From: Brad D. <buc...@us...> - 2004-02-23 20:10:41
Jonathan Angliss wrote:
> Hello P,
> On Monday, February 23, 2004, p dont think wrote...
>
>>> What I'd like to see is a plugin that works like the NT4 (yikes!)
>>> login prompt. The bad guy gets three shots at logging into squirrel
>>> mail, and then the system would lock that particular requestor(ip
>>> address?) out for, say twenty minutes. This would be a login
>>> security feature, not an idle time disconnect feature (although I
>>> do like that plugin as well...).
>
>> Your original request was understood. Weren't you watching the
>> responses on that thread?
>
>> You then requested a timeout plugin as well (which you did again here).
>> That is why I referred you to the one that already exists.
>
> Not entirely... Read again. What he is requesting is that on the 3rd
> login attempt, the account is locked for X minutes (his description is
> timeout, confusion of words I guess). This would probably more ideally
> be done at the IMAP level, but some servers don't allow you to
> implement something like this. Though I've not looked at the timeout
> plugin, so not sure if that does what he is _really_ after ;)

The lock_down plugin monitors login attempts and after 3 failures
(configurable in the config file), it will lock you out for 15 (again
configurable in the config file) minutes before it will allow you to try
and logon again. If you try again before the lockout time is up, you
simply get a message saying that you need to wait another X minutes until
you will be able to try and logon again. It uses a MySQL table to keep
track of logon attempts. It doesn't track IP addresses, but that might not
be a bad idea. It used to get confused when used in conjunction with the
virtusertable plugin and the password forget plugin, but those are fixed
in my current devel version.

Brad

--
Last time I had this much fun was, ... uh ...
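
The lockout behaviour described in the message above, as an added example that is not the lock_down plugin's code: three failures lock the account for 15 minutes, and a locked account is refused with the remaining wait before any credential check runs. The table name, column names and function names are assumptions, and an in-memory SQLite table stands in for the MySQL table.

```python
import math
import sqlite3

MAX_FAILURES = 3       # failures before lockout (configurable in the plugin)
LOCKOUT_MINUTES = 15   # lockout length (configurable in the plugin)

def open_store():
    """In-memory SQLite stand-in for the MySQL tracking table (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login_attempts (username TEXT PRIMARY KEY,"
               " failures INTEGER NOT NULL, locked_until REAL)")
    return db

def minutes_remaining(db, username, now):
    """Whole minutes left on the lockout for username, 0 if not locked."""
    row = db.execute("SELECT locked_until FROM login_attempts WHERE username = ?",
                     (username,)).fetchone()
    if row is None or row[0] is None or row[0] <= now:
        return 0
    return math.ceil((row[0] - now) / 60)

def attempt_login(db, username, password, verify, now):
    """Return (allowed, message). verify(username, password) is the real check."""
    wait = minutes_remaining(db, username, now)
    if wait:
        # Locked: refuse before touching the credential check at all.
        return False, f"wait another {wait} minutes"
    if verify(username, password):
        db.execute("DELETE FROM login_attempts WHERE username = ?", (username,))
        return True, "ok"
    db.execute("INSERT OR IGNORE INTO login_attempts VALUES (?, 0, NULL)", (username,))
    # A lock that has expired starts a fresh count instead of re-locking at once.
    db.execute("UPDATE login_attempts SET failures = 0, locked_until = NULL"
               " WHERE username = ? AND locked_until IS NOT NULL", (username,))
    db.execute("UPDATE login_attempts SET failures = failures + 1 WHERE username = ?",
               (username,))
    failures = db.execute("SELECT failures FROM login_attempts WHERE username = ?",
                          (username,)).fetchone()[0]
    if failures >= MAX_FAILURES:
        db.execute("UPDATE login_attempts SET locked_until = ? WHERE username = ?",
                   (now + LOCKOUT_MINUTES * 60, username))
        return False, f"locked out for {LOCKOUT_MINUTES} minutes"
    return False, "login failed"
```

Like the plugin as described, this keys on the account name only, so failures from any address count against the same account.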