Werk #9527: Add bruteforce prevention for webconf
| Field | Value |
| --- | --- |
| Component | Firmware |
| Title | Add bruteforce prevention for webconf |
| Date | Apr 20, 2023 |
| Level | Trivial Change |
| Class | New Feature |
| Compatibility | Compatible - no manual interaction needed |
| Appliance Version | 1.6.5 |
Before this Werk an attacker was able to attempt an unlimited number of password guesses through the login form in order to guess the webconf password (bruteforce attack).

With this Werk, after three failed attempts a cool down of one minute is required before new guesses can be tried. After this minute one new attempt is possible and is checked against the device password. If that attempt is successful a session is opened and three attempts are available again. If password attempts are currently blocked, an error message is displayed with the number of seconds to wait.
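The lockout rules above, written out as a small device-wide login throttle. This is an added illustration, not the appliance's own webconf code: the password value, the message texts and the injectable clock are assumptions made so that the logic can be exercised offline.

```python
import hmac
import math
import time

MAX_FAILED = 3          # failed attempts before the cool down starts
COOLDOWN_SECONDS = 60   # length of the cool down after the third failure
# Hypothetical device password, constructed for this example only.
DEVICE_PASSWORD = "correct-horse"


class FakeClock:
    """Controllable clock so the cool down can be tested without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class LoginGuard:
    """Device-wide throttle: three failures, one minute cool down, then one new try."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failed = 0            # consecutive failed attempts
        self._blocked_until = 0.0   # clock value until which attempts are refused

    def seconds_to_wait(self):
        """Whole seconds remaining in the cool down, 0 if attempts are allowed."""
        remaining = self._blocked_until - self._clock()
        return math.ceil(remaining) if remaining > 0 else 0

    def attempt(self, password):
        """Check one login attempt; returns (session_opened, message)."""
        wait = self.seconds_to_wait()
        if wait > 0:
            # Blocked: report how long the caller has to wait, do not check the password.
            return False, f"too many failed attempts, wait {wait} seconds"
        if hmac.compare_digest(password.encode(), DEVICE_PASSWORD.encode()):
            # Success resets the counter, so three attempts are available again.
            self._failed = 0
            self._blocked_until = 0.0
            return True, "session opened"
        self._failed += 1
        if self._failed >= MAX_FAILED:
            self._blocked_until = self._clock() + COOLDOWN_SECONDS
            # After the cool down exactly one new attempt is allowed before blocking again.
            self._failed = MAX_FAILED - 1
        return False, "wrong password"


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(clock)
    for guess in ("a", "b", "c", DEVICE_PASSWORD):
        print(clock.t, guess, guard.attempt(guess))
    clock.t = 60
    print(clock.t, DEVICE_PASSWORD, guard.attempt(DEVICE_PASSWORD))
```

The counter is device-wide rather than per source address, which matches the behaviour described and is also why a single sender of wrong passwords can keep the form blocked for everyone.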
This slows down bruteforce attacks significantly. On the other hand it potentially allows denial-of-service attacks if an attacker can consistently send wrong password attempts, because the block applies to the device as a whole. The sources of these attempts can be identified through the logs (e.g. the apache access.log) and should then be investigated and blocked.
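Identifying the sources from the access log, as an added example that is not part of the Werk: the script counts POST requests to the login form per client address in a sliding window over Apache combined-format lines. The login path `/webconf/login`, the threshold and the sample log lines are constructed assumptions; the real path on the appliance may differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed login endpoint of the web configuration form (not taken from the Werk).
LOGIN_PATH = "/webconf/login"

# Apache combined log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: six login POSTs in 90 seconds from one address, a few normal requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Apr/2023:10:00:01 +0000] "POST /webconf/login HTTP/1.1" 200 512 "-" "curl/7.88"',
    '192.0.2.10 - - [20/Apr/2023:10:00:15 +0000] "POST /webconf/login HTTP/1.1" 200 512 "-" "curl/7.88"',
    '198.51.100.7 - - [20/Apr/2023:10:00:20 +0000] "GET /webconf/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Apr/2023:10:00:31 +0000] "POST /webconf/login HTTP/1.1" 200 512 "-" "curl/7.88"',
    '198.51.100.7 - - [20/Apr/2023:10:00:40 +0000] "POST /webconf/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Apr/2023:10:00:48 +0000] "POST /webconf/login HTTP/1.1" 200 512 "-" "curl/7.88"',
    '192.0.2.10 - - [20/Apr/2023:10:01:05 +0000] "GET /webconf/login HTTP/1.1" 200 1024 "-" "curl/7.88"',
    '192.0.2.10 - - [20/Apr/2023:10:01:20 +0000] "POST /webconf/login HTTP/1.1" 200 512 "-" "curl/7.88"',
    '192.0.2.10 - - [20/Apr/2023:10:01:31 +0000] "POST /webconf/login HTTP/1.1" 200 512 "-" "curl/7.88"',
    '198.51.100.7 - - [20/Apr/2023:10:09:10 +0000] "POST /webconf/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def login_attempts(lines, login_path=LOGIN_PATH):
    """Map client address -> sorted timestamps of POSTs to the login form."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, _status = m.groups()
        if method != "POST" or path != login_path:
            continue
        attempts[ip].append(datetime.strptime(ts, TIME_FMT))
    for times in attempts.values():
        times.sort()
    return dict(attempts)


def suspicious_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Addresses with at least `threshold` login POSTs inside any `window`, with the peak count."""
    flagged = {}
    for ip, times in login_attempts(lines).items():
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, peak in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login POSTs within 5 minutes, investigate/block")
```

The access log only shows that a POST to the login form happened, not whether it failed, so the count is a trigger for investigation rather than proof of an attack; a legitimate user retyping a password a few times stays well under the threshold.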