On Thursday, November 16, 2023 at 9:32:58 AM UTC-8 Ramos wrote:
Hello friends, I guess this is a similar issue between web2py and py4web, so I'm posting to both groups. Sorry if I'm abusing ...

We had a cybersecurity audit of our web2py app and they found this issue:

QUOTE
During the application audit process, it was possible to identify that the company portal does not implement the restriction of blocking accounts due to invalid login attempts. This allows an attacker to use brute force attacks to attempt a valid credential indefinitely.

*Recommendation*
We recommend implementing account lockout policies for invalid login attempts, as well as captcha and multi-factor authentication mechanisms, as well as session timeouts to log out a user who has been inactive on the system for some time.
UNQUOTE

I already activated MFA in my app, but it only works if the password is correct. An attacker trying to guess the password could have a forever loop trying to log in, and it can stress the server CPU.

Any comments on this?

Regards
António

The appadmin login supports lockout, but I'm not finding a mention of it in the manual. A file is created (in the web2py root, IIRC, alongside httpserver.pid and parameters_8000.py). This file can be removed by the appropriate local user. If memory serves, you get 3 tries in xx seconds.

/dps

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/371daf75-dcb9-4e57-84f6-0cf8df0c9553n%40googlegroups.com.
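The two points raised in the thread, that MFA only engages after a correct password and that an attacker can loop on the login endpoint and burn CPU, are both addressed by a throttle that is consulted before any password hashing happens. The following is an added example written for this discussion; it is not code from web2py, py4web, or either poster, and it does not use any web2py Auth setting. The `LoginThrottle` class, the `login()` wrapper, the `USERS` store and the "antonio" account with its password are all constructed for illustration. It generalizes the "3 tries in xx seconds" behaviour described for appadmin into a per-account counter with exponential backoff and a cap, which is what an auditor's "account lockout policy" normally expects.

```python
"""Per-account login lockout with exponential backoff, enforced before
the password is verified. Added example; not web2py/py4web code."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class _State:
    failures: int = 0          # failures inside the current window
    window_start: float = 0.0
    lockouts: int = 0          # consecutive lockouts, drives the backoff
    locked_until: float = 0.0


class LoginThrottle:
    """Hypothetical throttle keyed by account name (or any string).

    A key that reaches max_failures within `window` seconds is locked for
    base_lockout * 2**(n-1) seconds on its n-th consecutive lockout, capped
    at max_lockout. A successful login clears the state.
    """

    def __init__(self, max_failures=5, window=300.0, base_lockout=60.0,
                 max_lockout=3600.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock          # injectable so tests can fake time
        self._states = {}

    def retry_after(self, key):
        """Seconds until `key` may try again; 0.0 means not locked."""
        st = self._states.get(key)
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - self.clock())

    def record_failure(self, key):
        """Count a failure; return the lockout length if one was triggered."""
        now = self.clock()
        st = self._states.setdefault(key, _State(window_start=now))
        if now - st.window_start > self.window:
            st.failures, st.window_start = 0, now
        st.failures += 1
        if st.failures >= self.max_failures:
            st.lockouts += 1
            duration = min(self.base_lockout * 2 ** (st.lockouts - 1),
                           self.max_lockout)
            st.locked_until = now + duration
            st.failures, st.window_start = 0, now
            return duration
        return 0.0

    def record_success(self, key):
        self._states.pop(key, None)


def _hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example; not real credentials.
_SALT, _DIGEST = _hash_password("correct horse battery staple")
USERS = {"antonio": (_SALT, _DIGEST)}


def login(throttle, username, password):
    """Return ("locked", seconds), ("denied", 0.0) or ("ok", 0.0)."""
    wait = throttle.retry_after(username)
    if wait > 0:
        return ("locked", wait)           # no hashing, no MFA prompt
    record = USERS.get(username)
    if record is None:
        _hash_password(password, b"\x00" * 16)   # same cost for unknown users
        ok = False
    else:
        salt, digest = record
        ok = hmac.compare_digest(_hash_password(password, salt)[1], digest)
    if not ok:
        locked_for = throttle.record_failure(username)
        return ("locked", locked_for) if locked_for else ("denied", 0.0)
    throttle.record_success(username)
    return ("ok", 0.0)


def simulate():
    """Three bad guesses, a refused fourth, then the real password after the lock expires."""
    now = [0.0]
    throttle = LoginThrottle(max_failures=3, window=60, base_lockout=30,
                             clock=lambda: now[0])
    results = []
    for guess in ["guess1", "guess2", "guess3", "guess4"]:
        results.append(login(throttle, "antonio", guess)[0])
        now[0] += 1
    now[0] += 31                           # lock was 30 s, it has expired
    results.append(login(throttle, "antonio", "correct horse battery staple")[0])
    return results


if __name__ == "__main__":
    print(simulate())
```

Keying the throttle on the account name is what the audit finding asks for, but it lets anyone lock a victim out by guessing badly on purpose; in practice a second throttle keyed on the client address is layered on top, and the response to a locked account should look identical to a plain failure so the endpoint does not leak which usernames exist. The state here lives in memory, so a multi-process web2py deployment would keep it in the database or a shared cache instead.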

