Security improvements for CMS access against BOT attacks. - Captcha & Block users after failed login attempts

Introduction

Security improvements for CMS access against BOT attacks.

User Story

Hello everyone, I noticed that some recent security improvements have been implemented in the CMS starting from V3.3.5, and this has prompted me to make some suggestions. In the year 2023, I’ve heard reports from some partner companies that have suffered hacker attacks involving brute-force access breaches.
The use of bots for such attacks is becoming increasingly common.

Currently, I use the strong password policy feature available in the CMS, but I would like to see a few more options in the CMS that the administrator can choose to use (similar to the password policy).

These options would mainly include:

  • Use of Captcha on the login screen
  • User deactivation after X failed login attempts (the number of attempts would be chosen by the Administrator).
    Password recovery can be done directly through the registered user’s email.

I believe that these implementations would add significant value to all users of the Xibo CMS.

3 Likes

I think these two would have to come hand in hand. We’d likely need our own basic captcha service with the option of plugging into 3rd parties.

Providing an option like this is arguably less secure than not, but I can see why it would be desirable. It is similar (but different) to this: Users: Email login details · Issue #2207 · xibosignage/xibo · GitHub

I’ve captured this all for discussion, thanks for the suggestions.

2 Likes
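The two controls proposed in the first post (a captcha once an account has accumulated failures, and a lock after an administrator-chosen number of failures), together with the caveat in the reply above that such an option is arguably less secure, as an added example. This is illustrative Python, not Xibo CMS code (the CMS itself is PHP); the `LoginPolicy` and `LoginGuard` names, the policy numbers and the sample users are assumptions constructed for the example. The design choice it makes is that the lock is temporary and expires by itself, rather than a deactivation that needs an administrator or an e-mail reset to undo.

```python
"""Login throttling with a captcha gate and a temporary lockout.
Added example, not Xibo CMS code. Policy numbers and users are constructed."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class LoginPolicy:
    """Settings an administrator would pick (assumed names, not CMS settings)."""
    captcha_after: int = 3    # failures before the form demands a captcha
    lock_after: int = 5       # failures before the account is locked
    lock_seconds: int = 900   # the lock expires by itself; no reactivation step


@dataclass
class _Counter:
    failures: int = 0
    locked_until: float = 0.0   # absolute time; 0.0 means not locked


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginGuard:
    OK = "ok"
    BAD_CREDENTIALS = "bad_credentials"
    CAPTCHA_REQUIRED = "captcha_required"
    LOCKED = "locked"

    def __init__(self, policy: LoginPolicy, users: dict, clock=time.time):
        self.policy = policy
        self.users = users              # username -> (salt, digest)
        self.clock = clock              # injectable so tests can move time
        self.counters = {}              # username -> _Counter
        # A dummy credential keeps the cost of an unknown username equal to a
        # known one, so response time does not reveal which accounts exist.
        self._dummy = hash_password("dummy-never-matches")

    def _counter(self, username: str) -> _Counter:
        return self.counters.setdefault(username, _Counter())

    def is_locked(self, username: str) -> bool:
        c = self._counter(username)
        if c.locked_until and self.clock() >= c.locked_until:
            c.failures, c.locked_until = 0, 0.0   # lock expired: clean slate
        return c.locked_until > self.clock()

    def requires_captcha(self, username: str) -> bool:
        return self._counter(username).failures >= self.policy.captcha_after

    def attempt(self, username: str, password: str, captcha_solved: bool = False) -> str:
        """One login attempt; returns one of the four status strings above."""
        if self.is_locked(username):
            return self.LOCKED
        if self.requires_captcha(username) and not captcha_solved:
            return self.CAPTCHA_REQUIRED   # password is not even checked yet
        salt, expected = self.users.get(username, self._dummy)
        _, actual = hash_password(password, salt)
        valid = hmac.compare_digest(actual, expected) and username in self.users
        c = self._counter(username)
        if valid:
            c.failures = 0
            return self.OK
        c.failures += 1
        if c.failures >= self.policy.lock_after:
            c.locked_until = self.clock() + self.policy.lock_seconds
            return self.LOCKED
        return self.BAD_CREDENTIALS


def demo() -> list:
    """Walk one account through the policy on a fake clock (constructed data)."""
    now = [1_000.0]
    users = {"admin": hash_password("correct horse battery")}
    policy = LoginPolicy(captcha_after=2, lock_after=4, lock_seconds=60)
    guard = LoginGuard(policy, users, clock=lambda: now[0])
    results = [
        guard.attempt("admin", "wrong-1"),                         # bad_credentials
        guard.attempt("admin", "wrong-2"),                         # bad_credentials
        guard.attempt("admin", "correct horse battery"),           # captcha_required
        guard.attempt("admin", "wrong-3", captcha_solved=True),    # bad_credentials
        guard.attempt("admin", "wrong-4", captcha_solved=True),    # locked
        guard.attempt("admin", "correct horse battery", True),     # locked
    ]
    now[0] += policy.lock_seconds + 1                              # lock expires
    results.append(guard.attempt("admin", "correct horse battery", True))  # ok
    results.append(guard.attempt("ghost", "anything"))             # bad_credentials
    return results


if __name__ == "__main__":
    for step, status in enumerate(demo(), 1):
        print(step, status)
```

Keying the counter on the username is what makes the lock "arguably less secure": anyone who knows the administrator's username can lock that account by submitting wrong passwords, which is why the lock here expires on its own and the captcha is demanded before the lock threshold is reached. Unknown usernames get the same status and the same PBKDF2 cost as real ones, so the login form does not reveal which accounts exist.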

Oh, yes, that was just a suggestion. I still agree that the CMS administrator should grant access. Perhaps this could be replaced by a way to notify the administrator to approve user access, which is also useful for the administrator to contact the user before granting access.

Thank you!

2 Likes