Last modified: 2013-02-11 15:35:19 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T36913, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 34913 - AbuseFilter should hook LoginAuthenticateAudit, allowing rules to ban IP's who make repeated failed login attempts
AbuseFilter should hook LoginAuthenticateAudit, allowing rules to ban IP's wh...
Status: NEW
Product: MediaWiki extensions
Classification: Unclassified
AbuseFilter (Other open bugs)
unspecified
All All
: Low enhancement (vote)
: ---
Assigned To: Nobody - You can work on this!
http://www.mediawiki.org/wiki/Thread:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-02 23:26 UTC by Carl Austin Bennett
Modified: 2013-02-11 15:35 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Carl Austin Bennett 2012-03-02 23:26:28 UTC 
AbuseFilter provides various mechanisms to block or demote a user who repeatedly does something questionable, based on its own ruleset (for instance, repeatedly blanking articles or article sections) but provides no means to create a rule which would perform some action in response to repeated login failures or repeated failures to get spam past an extension (such as ConfirmEdit or SpamBlacklist).

While we don't currently have a mechanism to notify AbuseFilter that a user is repeatedly falling CAPTCHA (short of changing code elsewhere in the system) we do have LoginAuthenticateAudit to report failed attempts to log in with repeated bad passwords. Unfortunately, the only extensions to use this info are either Fail2Ban (which firewalls the offending IP at the server level) or other CAPTCHAs (to present a CAPTCHA on subsequent login attempts if previous brute-force attempts have failed). There is nowhere where AbuseFilter requests to be notified on LoginAuthenticateAudit failures and no means to create a rule in the AbuseFilter to block an IP after an abusive number of failed login attempts.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links