yggdrasil-network/yggdrasil-go
1
0
Fork 0
mirror of https://github.com/yggdrasil-network/yggdrasil-go.git synced 2025-08-27 09:25:09 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add brute force protection to authentication system

Browse source 
- Implemented IP-based blocking after 3 failed login attempts, with a 1-minute lockout period.
- Enhanced login handler to check for blocked IPs and record failed attempts.
- Added tests for brute force protection and successful login clearing failed attempts.
- Updated README and example configuration to document new security features.
This commit is contained in:
Andy Oknen 2025-07-30 09:19:05 +00:00
parent 113dcbb72a
commit a984fba30d
5 changed files with 309 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/webui/example_config.hjson
View file

@ -33,9 +33,13 @@
// - Session-based authentication with secure cookies
// - 24-hour session expiration
// - Automatic session cleanup
// - Brute force protection (3 failed attempts = 1 minute block)
// - IP-based blocking with automatic cleanup
//
// Security recommendations:
// - Use a strong, unique password (12+ characters)
// - Bind to localhost (127.0.0.1) unless you need remote access
// - Consider using HTTPS reverse proxy for production deployments
// - Sessions are stored in memory and lost on server restart
// - Sessions are stored in memory and lost on server restart
// - Failed login attempts are tracked per IP address
// - If behind a reverse proxy, ensure X-Forwarded-For headers are set correctly