@robocoder opened this Issue on November 23rd 2011 Contributor

As part of Piwik's multi-layered security approach, there are a number of areas which could detect possible attack and mitigate (e.g., block).


  • n failed login attempts (e.g., brute force)
  • n failed lost password requests
  • n failed password reset attempts
  • password reset with invalid (e.g., expired) reset token (e.g., replay)
  • n feedback requests within m minutes
  • n API requests with invalid parameter
  • API request with invalid token
  • direct access to .php file
  • request for non-existent file
  • directory list attempt

Could optionally be extended to tracking requests with caveat that this would have some impact on performance.

Note: some of the above involves integration with the web server (e.g., Apache); I have no idea how doable some of this is with other servers (e.g., IIS, lighttpd, nginx, cherokee, jetty, tomcat, ...).

@mattab commented on February 17th 2012 Member

See also: #2888

@mattab commented on October 5th 2012 Member

I included the "do-able" checks (ie. username/email enumeration, brute force on login/reset password, and failed token in API requests) as part of the "Lockdown IP adress" ticket at: #2888

Closing this as the remaining items could possibly be done on a webserver level

See #2888

This Issue was closed on October 5th 2012
Powered by GitHub Issue Mirror