I think this is quite an important issue for security of Piwik. It is not too difficult to brute force installations otherwise. One could otherwise just crawl for several Piwik instances, try most common usernames with some most common passwords and I'm sure it's possible to get access to some installations.

Of course we have thousands of options for this feature and can go crazy. But was thinking something simple in the beginning like this could do:

- On bad credential wait X seconds before showing login screen (minimize web brute force).
- After say 5 wrong login attempts for same user, I would make login slower (also on API level but won't be trivial) each time. Eg in the beginning wait 1 second, next try wait 3 seconds, next try wait 6 seconds. This needs to be implemented wisely since one could "shut down" a Piwik under circumstances by doing wrong login requests on purpose etc.
- After eg 50 attempts within 12 hours I would lock down IP (we'd need config for this if all users come from same IP or reuse trust_cookies setting which is used in Intranets and depending on this disable it etc). Some kind of blacklist management will be needed.

Won't be trivial to implement I reckon but I'm sure for such things there are good solutions available on the internet.
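An added model of the throttling sketched in the comment above (example code written for this page, not Piwik's own implementation): a per-user delay that stays flat until the fifth failure and then grows 1, 3, 6, 10... seconds, plus a per-IP lockout after 50 failures in 12 hours that skips a trusted-IP set standing in for the intranet/trust_cookies exemption. The fixed one-second bad-credential delay, the 60-second cap (which bounds the "shut down a user on purpose" risk the comment raises) and the trusted-IP set are assumed values, not from the page.

```python
from collections import defaultdict, deque

# Policy parameters following the proposal above; X, the cap and the trusted
# IPs are assumptions made for this example.
BAD_CREDENTIAL_DELAY = 1     # "X seconds" after any wrong credential
SLOW_AFTER = 5               # failures per user before the delay starts growing
MAX_DELAY = 60               # cap so deliberate bad logins cannot lock a user out for good
IP_LOCK_THRESHOLD = 50       # failures per IP ...
IP_LOCK_WINDOW = 12 * 3600   # ... within this many seconds => lock the IP


class LoginThrottle:
    """Per-user progressive delay plus per-IP lockout, tracked in memory."""

    def __init__(self, trusted_ips=()):
        # IPs exempt from lockout, e.g. a shared intranet gateway behind which
        # every user appears with the same address.
        self.trusted_ips = set(trusted_ips)
        self.user_failures = defaultdict(int)
        self.ip_failures = defaultdict(deque)   # ip -> timestamps of failures

    def record(self, user, ip, success, now):
        """Update the counters after an authentication attempt."""
        if success:
            self.user_failures[user] = 0        # a good login clears the slowdown
            return
        self.user_failures[user] += 1
        self.ip_failures[ip].append(now)

    def delay_for(self, user):
        """Seconds to wait before answering this user's next attempt:
        0 with no failures, X up to SLOW_AFTER failures, then 1, 3, 6, 10 ... capped."""
        failures = self.user_failures[user]
        if failures == 0:
            return 0
        n = failures - SLOW_AFTER + 1
        if n < 1:
            return BAD_CREDENTIAL_DELAY
        progressive = n * (n + 1) // 2          # triangular growth: 1, 3, 6, 10, ...
        return min(max(progressive, BAD_CREDENTIAL_DELAY), MAX_DELAY)

    def ip_locked(self, ip, now):
        """True once an untrusted IP has IP_LOCK_THRESHOLD failures inside the window."""
        if ip in self.trusted_ips:
            return False
        q = self.ip_failures[ip]
        while q and now - q[0] > IP_LOCK_WINDOW:
            q.popleft()                         # forget failures older than the window
        return len(q) >= IP_LOCK_THRESHOLD
```

The same counters would have to be consulted on the API authentication path as well, otherwise the web login slowdown is simply bypassed.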