Hello, I opened a forum with Flarum, but is there an extension I can use to prevent users from brute-forcing other users' accounts, or is that even needed?
Flarum Account Security
WisHa, if you are talking about FreeFlarum you should post in the corresponding thread: https://discuss.flarum.org/d/7585-free-flarum-hosting-on-an-expert-platform-by-freeflarum-com
No, Flarum does not include any API throttling for login/registration out of the box.
For general API throttling you might be able to configure that at the webserver level. For general HTTP throttling you might use tools like fail2ban.
We have an extension API to register custom throttling: https://docs.flarum.org/extend/api-throttling.html This can be used by extensions to register custom rules. By default the only throttling defined with that system is the time between discussions/posts. This could absolutely be used to implement an incrementing wait time between failed login attempts.
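What the incrementing wait time described above could look like as an extension, written here as an added example (it is not Flarum's code and was not posted in this thread). It uses the documented ThrottleApi and Middleware extenders. Assumptions, all ours: the API login route is named `token` (the forum's /login handler calls the API token endpoint), a wrong password surfaces as `NotAuthenticatedException`, the cache is resolved through the `Illuminate\Contracts\Cache\Repository` binding, and the `login_backoff:` cache-key prefix and the `LOGIN_BACKOFF` schedule are invented for this example.

```php
<?php
// extend.php of a hypothetical Flarum 1.x extension (added example, not Flarum's own code).
// Two pieces work together:
//   1. RecordFailedLogin (API middleware): counts consecutive failed logins per client IP.
//   2. A ThrottleApi rule: answers the next login attempt with 429 while the
//      back-off window for that IP is still running.

use Flarum\Extend;
use Flarum\User\Exception\NotAuthenticatedException;
use Illuminate\Contracts\Cache\Repository as Cache;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface as Handler;

// Seconds a client must wait after N consecutive failures (assumed schedule):
// the first three failures are free, then 5 s, 15 s, 60 s, and 300 s from then on.
const LOGIN_BACKOFF = [0, 0, 0, 5, 15, 60, 300];
const LOGIN_BACKOFF_TTL = 3600; // forget a client's failure history after an hour

function loginBackoffKey(Request $request): string
{
    // Key on the client IP. Behind a reverse proxy, Flarum must be configured to
    // trust the proxy so REMOTE_ADDR is the real client, otherwise every visitor
    // shares one counter and a single attacker can lock everyone out.
    $ip = $request->getServerParams()['REMOTE_ADDR'] ?? 'unknown';
    return 'login_backoff:' . $ip;
}

class RecordFailedLogin implements MiddlewareInterface
{
    /** @var Cache */
    private $cache;

    public function __construct(Cache $cache)
    {
        $this->cache = $cache;
    }

    public function process(Request $request, Handler $handler): ResponseInterface
    {
        // Only the login endpoint is of interest (assumed route name: 'token').
        if ($request->getAttribute('routeName') !== 'token') {
            return $handler->handle($request);
        }

        $key = loginBackoffKey($request);

        try {
            $response = $handler->handle($request);
        } catch (NotAuthenticatedException $e) {
            // Wrong credentials: bump the failure count and record when it happened.
            $failures = (int) $this->cache->get($key . ':count', 0) + 1;
            $this->cache->put($key . ':count', $failures, LOGIN_BACKOFF_TTL);
            $this->cache->put($key . ':last', time(), LOGIN_BACKOFF_TTL);
            throw $e;
        }

        // A successful login resets the counter for this client.
        $this->cache->forget($key . ':count');
        $this->cache->forget($key . ':last');

        return $response;
    }
}

return [
    // Appended to the API middleware stack, so it runs after Flarum's own ThrottleApi middleware.
    (new Extend\Middleware('api'))->add(RecordFailedLogin::class),

    // true  -> reject with 429, false -> bypass all throttling, null -> let other rules decide.
    (new Extend\ThrottleApi())->set('loginBackoff', function (Request $request) {
        if ($request->getAttribute('routeName') !== 'token') {
            return null;
        }

        $cache = resolve(Cache::class);
        $key = loginBackoffKey($request);
        $failures = (int) $cache->get($key . ':count', 0);
        $last = (int) $cache->get($key . ':last', 0);

        // Look up the wait for this many failures, capped at the last schedule entry.
        $wait = LOGIN_BACKOFF[min($failures, count(LOGIN_BACKOFF) - 1)];

        if ($wait > 0 && (time() - $last) < $wait) {
            return true; // still inside the back-off window
        }

        return null;
    }),
];
```

Keying on the client IP is a trade-off: it throttles a single source hammering many accounts, but a distributed attempt against one account is not caught, so a per-account counter (keyed on the submitted identification) is a natural second rule. Whatever the key, the 429 responses are worth logging so that a sustained pattern shows up in monitoring rather than only in slower logins.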
Configuration at the webserver level will be highly dependent on the software used (nginx, apache, caddy etc)
You also need to address questions like how to separate users, how many requests is too much, what to do if they reach that limit, etc.
What I have for Caddy is this, with the ratelimit module installed and differentiating on the flarum_session cookie for all requests to /login. It limits to 2 requests a second and generates a 429 Too Many Requests error otherwise.
domain.tld {
    # Long-lived caching for static assets.
    header /assets {
        +Cache-Control max-age=25000
        +Cache-Control "public, must-revalidate, proxy-revalidate"
        Pragma public
    }
    reverse_proxy internalip
    # Rate limit login attempts per session cookie (requires the ratelimit module).
    route /login {
        rate_limit {cookie.flarum_session} 2r/s
    }
}
[deleted]
Kulga, you can do something very similar to this with NGINX:
https://www.nginx.com/blog/rate-limiting-nginx/
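For readers who want the NGINX counterpart to the Caddy snippet above, here is an added example (not from this thread or from the linked article) that rate-limits /login to 2 requests per second per flarum_session cookie, falling back to the client address for requests that carry no cookie yet. The zone name `flarum_login`, the `$login_key` variable, the burst size and the `internalip` upstream are our choices.

```nginx
# http {} context: pick the rate-limit key. A request without a session cookie
# (first visit, cookies cleared) falls back to the client IP so it is still counted.
map $cookie_flarum_session $login_key {
    ""      $binary_remote_addr;
    default $cookie_flarum_session;
}

# 2 requests/second per key; 10 MB of shared memory holds on the order of 160k keys.
limit_req_zone $login_key zone=flarum_login:10m rate=2r/s;

# Answer 429 instead of the default 503 so clients and logs show the real reason.
limit_req_status 429;

server {
    listen 443 ssl;
    server_name domain.tld;
    # ssl_certificate / ssl_certificate_key as usual

    location = /login {
        # Allow a short burst (e.g. form + asset fetches) without delaying, then reject.
        limit_req zone=flarum_login burst=5 nodelay;
        proxy_pass http://internalip;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://internalip;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

One caveat applies equally to the Caddy version: the session cookie is set by the client, so a client that discards its cookie on every request gets a fresh key each time. Keying on `$binary_remote_addr` alone, or adding a second `limit_req_zone` on the address next to the cookie-based one, closes that gap at the cost of sharing a budget between users behind the same NAT.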
Hmm. I haven’t really thought about this. There’s always something else to consider...