Seems there is no way to lock out "incorrect password attempts", which makes a brute-force break-in possible.
It should be possible to lock out such attempts by disabling the user for "some minutes" or permanently, including an internal alert for such situations.
by: Axel S. | over a year ago | Other
Comments
Noted, Axel
Also, when an account has an intruder lockout in eDir, this isn't visible on the Filr login page, and it's also not mentioned that the account is locked. So this is a good feature. And more secure, I think.
Also, after 5 unsuccessful attempts you get the CAPTCHA image displayed.
I got a request from a Customer who'd like to buy a big amount of Filr licenses. They are in trouble because of brute-force/accidental failures during authentication: because they have a failed attempts limit lower than 6 in AD's settings, such attacks/failed logins lead to account lockout on the AD side. This is a very serious problem for them and they need a solution for this case.
CAPTCHA isn't a real solution:
- the limit for CAPTCHA is 6 failed attempts and cannot be changed, as this setting is hardcoded and cannot be changed using the Filr Administrator Console
- CAPTCHA, as far as I know, is an external service and, in case there is no connection to the Internet, it cannot be used. Probably I'm wrong here, but if I'm right, this is a serious thing against CAPTCHA. Anyway, we're dependent on a third party because of that, and this is not a really good thing in my understanding
There are other ways to solve this, like NAM or Microsoft ADFS, but it leads to additional extra costs which make Filr more expensive for the Customer and, as a result, interest in Filr may be impacted.
The solution, in my understanding, would be realized as something like a Filr Intruder Lockout Policy/Policies, like we have in other of our products. The Filr Administrator will be able to manage the Failed Attempts Limit and make it lower than the similar setting for eDir/AD; in this case only the Filr account will be locked, but not the eDir/AD/LDAP account itself. This is exactly what the Customer wants to have in Filr, please think about it.
I'm not a developer so I can't evaluate additional costs for such a Feature, but, as we have this functionality in our products like iManager, which uses Tomcat as a platform just as Filr does, I hope these costs will not be very high and the Feature may be realized fast enough.
This isn't a real Stopper for this deal as far as I know, but one of the hardest moments we have at the moment. If the Feature is realized soon enough, our life will be much easier.
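An added illustration of the application-side intruder lockout described in the comment above (example code written for this page, not Filr's own): a per-user failure gate whose limit sits below the directory's threshold, with temporary or permanent lockout, an internal alert hook, and a constructed in-memory stand-in for eDirectory/AD. The in-memory state store, the `FakeDirectory` class and the alert callback are assumptions for the example; a real deployment would keep the counters in a shared store and feed the alerts to its monitoring.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass
class LockoutPolicy:
    max_failures: int = 3           # keep below the directory's own lockout threshold
    lockout_seconds: float = 600.0  # 0 = locked until an administrator clears it
@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0       # 0 = not locked, inf = permanent

class LockoutGate:
    """Per-user failure counter in front of the directory bind: once the app
    limit is hit, attempts are refused locally and never reach LDAP/AD."""
    def __init__(self, policy: LockoutPolicy, bind: Callable[[str, str], bool],
                 alert: Callable[[str, str], None], clock=time.monotonic):
        self.policy, self.bind, self.alert, self.clock = policy, bind, alert, clock
        self.state: Dict[str, _State] = {}

    def authenticate(self, user: str, password: str) -> str:
        st, now = self.state.setdefault(user, _State()), self.clock()
        if st.locked_until and now < st.locked_until:
            self.alert("locked_attempt", user)  # internal alert; nothing forwarded
            return "locked"
        if st.locked_until:                     # temporary lock has expired
            st.failures, st.locked_until = 0, 0.0
        if self.bind(user, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = (now + self.policy.lockout_seconds
                               if self.policy.lockout_seconds else float("inf"))
            self.alert("account_locked", user)
            return "locked"
        return "bad_password"
    def admin_unlock(self, user: str) -> None:
        self.state.pop(user, None)
class FakeDirectory:
    """Constructed stand-in for eDirectory/AD with its own lockout threshold."""
    def __init__(self, passwords: Dict[str, str], threshold: int = 5):
        self.passwords, self.threshold, self.bad_binds = passwords, threshold, {}
    def bind(self, user: str, password: str) -> bool:
        if self.bad_binds.get(user, 0) < self.threshold and self.passwords.get(user) == password:
            return True
        self.bad_binds[user] = self.bad_binds.get(user, 0) + 1  # directory's own counter
        return False
```

With `max_failures=3` against a directory threshold of 5, the directory counter stops at 3 however many further attempts arrive, and a correct password is refused until the lock expires or an administrator clears it.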
Is there any update on this? Will this issue be addressed in future releases?