Brute Force Login Prevention
From OpenEMR Project Wiki
Overview
- Prior to OpenEMR 7.0.1(1), the global configuration setting Security->"Maximum Failed Login Attempts" could be set to shut down logins from users that exceeded the set number of failed logins. This prevented brute force login, however, was difficult to administer (for example, required manual fixes directly in mysql database for an administrator to reset a user's account so they could login again).
- For OpenEMR 7.0.1(1) and subsequent versions, this was upgraded to:
- Allow easy reset of the number of failed logins by the administrator in OpenEMR's user interface.
- Introduce a time out where the number of failed logins is reset.
- Introduce the mechanism for both users and ip addresses.
- Users with the Security->"Maximum Failed Login Attempts For User" and Security->"Time (seconds) to Reset Maximum Failed Login Attempts For User" settings.
- IP Addresses with the Security->"Maximum Failed Login Attempts From IP Address" and Security->"Time (seconds) to Reset Maximum Failed Login Attempts From IP Address" settings.
- These features are turned on by default with following settings:
- Security->"Maximum Failed Login Attempts For User" is 20
- Security->"Time (seconds) to Reset Maximum Failed Login Attempts For User" is 3600
- Security->"Maximum Failed Login Attempts From IP Address" is 100
- Security->"Time (seconds) to Reset Maximum Failed Login Attempts From IP Address" is 3600
- The User interface to view blocking status and reset the counters is at Admin->Users
- The IP Address interface to view blocking status and reset the counters is at Reports->Services->IP Tracker