ASPX templates
Version 5.x > ASPX templates > cmsdesk login security
Certified Developer v7
adam-syndicut - 11/19/2010 5:24:34 AM
cmsdesk login security
We have a number of Kentico sites that use the standard login to the /cmsdesk.
We have noticed that there is no limit on the password attempts that can be made to access the cmsdesk!

Has anyone come across this security issue before?

We would like to track the number of password attempts, limit them to 5 and then disable that login.

Any suggestions about going about this?

Kentico Consulting
kentico_mirekr - 11/19/2010 7:25:30 AM
RE:cmsdesk login security
Hi,

I assume that you are using the standard logon page for logging into CMS Desk, which can be found at ~/CMSPages/Logon.aspx. If so, you can add your custom code, which will track the number of attempts per user name (this.Login1.UserName), to this file in the Login1_LoginError method/event.

In this case you can store the user name (this.Login1.UserName), the password used (this.Login1.Password) and, for example, the IP address of the visitor (http://forums.asp.net/p/892765/953638.aspx) in web analytics as custom statistics:

http://devnet.kentico.com/docs/devguide/creating_custom_reports.htm

You can then check the data in the database to see whether the user exceeded the number of attempts, and simply disable the user via the Kentico CMS API (set the UserEnabled property of the existing user [UserInfo object]):

http://devnet.kentico.com/docs/devguide/managing_users.htm

Once the account is disabled, the user will not be able to log in.

However, we do not recommend using this approach, since someone could try to log in as a different user, and at that point such a user account would be disabled.

So, I would recommend just sending an e-mail to the administrator in case someone is repeatedly trying to log in as some other user, with detailed information (user name, password, IP address).

Best regards,
Miroslav Remias

Certified Developer v7
adam-syndicut - 11/24/2010 10:30:50 AM
RE:cmsdesk login security
Thanks that looks good to me.

I have a few questions.

In CMSPages/logon.aspx I have amended the code:

// Namespaces used by the snippet below (Kentico 5.x)
using System;              // EventArgs
using CMS.CMSHelper;       // CMSContext
using CMS.GlobalHelper;    // ResHelper
using CMS.WebAnalytics;    // HitLogProvider

// Raised by the Login control when the supplied credentials are rejected
protected void Login1_LoginError(object sender, EventArgs e)
{
    if (this.FailureLabel != null)
    {
        // Log one web-analytics hit under the code "loggedattempt", keyed by the user name that was tried
        HitLogProvider.LogHit("loggedattempt", CMSContext.CurrentSiteName, null, this.Login1.UserName, 0);
        FailureLabel.Text = ResHelper.GetString("Login_FailureText");
    }
}

When a user attempts to log on, it displays the user name and the number of hits for the code.

How can I add multiple StatisticsObjectNames, so I can add the used password and the IP address of the attempt to one report?

Certified Developer v7
adam-syndicut - 11/24/2010 12:16:09 PM
RE:cmsdesk login security
We have decided to do it using a custom table, adding to it when a successful login is made and setting a counter column to 0, then on each unsuccessful attempt adding 1 to the counter column.

When it gets to five we will disable the account.

What are your thoughts on this?

We are doing it this way because I don't fully understand how to use the web analytics API to check the records and their hit values.

Kentico Consulting
kentico_mirekr - 11/26/2010 2:21:35 AM
RE:cmsdesk login security
Hi,

There can be only one ObjectName (StatisticsObjectName), so you can include all of the necessary information you need in this column, in some format which will then be easy to parse and work with.

Example:

CodeName (StatisticsCode) = "loggedattempt"
ObjectName (StatisticsObjectName) = "UserName|UserPassword|UserIPAddress"

Well, it does not really matter where you store your information, as long as you know how to access it. It was just my initial thought to use web analytics; your approach of storing the data in a custom table also looks fine, but there is still a disadvantage (down-side):

Someone could try to log in as a different user (if he knows the UserName), and at this point such a user account will be disabled in your case.

Maybe it would be worth notifying such a user before or after the user account is disabled (send an e-mail to this user at his/her e-mail address) about such an event and, for example, automatically generating a link to your web site for him/her which will be able to re-enable the user account (a link with some user GUID and a hash of the user password).

Best regards,
Miroslav Remias.

Certified Developer v7
adam-syndicut - 11/26/2010 5:32:48 AM
RE:cmsdesk login security
Someone could try to log in as different user (if he knows the UserName) and at this point such user account will be disabled in your case.

That's what we want to stop: people trying to hack the cmsdesk. As it stands, there is no way out of the box to stop repeated attempts.

We manage all our Kentico sites, so an e-mail will be sent to us with the site name and the user that tried to access the site. We can then contact them to reset their password and enable the user. Of course, if someone tries to log in with a user that is not set up then nothing will happen.

We think it's a quick solution to quite a big security issue when accessing the cmsdesk. There doesn't seem to be anything stopping someone who knows a user name from running a password script on the login page; eventually they could gain access and screw with the site, and that would make us look bad.

Maybe Kentico could build something into a future release to address this issue.

Kentico Consulting
kentico_mirekr - 11/26/2010 6:04:02 AM
RE:cmsdesk login security
Hi,

Maybe my point in the quoted sentence was not clear, so let me rephrase the sentence:

Someone could try to disable the user account by repeatedly trying to log in to CMS Desk if he knows the UserName, in your case.

Example:

If I knew that there was such a mechanism on your web site and I knew for sure that there is a user with the UserName administrator, I could easily disable such an account by trying to log in with this user name with whatever password.

I was not thinking about gaining access to CMS Desk, but about disabling the account according to the UserName.

I'm discussing a side effect of the mechanism which you are trying to implement.

I hope it is clear now.

If you want to prevent a dictionary brute-force attack (slow it down), you can add some sophisticated CAPTCHA control to your login page which would require some additional information before the user name and password are even checked.

Best regards,
Miroslav Remias.
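The counter that this thread describes (reset to 0 on a successful login, +1 per failure, an action at 5) and the two ways of reacting to the threshold, disabling the account as adam-syndicut proposed or only notifying the administrator as Miroslav recommended, written out below as an added example. It is a language-neutral model in Python, not Kentico code and not code from anyone in this thread: the in-memory dict stands in for the custom table or UserInfo record, the notifications list stands in for the e-mail to the administrator, and the value -1 for "no limit" follows the Kentico 7 setting value that appears later in the thread. Running it shows the side effect discussed above: in disable mode, five wrong passwords entered against a known user name lock out the real owner, while in notify-only mode the account stays enabled and the administrator receives the user name and source address.

```python
"""Model of the CMS Desk failed-login counter discussed in this thread.

Constructed example: the account store is a dict standing in for the custom
table / UserInfo record, and notifications are collected in a list instead of
being e-mailed. No Kentico API is used.
"""
from dataclasses import dataclass, field

UNLIMITED = -1  # mirrors the Kentico 7 setting value that switches the limit off


@dataclass
class Account:
    user_name: str
    enabled: bool = True        # stands in for UserInfo.UserEnabled
    invalid_attempts: int = 0   # stands in for the counter column / UserInvalidLogOnAttempts


@dataclass
class LockoutPolicy:
    max_attempts: int = 5
    disable_account: bool = True   # True: disable at the threshold; False: notify only
    accounts: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)

    def add_account(self, user_name):
        self.accounts[user_name] = Account(user_name)

    def record_success(self, user_name):
        """Successful login: the counter goes back to 0."""
        acct = self.accounts.get(user_name)
        if acct is not None:
            acct.invalid_attempts = 0

    def record_failure(self, user_name, source_ip):
        """Failed login: count it and act when the threshold is reached.

        The attempted password is deliberately not recorded: legitimate users
        mistype their real password, so a log of attempts would leak it.
        """
        acct = self.accounts.get(user_name)
        if acct is None:
            return "unknown-user"        # nothing to count, nothing to disable
        acct.invalid_attempts += 1
        if self.max_attempts == UNLIMITED or acct.invalid_attempts < self.max_attempts:
            return "counted"
        if acct.invalid_attempts == self.max_attempts:
            # Threshold reached exactly once: report user name and source address
            self.notifications.append(
                f"{user_name} from {source_ip}: {acct.invalid_attempts} invalid attempts")
            if self.disable_account:
                acct.enabled = False     # the account owner is now locked out too
                return "disabled"
            return "notified"
        return "over-limit"


def demo():
    """Run the scenarios from the thread and return what each one produced."""
    results = {}
    for disable in (True, False):
        policy = LockoutPolicy(max_attempts=5, disable_account=disable)
        policy.add_account("administrator")
        # The real owner mistypes once and then logs in: counter returns to 0.
        policy.record_failure("administrator", "10.0.0.5")
        policy.record_success("administrator")
        # Five wrong passwords against a known user name from one constructed address.
        outcomes = [policy.record_failure("administrator", "203.0.113.9") for _ in range(5)]
        results["disable" if disable else "notify"] = {
            "last_outcome": outcomes[-1],
            "enabled": policy.accounts["administrator"].enabled,
            "notifications": len(policy.notifications),
        }
    # Limit switched off (-1): failures are still counted but never act.
    off = LockoutPolicy(max_attempts=UNLIMITED)
    off.add_account("editor")
    results["unlimited"] = [off.record_failure("editor", "203.0.113.9") for _ in range(7)]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The `notify` variant keeps the account usable and still gives the administrator what the thread asked for (who was targeted, from where, how many times); the `disable` variant is the one whose side effect Miroslav describes, since the outcome depends only on knowing a valid user name.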

Member
rubi_it - 11/22/2013 2:29:49 AM
RE:cmsdesk login security
Hi,

Now I don't want to block the user's account after he inputs a wrong password 5 times.
Could you show me how to disable this feature of Kentico, please?

Thank you,
Rubie

Kentico Customer Success
kentico_martind2 - 11/22/2013 3:32:54 AM
RE:cmsdesk login security
Hello Rubie,

If you want to change this behaviour you will need to upgrade to at least version 6, where the setting "Maximum invalid logon attempts" is available in Site Manager -> Settings -> Security -> Protection.

Best regards,
Martin Danko

Member
rubi_it - 11/22/2013 4:02:31 AM
RE:cmsdesk login security
Hi Martin,

Thank you for replying to me.

I am using Kentico 7. I found the setting for this feature in CmsSiteManager/Security & Membership/Protection/Invalid log on attempts.

I set the option [Maximum invalid logon attempts] to the value 100. Anyway, it seems not to work. After 5 wrong password inputs, it automatically sets the user account's UserEnabled to 0.

Now I have resolved this problem with a small trick: each time a user inputs a wrong password I manually set the field UserInvalidLogOnAttempts to 0. But I think it is not a good way :).

Many thanks,
Rubie

Kentico Customer Success
kentico_martind2 - 11/22/2013 6:02:33 AM
RE:cmsdesk login security
Hello Rubie,

In the upper left corner you can see a drop-down menu where you can select a site or the global level. Could you please check this setting also on the site level, not just global, as this setting is not inherited by a site by default?

I believe this is the reason why the user is still allowed only 5 tries.

Best regards,
Martin Danko

Member
rubi_it - 11/22/2013 8:44:59 PM
RE:cmsdesk login security
Hello Martin,

It works fine now that I have followed your tip and set [Maximum invalid logon attempts] to -1. My concern was resolved.
Thank you very much!

My best,
Rubie