Blocking users after failed login attempts

Hello,

This is not really about any particular error I am getting. It is something I am trying to accomplish, and I am beginning to think that I may be making this more complicated than necessary.

We are using ownCloud 10 Community Edition, and would like to do the following: After a user fails their login a set number of times, their account should be locked until an administrator unlocks it.

I know that the Security app in the Market does something like that, but it blocks the user by IP address, which is not great for us: We have remote desktop servers that are shared by dozens of people, and they would get upset if every time someone fat-fingers their password a couple of times, everybody gets locked out.

My current plan runs along these lines: Use fail2ban, but instead of banning the IP address the request came from, pipe the set of log messages that caused the ban through a script that parses out the user name and uses occ to just disable that user.

Is that the way I'll have to go, or is there some other, easier & more standardized way to go about this?

Thanks,
--Juergen
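The plan described in the question above, sketched as an added example (not part of the original post, and not ownCloud or fail2ban code): it counts failed logins per user name from log lines on stdin and disables the account with `occ user:disable`. The log message format, the occ path, the web-server user, the thresholds and the exempt list are assumptions to check against your own installation.

```python
import json
import re
import subprocess
import sys
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 3            # assumed: failures before the account is disabled
WINDOW_SECONDS = 600     # assumed: look-back window, like fail2ban's findtime
EXEMPT = {"admin"}       # assumed: accounts never disabled automatically
# Assumed log line (constructed): {"time":"2019-03-01T10:00:00+00:00","message":"Login failed: 'alice' (Remote IP: '10.0.0.5')"}
FAILED = re.compile(r"^Login failed: '(?P<uid>[^']*)' \(Remote IP: '[^']*'\)$")
# The name comes from an unauthenticated request, so accept only a conservative set.
SAFE_UID = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def users_to_disable(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return uids with >= threshold failures inside any `window`-second span."""
    recent = defaultdict(deque)
    flagged = []
    for line in lines:
        try:
            entry = json.loads(line)
            match = FAILED.match(entry["message"])
            when = datetime.fromisoformat(entry["time"]).timestamp()
        except (ValueError, KeyError, TypeError):
            continue  # not JSON, or not a log entry we understand
        if not match or not SAFE_UID.match(match["uid"]):
            continue
        uid = match["uid"]
        if uid in EXEMPT or uid in flagged:
            continue
        times = recent[uid]
        times.append(when)
        while when - times[0] > window:
            times.popleft()  # drop failures older than the window
        if len(times) >= threshold:
            flagged.append(uid)
    return flagged


def disable_command(uid, occ="/var/www/owncloud/occ"):
    """argv for occ (path and www-data are assumptions); a list, so no shell parses the uid."""
    return ["sudo", "-u", "www-data", "php", occ, "user:disable", uid]


if __name__ == "__main__":
    for uid in users_to_disable(sys.stdin):
        subprocess.run(disable_command(uid), check=False)
```

Keying the lockout on the user name means anyone who knows a name can get that account disabled, so the exempt list should cover at least one administrator who can run `occ user:enable`.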

Please have a look at the security app - https://marketplace.owncloud.com/apps/security

Hi there, I think you can use fail2ban and adjust it your way.

2 Likes

We already have a pull request to change the blocking policy to an ip+uid combination. The next version of the security app will have this enhancement soon.

3 Likes