IP blocking not working for failed logins #2135

Closed
foliovision opened this issue Aug 4, 2022 · 4 comments

Comments

@foliovision
Contributor

foliovision commented Aug 4, 2022

I tried to make several bad login attempts to see if Freescout will block my IP address.

Unfortunately nothing happened, I only saw this in my browser:

Whoops, looks like something went wrong — check logs in /storage/logs

So I checked public_html/storage/logs/laravel-2022-08-04.log and this is what it says:

[2022-08-04 13:20:36] production.ERROR: Undefined property: Illuminate\Auth\Events\Lockout::$user {"exception":"[object] (ErrorException(code: 0): Undefined property: Illuminate\\Auth\\Events\\Lockout::$user at /home/dskminak/public_html/app/Listeners/LogLockout.php:29)
[stacktrace]
    #0 /home/dskminak/public_html/app/Listeners/LogLockout.php(29): Illuminate\\Foundation\\Bootstrap\\HandleExceptions->handleError(8, 'Undefined prope...', '/home/dskminak/...', 29, Array)
    #1 [internal function]: App\\Listeners\\LogLockout->handle(Object(Illuminate\\Auth\\Events\\Lockout))
    #2 /home/dskminak/public_html/vendor/laravel/framework/src/Illuminate/Events/Dispatcher.php(369): call_user_func_array(Array, Array)
    #3 /home/dskminak/public_html/vendor/laravel/framework/src/Illuminate/Events/Dispatcher.php(200): Illuminate\\Events\\Dispatcher->Illuminate\\Events\\{closure}('Illuminate\\\\Auth...', Array)
    #4 /home/dskminak/public_html/vendor/laravel/framework/src/Illuminate/Foundation/helpers.php(465): Illuminate\\Events\\Dispatcher->dispatch('Illuminate\\\\Auth...')
    #5 /home/dskminak/public_html/vendor/laravel/framework/src/Illuminate/Foundation/Auth/ThrottlesLogins.php(77): event(Object(Illuminate\\Auth\\Events\\Lockout))
    #6 /home/dskminak/public_html/vendor/laravel/framework/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php(37): App\\Http\\Controllers\\Auth\\LoginController->fireLockoutEvent(Object(Illuminate\\Http\\Request))
    #7 [internal function]: App\\Http\\Controllers\\Auth\\LoginController->login(Object(Illuminate\\Http\\Request))
    #8 /home/dskminak/public_html/overrides/laravel/framework/src/Illuminate/Routing/Controller.php(54): call_user_func_array(Array, Array)
    #9 /home/dskminak/public_html/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php(45): Illuminate\\Routing\\Controller->callAction('login', Array)
    #10 /home/dskminak/public_html/vendor/laravel/framework/src/Illuminate/Routing/Route.php(212): Illuminate\\Routing\\ControllerDispatcher->dispatch(Object(Illuminate\\Routing\\Route), Object(App\\Http\\Controllers\\Auth\\LoginController), 'login')

So it seems Freescout has the code to ban IP addresses trying to guess the password, but it's not working.

app-logs/users show all the good and bad login attempt properly.

Our Freescout version is 1.8.21.

Hopefully you will be able to fix this.

@freescout-helpdesk
Contributor

Fixed in the master branch. When the user is locked he sees the following message on Login page:

Too many login attempts. Please try again in 30 seconds.

Also a "Locked out" record is added to the Manage > Logs > Users.

@foliovision
Contributor Author

Would it be possible to lock it for at least 1 hour? 30 seconds is really too little and it won't slow down a possible brute force login attack from multiple IP addresses.

@freescout-helpdesk
Contributor

We've changed it to 10 minutes.

@foliovision
Contributor Author

10 minutes sounds like too little, we would prefer at least 1 hour or even 12 hours. Could you please add it as a setting or at least a hidden config file preference?

Could it also count the bad login attempts per user?

If you only ban based on IP addresses it might not be effective. One of our websites was targeted by a botnet attack recently. It made 200,000 login attempts in 17 hours using 10,000 unique IP addresses. So each IP address only made 20 attempts in 17 hours and nothing got banned.

So we are looking for a solution to show a captcha if the login is for a user who has had more than 20 bad login attempts in the last day or so. That would prevent password guessing by large-scale botnets.

Thanks,
Martin
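An added illustration of the point made in the last comment, not code from FreeScout or Laravel: a throttle keyed on the source address alone, or on Laravel's default `throttleKey()` of lower-cased username joined with the client IP, never fires against the distributed pattern described (10,000 addresses, 20 attempts each, spread over 17 hours), while a counter keyed on the account does. The limiter reproduces the fixed-window behaviour of Laravel's cache-backed `RateLimiter` (the count expires a fixed time after the first hit). The thresholds (5 per 10 minutes, 20 per day), the account name and the address ranges are assumptions made for the example, and the traffic is constructed, spread evenly so the run is deterministic.

```python
"""Compare login-throttle keying strategies against two password-guessing patterns.

Added illustration, not FreeScout code. FixedWindowLimiter mimics Laravel's
cache-backed RateLimiter: a key's counter expires decay_seconds after the first
hit in a window. Thresholds and traffic below are constructed for the example.
"""
from typing import Callable, Dict, List, Tuple

Attempt = Tuple[float, str, str]  # (timestamp_s, username, source_ip)


class FixedWindowLimiter:
    """Per-key counter that resets decay_seconds after the first hit in a window."""

    def __init__(self, max_attempts: int, decay_seconds: int) -> None:
        self.max_attempts = max_attempts
        self.decay_seconds = decay_seconds
        self._counts: Dict[str, List[float]] = {}  # key -> [count, expires_at]

    def too_many_attempts(self, key: str, now: float) -> bool:
        entry = self._counts.get(key)
        if entry is None or entry[1] <= now:  # no window, or window expired
            return False
        return entry[0] >= self.max_attempts

    def hit(self, key: str, now: float) -> int:
        entry = self._counts.get(key)
        if entry is None or entry[1] <= now:
            entry = [0, now + self.decay_seconds]  # open a new window
            self._counts[key] = entry
        entry[0] += 1
        return int(entry[0])


def build_policies() -> Dict[str, Tuple[Callable[[str, str], str], FixedWindowLimiter]]:
    """Three ways of keying the failed-login counter (thresholds are assumptions)."""
    return {
        # Laravel's default throttleKey(): lower-cased username joined with client IP
        "user|ip 5/10min": (lambda u, ip: f"{u.lower()}|{ip}", FixedWindowLimiter(5, 600)),
        # pure IP blocking, what the issue title asks about
        "ip 5/10min": (lambda u, ip: ip, FixedWindowLimiter(5, 600)),
        # per-account counter proposed in the last comment: 20 failures per day
        "user 20/day": (lambda u, ip: u.lower(), FixedWindowLimiter(20, 86_400)),
    }


def rejected_counts(attempts: List[Attempt]) -> Dict[str, int]:
    """Replay attempts (all with wrong passwords) and count how many each policy refuses."""
    policies = build_policies()
    rejected = {name: 0 for name in policies}
    for ts, user, ip in sorted(attempts):
        for name, (key_fn, limiter) in policies.items():
            key = key_fn(user, ip)
            if limiter.too_many_attempts(key, ts):
                rejected[name] += 1  # refused before the password is even checked
            else:
                limiter.hit(key, ts)  # wrong password: record the failure
    return rejected


def botnet_attempts(n_ips: int = 10_000, per_ip: int = 20, duration_s: int = 17 * 3600,
                    user: str = "admin@example.com") -> List[Attempt]:
    """Constructed traffic modelled on the attack in the last comment: many hosts,
    few tries each. Attempts are spread evenly so the example is deterministic."""
    spacing = duration_s / per_ip  # seconds between two tries from the same host
    return [
        (k * spacing + i * spacing / n_ips, user, f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}")
        for i in range(n_ips)
        for k in range(per_ip)
    ]


def single_ip_attempts(n: int = 200, duration_s: int = 60, user: str = "admin@example.com",
                       ip: str = "198.51.100.7") -> List[Attempt]:
    """Constructed traffic: one host hammering one account, the case IP blocking is built for."""
    return [(k * duration_s / n, user, ip) for k in range(n)]


if __name__ == "__main__":
    for label, traffic in (("botnet", botnet_attempts()), ("single IP", single_ip_attempts())):
        print(f"{label}: {len(traffic)} attempts, rejected per policy: {rejected_counts(traffic)}")
```

The per-account counter is the only one that catches the distributed run, but a plain lockout on that key hands anyone a way to lock an administrator out with twenty bad guesses; that is why the comment asks for a captcha on the account rather than a block, and why the per-address limits are still worth keeping alongside it.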
