You cannot have enough security for your own CMS. Typo3 security can be enhanced with fail2ban to reduce the risk of brute-forcing. That's how it works:
Install fail2ban on your web server as root.
Then define a jail for Typo3 in fail2ban's jail configuration (jail.local is the usual place for local additions). The jail is named apache-typo3 here to match the filter it uses:

[apache-typo3]
enabled = true
port = http,https
filter = apache-typo3
logpath = /var/log/apache*/*access.log
maxretry = 7
findtime = 3600
bantime = 7200
The filter line refers to a file named apache-typo3.conf in fail2ban's subfolder filter.d. A filter file needs a [Definition] section, and this one has to have at least the following contents:

[Definition]
failregex = ^<HOST> -.*GET.*/login-alert-error\.gif

To make it easy, download a ready-to-go file here.
Fail2ban checks the given log file (here Apache's access.log) for changes in short cycles. When logging in, the page /typo3/index.php is called and the account information is posted from there. If the login fails, the image login-alert-error.gif is shown, and on further login attempts the parameters are posted again from that page. The regex above therefore counts every request for login-alert-error.gif as one failure for the requesting host.
With the configuration above I decided that one of these events may appear 7 times (maxretry) within one hour (findtime 3600). If it happens one more time, the IP address is banned for 2 hours (bantime 7200).
The parameters maxretry, findtime and bantime can be set to whatever you think is useful, but:
Do not set maxretry < 4. The first failure will post the login parameters and get the image, so 2 events are gone. You need the third event for your next attempt.
So my tip: set maxretry >= 5!
Even a successful login needs one attempt. So if you use Typo3 with several users behind the same address, set maxretry at least to the number of users and add a few tries for login failures.
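To see what the jail above actually does with the filter, here is an added example (not part of the original post or of fail2ban) that replays constructed Apache access-log lines through the failregex and the same maxretry/findtime/bantime window logic. It assumes IPv4 clients, a constructed path for login-alert-error.gif, and the counting rule fail2ban uses (ban once maxretry matches fall inside one findtime window); running it with maxretry=4 also shows the point made above about a low maxretry catching ordinary users.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from the post; fail2ban's <HOST> placeholder is expanded here to an IPv4 capture
# group (fail2ban's own substitution also matches hostnames and IPv6, which this example skips).
FAILREGEX = re.compile(r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) -.*GET.*/login-alert-error\.gif")
TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
MAXRETRY, FINDTIME, BANTIME = 7, 3600, 7200   # jail values from the post (seconds)

def parse_failure(line):
    """Return (host, timestamp) when a line matches the filter, otherwise None."""
    m, t = FAILREGEX.match(line), TIMESTAMP_RE.search(line)
    if not m or not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")

def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay lines (chronological per host); return {host: ban time} for hosts hitting maxretry inside findtime."""
    recent = defaultdict(deque)   # host -> match timestamps still inside the findtime window
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        host, ts = parsed
        if host in bans and (ts - bans[host]).total_seconds() < bantime:
            continue              # still banned: the firewall rule would have dropped this request
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # sliding window: forget matches older than findtime
        if len(q) >= maxretry:
            bans[host] = ts
            q.clear()
    return bans

def access_line(host, ts, request):
    """Constructed Apache combined-log line (sample data, not from the post)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S")
    return f'{host} - - [{stamp} +0000] "{request} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

T0 = datetime(2024, 1, 15, 10, 0, 0)
GIF = "GET /typo3/login-alert-error.gif"   # path is constructed; the regex only needs the file name
SAMPLE_LOG = (   # 203.0.113.5: 7 failures in 30 min; 198.51.100.9: 3 failures, 4 more two hours later
    [access_line("203.0.113.5", T0 + timedelta(minutes=5 * i), GIF) for i in range(7)]
    + [access_line("198.51.100.9", T0 + timedelta(minutes=i), GIF) for i in range(3)]
    + [access_line("198.51.100.9", T0 + timedelta(minutes=120 + i), GIF) for i in range(4)]
    + [access_line("198.51.100.9", T0 + timedelta(minutes=125), "POST /typo3/index.php")]  # never matches
)
```

With the post's values only 203.0.113.5 is banned (at 10:30); with maxretry=4 the slower 198.51.100.9 is banned as well, which is why the post advises against low values.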