Diffstat (limited to 'docs')
 docs/api-json-rpc.markdown          |  1
 docs/bruteforce-protection.markdown | 26
 docs/config.markdown                | 14
 docs/index.markdown                 |  1
4 files changed, 42 insertions, 0 deletions
diff --git a/docs/api-json-rpc.markdown b/docs/api-json-rpc.markdown index 9c572304..7c211081 100644 --- a/docs/api-json-rpc.markdown +++ b/docs/api-json-rpc.markdown @@ -27,6 +27,7 @@ Security - Always use HTTPS with a valid certificate - If you make a mobile application, it's your job to store securely the user credentials on the device +- After 3 authentication failure on the user api, the end-user have to unlock his account by using the login form - Two factor authentication is not yet available through the API Protocol diff --git a/docs/bruteforce-protection.markdown b/docs/bruteforce-protection.markdown new file mode 100644 index 00000000..633cfe87 --- /dev/null +++ b/docs/bruteforce-protection.markdown @@ -0,0 +1,26 @@ +Bruteforce Protection +===================== + +The brute force protection of Kanboard works at the user account level: + +- After 3 authentication failure for the same username, the login form show a captcha image to prevent automated bot tentatives. +- After 6 authentication failure, the user account is locked down for a period of 15 minutes. + +This feature works only for authentication methods that use the login form. + +However, **after 3 authentication failure through the user API**, the account have to be unlocked by using the login form. + +Kanboard doesn't block any IP addresses since bots can use several anonymous proxies. However, you can use external tools like [fail2ban](http://www.fail2ban.org) to avoid massive scans. + +Default settings can be changed with these configuration variables: + +```php +// Enable captcha after 3 authentication failure +define('BRUTEFORCE_CAPTCHA', 3); + +// Lock the account after 6 authentication failure +define('BRUTEFORCE_LOCKDOWN', 6); + +// Lock account duration in minute +define('BRUTEFORCE_LOCKDOWN_DURATION', 15); +``` diff --git a/docs/config.markdown b/docs/config.markdown index 45ba7a91..44f72b32 100644 --- a/docs/config.markdown +++ b/docs/config.markdown 
@@ -196,6 +196,20 @@ define('ENABLE_HSTS', true); define('ENABLE_XFRAME', true); ``` +Bruteforce protection +--------------------- + +```php +// Enable captcha after 3 authentication failure +define('BRUTEFORCE_CAPTCHA', 3); + +// Lock the account after 6 authentication failure +define('BRUTEFORCE_LOCKDOWN', 6); + +// Lock account duration in minute +define('BRUTEFORCE_LOCKDOWN_DURATION', 15); +``` + Various settings ---------------- diff --git a/docs/index.markdown b/docs/index.markdown index 5ef523f9..181e1d03 100644 --- a/docs/index.markdown +++ b/docs/index.markdown @@ -81,6 +81,7 @@ Using Kanboard - [Advanced Search Syntax](search.markdown) - [Command line interface](cli.markdown) - [Syntax guide](syntax-guide.markdown) +- [Bruteforce protection](bruteforce-protection.markdown) - [Frequently asked questions](faq.markdown) Technical details |
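Review bot: the bullet added to the Security list in docs/api-json-rpc.markdown has grammar errors and leaves the API behaviour during the lock unstated; suggest `- After 3 authentication failures on the user API, the end user has to unlock the account by logging in through the login form`, and add whether API requests for that account are rejected until that happens, since a reader of the API page will not see bruteforce-protection.markdown.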
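Review bot: the new docs/bruteforce-protection.markdown contradicts itself: "This feature works only for authentication methods that use the login form" is immediately followed by a paragraph describing a lock triggered by failures through the user API. Suggest saying explicitly that the failure counter is per account and fed by both the login form and the API, that only the captcha is specific to the form, and what happens to API requests for the account while it waits to be unlocked. The page also does not say whether a successful login resets the counter, or that the 3 and 6 thresholds count the same run of failures for one username, both of which an administrator tuning `BRUTEFORCE_CAPTCHA` and `BRUTEFORCE_LOCKDOWN` needs to know. The fail2ban sentence is not actionable without naming the log line it is expected to match. Grammar: "3 authentication failures", "the login form shows a captcha", "automated bot attempts", "the account has to be unlocked", and in the code comments "authentication failures" and "Lock account duration in minutes".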
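Review bot: the "Bruteforce protection" block added to docs/config.markdown is a verbatim copy of the block in the new bruteforce-protection.markdown, so the two will drift the next time a default changes; suggest keeping the defaults in one place and linking from the other, e.g. `See [Bruteforce protection](bruteforce-protection.markdown) for what these values mean.` The same comment fixes apply here: "authentication failures" on the first two constants and "in minutes" on `BRUTEFORCE_LOCKDOWN_DURATION`.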