Flarum Account Security

WisHa

Hello, I opened a forum from flarum but is there an extension that I can prevent users from brute-force other users' accounts, or is it needed or not?

GreXXL

WisHa if you are talking about free Flarum you should post in the according thread https://discuss.flarum.org/d/7585-free-flarum-hosting-on-an-expert-platform-by-freeflarum-com

WisHa

GreXXL No I'm not talking about free flarum. I am talking about that I opened my forum but I am worrying about that, is it possible to steal other users' account with bruteforcing or is there any protect for it like cooldown?

clarkwinkelmann

No Flarum does not include any API throttling for login/registration out of the box.

For general API throttling you might be able to configure that at the webserver level. For general HTTP throttling you might use tools like fail2ban.

We have an extension API to register custom throttling https://docs.flarum.org/extend/api-throttling.html This can be used by extension to register custom rules. By default the only throttling defined with that system is the time between discussions/posts. This could absolutely be used to implement an incrementing wait time between failed login attempts.

Kulga

Configuration at the webserver level will be highly dependent on the software used (nginx, apache, caddy etc)
You also need to address questions like how to separate users, how many requests is too much, what to do if they reach that limit, etc.

What I have for caddy is this, with the ratelimit module installed and differentiating on their flarum_session cookie for all requests to /login. It limits to 2 requests a second and generates a 429 Too many requests error otherwise.

domain.tld {
  header /assets { 
    +Cache-Control max-age=25000
    +Cache-Control public, must-revalidate, proxy-revalidate    Pragma public
  }
  reverse_proxy internalip
  route /login {
    rate_limit {cookie.flarum_session} 2r/s
  }
}

[deleted]

Kulga you can do something very similar to this with NGINX
https://www.nginx.com/blog/rate-limiting-nginx/

010101

Hmm. I haven’t really thought about this. There’s always something else to consider... 😳