I think we're already limiting admin to 5 failed logins per IP address per hour: https://code.google.com/p/web2py/source/browse/applications/admin/models/access.py#62

Anthony

On Saturday, June 1, 2013 5:28:03 PM UTC-4, BlueShadow wrote:
>
> How the ssh tunnel is probably the best and only real secure option. If
> anyone can point me towards a tutorial for this would be awesome.
> Thinking about another solution: how about adding a username. This would
> make bruteforce even harder. As far as my novice knowledge goes, servers like
> apache and nginx... record all requests. Writing a script catching all
> requests to appadmin login shouldn't be too hard to write. Now one could use
> a cronjob to check that list every 5 min for example. If the login page is
> called more than 5 times: block access to appadmin for 20 min.
> Those are just my thoughts, I haven't tested any of this. And I'm not sure if
> it would work.
>
> On 01.06.2013 22:56, "BlueShadow" <[email protected]> wrote:
>
>> Hi,
>> Overall web2py is pretty safe as far as I know.
>> https://scanmyserver.com/ shows for my web2py app 6 "low priority" risks. As
>> far as I'm concerned
>> they are very low priority but since I started to record all errors (code
>> 400 404 500) in a database table I get a little concerned since my very
>> small site gets on some days 20 attacks. They are pretty primitive as far
>> as I can tell. Trying to call admin page or /wp-login ... trying to add
>> code after the url...
>> So my concern is not the site itself but the appadmin. It is only
>> protected by a password and as far as I can tell there is no brute force
>> protection like a timeout after 3 or five misspelled passwords.
>> I don't know if I'm just paranoid but I can't record if there are attempts
>> to access appadmin and there is no timeout for the password.
>> I would welcome your thoughts on this issue.
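
The log-scanning idea from the quoted message (more than 5 requests to the login page within 5 minutes leads to a 20-minute block), as an added example that is not part of the original thread and not web2py's own code. It assumes an Apache/nginx combined-format access log and a login URL prefix of `/admin/default/index`; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, not from the thread: combined log format and this login URL prefix.
LOGIN_PREFIX = "/admin/default/index"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)')

def find_blocks(lines, limit=5, window=timedelta(minutes=5),
                block_for=timedelta(minutes=20), prefix=LOGIN_PREFIX):
    """Map each IP with more than `limit` login-page requests inside
    `window` to the time its block ends. Each IP's lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group(3).startswith(prefix):
            continue              # unparseable line or a different URL
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop requests older than the window
        if len(hits) > limit:
            blocked[ip] = ts + block_for   # repeat offenders extend the block
    return blocked

def _line(ip, hhmmss, path=LOGIN_PREFIX):
    # Builds a constructed sample log line (documentation IP ranges).
    return f'{ip} - - [01/Jun/2013:{hhmmss} +0000] "POST {path} HTTP/1.1" 200 512'

SAMPLE = (
    [_line("203.0.113.7", f"21:00:{s:02d}") for s in range(0, 60, 10)]  # 6 in 50 s
    + [_line("198.51.100.4", f"21:{m:02d}:00") for m in range(0, 60, 10)]  # 6 in 50 min
    + [_line("192.0.2.9", "21:05:00", "/welcome/default/index"), "garbage"]
)

if __name__ == "__main__":
    for ip, until in find_blocks(SAMPLE).items():
        print(f"block {ip} until {until.isoformat()}")
```

A cron job would feed the returned addresses to whatever enforces the block (firewall rule, web server deny list); behind a reverse proxy the first log field is the proxy's address, so the client IP has to come from the forwarded-for field instead.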

