On September 24, 2025 5:52:20 AM PDT, Nick Couchman <[email protected]> wrote:
>On Mon, Sep 22, 2025 at 7:22 PM Ares Li <[email protected]> wrote:
>
>> Hello community,
>>
>> I know that in 1.6.0 failed login attempts will ban the IP by default, but
>> this would not make sense in the scenario where users are behind a VPN. I am
>> wondering if we (will) support banning the username instead of a public-facing
>> IP.
>>
>>
>Hello, Ares,
>Your point is well-taken that it would probably be useful to have a
>feature, either in the JDBC module or in the Ban module, to lock out
>accounts based on failed login attempts, as is common for authentication
>systems. I actually thought we already had that functionality in the JDBC
>account, but apparently I was mistaken, so I think a feature request and
>work to implement that would be in order.
>
If considering username instead of IP, I would be concerned that a malicious
user could trivially leverage that behavior to deny a specific, known user
access to Guacamole. There'd need to be some reliable, out-of-band mechanism
for the real user to come back, verify themselves, and regain access to their
account.

We could consider _both_ username and IP, optionally flagging repeated failed
attempts to authenticate as problematic only if they are also against the same
account. That might avoid both cases, but would be arguably weaker than banning
purely by IP.

- Mike
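A small model of the three lockout policies the thread compares (ban by IP, by username, or by the IP-and-username pair), added here as an example and not code from the thread or from Guacamole itself. The threshold, window, addresses and user names are constructed for the two scenarios raised above: several users behind one VPN egress address, and a third party failing repeatedly against a known account.

```python
from collections import defaultdict

THRESHOLD = 5   # constructed: failures within the window that trigger a lockout
WINDOW = 300    # constructed: seconds over which failures are counted


class LoginTracker:
    """Tracks failed logins keyed by IP, by username, or by the (IP, user) pair."""

    def __init__(self, mode, threshold=THRESHOLD, window=WINDOW):
        if mode not in ("ip", "user", "pair"):
            raise ValueError("mode must be 'ip', 'user' or 'pair'")
        self.mode = mode
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(list)  # key -> list of failure timestamps

    def _key(self, ip, user):
        if self.mode == "ip":
            return ip
        if self.mode == "user":
            return user
        return (ip, user)

    def record_failure(self, ip, user, now):
        self.failures[self._key(ip, user)].append(now)

    def is_locked(self, ip, user, now):
        key = self._key(ip, user)
        recent = [t for t in self.failures[key] if now - t < self.window]
        self.failures[key] = recent  # drop failures that have aged out
        return len(recent) >= self.threshold


def simulate(mode):
    """Constructed scenarios; returns who ends up locked out under the given policy."""
    t = LoginTracker(mode)
    vpn = "203.0.113.10"  # constructed: shared VPN egress address for bob and carol
    # Scenario 1: bob mistypes his password five times from behind the VPN.
    for i in range(5):
        t.record_failure(vpn, "bob", now=i)
    # Scenario 2: an unrelated host fails five times against alice's account.
    for i in range(5):
        t.record_failure("198.51.100.7", "alice", now=i)
    return {
        "bob_from_vpn": t.is_locked(vpn, "bob", now=6),
        "carol_from_vpn": t.is_locked(vpn, "carol", now=6),      # collateral under "ip"
        "alice_from_home": t.is_locked("192.0.2.5", "alice", now=6),  # denied under "user"
    }
```

Only the "pair" policy locks out bob without also locking out carol (the VPN case) or alice (the account-denial case); as the message notes, it is also the policy an attacker with many addresses finds easiest to work around.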
