Add an expiration (setting) for blocked IPs and usernames

Created on 17 April 2024, 8 months ago
Updated 28 June 2024, 6 months ago

Problem/Motivation

A client just asked, for how long an IP address will be blocked and if it will be auto-unblocked after a defined period of time. I wasn't able to answer that question and can't find documentation or settings at /admin/config/people/flood-control

So I guess it would be a real bonus to also have this expiration configurable?
Or is this already possible or documented somewhere else? Am I missing something?

Would be great to hear what you think. At least I think we should document how it works in the description on the settings page, so that site owners are aware of the process?

Maybe currently the configured time window is used for both:

  • Tracking failed login attempts
  • Locking the users

?

What I'd expect and find more useful is to separate this and allow unblocking users for example after a defined, shorter period of time.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Feature request
Status

Closed: works as designed

Version

2.3

Component

Code

Created by

🇩🇪Germany Anybody Porta Westfalica

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @Anybody
  • 🇩🇪Germany Anybody Porta Westfalica

    Please note that also the user-facing message shown isn't very clear:

    Too many failed login attempts from your IP address. This IP address is temporarily blocked.

    It might or might not be wanted to tell the user for how long he's blocked?

    Let's also discuss this and the way we should go here.

  • 🇩🇪Germany Anybody Porta Westfalica
  • 🇦🇺Australia elc

    The flood system is a little confusing on expiration - there is no need for an additional setting to specifically dictate expiration as these are handled by the limit + window parameters for IP and Username. In simple terms the "expiration" is the "time window", and it's automatic.

    For logging into a Drupal site, there are two flood identifiers - IP and IP+Username. As set out in the config form, both have a limit number and a time window.

    On failed login, an event is registered for IP and possibly IP+Username (depending on if it is available ie. the user entered a valid username).

    Also during login, the IP and IP+Username is checked to see if "Limit" number of attempts have happened inside "Time window".

    If so many events have happened inside window, they are blocked. If not, they are allowed.

    As such the expiration is dictated by the user - if they try enough to be blocked, and then don't try again until window expires for enough events that they no longer hit the limit, they are unblocked. But if continue to register new blocked events, they will continue to be blocked with a near infinite time being blocked.

    Hence, Flood Control module to be able to manually unblock a user if they contact you about it. Otherwise, they need to wait at least "window" time from the first attempt to be allowed back in automatically. Expiry of events is automatic.

    So, using the default from Drupal Core:
    https://git.drupalcode.org/project/drupal/-/blob/11.x/core/modules/user/...

    ip_limit: 50
    ip_window: 3600
    user_limit: 5
    user_window: 21600
    

    If a user attempts 6 bad sign-ins with a recognised username inside 6 hours, they are blocked for 6 hours from the first attempt. Unless of course they just keep on trying, at which point block expires 6 hours after they stop trying (or really 6 hours from the 5th previous attempt after stopping).

    For an IP address it's the same except for different limit and window, plus they'd be using multiple or unrecognised usernames.

    Pretty simple eh? Anyway, no need for an expiration setting as it's already built in. It's just not a set expiration, it's a sliding window.

  • 🇩🇪Germany Anybody Porta Westfalica

    Thanks for the clarifications @ELC! Great!

    So I'd say it's just a thing of adding documentation to the user-facing UI to explain that? Should we combine all that information into 💬 Unclear what time is mentioned... Needs review ?

  • 🇳🇱Netherlands batigolix Utrecht
  • 🇦🇺Australia elc

    Are the changes from 💬 Unclear what time is mentioned... Needs review adequate? If so, this issue can be closed off.

    Alternatively, a much better expiation could be added to the hook_help for the settings page.

  • Status changed to Postponed: needs info 6 months ago
  • 🇳🇱Netherlands batigolix Utrecht
  • Status changed to Closed: works as designed 6 months ago
  • 🇳🇱Netherlands batigolix Utrecht
Production build 0.71.5 2024