A more usual solution to this issue is to insert a delay after the third
and subsequent failures.  You, of course, need a policy for removing the 
delay (successful login or N minutes following the last attempt).

On Fri, 13 Jan 2006, Florent Guillaume wrote:

> Håkan Johansson wrote:
> > I want to be able to block a user from logging in if he fails to give 
> > the right login/password three times in a row. 
> You're aware that this allows anyone to trivially DoS your users, right?
> If you take the precaution of matching with the IP, it still will harm 
> people logging in through corporate or ISP proxies. Which, admittedly, 
> may not be a problem in an intranet setting.
> Florent
> > The problem is that I  don't know how to do this.
> > 
> > First, I need to know if an attempt failed. This, I have no idea how to do.
> > 
> > Second, I need to block the user without deleting him. One problem here 
> > is that the user can write different login names for the different login 
> > attempts. We have been thinking about blocking the offender's IP for 30 
> > minutes or so and leave it at that. It seems to me that 
> > SiteAccess.AccessRule could be used for that, but I haven't looked much 
> > into it yet. The documentation is extremely light.
> > 
> > 
> > I have a very clean Zope 2.8.4 installation on a SuSE linux machine.
> > Logins are handled in the standard Zope way, nothing special added.
> > The Zope is running as a stand alone server, i.e. no Apache at all.
> > 
> > 
> > Another thing: How do I get Zope to log failed authentication attempts? 
> > Neither event.log or Z2.log shows anything. As Z2.log is the access log, 
> > I would have guessed that such things should be logged there. If not, 
> > where and how?


Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to