hey

I thought it would be useful to have a Maximum number of login failures before soft blocking a user.
Same thing as normal user login block, except, "This protection is effective during the time indicated at tracking time option."

example:
Maximum number of login failures before detecting an ongoing attack: 10
Maximum number of login failures before soft blocking a user: 5
Maximum number of login failures before blocking a user: 10
Maximum number of login failures before soft blocking a host: 25
Maximum number of login failures before blocking a host: 50


Comments

doublejosh’s picture

Agreed. In fact this is the one thing I wanted from the module.

ben.bunk’s picture

Has anyone started work on this? I'd like to sync up before I begin implementing it if there's already work done.

deekayen’s picture

Version: 6.x-1.x-dev » 7.x-1.x-dev

Bumping version.

knyshuk.vova’s picture

I think it would be great to allow the administrator to choose how to block the user: whether it will be blocking completely or blocking with automatic unlocking after a certain time.

The patch attached.

Added checkbox "Enable soft user blocking"

If this is checked, then the user will not be able to submit the login form again once the specified number of login failures is reached.
This protection is effective during the time indicated at the track time option. When the track time has passed, the expired records of unsuccessful login attempts will be removed based on their creation time and the user will be able to reuse their login attempts. The user will not be blocked completely. The user can still use the reset password form to recover their password and log in with a one-time login link.

knyshuk.vova’s picture

Important

To use soft user blocking you need to configure Drupal's flood system.
Drupal doesn't allow login if the failed attempts limit (flood limit) for this user has been reached. The flood system by default allows 5 failed attempts every 6 hours and cleans up expired attempts after cron execution. The flood limit should be increased to avoid conflicts between similar functionality. For example, it may be increased to 500. Otherwise, the user will be blocked by the default flood system.
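
The interaction described in the comment above, as an added example that is not part of the thread or the module's code: a simplified sliding-window model (not Drupal's API) of the soft block running alongside the core flood limit. The 1-hour track time, the timeline, the check order and all names are assumptions; the limits 5, 500 and the 6-hour window come from the thread.

```python
from dataclasses import dataclass, field

HOUR = 3600

@dataclass
class WindowLimit:
    """Blocks once `limit` failures fall inside the last `window` seconds."""
    limit: int
    window: int
    failures: list = field(default_factory=list)

    def purge(self, now):
        # Expired records are dropped based on their creation time.
        self.failures = [t for t in self.failures if now - t < self.window]

    def blocked(self, now):
        self.purge(now)
        return len(self.failures) >= self.limit


def attempt_login(now, password_ok, soft, core):
    """Return which layer decided one login form submission."""
    if core.blocked(now):
        return "core_flood"
    if soft.blocked(now):
        return "soft_block"
    if password_ok:
        return "ok"
    # A failed attempt is recorded by both counters.
    soft.failures.append(now)
    core.failures.append(now)
    return "failed"


def simulate(core_limit):
    soft = WindowLimit(limit=5, window=1 * HOUR)           # track time: assumed 1 hour
    core = WindowLimit(limit=core_limit, window=6 * HOUR)  # core flood window from the thread
    # Constructed timeline: five wrong passwords one minute apart, then two retries.
    for i in range(5):
        attempt_login(i * 60, False, soft, core)
    during = attempt_login(10 * 60, True, soft, core)  # inside the track time
    after = attempt_login(2 * HOUR, True, soft, core)  # track time has passed
    return during, after


if __name__ == "__main__":
    print("core limit 5:  ", simulate(5))
    print("core limit 500:", simulate(500))
```

With the core limit left at 5, the correct password is still rejected two hours later because the 6-hour flood window outlives the track time; with the limit raised to 500, only the soft block applies and it lifts once its records expire.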

knyshuk.vova’s picture

Status: Active » Needs review