Oops. Had forgotten about that. Thanks Anthony. Looking at the code again: that stores login attempts in a file, not in the DB:

    deny_file = os.path.join(request.folder, 'private', 'hosts.deny')
On Saturday, 1 June 2013 16:38:57 UTC-5, Anthony wrote:
> I think we're already limiting admin to 5 failed logins per IP address per hour:
> https://code.google.com/p/web2py/source/browse/applications/admin/models/access.py#62
>
> Anthony
>
> On Saturday, June 1, 2013 5:28:03 PM UTC-4, BlueShadow wrote:
>> The ssh tunnel is probably the best and only really secure option. If anyone can point me towards a tutorial for this, that would be awesome.
>> Thinking about another solution: how about adding a username? This would make brute force even harder. As far as my novice knowledge goes, servers like Apache and nginx record all requests. Writing a script catching all requests to the appadmin login shouldn't be too hard to write. Now one could use a cronjob to check that list every 5 min, for example. If the login page is called more than 5 times: block access to appadmin for 20 min.
>> Those are just my thoughts; I haven't tested any of this, and I'm not sure if it would work.
>>
>> On 01.06.2013 22:56, "BlueShadow" <[email protected]> wrote:
>>> Hi,
>>> Overall web2py is pretty safe as far as I know.
>>> https://scanmyserver.com/ shows 6 "low priority" risks for my web2py app. As far as I'm concerned they are very low priority, but since I started to record all errors (code 400, 404, 500) in a database table I get a little concerned, since my very small site gets 20 attacks on some days.
>>> They are pretty primitive as far as I can tell: trying to call the admin page or /wp-login, trying to add code after the URL...
>>> So my concern is not the site itself but the appadmin. It is only protected by a password and, as far as I can tell, there is no brute force protection like a timeout after three or five misspelled passwords.
>>> I don't know if I'm just paranoid, but I can't record if there are attempts to access appadmin and there is no timeout for the password.
>>> I would welcome your thoughts on this issue.
--
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
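As an added illustration of the log-scanning cron idea discussed in the thread (this is not code from the thread or from web2py's admin app): a Python script that parses Apache/nginx combined-format access log lines, counts requests to appadmin per client IP inside a sliding time window, and reports the IPs over the threshold. The log lines, IPs and the "/appadmin" path marker are constructed sample values; what the cron job does with the result (for example, adding the IP to a deny list for 20 minutes) is left to the caller.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2013:22:01:10 +0200] "GET /myapp/appadmin HTTP/1.1" 200 512 "-" "curl/7.29"
203.0.113.7 - - [01/Jun/2013:22:01:12 +0200] "POST /myapp/appadmin HTTP/1.1" 303 0 "-" "curl/7.29"
203.0.113.7 - - [01/Jun/2013:22:01:15 +0200] "POST /myapp/appadmin HTTP/1.1" 303 0 "-" "curl/7.29"
203.0.113.7 - - [01/Jun/2013:22:01:17 +0200] "POST /myapp/appadmin HTTP/1.1" 303 0 "-" "curl/7.29"
203.0.113.7 - - [01/Jun/2013:22:01:19 +0200] "POST /myapp/appadmin HTTP/1.1" 303 0 "-" "curl/7.29"
203.0.113.7 - - [01/Jun/2013:22:01:21 +0200] "POST /myapp/appadmin HTTP/1.1" 303 0 "-" "curl/7.29"
198.51.100.4 - - [01/Jun/2013:22:02:00 +0200] "GET /myapp/default/index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jun/2013:22:03:00 +0200] "GET /myapp/appadmin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# client ip, timestamp, request method/path and status from a combined-format line
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, path) or None if the line is not a combined-format entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")

def offending_ips(lines, path_marker="/appadmin", limit=5, window=timedelta(minutes=5)):
    """Map ip -> highest number of appadmin hits seen inside any sliding `window`,
    for IPs whose count exceeds `limit` (the thread's "more than 5 times")."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed or non-combined lines instead of crashing the cron job
        ip, ts, path = parsed
        if path_marker in path:
            hits[ip].append(ts)
    result = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop hits that fell out of the window
                start += 1
            count = end - start + 1
            if count > limit:
                result[ip] = max(result.get(ip, 0), count)
    return result
```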

