Magento Forum

Prevent Brute Force attacks on Customer Login Page
fgrace
Jr. Member
Total Posts: 3
Joined: 2009-03-23

Hi

My website (Magento ver. 1.4.1.0) has recently had a full scale security audit.
The results were good with only 1 issue remaining to be addressed:

1. The following login page doesn’t have any protection against password-guessing attacks (brute force attacks).
https://www.mywebsite.com/index.php/customer/account/login/

The security assessment tested 10 invalid credential attempts and no account lockout was detected.

Example
Request
POST /index.php/customer/account/loginPost HTTP/1.1
Content-Length: 57
Content-Type: application/x-www-form-urlencoded
Host: www.mywebsite.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*

I would be really grateful for some help in fixing these issues

Regards
FG

thebod
Moderator
Total Posts: 81
Joined: 2010-08-11


Magento doesn't provide out-of-the-box anti-brute-force methods.

You could look for a module that adds support.

And please notice: JS validation can’t block logins, simply because JS is executed on the user-side and an attacker can easily modify/block/whatever the script!

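The kind of server-side check the reply above refers to, as an added example that is neither thebod's code nor Magento's: failed logins are counted per account and per client IP, and once either counter reaches the limit the request is refused before the password is even compared, which is exactly what the auditor's ten-attempt test looks for. The class below is framework-independent so it can be run from the command line; the account, IP and the in-memory storage are constructed for the demonstration, and the Magento 1 hook names mentioned afterwards are from memory and should be checked against your version.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not Magento code): a throttle for the customer login POST.
 * Counters are kept in a PHP array here; a real deployment keeps them in the
 * database or a cache shared by all web nodes so the limit holds across
 * servers and across requests.
 */
final class LoginThrottle
{
    private int $maxFailures;
    private int $windowSeconds;
    private int $lockoutSeconds;

    /** @var array<string, array{count:int, windowStart:int, lockedUntil:int}> */
    private array $state = [];

    public function __construct(int $maxFailures = 5, int $windowSeconds = 300, int $lockoutSeconds = 900)
    {
        $this->maxFailures    = $maxFailures;     // failures allowed inside one window
        $this->windowSeconds  = $windowSeconds;   // counting window for failures
        $this->lockoutSeconds = $lockoutSeconds;  // how long a key stays locked
    }

    /** True if this account/IP pair may proceed to the password check at all. */
    public function isAllowed(string $email, string $ip, int $now): bool
    {
        foreach ($this->keys($email, $ip) as $key) {
            if (isset($this->state[$key]) && $this->state[$key]['lockedUntil'] > $now) {
                return false;
            }
        }
        return true;
    }

    /** Seconds until the pair may try again; 0 when it is not locked. */
    public function retryAfter(string $email, string $ip, int $now): int
    {
        $wait = 0;
        foreach ($this->keys($email, $ip) as $key) {
            $until = $this->state[$key]['lockedUntil'] ?? 0;
            $wait  = max($wait, $until - $now);
        }
        return max(0, $wait);
    }

    /** Call after a wrong password. The key is locked once the limit is hit. */
    public function recordFailure(string $email, string $ip, int $now): void
    {
        foreach ($this->keys($email, $ip) as $key) {
            $entry = $this->state[$key] ?? ['count' => 0, 'windowStart' => $now, 'lockedUntil' => 0];
            if ($now - $entry['windowStart'] > $this->windowSeconds) {
                // Old failures outside the window no longer count.
                $entry = ['count' => 0, 'windowStart' => $now, 'lockedUntil' => 0];
            }
            $entry['count']++;
            if ($entry['count'] >= $this->maxFailures) {
                $entry['lockedUntil'] = $now + $this->lockoutSeconds;
            }
            $this->state[$key] = $entry;
        }
    }

    /**
     * Call after a correct password. Only the account counter is cleared:
     * clearing the IP counter too would let an attacker reset it at will by
     * logging into an account they already control.
     */
    public function recordSuccess(string $email): void
    {
        unset($this->state[$this->keys($email, '')[0]]);
    }

    /** Two counters per attempt: one per account (spray from many IPs), one per IP (guessing across many accounts). */
    private function keys(string $email, string $ip): array
    {
        return ['acct:' . strtolower(trim($email)), 'ip:' . $ip];
    }
}

// Demonstration: replay the audit's ten wrong passwords against one account
// from one address (constructed sample values, not real customer data).
$throttle = new LoginThrottle(5, 300, 900);
$email    = 'customer@example.com';
$ip       = '203.0.113.10';
$now      = time();

for ($attempt = 1; $attempt <= 10; $attempt++) {
    $t = $now + $attempt;
    if (!$throttle->isAllowed($email, $ip, $t)) {
        printf("attempt %2d: refused, retry in %d s\n", $attempt, $throttle->retryAfter($email, $ip, $t));
        continue;
    }
    // The real password comparison would go here; every guess in this replay is wrong.
    $throttle->recordFailure($email, $ip, $t);
    printf("attempt %2d: password checked, wrong\n", $attempt);
}
```

With the defaults above the first five guesses reach the password check and the fifth one locks both keys, so guesses six to ten are refused with a retry-after of roughly 900 seconds. To wire this into Magento 1 you would, as far as I recall the framework, register an observer on `controller_action_predispatch_customer_account_loginPost`, read `login[username]` from the POST data, call `isAllowed()`, and on refusal set `FLAG_NO_DISPATCH` and redirect back to the login page; the event and field names are from memory, so verify them against your 1.4.1.0 code. Two practical caveats: take the client address from `REMOTE_ADDR` and only honour `X-Forwarded-For` when the request comes from a proxy you operate, otherwise an attacker chooses their own IP key; and log every lockout, since a burst of them is the cheapest brute-force detection you will get.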