAccess.AccessRule could be used for that, but I haven't looked much
> > into it yet. The documentation is extremely light.
> >
> >
> > I have a very clean Zope 2.8.4 installation on a SuSE Linux machine.
> > Logins are handled in the standard Zope way, nothing special added.
> > The Zope is running as a stand-alone server, i.e. no Apache at all.
> >
> >
> > Another thing: How do I get Zope to log failed authentication attempts?
> > Neither event.log nor Z2.log shows anything. As Z2.log is the access log,
> > I would have guessed that such things should be logged there. If not,
> > where and how?
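The delay-after-the-third-failure policy Dennis describes, with his two removal conditions (a successful login, or N minutes of quiet since the last attempt), written out as an added Python example; it is not code from this thread or from Zope itself. The key (client address or login name), the thresholds and the delay values are assumptions, and the clock is injectable so the reset policy can be exercised without waiting.

```python
import logging
import time
from dataclasses import dataclass

log = logging.getLogger("login")

THRESHOLD = 3          # failures before a delay is imposed ("third and subsequent")
RESET_AFTER = 30 * 60  # seconds of quiet after which the failure count is forgotten
BASE_DELAY = 2.0       # delay (s) at the third failure; doubled on each further failure
MAX_DELAY = 60.0       # cap so a flood of failures never locks a key out for long


@dataclass
class _Record:
    failures: int = 0
    last_attempt: float = 0.0
    retry_after: float = 0.0  # absolute clock time before which attempts are refused


class LoginThrottle:
    """Per-key throttle. Keying on the client address catches varied login
    names but penalises users behind a shared proxy; keying on the login name
    lets a stranger slow down a named user. Choose per deployment (assumed)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._records = {}

    def _live(self, key, now):
        rec = self._records.get(key)
        if rec is not None and now - rec.last_attempt > RESET_AFTER:
            del self._records[key]  # quiet period elapsed: forget the failures
            rec = None
        return rec

    def check(self, key):
        """Seconds the caller must wait before a new attempt is accepted, 0 if none."""
        now = self._clock()
        rec = self._live(key, now)
        return 0.0 if rec is None else max(0.0, rec.retry_after - now)

    def record_failure(self, key):
        """Count a failed attempt, log it, and return the consecutive failure count."""
        now = self._clock()
        rec = self._live(key, now)
        if rec is None:
            rec = self._records[key] = _Record()
        rec.failures += 1
        rec.last_attempt = now
        if rec.failures >= THRESHOLD:
            rec.retry_after = now + min(MAX_DELAY, BASE_DELAY * 2 ** (rec.failures - THRESHOLD))
        log.warning("login failure for %r (%d consecutive)", key, rec.failures)
        return rec.failures

    def record_success(self, key):
        """A successful login clears the key's failure history."""
        self._records.pop(key, None)
```

The delay grows exponentially rather than turning into a hard block, which limits how much an attacker can lock out other users by design, the concern Florent raises.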