View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
09882 | Bug reports | Security | public | 2015-09-14 16:23 | 2015-10-02 08:57 |
Reporter | gantier | Assigned To | sammousa |
Priority | high | Severity | partial_block |
Status | closed | Resolution | not fixable |
Product Version | 2.06+ |
Summary | 09882: Brute force attack prevention based on IP address (enable easy DoS attacks) |
Description | Brute force attack prevention seems to work (only?) with IP address, which is a problem for quite big organizations (business office, associations, universities, colleges...). |
Tags | No tags attached. |
Bug heat | 256 |
Complete LimeSurvey version number (& build) | Version 2.06+ Build 150911 |
I will donate to the project if issue is resolved | No |
Browser | |
Database type & version | MySQL 5.5.44 |
Server OS (if known) | Ubuntu LTS Server 14.04 |
Webserver software & version (if known) | Apache 2.4 |
PHP Version | 5.5.9 |
If he launches a script every 11 minutes he will not bring LS down.. There is no feasible way to prevent DDOS attacks at the application end. |
|
"If he launches a script every 11 minutes he will not bring LS down.." --> Of course :) It could be at least a good idea to be able to disable this security measure (or specify IP address/mask to enable/disable it). |
|
Can we differentiate between brute-force attacks and DDoS? A login protection for false logins and a way to disable sending new generated passwords would be a good thing. To create a new user without sending the password in plain email would be good too. |
|
Not looking at IP will make for easier DOS attacks. Closing this, for LS3 feel free to implement your own AuthenticationPlugin that adds whatever "protection" you feel is needed. |
|
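The shared-address problem raised in this report, together with the reporter's suggested exemption by IP address/mask, as an added sketch that is not LimeSurvey code. The class name, the limits (3 failures, 600 seconds) and the addresses are assumptions constructed for illustration.

```python
import ipaddress


class IpLoginThrottle:
    """Failed-login lockout keyed on source IP, with optional exempt networks.

    Hypothetical illustration; limits and names are assumptions, not LimeSurvey's.
    """

    def __init__(self, max_attempts=3, lock_seconds=600, exempt=()):
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.exempt = [ipaddress.ip_network(n) for n in exempt]
        self.failures = {}  # ip -> (failure count, time of last failure)

    def _is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt)

    def record_failure(self, ip, now):
        if self._is_exempt(ip):
            return  # exempt ranges are never counted, so never locked by IP
        count, last = self.failures.get(ip, (0, now))
        if now - last >= self.lock_seconds:
            count = 0  # earlier failures have aged out
        self.failures[ip] = (count + 1, now)

    def is_locked(self, ip, now):
        count, last = self.failures.get(ip, (0, 0))
        return count >= self.max_attempts and now - last < self.lock_seconds


def shared_ip_demo(exempt=(), check_at=20):
    """Return whether a second user behind the same public address is locked out."""
    throttle = IpLoginThrottle(exempt=exempt)
    office_ip = "203.0.113.10"  # constructed: one NAT address for a whole campus
    for t in (0, 5, 10):        # user A mistypes a password three times
        throttle.record_failure(office_ip, now=t)
    # User B, who never failed a login, arrives from the same address.
    return throttle.is_locked(office_ip, now=check_at)


if __name__ == "__main__":
    print("IP-only lockout hits user B:", shared_ip_demo())
    print("With campus range exempted:", shared_ip_demo(exempt=["203.0.113.0/24"]))
```

An exempted range receives no IP-based throttling at all, so the exemption moves the trade-off discussed in the notes rather than removing it.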
Date Modified | Username | Field | Change |
---|---|---|---|
2015-09-14 16:23 | gantier | New Issue | |
2015-09-15 09:34 | sammousa | Note Added: 33097 | |
2015-09-15 09:34 | sammousa | Assigned To | => sammousa |
2015-09-15 09:34 | sammousa | Status | new => feedback |
2015-09-15 13:01 | gantier | Note Added: 33098 | |
2015-09-15 13:01 | gantier | Status | feedback => assigned |
2015-09-15 13:01 | gantier | Note Edited: 33098 | |
2015-09-17 17:51 | jelo | Note Added: 33118 | |
2015-10-02 08:56 | sammousa | Note Added: 33285 | |
2015-10-02 08:57 | sammousa | Status | assigned => closed |
2015-10-02 08:57 | sammousa | Resolution | open => not fixable |