We should at least optionally notify a user when there is a failed login attempt. I'd have it enabled by default in core but we could also have it as a plugin on the marketplace or by default disabled.
We'd send an email to the owner of the account letting the user know someone tried to log in using his login name. Maybe we'd also add the IP address, etc.? I'm sure there are many examples for this on the internet.
We could also only send it after the second or third failed attempt.
It is a bit related to brute-force attacks but not really: https://github.com/piwik/piwik/issues/2888
Maybe one should think of sending this mail not always but only after, e.g., the 3rd failed login attempt?
On the other hand, one could extend this to send a mail when someone logs in from another country than the last time (or similar)?
Putting the IP in the email would be great - maybe one could reuse the GeoIP feature.
We'd send an email to the owner of the account letting the user know someone tried to log in using his login name.
I think superadmin/admin should be made aware too... There's something "fishy" after more than 5 attempts...
Good point re other country. I'll create a separate issue for this. They might be developed both in one step at some point but better to have them separated.
If text messages are configured in a Piwik (e.g. for scheduled reports) one should ideally also be able to receive it as a text message on one's phone to be able to react quickly in case it wasn't you who tried to log in...
I think https://github.com/piwik/piwik/issues/2888 is more valuable first (although of course also more complicated to implement)
Just FYI: When an attacker brute-forces tokens, no user can be notified as there is only the token and no username. As an attacker, I would not bother about trying to log in through username/password but instead through the API which also avoids needing the nonce etc.
Maybe a simple solution for https://github.com/matomo-org/matomo/issues/2888 is more useful for now?
FYI: Now that we will have #2888 I will move it out of this milestone. It wouldn't be that valuable when a user can still try to log in through token_auth and basically nobody would get notified. Also it could result in heaps of mails.
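A sketch of the notification logic discussed in this thread, as an added example that is not Matomo/Piwik code: it notifies the account owner only after the N-th failed attempt inside a sliding window, includes the source IP in the message, additionally alerts an admin address after a higher count, and rate-limits repeat notifications per recipient so a sustained attack does not produce heaps of mails. The thresholds, window, cooldown, the `admin` recipient, the callback-based delivery and the scenario data are all constructed assumptions. As noted above, this keys on the login name, so it says nothing about attempts against `token_auth` through the API.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not Matomo/Piwik code. Delivery (email, SMS, ...) is a
# callback taking (recipient, message) so the logic runs offline.
Sender = Callable[[str, str], None]


class FailedLoginNotifier:
    def __init__(self, send: Sender, owner_threshold: int = 3,
                 admin_threshold: int = 5, window_seconds: int = 600,
                 cooldown_seconds: int = 3600, admin_address: str = "admin"):
        # All defaults are assumptions chosen for the example.
        self.send = send
        self.owner_threshold = owner_threshold
        self.admin_threshold = admin_threshold
        self.window_seconds = window_seconds
        self.cooldown_seconds = cooldown_seconds
        self.admin_address = admin_address
        # login -> [(timestamp, source ip), ...] inside the sliding window
        self._failures: Dict[str, List[Tuple[float, str]]] = {}
        # (login, recipient) -> time of the last notification sent
        self._last_notified: Dict[Tuple[str, str], float] = {}

    def record_failure(self, login: str, ip: str,
                       now: Optional[float] = None) -> List[str]:
        """Register one failed login; return the recipients notified now."""
        if now is None:
            now = time.time()
        attempts = self._failures.setdefault(login, [])
        # Drop failures that fell out of the window before counting.
        attempts[:] = [(t, a) for (t, a) in attempts if now - t < self.window_seconds]
        attempts.append((now, ip))
        count = len(attempts)
        message = (f"{count} failed login attempts for account '{login}' in the last "
                   f"{self.window_seconds // 60} minutes; most recent from IP {ip}. "
                   "If this was not you, consider changing your password.")
        notified: List[str] = []
        if count >= self.owner_threshold and self._may_notify(login, login, now):
            self.send(login, message)
            notified.append(login)
        if count >= self.admin_threshold and self._may_notify(login, self.admin_address, now):
            self.send(self.admin_address, message)
            notified.append(self.admin_address)
        return notified

    def record_success(self, login: str) -> None:
        """A successful login clears the failure history for that account."""
        self._failures.pop(login, None)

    def _may_notify(self, login: str, recipient: str, now: float) -> bool:
        # One notification per (account, recipient) per cooldown period.
        key = (login, recipient)
        last = self._last_notified.get(key)
        if last is not None and now - last < self.cooldown_seconds:
            return False
        self._last_notified[key] = now
        return True


def run_scenario() -> Dict[str, List[str]]:
    """Constructed scenario: seven failures against 'alice' within two minutes
    from one IP (documentation address 203.0.113.7). Returns the outbox."""
    outbox: Dict[str, List[str]] = {}

    def send(recipient: str, msg: str) -> None:
        outbox.setdefault(recipient, []).append(msg)

    notifier = FailedLoginNotifier(send)
    t0 = 1_700_000_000.0
    for i in range(7):
        notifier.record_failure("alice", "203.0.113.7", t0 + i * 15)
    return outbox


if __name__ == "__main__":
    for recipient, messages in run_scenario().items():
        for m in messages:
            print(f"to {recipient}: {m}")
```

In the scenario the owner gets exactly one mail (at the third failure) and the admin exactly one (at the fifth); the remaining failures are suppressed by the cooldown rather than each producing a message. The window means that three failures spread over a day never reach the threshold, and a successful login resets the counter.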
The login attempt happened, just after my:
user.device_verification_requested | user.login | user.device_verification_success!
Is there a way that the attacker tracked my
because the attack happened on the same day, just after I did, the