Brute force attack prevention

(Tom Hsiung) #1


I wonder if OpenEMR has a security strategy against brute force attacks.


(Brady Miller) #2

Hi @TomHsiung ,

A basic feature for this has been added to OpenEMR 5.0.2 (which will be released in about 4 weeks):

Here’s an Issue discussing further improvements:


(Tom Hsiung) #3

Glad to hear that news, Brady.


(Dan Ehrlich) #4


First there is proper configuration at the infrastructure level. We can automate this ourselves by setting it up via Docker, and we are working on the documentation for this now for everyone else running on bare Linux.

  1. ModEvasive module for Apache (similar stuff for Nginx and Caddy too)
  2. fail2ban and similar packages for Linux OS
  3. Utilizing DNSBL for known malicious IPs (can also be done at code/app levels maybe)

Second regarding at the code level:

  1. IP bans for multiple failed log-ins
  2. Not disclosing if username/email actually exists for password resets
  3. Not disclosing if it was username or password that was flawed during failed login
  4. Settings in the administration globals for whitelisting IPs perhaps
  5. Settings in the administration globals for GeoIP whitelisting, perhaps even down in the US at least to the State Level (in Texas this is starting to become quite common but seems hard to do for smaller states / in border areas)
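
The first three code-level items above (lockout after repeated failures, and not revealing whether the username or the password was wrong) can be sketched as follows; this is an added illustration, not OpenEMR's own code, and the `LoginGuard` class, the sample user table and the IP `203.0.113.5` are constructed for the example.

```python
import hmac
import time
from dataclasses import dataclass, field

# User-facing message is identical for unknown user, wrong password and lockout,
# so the response does not reveal which one applied (items 2 and 3 above).
GENERIC_ERROR = "Invalid username or password."


@dataclass
class LoginGuard:
    # Hypothetical helper: counts failures per source IP and per username and
    # locks a key once max_failures occur within lockout_seconds.
    users: dict                     # constructed sample: username -> password
    max_failures: int = 5
    lockout_seconds: int = 900
    _failures: dict = field(default_factory=dict)     # key -> (count, first_ts)
    _locked_until: dict = field(default_factory=dict)  # key -> unlock timestamp

    def _is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                 # lockout expired: reset the key
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def _record_failure(self, key, now):
        count, first = self._failures.get(key, (0, now))
        if now - first > self.lockout_seconds:   # stale window, start over
            count, first = 0, now
        count += 1
        self._failures[key] = (count, first)
        if count >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds

    def attempt(self, ip, username, password, now=None):
        # Returns (success, user_message, internal_reason); the reason is for the audit log only.
        now = time.time() if now is None else now
        keys = (f"ip:{ip}", f"user:{username}")
        if any(self._is_locked(k, now) for k in keys):
            return False, GENERIC_ERROR, "locked"
        # Constant-time compare; real deployments compare password hashes instead.
        if username in self.users and hmac.compare_digest(self.users[username], password):
            for k in keys:
                self._failures.pop(k, None)
            return True, "ok", "success"
        for k in keys:
            self._record_failure(k, now)
        return False, GENERIC_ERROR, "bad_credentials"
```

The per-username counter stops password spraying from many IPs, but it also lets anyone lock a known account by sending bad passwords, so the lockout window and per-user threshold need to be tuned and the "locked" reason should be alerted on.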

(Tom Hsiung) #5

Thank you, Dan.

I wait for the new features.