Unique IP address for multiple users - Allow specifying a username in whitelist

Open mircesco opened this issue 7 years ago • 5 comments

Hello,

What can I do if there is a single IPv4 address for a location with multiple computers? All users share the same IP address, so blocking one user will block all users from that location.

Thank you

mircesco, Aug 22 '17 07:08

Good question. I have heard that this applies to some providers (especially mobile ones), which use NAT routing because of the limited number of IPv4 addresses. At the moment bfstop only differentiates by IP address, so there is no way to treat such users differently. But I also don't know how bfstop could even reliably identify individual users in that scenario, apart from intrusive and unreliable methods such as cookies (which could be quite easily fooled/circumvented). If you have any ideas, let me know!

codeling, Aug 22 '17 08:08

I'm thinking of a whitelist for certain IPs + a limit per entered username (not mandatory). So don't block the IP if it is added to a whitelist, but block the user (if it exists in the database) after X attempts.

mircesco, Aug 22 '17 10:08

Blocking by a specific username is not really what this plugin is for (and has limited security benefits), see also https://github.com/codeling/bfstop/issues/123 .

And I don't really see what a whitelist for an IP plus username-based blocking has to do with several users trying to log in from the same IP address? I understood your original request as that you are worried that legitimate users might get locked out if they (because of e.g. NAT routing) have the same IPv4 address as an attacker. How would this be helped by whitelisting the address? (Side note: Whitelisting, as it works at the moment, means that if the request IP is in that list, no further checks are performed by the plugin.) Regarding blocking a specific username - typical attacks I've seen so far try several different usernames anyway.

What might help, I guess, is a whitelist for the combination of an IPv4 address and a username, so that a legitimate user from that address could still log in, even if somebody else is trying attacks on other user names, right?

codeling, Aug 22 '17 12:08

In my case, the information is not available to the public; all users have to be pre-registered. I am thinking that having a whitelist means that I can decide which IP will never be blocked, no matter what user logs in from that IP address. Just to be sure - paranoid mode - I can assign certain users to that IP address, so "a whitelist for the combination of an IPv4 address and a username" will help me.

mircesco, Aug 22 '17 18:08

> In my case, the information is not available to the public; all users have to be pre-registered.

OK, so public registration is disabled; I don't follow what this has to do with blocking users or blocking IPs though? What information do you mean which is not public?

> I am thinking that having a whitelist means that I can decide which IP will never be blocked, no matter what user logs in from that IP address.

Yes, that is exactly as it is implemented at the moment.

> Just to be sure - paranoid mode - I can assign certain users to that IP address, so "a whitelist for the combination of an IPv4 address and a username" will help me.

OK, then if that's ok for you I will convert this issue into a feature request for the "whitelist for the combination of an IPv4 address and a username".

codeling, Aug 23 '17 08:08
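
The whitelist variants discussed in this thread, modelled as an added Python example (not bfstop's code; the class, the failure threshold and the sample attempts are assumptions constructed for illustration). It replays the same login attempts from one shared NAT address under no whitelist, an IP whitelist, and an (IP, username) pair whitelist.

```python
from collections import defaultdict

MAX_FAILURES = 3          # assumed threshold, not a bfstop default
NAT_IP = "203.0.113.7"    # constructed shared address (documentation range)

class LoginGuard:
    """Hypothetical model of IP-based blocking with two whitelist kinds."""

    def __init__(self, ip_whitelist=(), pair_whitelist=()):
        self.ip_whitelist = set(ip_whitelist)      # listed IP: no further checks
        self.pair_whitelist = set(pair_whitelist)  # proposed: (ip, username) pairs
        self.failures = defaultdict(int)           # failed logins per source IP

    def is_exempt(self, ip, username):
        return ip in self.ip_whitelist or (ip, username) in self.pair_whitelist

    def allowed(self, ip, username):
        # Exempt requests bypass the block; everyone else is judged by IP only.
        return self.is_exempt(ip, username) or self.failures[ip] < MAX_FAILURES

    def record_failure(self, ip, username):
        # Exempt requests are never counted, so they can never trigger a block.
        if not self.is_exempt(ip, username):
            self.failures[ip] += 1

def simulate(guard, attempts):
    """Replay (ip, username, password_ok) tuples and return each outcome."""
    outcomes = []
    for ip, username, password_ok in attempts:
        if not guard.allowed(ip, username):
            outcomes.append("blocked")
        elif password_ok:
            outcomes.append("login")
        else:
            guard.record_failure(ip, username)
            outcomes.append("failed")
    return outcomes

# Constructed sample: four guesses on different usernames, then a legitimate
# user ("alice") logging in from the same NAT address.
ATTEMPTS = [(NAT_IP, name, False) for name in ("admin", "root", "test", "guest")]
ATTEMPTS.append((NAT_IP, "alice", True))

if __name__ == "__main__":
    print("no whitelist  :", simulate(LoginGuard(), ATTEMPTS))
    print("IP whitelist  :", simulate(LoginGuard(ip_whitelist=[NAT_IP]), ATTEMPTS))
    print("pair whitelist:", simulate(LoginGuard(pair_whitelist=[(NAT_IP, "alice")]), ATTEMPTS))
```

In this model, failed logins for a whitelisted (IP, username) pair are not counted, so guesses against that one account from that address are never throttled by the check; the pair list should stay short and those accounts need strong credentials.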