Lennart Posted March 23, 2021 Share Posted March 23, 2021 Hi there, Right now I got a user that is blocked from accessing Passwordstate and Im unable to find any options to unlock it (Im a Security Administrator). Please provide information about this, the sooner the better as I suspect this will happen with more frequency in the coming future. Thanks. //Lennart Link to comment Share on other sites More sharing options...
Martin_Castillo Posted March 23, 2021 Share Posted March 23, 2021 If it is due to Brute Force, you may find: Brute Force Blocked IPs section under Administration menu Link to comment Share on other sites More sharing options...
support Posted March 24, 2021 Share Posted March 24, 2021 Thanks Martin, and the customer has confirmed via email that the user's IP Address was blocked Regards Click Studios Link to comment Share on other sites More sharing options...
abj Posted March 29, 2021 Share Posted March 29, 2021 Is there a way to disable this feature? We're getting too many accounts locked out. We don't allow public access to Password State and I guess users are typing their password wrong enough to cause lockouts. Link to comment Share on other sites More sharing options...
support Posted March 29, 2021 Share Posted March 29, 2021 Hi abj, For security reasons, we have no way of disabling this feature. Is it the IP Addresses of your user's workstations that you are seeing being blocked, or is it some sort of network device? If it's a network device, we do have x-forwarded support, which can be configured on the screen Administration -> System Settings -> Proxy & Syslog Server tab. Your network devices also need to be configured for x-forwarded support, and then the correct IP Address of your workstations will be detected. Regards Click Studios Link to comment Share on other sites More sharing options...
abj Posted March 29, 2021 Share Posted March 29, 2021 I'm not sure what makes this security feature so special that it can't be disabled, but all the other security features can be configured. Is this how you will be doing product development in the future, where you just add security features as you see fit and not provide any options to configure them? 100% of the IPs blocked so far by this feature have been false positives. At least provide a threshold so that users are not getting blocked so quickly / add an auto-unblock option. We do not have any network devices in front of Password State, all the IPs blocked were individual workstation IPs. Link to comment Share on other sites More sharing options...
support Posted March 29, 2021 Share Posted March 29, 2021 Hi abj, Most customers appreciate us implementing new security features like this, and in this case it's to prevent brute force login attempts into your Passwordstate environment - is that not of a concern to you? What IP Addresses are being reported, if you have no network devices in between your Passwordstate web server and your clients? If you go to the System Settings screen, you can configure the blocked threshold, so we do provide features that can be configured. Regards Click Studios Link to comment Share on other sites More sharing options...
abj Posted March 29, 2021 Share Posted March 29, 2021 Our Passwordstate instance is not exposed to the Internet and we use 2FA authentication as well, so brute force is not a concern for us. The IP address of end user workstations is being reported. Thanks for the pointer to the threshold, I have set it high enough that this should not be an issue for us anymore. Link to comment Share on other sites More sharing options...
support Posted March 29, 2021 Share Posted March 29, 2021 Hi Abj, It's also applicable for internal - i.e. malware, account compromises, etc. Ad that's good it's reporting the IP Address of your workstations' What was the false/positives you were referring to? Regards Click Studios Link to comment Share on other sites More sharing options...
Cholden Posted April 14, 2021 Share Posted April 14, 2021 I'm going to second report this feature being an issue. after upgrades last night, have had 2 users report issues with accounts being blocked after an error relating to 2fa. Will be opening a ticket, but wanted to throw this here to be visible. What I've discovered: removing them from the blocklist does not work- the users immediatly get re-added to the blocklist the next time they try to sign in. However, using a browser on the same PC in incognito mode does let them log in from the PC on the blocklist. This.. doesn't make a lot of sense from a blocklist perspective, but it has given us a workaround. Will have to test if increasing the number of failures allows them to log in normally. I will second that this feature is not really something that we want. We also have passwordstate only accessible from on our network, and 2fa /should/ be adequate protection against malware or compromised PCs. If an attacker is already able to bypass or deal with 2fa, being blocked on a single IP doesn't seem to be much of a hinderance. And if the ability to use browsers in private/incognito mode is not something specific to a glitch we are encountering, it seems that this isn't much of a hinderance, more an annoyance. Link to comment Share on other sites More sharing options...
support Posted April 14, 2021 Share Posted April 14, 2021 Hello All, Please upgrade to build 9112, and you will now have options to disable this feature (not recommended), and the feature will also now track per UserID - so one user will not be able to lock out another user. Regards Click Studios Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.