Bug #7693
Brute force protection does not kill states, so additional login attempts may be possible in some cases
Status: closed (100%)
Description
The way that browsers and ssh clients work, it may be possible to exceed brute force protection limits enforced by sshlockout_pf.
sshlockout_pf adds the client IP address to a lockout table, but it does not kill states from the client IP address. In the case of ssh clients, this usually means they can fail an additional time or two, which is not that worrisome. In the case of web browsers, however, they can keep trying as long as the browser continues to reuse the open connection to the server.
It seems like the best approach here is to have sshlockout_pf kill client states when adding an address to a lockout table. In addition to that, the login form should check if the client address is in a lockout table and refuse to accept a login attempt in that case.
I'll handle the GUI part, Renato is looking into sshlockout_pf.
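The two fixes proposed above, expressed with `pfctl`, as an added example that is not pfSense or sshlockout_pf code. The table name `example_lockout` and the function names are placeholders chosen for illustration; `PFCTL` can be overridden to point at a stub for testing.

```shell
#!/bin/sh
# Added example, not pfSense code. LOCKOUT_TABLE is a placeholder table name.
PFCTL="${PFCTL:-pfctl}"
LOCKOUT_TABLE="${LOCKOUT_TABLE:-example_lockout}"

# Accept only characters that can appear in an IPv4 or IPv6 literal,
# so nothing else is ever passed to pfctl.
valid_addr() {
    case "$1" in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Block new connections AND drop connections that are already established.
lockout_client() {
    addr="$1"
    valid_addr "$addr" || return 2
    # 1. New connections: rules that reference the table now match.
    $PFCTL -q -t "$LOCKOUT_TABLE" -T add "$addr" || return 1
    # 2. Existing connections: packets that match an established state are
    #    passed without re-evaluating the ruleset, so a kept-alive HTTP
    #    connection survives step 1. Kill all states from this address.
    $PFCTL -q -k "$addr" || return 1
}

# Check for the login handler: exit status 0 means the address is in the
# lockout table and the attempt should be refused before any credential
# check. pfctl exits non-zero when the tested address does not match.
is_locked_out() {
    valid_addr "$1" || return 2
    $PFCTL -q -t "$LOCKOUT_TABLE" -T test "$1" >/dev/null 2>&1
}
```

The second function covers the case where a state is not killed in time: the login form rejects the attempt based on table membership alone.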