Download the PHP package neamil/protect_fe_login without Composer
On this page you can find all versions of the php package neamil/protect_fe_login. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package protect_fe_login
Short Description: This TYPO3 extension provides brute-force protection for the frontend login using device cookies, as described in the OWASP article https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies
License MIT
Information about the package protect_fe_login
Protect FE Logins
This TYPO3 extension protects fe_login against brute-force attacks using device cookies, as described in the OWASP article https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies
Current state: Beta! Don't use it in production yet.
Installation
This TYPO3 extension is available via packagist:
Alternatively, you can install the extension from TER:
After that, proceed with Getting Started
Getting Started
- Install via TER or Composer.
- Configure the needed extension settings:
  - Timeout: lock-out duration in seconds for untrusted users / device cookies
  - MaxAttempts: number of failed attempts an untrusted user, or a single device cookie, can make before the untrusted users for that username, or that device cookie, are locked out
  - DeviceCookieName: the name of the device cookie set for the client; choose something unique, e.g. containing the website name
  - DeviceCookieExpireInDays: number of days until the device cookie expires
  - Secret: secret cryptographic key used for hash_hmac. Use a key with at least 512 bits of entropy, generated with the key/password generator of your choice. Don't use it anywhere else and keep it safe!
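As an added example (not the extension's own code), the OWASP device-cookie pattern that the settings above refer to, implemented with hash_hmac: the function names, the constructed SECRET/MAX_ATTEMPTS/TIMEOUT values and the in-memory $state array (standing in for the extension's database tables) are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the extension's code: OWASP device-cookie pattern with hash_hmac.
const SECRET = 'PLACEHOLDER-replace-with-a-random-512-bit-secret';  // constructed value
const MAX_ATTEMPTS = 5;   // failures allowed per untrusted user / per device cookie
const TIMEOUT = 300;      // lock-out duration in seconds
// Device cookie as in the OWASP article: "login,nonce,HMAC(secret, login,nonce)".
function issueDeviceCookie(string $login, string $secret): string
{
    $payload = $login . ',' . bin2hex(random_bytes(16));
    return $payload . ',' . hash_hmac('sha256', $payload, $secret);
}
// Returns [login, nonce] if the cookie carries a valid HMAC, otherwise null.
function verifyDeviceCookie(string $cookie, string $secret): ?array
{
    $parts = explode(',', $cookie);
    if (count($parts) !== 3) { return null; }
    [$login, $nonce, $sig] = $parts;
    $expected = hash_hmac('sha256', $login . ',' . $nonce, $secret);
    // hash_equals compares in constant time so timing does not leak the expected MAC
    return hash_equals($expected, $sig) ? [$login, $nonce] : null;
}
// $state stands in for the extension's DB tables (attempts + lock expiry per bucket).
// A valid cookie for this user gets its own bucket; all other clients share the user's
// "untrusted" bucket, so a distributed guess cannot lock out the user's known devices.
function checkLogin(string $user, ?string $cookie, bool $passwordOk, array &$state, int $now): bool
{
    $dc = $cookie === null ? null : verifyDeviceCookie($cookie, SECRET);
    $key = ($dc !== null && $dc[0] === $user) ? 'dc:' . $dc[1] : 'untrusted:' . $user;
    $rec = $state[$key] ?? ['attempts' => 0, 'lockedUntil' => 0];
    if ($rec['lockedUntil'] > $now) {
        return false;              // bucket is locked out: reject before any password check
    }
    if ($passwordOk) {
        unset($state[$key]);       // success clears the bucket's failure counter
        return true;
    }
    if (++$rec['attempts'] >= MAX_ATTEMPTS) {
        $rec = ['attempts' => 0, 'lockedUntil' => $now + TIMEOUT];
    }
    $state[$key] = $rec;
    return false;
}
$state = [];
for ($i = 0; $i < MAX_ATTEMPTS; $i++) { checkLogin('alice', null, false, $state, 1000); }
// 'alice' untrusted bucket is now locked; a valid device cookie is in its own bucket
var_dump(checkLogin('alice', null, true, $state, 1001));
var_dump(checkLogin('alice', issueDeviceCookie('alice', SECRET), true, $state, 1001));
```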
FAQ
Don't we already have extensions which protect from brute-force attacks?
There are several extensions, e.g. login_limit, secure_login or felogin_bruteforce_protection. Those provide a simple time/IP ban for login attempts, with downsides for a lot of use cases:
- Simple time lockout after n attempts:
  - DoS for the user account
- Time lockout for an IP after n attempts (that's what most of the named extensions do):
  - not suitable against large distributed attacks (bot networks etc.)
  - not friendly for users behind NAT
  - DoS still possible in many cases
Inspiration and notes were taken from this German talk at MRMCD2019: https://media.ccc.de/v/2019-220-ber-bruteforce-protection-und-warum-das-gar-nicht-so-leicht-ist
All versions of protect_fe_login with dependencies
- typo3/cms-core: ^9.5 || ^10.4
- ext-pdo: *
- php: ^7.2