Brute Force Login Prevention
From OpenEMR Project Wiki
Overview
- Prior to OpenEMR 7.0.1(1), the global configuration setting Security->"Maximum Failed Login Attempts" could be set to shut down logins from users that exceeded the set number of failed logins. This prevented brute force login, however, was difficult to administer (for example, required manual fixes directly in mysql database for an administrator to reset a user's account so they could login again).
- For OpenEMR 7.0.1(1) and subsequent versions, this was upgraded to:
- Allow easy reset of the number of failed logins by the administrator in OpenEMR's user interface.
- Introduce a time out where the number of failed logins is reset.
- Introduce the mechanism for both users and ip addresses.
- Users with the Security->"Maximum Failed Login Attempts For User" and Security->"Time (seconds) to Reset Maximum Failed Login Attempts For User" settings.
- IP Addresses with the Security->"Maximum Failed Login Attempts From IP Address" and Security->"Time (seconds) to Reset Maximum Failed Login Attempts From IP Address" settings.
- These features by turn on be default with following settings:
- Security->"Maximum Failed Login Attempts For User" is 20