New Member
Posts: 12
Registered: 11-11-2017
Kudos: 1

UCRM account lockout for incorrect password entries?

I noticed that you can try as many times as you want, with apparently no rate limiting, to log into a UCRM account. Would it be possible to force a captcha test and/or a lockout timer to help protect accounts from being brute forced?

I know failed logins show up in the log but I could not get locked out from further instant tries and I failed 10+ times sequentially in my quick testing.

This is something that probably should be in place simply to protect user data since the usernames are most often public information (the customer's email address).

John 
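An illustration of the lockout the post asks for, added here as an example and not UCRM's own code: failed logins are counted per account (the customer's public email address) as well as per source address, so repeated wrong passwords against one portal login are refused after a threshold even when the attempts come from several addresses. The class, thresholds, addresses and the simulated scenario are all assumptions.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Hypothetical account- and address-scoped lockout for a web login form."""

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures   # failures within `window` seconds that trigger a lock
        self.window, self.lockout, self.clock = window, lockout, clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:           # lock expired: clear it and start counting afresh
            del self.locked_until[key]
            self.failures[key].clear()
            return False
        return True

    def check(self, username, ip):
        """Call before verifying the password; True means the attempt may proceed."""
        return not (self.is_locked(("user", username.lower())) or self.is_locked(("ip", ip)))

    def record(self, username, ip, success):
        now = self.clock()
        for key in (("user", username.lower()), ("ip", ip)):
            q = self.failures[key]
            if success:
                q.clear()                   # a good login resets the counter for both scopes
                continue
            while q and now - q[0] > self.window:
                q.popleft()                 # drop failures older than the window
            q.append(now)
            if len(q) >= self.max_failures:
                self.locked_until[key] = now + self.lockout


def simulate_sequential_failures(attempts=10):
    """Constructed scenario from the post: many wrong passwords in a row for one customer login."""
    t = [0.0]                               # fake clock so the run is deterministic
    throttle = LoginThrottle(max_failures=5, window=300, lockout=900, clock=lambda: t[0])
    allowed = 0
    for _ in range(attempts):
        t[0] += 1
        if throttle.check("customer@example.com", "203.0.113.10"):
            allowed += 1
            throttle.record("customer@example.com", "203.0.113.10", success=False)
    other_ip_allowed = throttle.check("customer@example.com", "198.51.100.7")  # account lock holds
    t[0] += 900                             # wait out the lockout
    return allowed, other_ip_allowed, throttle.check("customer@example.com", "203.0.113.10")
```

Running `simulate_sequential_failures()` returns `(5, False, True)`: only the first five attempts reach password verification, a second address is refused while the account is locked, and the login is accepted again once the timer expires.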

Member
Posts: 321
Registered: 04-14-2014
Kudos: 62
Solutions: 2

Re: UCRM account lockout for incorrect password entries?

I just put denyhost on my server; it is easy to install and seems to have a good review. Then having a strong password on the GUI side will help.

New Member
Posts: 12
Registered: 11-11-2017
Kudos: 1

Re: UCRM account lockout for incorrect password entries?

Yep, I have fail2ban on most of my stuff too, but obviously the web portal bypasses all that local account protection. I am mostly worried about exposing customer data by customer accounts (or, far worse) an admin account getting hacked.

John

Ubiquiti Employee
Posts: 3,511
Registered: 12-10-2015
Kudos: 1248
Solutions: 271

Re: UCRM account lockout for incorrect password entries?

Hi, currently the administrator's account can use 2FA with brute force protection. The client accounts are just using basic brute force protection; it will be extended, as it's already on our roadmap.