Send an email / text when there is a fail login attempt #9140
Comments
tsteur
added
the
c: Security
|
Nice idea! Maybe a good idea as a first step before #2888 |
|
sound's great! |
|
on the other hand one could extend this to send a mail when some logs in from an other country than the last time (or similar)? |
|
putting the IP in the email would be great - maybe one could reuse geoIP feature |
I think superadmin/admin should be made aware too... There's something "fishy" after more than 5 attempts... |
tsteur
added
the
c: New plugin
|
Good point re other country. I'll create a separate issue for this. They might be developed both in one step at some point but better to have them separated. |
|
If text messages are configured in a Piwik (eg for scheduled reports) one should ideally also be able to receive it as a text message on your phone to be able to react quickly in case it wasn't you who tried to log in... |
tsteur
changed the title
|
I think #2888 is more valuable first (althrough of course also more complicated to implement) |
|
Just FYI: When an attacker brute forces tokens, no user can be notified as there is only the token and no username. As an attacker, I would not bother about trying to log in through username/password but instead through the API which also avoids needing the nonce etc. Maybe a simple solution for #2888 is more useful for now? |
|
Just seeing #2888 is scheduled for 3.7.0 as well :) |
|
FYI: Now that we will have #2888 I will move it out of this milestone. It wouldn't be that valuable when a user can still try to log in through token_auth and basically nobody would get notified. Also it could result in heaps of mails. |
hey guys , is there a way to report an ip address that tried to access , my account ?the login attempt happened , just after my :
Is there a way that the attacker , tracked my cause the attack happened at the same day , just after I did , the Is there a Way to Resolve this ? .... & thanks |
We should at least optionally notify a user when there is a failed login attempt. I'd have it enabled by default in core but we could also have it as a plugin on the marketplace or by default disabled.
We'd send an email to the owner of the account letting the user know someone tried to log in using his login name. Maybe we'd also add IP address etc? I'm sure there are many examples for this on the internet.
We could also only send it after the second or third failed attempt.
It is a bit related to brute force attack but not really: #2888
The text was updated successfully, but these errors were encountered: