I have recently been getting a new website built on D7 ready and reviewing steps to make my site more secure, final steps etc, before publishing it to my host. One thing I have been trying to read more about is the change in D7 that will block brute force login attempts. Can someone direct me to more info about this? Can I configure the number of attempts before someone is locked out?

The only place in the docs I've seen this was here.

A "Flood Control" module was mentioned here, but the docs also mention this protection was added as part of D7 core. So if this is part of the core, where do I go to configure this?

Am I correct in my impression that the Flood Control module is just putting an interface on the core functions that handle this protection feature?

Comments

roper.

Looks like that code is in user_login_authenticate_validate(). Be sure to read the code comments. There seem to be two separate flood types: one per IP, and one per user.

The number of attempts and the time windows are stored as variables, so you can override them. Not sure if there's a UI for it directly; if not, you can just do:

// Set per-IP failed login attempt limit and window.
variable_set('user_failed_login_ip_limit', 10); // Changed from 50 attempts to 10.
variable_set('user_failed_login_ip_window', 1800); // Changed from 3600 (one hour) to 1800 (half-hour).

// Set per-user failed login attempt limit and window.
variable_set('user_failed_login_user_limit', 3); // Changed from 5 attempts to 3.
variable_set('user_failed_login_user_window', 10800); // Changed from 21600 (6 hours) to 10800 (3 hours).

Just run that code once (modify as needed) either on a PHP page, or through devel's PHP form.

Hope that helps. :-)

edit: Also, here's the thread where this functionality got implemented for D7: #485974: Improved security: rate limit login attempts.
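As an added example (not part of the thread, and not code from Drupal core), the script below shows how to read back the effective limits and see what core's login flood control has actually recorded. It uses the Drupal 7 variable and database APIs and assumes the core {flood} table columns (event, identifier, timestamp, expiration); the two event names are the ones user_login_authenticate_validate() registers. Run it from the site root with drush php-script.

```php
<?php
/**
 * Added example, not from the original thread. Run from a Drupal 7 site
 * root with: drush php-script flood_report.php
 *
 * Prints the effective login flood-control limits and, from the core
 * {flood} table, which identifiers are currently over their threshold.
 * Assumes D7 core's flood API and the {flood} table columns
 * (event, identifier, timestamp, expiration) as shipped in Drupal 7.
 */

// Effective values: a $conf override in settings.php wins over a value
// stored with variable_set(), which wins over the core default passed as
// the second argument to variable_get().
$limits = array(
  'failed_login_attempt_ip' => array(
    'limit'  => variable_get('user_failed_login_ip_limit', 50),
    'window' => variable_get('user_failed_login_ip_window', 3600),
  ),
  'failed_login_attempt_user' => array(
    'limit'  => variable_get('user_failed_login_user_limit', 5),
    'window' => variable_get('user_failed_login_user_window', 21600),
  ),
);

foreach ($limits as $event => $cfg) {
  printf("%-26s limit=%d window=%ds\n", $event, $cfg['limit'], $cfg['window']);

  // Count events per identifier inside the window. This mirrors the check
  // flood_is_allowed() performs before user_login_authenticate_validate()
  // refuses to verify the password. The per-IP identifier is the client IP;
  // the per-user identifier is "uid-ip" by default.
  $query = db_select('flood', 'f')
    ->fields('f', array('identifier'))
    ->condition('event', $event)
    ->condition('timestamp', REQUEST_TIME - $cfg['window'], '>');
  $query->addExpression('COUNT(*)', 'attempts');
  $query->groupBy('identifier');
  $query->orderBy('attempts', 'DESC');

  foreach ($query->execute() as $row) {
    $state = ($row->attempts >= $cfg['limit']) ? 'BLOCKED' : 'ok';
    printf("  %-40s %3d attempts  %s\n", $row->identifier, $row->attempts, $state);
  }
}
```

If you would rather not run variable_set() by hand, the same variables can be pinned in settings.php, for example $conf['user_failed_login_ip_limit'] = 10;, which keeps the limits in version control and cannot be undone from the database. A legitimate user who has been locked out can be released with flood_clear_event('failed_login_attempt_user', $identifier) using the identifier shown in the report.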