What are Login Lockout details and timer

I am running an Olimex Pioneer box, updated to Bullseye.

I am the Administrator with administrator account. I also have my personal account.

While trying to set up a client app to access FBox services, I hit three strikes for login, and was locked out of the login interface.

It appears that it’s not account based. I am unable to login with admin credentials; in fact, I can’t even get access to the login GUI.

I’ve tried with other devices and they too are blocked from a login window.

This suggests that the block is based on an IP range.

All attempts from different browsers and machines show the following in the address bar:

https://www.mydomain.net/plinth/accounts/login/locked/?username=

What is the lockout time for this error?

Why would lockout on one account prevent me from login on a separate account?

I am able to ssh into the Fbox using Admin privileges.

-SF


Update:

Using mybox.local I was able to login as Admin, but see no options to resolve the lockout issue, however, using the user/group panel and selecting my personal account, I saw that all previous privileges were no longer selected.

I reselected the permissions for my personal account, logged out of the Admin account and attempted to login on my personal account thru the normal login process. I had the same results as above.

However, I could login to my personal acct using the mybox.local address.

My primary problem, web access, not local access, is still unresolved.

-SF

> While trying to set up a client app to access FBox services, I hit three strikes for login, and was locked out of the login interface.

This should never happen. The intended behavior is to show a login form with CAPTCHA image after three unsuccessful tries. However, there is a temporary bug in one of the older versions of FreedomBox that caused the lockout. If you are running a recent FreedomBox, such as from the latest image, or have let FreedomBox upgrade to the latest version (happens overnight when connected to the Internet and frequent feature updates enabled), then you should not face this issue.

Could you please check your version of FreedomBox on the About page? Latest is 22.4.

> It appears that it’s not account based. I am unable to login with admin credentials; in fact, I can’t even get access to the login GUI.
> Why would lockout on one account prevent me from login on a separate account?

The lockout (actually showing CAPTCHA) is based on IP address as this is more effective to prevent brute force attacks.

It should have allowed login from other IP addresses, I shall investigate.

> What is the lockout time for this error?

We don’t seem to have set a cool-off period since it is only about preventing a CAPTCHA. Perhaps we should add a cool-off time.

> https://www.mydomain.net/plinth/accounts/login/locked/?username=
>
> Using mybox.local I was able to login as Admin, but see no options to resolve the lockout issue, however, using the user/group panel and selecting my personal account, I saw that all previous privileges were no longer selected.
>
> I reselected the permissions for my personal account, logged out of the Admin account and attempted to login on my personal account thru the normal login process. I had the same results as above.
>
> However, I could login to my personal acct using the mybox.local address.
>
> My primary problem, web access, not local access, is still unresolved.

A successful login should resolve the problem. From shell (SSH or Cockpit) one can run the following to reset all the failures:

$ sudo su -
# apt install sqlite3
# echo "DELETE FROM axes_accesslog; DELETE FROM axes_accessattempt;" | sqlite3 /var/lib/plinth/plinth.sqlite3

There is a chance that we are seeing a new problem. Please report back if your issue is not resolved after upgrade to latest version of FreedomBox.
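As an added example (not part of the posts above and not FreedomBox's own code): before wiping both tables, an administrator can check which source address the failures were recorded under and clear only that one. The sketch runs against a constructed in-memory table and assumes the django-axes column names `ip_address`, `username`, `attempt_time` and `failures_since_start`; confirm them against the real schema in /var/lib/plinth/plinth.sqlite3 before pointing it there. Unlike the command above, it leaves `axes_accesslog` untouched.

```python
import sqlite3

# Constructed sample rows: (ip_address, username, attempt_time, failures_since_start)
SAMPLE_ATTEMPTS = [
    ("203.0.113.7", "sf", "2022-02-20 10:01:00", 3),
    ("203.0.113.7", "admin", "2022-02-20 10:05:00", 1),
    ("192.0.2.44", "guest", "2022-02-19 23:40:00", 2),
]


def build_sample_db():
    """In-memory stand-in for the Plinth database (assumed subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE axes_accessattempt ("
        "id INTEGER PRIMARY KEY, ip_address TEXT, username TEXT, "
        "attempt_time TEXT, failures_since_start INTEGER)"
    )
    conn.executemany(
        "INSERT INTO axes_accessattempt "
        "(ip_address, username, attempt_time, failures_since_start) "
        "VALUES (?, ?, ?, ?)",
        SAMPLE_ATTEMPTS,
    )
    conn.commit()
    return conn


def failures_by_ip(conn):
    """Return (ip, total_failures, distinct_usernames, last_attempt) per address."""
    return conn.execute(
        "SELECT ip_address, SUM(failures_since_start), "
        "COUNT(DISTINCT username), MAX(attempt_time) "
        "FROM axes_accessattempt GROUP BY ip_address "
        "ORDER BY SUM(failures_since_start) DESC"
    ).fetchall()


def reset_ip(conn, ip):
    """Delete recorded failures for one address only; return rows removed."""
    with conn:  # commits on success, rolls back on error
        cur = conn.execute("DELETE FROM axes_accessattempt WHERE ip_address = ?", (ip,))
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    print(failures_by_ip(db))
    print(reset_ip(db, "203.0.113.7"), failures_by_ip(db))
```

Several usernames grouped under a single address in the first query is the pattern described in this thread: failures are counted per IP, so one client's bad logins affect every account reached from that address.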

About reports: You are running Debian GNU/Linux 11 (bullseye) and FreedomBox version 21.4.4. FreedomBox is up to date.

I have never seen a CAPTCHA on my FBox.

Running the sql3 upgrade and then the above command restored my web access to my Fbox.

This is SOLVED

Regarding CAPTCHA, isn’t that just allowing a 3rd party access to an aspect of your communication?

-SF

Sunil → FTW! :wink:
