These are serious concerns. The safest option is to block admin+appadmin simply by not providing a password. Another open option is to configure the web server to only accept admin connections from localhost and require an ssh tunnel otherwise.
The problem with adding a timeout after 3 misspelled passwords is that it does not solve the problem and creates more. In order to know that repeated failures come from the same client we need to store the IP of attempted logins. This opens the door to DoS attacks. We could add a 5 sec delay to all failed logins but attempts are not sequential and may be carried by different threads. We could add a 5 sec delay to all failed logins and force the server to serialize all login attempts. This may also open the door to DoS. There is no solution which is obviously better than others. What would you suggest?

Massimo

On Saturday, 1 June 2013 15:55:53 UTC-5, BlueShadow wrote:
>
> Hi,
> Overall web2py is pretty safe as far as I know.
> https://scanmyserver.com/ shows for my web2py app 6 "low priority" risks. As far as I'm concerned they are very low priority but since I started to record all errors (code 400 404 500) in a database table I get a little concerned since my very small site gets on some days 20 attacks. They are pretty primitive as far as I can tell. Trying to call the admin page or /wp-login ... trying to add code after the url...
> So my concern is not the site itself but the appadmin. It is only protected by a password and as far as I can tell there is no brute force protection like a timeout after 3 or five misspelled passwords.
> I don't know if I'm just paranoid but I can't record if there are attempts to access appadmin and there is no timeout for the password.
> I would welcome your thoughts on this issue.
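The trade-off Massimo describes (tracking failures per client means storing IPs, which an attacker can turn into a memory DoS; serializing attempts opens a different DoS) can be narrowed rather than solved outright. The sketch below is an added example, not web2py's own code and not anything from the thread: a per-client lockout table whose size is capped, so the memory an address-spraying attacker can consume is bounded, with an exponential lockout after a threshold of failures instead of a fixed sleep that ties up a worker thread. The class name `FailedLoginTracker`, the `demo()` walkthrough and the 203.0.113.0/24 and 198.51.100.0/24 addresses are all constructed for illustration. It keeps state per process, so a multi-process deployment would need a shared store for the same effect.

```python
import threading
import time
from collections import OrderedDict


class FailedLoginTracker:
    """Per-client lockout with bounded memory (hypothetical helper, not a web2py API).

    After `threshold` failures a client is locked out for `base_delay` seconds,
    doubling on each further failure up to `max_delay`.  Entries live in an
    OrderedDict ordered by last activity and capped at `max_entries`: an attacker
    spraying source addresses can evict other entries but cannot grow the table
    without limit.  Entries idle for `window` seconds are dropped.  No attempt
    is ever slept on or serialized; the caller just rejects locked clients early.
    """

    def __init__(self, threshold=3, base_delay=5.0, max_delay=300.0,
                 window=900.0, max_entries=10000, clock=time.time):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self.max_entries = max_entries
        self.clock = clock                      # injectable for deterministic tests
        self._lock = threading.Lock()           # attempts arrive on any thread
        self._entries = OrderedDict()           # ip -> [failures, last_seen, locked_until]

    def _prune(self, now):
        # Oldest end of the OrderedDict is the least recently active client:
        # drop idle entries first, then enforce the hard size cap.
        while self._entries:
            _ip, (_, last_seen, _) = next(iter(self._entries.items()))
            if now - last_seen <= self.window:
                break
            self._entries.popitem(last=False)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)

    def lockout_remaining(self, ip):
        """Seconds the client must still wait; 0.0 means the attempt may proceed."""
        now = self.clock()
        with self._lock:
            entry = self._entries.get(ip)
            if entry is None:
                return 0.0
            return max(0.0, entry[2] - now)

    def record_failure(self, ip):
        """Register a failed attempt; returns the lockout now in force (seconds)."""
        now = self.clock()
        with self._lock:
            entry = self._entries.pop(ip, None) or [0, now, 0.0]
            entry[0] += 1
            entry[1] = now
            if entry[0] >= self.threshold:
                delay = min(self.max_delay,
                            self.base_delay * 2 ** (entry[0] - self.threshold))
                entry[2] = now + delay
            self._entries[ip] = entry           # re-insert at the most recent end
            self._prune(now)                    # newest entry is never the eviction victim
            return max(0.0, entry[2] - now)

    def record_success(self, ip):
        """Forget the client's failure history after a valid login."""
        with self._lock:
            self._entries.pop(ip, None)

    def tracked_clients(self):
        return len(self._entries)


def demo():
    """Walk one client through lockout, then show the size cap holding under a spray."""
    now = [1000.0]
    tracker = FailedLoginTracker(threshold=3, base_delay=5.0, max_entries=2,
                                 clock=lambda: now[0])
    ip = "203.0.113.7"                                       # constructed sample address
    delays = [tracker.record_failure(ip) for _ in range(4)]  # 0, 0, then 5 s, then 10 s
    now[0] += 4.0
    remaining_after_4s = tracker.lockout_remaining(ip)       # 6 s of the 10 s lock left
    now[0] += 10.0
    remaining_after_14s = tracker.lockout_remaining(ip)      # lock has expired
    tracker.record_success(ip)
    for spray_ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):  # constructed
        tracker.record_failure(spray_ip)
    return {
        "delays": delays,
        "remaining_after_4s": remaining_after_4s,
        "remaining_after_14s": remaining_after_14s,
        "tracked_after_spray": tracker.tracked_clients(),    # capped at max_entries
    }


if __name__ == "__main__":
    print(demo())
```

In a handler, the order is: call `lockout_remaining(ip)` and reject with an error (never a sleep) if it is non-zero, otherwise verify the password and call `record_failure` or `record_success`. Because the check is a dictionary lookup under a short-held lock, attempts stay concurrent and nothing forces the server to serialize logins; the cap turns the "store every IP" concern into a fixed upper bound chosen by the operator.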

