Number of login attempts to be allowed

by Annette Powell -
Number of replies: 4

Hello

I have Moodle set up and running. The company I work for did a security scan on it and it picked up several security problems. One problem they noted was that Moodle did not lock out accounts when someone tried to log in with an incorrect password. They stated that the fix for this was to decide upon the number of login attempts to be allowed (usually from 3 to 5) and make sure that the account would be locked once the permitted number of attempts is exceeded, suspending account activity only temporarily and re-enabling it after a specific period of time has passed.

Is there a way to do this and if so how? I am not a programmer at all and know very little about PHP.

Thanks

In reply to Annette Powell

Re: Number of login attempts to be allowed

by Tim Hunt -

Locking out accounts like this is a security problem itself. It gives attackers a very simple denial-of-service attack: just make lots of failed logins for every username, until everyone is locked out.

The approach Moodle takes is to log failed login attempts. I think there is even an option to email the admin when there are too many.

In reply to Tim Hunt

Re: Number of login attempts to be allowed

by Annette Powell -

Hi Tim,

I understand what you're saying there, and I do have it turned on to notify me of more than 10 attempts, and yes, I can set a rule up at that point on the firewall to restrict that IP address. However, my company was basing their findings on a brute force attack, and they would like it to be configured to set the limit to 5 attempts, then lock the account, and then unlock the account after 10 or 15 minutes. Is there a way to do that, and if so, what is the code and where does it go?

Thank you.
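The policy Annette's company asked for (lock after 5 failed attempts, unlock automatically after 15 minutes) and the lockout denial-of-service Tim describes, shown together as an added example. This is illustration code written for this thread, not Moodle's own code and not something that can be dropped into Moodle; the class names, the 15-minute constants, the injectable clock and the two sample users are all constructed for the demonstration.

```python
"""Added example (not Moodle code): a per-account login throttle with a timed
unlock, plus a demonstration of why it hands attackers a denial of service.
Every name, constant and sample user here is constructed for illustration."""
import time
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int = 5          # failed attempts tolerated before locking
    lock_seconds: int = 15 * 60    # how long the account stays locked
    window_seconds: int = 15 * 60  # failures older than this are forgotten


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                     # epoch seconds; 0 = not locked


class LoginThrottle:
    """Keyed by username only, exactly as the requested policy specifies.
    The clock is injectable so the cool-down can be tested without sleeping."""

    def __init__(self, policy=LockoutPolicy(), clock=time.time):
        self.policy = policy
        self.clock = clock
        self.accounts = {}

    def _state(self, username):
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username):
        return self._state(username).locked_until > self.clock()

    def seconds_until_unlock(self, username):
        return max(0, int(self._state(username).locked_until - self.clock()))

    def record_failure(self, username):
        """Call after a wrong password. Returns True if the account is now locked."""
        now = self.clock()
        st = self._state(username)
        # Only count failures inside the sliding window.
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lock_seconds
            st.failures.clear()
            return True
        return False

    def record_success(self, username):
        self.accounts.pop(username, None)

    def attempt(self, username, password, check_password):
        """Returns 'locked', 'failed' or 'ok'. A locked account is refused even
        when the password is correct, which is what makes the DoS work."""
        if self.is_locked(username):
            return "locked"
        if check_password(username, password):
            self.record_success(username)
            return "ok"
        self.record_failure(username)
        return "locked" if self.is_locked(username) else "failed"


def demo_lockout_dos():
    """Constructed scenario: an attacker who knows only the usernames sends five
    bad passwords per account. The legitimate users are then refused with their
    correct passwords until the 15-minute cool-down has elapsed."""
    fake_clock = [1_000_000.0]
    throttle = LoginThrottle(LockoutPolicy(), clock=lambda: fake_clock[0])
    users = {"alice": "correct horse", "bob": "battery staple"}  # constructed
    check = lambda u, p: users.get(u) == p

    for u in users:                       # attacker: no password knowledge needed
        for _ in range(throttle.policy.max_failures):
            throttle.attempt(u, "not-the-password", check)
    blocked = [throttle.attempt(u, users[u], check) for u in users]  # real users

    fake_clock[0] += throttle.policy.lock_seconds  # wait out the cool-down
    recovered = [throttle.attempt(u, users[u], check) for u in users]
    return blocked, recovered


if __name__ == "__main__":
    print(demo_lockout_dos())
```

Because the counter is keyed by username alone, anyone able to reach the login form can keep every known account in the locked state for the cost of five requests per account per cool-down period; that is the trade-off Tim is pointing at, and it is why Moodle's approach at the time was to log and alert on failures rather than lock.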

In reply to Annette Powell

Re: Number of login attempts to be allowed

by Petr Skoda -
Hello,
This is a known problem; you can track progress in MDL-21342.

Petr
In reply to Petr Skoda

Re: Number of login attempts to be allowed

by J Arn -

I am currently having the opposite problem: I need to change from 3 to 6 or 7, and preferably no lockout. Can that currently be done?