AS1024/Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add bruteforce protection

Browse Source
This commit is contained in:
Frederic Guillot
2015-08-01 12:14:22 -04:00
parent db69d5c429
commit db88a00d48
20 changed files with 405 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/api-json-rpc.markdown
View File

@@ -27,6 +27,7 @@ Security
- Always use HTTPS with a valid certificate
- If you make a mobile application, it's your job to store securely the user credentials on the device
- After 3 authentication failure on the user api, the end-user have to unlock his account by using the login form
- Two factor authentication is not yet available through the API
Protocol

26
docs/bruteforce-protection.markdown Normal file
View File

@@ -0,0 +1,26 @@
Bruteforce Protection
=====================
The brute force protection of Kanboard works at the user account level:
- After 3 authentication failure for the same username, the login form show a captcha image to prevent automated bot tentatives.
- After 6 authentication failure, the user account is locked down for a period of 15 minutes.
This feature works only for authentication methods that use the login form.
However, **after 3 authentication failure through the user API**, the account have to be unlocked by using the login form.
Kanboard doesn't block any IP addresses since bots can use several anonymous proxies. However, you can use external tools like [fail2ban](http://www.fail2ban.org) to avoid massive scans.
Default settings can be changed with these configuration variables:
```php
// Enable captcha after 3 authentication failure
define('BRUTEFORCE_CAPTCHA', 3);
// Lock the account after 6 authentication failure
define('BRUTEFORCE_LOCKDOWN', 6);
// Lock account duration in minute
define('BRUTEFORCE_LOCKDOWN_DURATION', 15);
```

14
docs/config.markdown
View File

@@ -196,6 +196,20 @@ define('ENABLE_HSTS', true);
define('ENABLE_XFRAME', true);
```
Bruteforce protection
---------------------
```php
// Enable captcha after 3 authentication failure
define('BRUTEFORCE_CAPTCHA', 3);
// Lock the account after 6 authentication failure
define('BRUTEFORCE_LOCKDOWN', 6);
// Lock account duration in minute
define('BRUTEFORCE_LOCKDOWN_DURATION', 15);
```
Various settings
----------------

1
docs/index.markdown
View File

@@ -81,6 +81,7 @@ Using Kanboard
- [Advanced Search Syntax](search.markdown)
- [Command line interface](cli.markdown)
- [Syntax guide](syntax-guide.markdown)
- [Bruteforce protection](bruteforce-protection.markdown)
- [Frequently asked questions](faq.markdown)
Technical details