Cloudron Forum
hCaptcha on Login Forms

Feature Requests
8 Posts 4 Posters 356 Views
#1 dylightful wrote:

Putting out there the possibility of Google reCAPTCHA or hCaptcha to prevent bots brute-forcing login forms.

#2 marcusquinn replied to dylightful:

    @dylightful Fail2Ban should already cover this.

    We're not here for a long time - but we are here for a good time :)
    Jersey/UK
    Work & Ecommerce Advice: https://brandlight.org
    Personal & Software Tips: https://marcusquinn.com

#3 d19dotca replied to dylightful:

@dylightful I think it's a nice idea to add reCAPTCHA / hCaptcha as needed to the page. With that said, as @marcusquinn stated, fail2ban should more or less prevent any brute-force attacks. Also, Cloudron has rate limits in place by default (https://docs.cloudron.io/security/#rate-limits) for the Cloudron login page. Of course, that can be greatly improved, as 10 requests per second per IP is far too high in my opinion; it should be more like 10 requests per 5 or 10 minutes or something like that. But improving the rate limits to be more secure was already requested too: https://forum.cloudron.io/post/28271, which @girish has already confirmed is going to be one of the focuses in 6.3.

    --
    Dustin Dauncey
    www.d19.ca

#4 dylightful replied to marcusquinn:

@marcusquinn It covers it to a degree. Adding an hCaptcha to the login form kills 95% of bots from submitting the form, thus not sending a full authentication request.

#5 dylightful replied to d19dotca:

    @d19dotca All GREAT suggestions.

#6 marcusquinn wrote:

    I hate captchas - although it is perhaps fair game to add one after a number of failed attempts.

    As long as there's a minimum password length policy and 2FA enforceable, the rest doesn't keep me awake at night.

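Post #3's suggested window (on the order of 10 requests per 5 or 10 minutes per IP, instead of 10 per second) and post #6's idea of only demanding a captcha after a number of failed attempts can be combined in one small login throttle. The following is an added example, not Cloudron's own code: the class and method names, the thresholds and the IP address are assumptions, and verifying the captcha response itself (a call to the captcha provider) is assumed to happen outside this code and be passed in as a boolean.

```javascript
// Added example, not Cloudron's code. A per-IP login throttle that combines
// a sliding-window request limit (assumed default: 10 requests per 5 minutes)
// with a step-up to a captcha after a number of failed logins (assumed: 3).
// LoginThrottle, check, recordFailure and recordSuccess are invented names.

class LoginThrottle {
  constructor({ windowMs = 5 * 60 * 1000, maxRequests = 10, captchaAfterFailures = 3 } = {}) {
    this.windowMs = windowMs;
    this.maxRequests = maxRequests;
    this.captchaAfterFailures = captchaAfterFailures;
    this.state = new Map(); // ip -> { hits: [timestamps in ms], failures: count }
  }

  _entry(ip) {
    let e = this.state.get(ip);
    if (!e) {
      e = { hits: [], failures: 0 };
      this.state.set(ip, e);
    }
    return e;
  }

  // Decide whether a login attempt from `ip` may proceed to the password check.
  // `captchaVerified` is the caller's result of validating the captcha response
  // with the provider. Returns 'ok', 'captcha-required' or 'rate-limited'.
  check(ip, now = Date.now(), captchaVerified = false) {
    const e = this._entry(ip);
    const cutoff = now - this.windowMs;
    e.hits = e.hits.filter(ts => ts > cutoff); // forget hits outside the window

    if (e.hits.length >= this.maxRequests) return 'rate-limited';
    e.hits.push(now); // a request without a captcha still counts against the window

    if (e.failures >= this.captchaAfterFailures && !captchaVerified) return 'captcha-required';
    return 'ok';
  }

  recordFailure(ip) { this._entry(ip).failures += 1; }   // wrong password
  recordSuccess(ip) { this.state.delete(ip); }           // successful login clears counters
}

// Constructed scenario: one IP sends a bad password once a second for 12 seconds,
// retries with a verified captcha while still inside the window, then comes
// back with a verified captcha after the window has elapsed.
function simulate() {
  const throttle = new LoginThrottle({ windowMs: 5 * 60 * 1000, maxRequests: 10, captchaAfterFailures: 3 });
  const ip = '203.0.113.7'; // constructed address from the documentation range
  const log = [];
  for (let i = 0; i < 12; i++) {
    const decision = throttle.check(ip, i * 1000);
    log.push(decision);
    if (decision === 'ok') throttle.recordFailure(ip); // the password was wrong
  }
  // Expected so far: 3 x 'ok', 7 x 'captcha-required', 2 x 'rate-limited'.
  log.push(throttle.check(ip, 13 * 1000, true));       // window still full: 'rate-limited'
  log.push(throttle.check(ip, 6 * 60 * 1000, true));   // window elapsed, captcha verified: 'ok'
  throttle.recordSuccess(ip);
  log.push(throttle.check(ip, 6 * 60 * 1000 + 1));     // counters cleared: 'ok'
  return log;
}

console.log(simulate().join('\n'));
```

The captcha gate kicks in after the third failure, so the legitimate user who mistypes once or twice never sees it, while the window limit still applies to requests that carry a captcha, since the thread's point is that the cheap check should happen before the full authentication request.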
#7 marcusquinn wrote:

    Complete thread hijacking - but if you want to see if your users are password numpties, stick their email address into here: https://haveibeenpwned.com

Also interesting to see the sort of interests people have from the leaked websites they've signed up to!

#8 nebulon (Staff) wrote:

I think enabling 2FA on your Cloudron will prevent brute-forcing already, and the validation REST call on the server is pretty lightweight, so I don't think adding a captcha will be of great benefit.
