    hCaptcha on Login Forms

    • D
      dylightful last edited by

      Putting it out there: the possibility of Google reCAPTCHA or hCaptcha to prevent bots from brute-forcing login forms.

      • marcusquinn
        marcusquinn @dylightful last edited by

        @dylightful Fail2Ban should already cover this.

        We're not here for a long time - but we are here for a good time :)
        Jersey/UK
        Work & Ecommerce Advice: https://brandlight.org
        Personal & Software Tips: https://marcusquinn.com

        • d19dotca
          d19dotca @dylightful last edited by

          @dylightful I think it's a nice idea to add reCAPTCHA / hCaptcha as needed to the page. With that said, as @marcusquinn stated, fail2ban should more or less prevent any brute force attacks. Also, Cloudron has rate limits in place by default (https://docs.cloudron.io/security/#rate-limits) for the Cloudron login page. Of course, that can be greatly improved, as 10 requests per second per IP is far too high in my opinion; it should be more like 10 requests per 5 or 10 minutes or something like that. But improving the rate limits to be more secure was also requested already: https://forum.cloudron.io/post/28271, which @girish has already confirmed is going to be one of the focuses in 6.3.

          --
          Dustin Dauncey
          www.d19.ca
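
To put numbers on the rate-limit comparison in the post above, here is an added example (not part of the thread and not Cloudron's code). The class and function names, the IP address and the traffic pattern are constructed for illustration.

```javascript
// Added example: per-IP sliding-window limiter for login attempts.
// Hypothetical names; this is not how Cloudron implements its limits.
class LoginRateLimiter {
  constructor({ windowMs, max }) {
    this.windowMs = windowMs;
    this.max = max;
    this.hits = new Map(); // ip -> timestamps (ms) of accepted attempts
  }

  // Returns true if the attempt may proceed to password validation.
  // Only accepted attempts count against the window.
  allow(ip, nowMs) {
    const cutoff = nowMs - this.windowMs;
    const recent = (this.hits.get(ip) || []).filter((t) => t > cutoff);
    const ok = recent.length < this.max;
    if (ok) recent.push(nowMs);
    this.hits.set(ip, recent);
    return ok;
  }
}

// Constructed traffic: one client sending `perSecond` evenly spaced
// login attempts every second for `seconds` seconds.
function countAllowed(limiter, ip, perSecond, seconds) {
  let allowed = 0;
  for (let s = 0; s < seconds; s++) {
    for (let i = 0; i < perSecond; i++) {
      const now = s * 1000 + Math.floor((i * 1000) / perSecond);
      if (limiter.allow(ip, now)) allowed++;
    }
  }
  return allowed;
}

const ip = '203.0.113.7'; // documentation-range address, constructed
const tenPerSecond = new LoginRateLimiter({ windowMs: 1000, max: 10 });
const tenPerTenMin = new LoginRateLimiter({ windowMs: 10 * 60 * 1000, max: 10 });

// One hour of 20 attempts per second from a single IP.
const loose = countAllowed(tenPerSecond, ip, 20, 3600);
const strict = countAllowed(tenPerTenMin, ip, 20, 3600);
console.log({ loose, strict }); // password guesses that reach validation
```

Over the same hour of traffic, the 10-per-second policy lets 36000 guesses through to validation while the 10-per-10-minutes policy lets through 60.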

          • D
            dylightful @marcusquinn last edited by

            @marcusquinn It covers it to a degree. Adding an hCaptcha to the login form kills 95% of bots from submitting the form, thus not sending a full authentication request.

            • D
              dylightful @d19dotca last edited by

              @d19dotca All GREAT suggestions.

              • marcusquinn
                marcusquinn last edited by

                I hate captchas - although it is perhaps fair game to add one after a number of failed attempts.

                As long as there's a minimum password length policy and 2FA enforceable, the rest doesn't keep me awake at night.

                • marcusquinn
                  marcusquinn last edited by

                  Complete thread hijacking - but if you want to see if your users are password numpties, stick their email address into here: https://haveibeenpwned.com

                  Also interesting to see the sort of interests people have from the leaked websites they've signed up to!

                  • nebulon
                    nebulon Staff last edited by

                    I think enabling 2FA on your Cloudron will prevent brute-forcing already and the validation REST call on the server is pretty light-weight, so I don't think adding a captcha will be of great benefit.
