Hi,
The locked out functionality in SCP portal does not have the behavior typically adopted on different platforms.
The system should only block the offending IP and not block the username. Only in this way can we ensure that we block a brute force attack without blocking the legitimate user who is accessing through an IP that has not done anything wrong.
Another issue is the blocking time. Is the user locked forever (until manually unlocked)?
The behavior of Locked Out has generated many unnecessary requests for assistance, at least with us. Can we disable it?
Tks.
The lock out behavior is more or less adopted from Active Directory lock out as far as I am aware (it was introduced in either DNP or WSP times).
I agree IP block would be better; however, currently SolidCP does not track / log IPs + login (or failed logins). It would be a nice feature enhancement; however, so far no one (that I am aware of) is working on such a feature.
It is currently not possible to disable it, I'm afraid (but it would again be a nice feature enhancement).
Please note SolidCP is open source (and more or less goes with the flow of contributors / trends); any person or company can help improve the project as a whole by adding new features, fixing bugs, etc.
Hi Marco,
I think in WSP it was possible to control the number of attempts and the duration of the blocking time in the web.config.
I do not know if these definitions are still possible to apply in the SCP. I have to see if I find a backup of the WSP.
I am not a programmer, but during this year our company will try to contribute to the development of SCP.
I know in WSP earlier versions there were some options in the WSP Policy tab.
However, at some point they got removed / replaced with password policy settings (this is all before SolidCP started).
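
The per-IP, time-limited lockout proposed in the first post, as an added example that is not SolidCP code and not part of the thread. `IpLockout`, its thresholds and the sample account are hypothetical, and timestamps are passed in so the run is repeatable.

```python
from collections import defaultdict, deque

class IpLockout:
    """Temporary per-IP lockout after repeated failed logins (hypothetical helper)."""

    def __init__(self, max_failures=5, window=300, lock_seconds=900):
        self.max_failures = max_failures     # failures allowed inside the window
        self.window = window                 # seconds over which failures are counted
        self.lock_seconds = lock_seconds     # block duration; it expires by itself
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time at which the block ends

    def is_blocked(self, ip, now):
        if self._blocked_until.get(ip, 0) <= now:
            self._blocked_until.pop(ip, None)  # expired: no manual unlock needed
            return False
        return True

    def record_failure(self, ip, now):
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.lock_seconds
            recent.clear()

    def try_login(self, ip, username, password, check_password, now):
        """Return 'blocked', 'ok' or 'denied'. The username itself is never locked."""
        if self.is_blocked(ip, now):
            return "blocked"
        if check_password(username, password):
            self._failures.pop(ip, None)
            return "ok"
        self.record_failure(ip, now)
        return "denied"

def demo():
    # Constructed sample data: one account, documentation-range IP addresses.
    users = {"alice": "correct horse"}
    check = lambda u, p: users.get(u) == p
    guard = IpLockout(max_failures=3, window=60, lock_seconds=600)
    attempts = [("203.0.113.7", "guess", t) for t in range(4)]  # guessing from one IP
    attempts += [("198.51.100.20", "correct horse", 5),   # real user, other IP
                 ("203.0.113.7", "correct horse", 10),    # same IP, still blocked
                 ("203.0.113.7", "correct horse", 700)]   # block has expired
    return [guard.try_login(ip, "alice", pw, check, now) for ip, pw, now in attempts]
```

In a real portal `now` would come from a monotonic clock. Counting per IP alone does not see guesses spread across many addresses, so it is normally paired with a per-account rate limit rather than a hard account lock.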