Security and privacy

Number of login attempts to be allowed

 
 
Annette Powell

Hello

I have Moodle set up and running. The company I work for did a security scan on it and it picked up several security problems. One problem they noted was that Moodle did not lock out accounts when they tried to log in with an incorrect password. They stated that the fix for this was to decide upon the number of login attempts to be allowed (usually from 3 to 5) and make sure that the account would be locked once the permitted number of attempts is exceeded, and to suspend account activity only temporarily and enable it after a specific period of time has passed.

Is there a way to do this and if so how? I am not a programmer at all and know very little about PHP.

 

Thanks

 

 
Tim at Lone Pine Koala Sanctuary
Re: Number of login attempts to be allowed

Locking out accounts like this is a security problem itself. It gives attackers a very simple denial-of-service attack - just make lots of failed logins for every username, until everyone is locked out.

The approach Moodle takes is to log failed login attempts. I think there is even an option to email the admin when there are too many.

 
Annette Powell
Re: Number of login attempts to be allowed
 

Hi Tim,

I understand what you're saying there and I do have it turned on to notify me of more than 10 attempts, and yes, I can set a rule up at that point on the firewall to restrict that IP address. However, my company was basing their findings on a brute force attack and they would like it to be configured to set the time out limit to 5 attempts and then lock the account and then unlock the account after 10 or 15 minutes. Is there a way to do that and if so what is the code and where does it go?

 

Thank you.

 
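The policy requested in the post above (lock after 5 failed attempts, unlock automatically after 15 minutes), sketched as an added example. This is not Moodle code and not code from anyone in this thread; the class LoginThrottle, its method names and the in-memory storage are assumptions made for illustration.

```php
<?php
// Hypothetical in-memory throttle (not Moodle code). A real deployment would
// persist this state in a database or cache so it survives across requests.
final class LoginThrottle
{
    private array $failures = [];    // username => timestamps of recent failures
    private array $lockedUntil = []; // username => time the lock expires

    public function __construct(
        private int $maxAttempts = 5,      // failures allowed before locking
        private int $windowSeconds = 900,  // older failures are forgotten
        private int $lockoutSeconds = 900  // 15-minute temporary lock
    ) {}

    // Call before checking the password; a locked account is refused outright.
    public function isLocked(string $user, int $now): bool
    {
        return ($this->lockedUntil[$user] ?? 0) > $now;
    }

    public function recordFailure(string $user, int $now): void
    {
        if ($this->isLocked($user, $now)) {
            return; // attempts made during a lock do not extend it
        }
        // Keep only failures inside the sliding window, then add this one.
        $recent = array_filter(
            $this->failures[$user] ?? [],
            fn (int $t): bool => $t > $now - $this->windowSeconds
        );
        $recent[] = $now;
        if (count($recent) >= $this->maxAttempts) {
            $this->lockedUntil[$user] = $now + $this->lockoutSeconds;
            $recent = []; // count afresh once the lock expires
        }
        $this->failures[$user] = array_values($recent);
    }

    public function recordSuccess(string $user): void
    {
        unset($this->failures[$user], $this->lockedUntil[$user]);
    }
}
// Constructed walk-through: five failures one second apart for one account.
$throttle = new LoginThrottle();
$start = 1700000000; // constructed timestamp
for ($i = 0; $i < 5; $i++) { $throttle->recordFailure('student1', $start + $i); }
var_dump($throttle->isLocked('student1', $start + 5));       // during the lock
var_dump($throttle->isLocked('student1', $start + 4 + 900)); // lock has expired
```

The lock here is keyed on the username, so the denial-of-service trade-off raised earlier in the thread applies for the length of each lockout period.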
Petr Skoda (Totara LMS)
Re: Number of login attempts to be allowed
Hello,
this is a known problem, you can track progress in MDL-21342.

Petr
 
J Arn
Re: Number of login attempts to be allowed
 

I am currently having the opposite problem: I need to change from like 3 - 6 or 7, and preferably no lockout. Can that currently be done?

 