feat/login-security #1824

Closed

bookenjoyer67 wants to merge 2 commits from bookenjoyer67/continuwuity:feat/login-security into main

pull from: bookenjoyer67/continuwuity:feat/login-security

merge into: continuwuation:main

continuwuation:main

continuwuation:renovate/rust-non-major

continuwuation:renovate/rust-zerover-patch-updates

continuwuation:renovate/ruma-digest

continuwuation:aranje/illegal-car-mods

continuwuation:nex/perf/get-missing-events

continuwuation:ginger/oauth

continuwuation:nex/feat/admin-api

continuwuation:renovate/serde-saphyr-0.x

continuwuation:ginger/kill-sync-tokens

continuwuation:renovate/rand_core-0.x

continuwuation:nex/feat/deprecated-room-versions

continuwuation:release/v0.5.9

continuwuation:nex/feat/enable-debug-log-release-builds

continuwuation:nex/feat/room-purging

continuwuation:nex/feat/room-shutdown

continuwuation:ginger/ruma-upstreaming

continuwuation:jade/tls-backends

continuwuation:ginger/email-fixes

continuwuation:jade/changelog-labels

continuwuation:nex/fix/v12-publishing

continuwuation:jade/build-info

continuwuation:jade/purge-sync-tokens

continuwuation:ginger/terms-and-conditions

continuwuation:ginger/remove-sliding-sync-proxy

continuwuation:nex/fix/pusher-association

continuwuation:ginger/email-support

continuwuation:jade/community-guidelines

continuwuation:nex/fix/federation-format

continuwuation:jade/git-deps-updates

continuwuation:jade/changelog-check

continuwuation:jade/rust-1-92

continuwuation:ginger/password-reset

continuwuation:nex/experiment/push-gateway-logs

continuwuation:ginger/msc3575-obliteration

continuwuation:nex/feat/block-busted-rooms

continuwuation:nex/fix/informative-startup-errs

continuwuation:ginger/no-left-room-initial-sync

continuwuation:jade/docker-entrypoint

continuwuation:jade/dehydrated-devices

continuwuation:ginger/complement-fixes

continuwuation:nex/fix/stale-destination-cache

continuwuation:nex/experiment/sync-mutex

continuwuation:tcpipuk/docker-docs

continuwuation:jade/snafu

continuwuation:jade/rand-update

continuwuation:nex/stateres-refactor

continuwuation:ginger/779-in-troubleshooting

continuwuation:jade/liveit-guide

continuwuation:jade/http3

continuwuation:nex/feat/admin-hide-empty-rooms

continuwuation:ginger/oobe

continuwuation:nex/fix/debian-thingy

continuwuation:jade/ldap-admin-check

continuwuation:nex/fix/remote-restricted-joins

continuwuation:nex/feat/msc4406-sender-ignored

continuwuation:jade/deadlock-detection

continuwuation:jade/get-started

continuwuation:jade/docs-guide

continuwuation:ginger/fix-local-invites

continuwuation:nex/fix/tpi

continuwuation:nex/feat/room-deletion

continuwuation:nex/feat/msc4322-media-redaction

continuwuation:ginger/stitched-order

continuwuation:ginger/deps/update-rspress

continuwuation:jade/admin-announce-improvements

continuwuation:ginger/xtask-improvements

continuwuation:jade/improve-admin-config-display

continuwuation:nex/fix/better-stateres-error-logs

continuwuation:jade/sender-timeouts

continuwuation:nex/feat/custom-v12-room-ids

continuwuation:ginger/update-metadata

continuwuation:nex/feat/admin-force-logout

continuwuation:tom/max-perf-docs

continuwuation:nex/fix/invalid-appservice-reg

continuwuation:nex/feat/antispam

continuwuation:nex/feat/account-locking

continuwuation:jade/logging-cleanup

continuwuation:jade/remove-legacy-appservice-auth

continuwuation:nex/fix/key-query

continuwuation:jade/update-prek

continuwuation:nex/fix/room-summaries

continuwuation:ginger/restrict-admin-commands

continuwuation:ginger/enable-console-by-default

continuwuation:jade/tag-fixes

continuwuation:jade/otlp

continuwuation:nex/meta/pull-req-template

continuwuation:nex/fix/fed-invite-compliance

continuwuation:nex/feat/build-commit

continuwuation:nex/feat/join-logging

continuwuation:jade/mailmap-updates

continuwuation:jade/hack-ci-tmp

continuwuation:jade/v12-stable

continuwuation:jade/relations

continuwuation:ginger/database-refactor

continuwuation:jade/fix-ldap-uiaa

continuwuation:nex/fix/validation

continuwuation:ginger/nuke-invalid-msc4133-fields-in-migration

continuwuation:ginger/downgrade-artifact-actions

continuwuation:oddlid/reload-fix

continuwuation:jade/fix-assert

continuwuation:ginger/sync-v3-cleanup

continuwuation:ginger/remove-absolute-action-urls

continuwuation:jade/website

continuwuation:nex/fix/backoff

continuwuation:ginger/fix-mdbook-for-0.5

continuwuation:ginger/no-docker-on-prs

continuwuation:backport/v0.5.0-rc.8-1

continuwuation:nex/fed-improvements

continuwuation:jade/rust-1.90

continuwuation:jade/mirror-dockerhub

continuwuation:jade/clippy-fixes

continuwuation:jade/fix-support

continuwuation:jade/clean-images

continuwuation:jade/wal-compression-type

continuwuation:jade/flake-clone

continuwuation:ginger/upload-rpms-on-schedule

continuwuation:nex/fix/incoming-fetch

continuwuation:nex/fix/upgrade

continuwuation:tom/ci-fedora-rpm

continuwuation:jade/ci-release-fix

continuwuation:jade/rocksdb-10-5

continuwuation:ginger/fix-msc4133-migration

continuwuation:ginger/migrate-busted-tz

continuwuation:hydra/public

continuwuation:nex/feat/manual-extremities

continuwuation:nex/feat/async-media

continuwuation:nex/feat/fast-joins-hack-do-not-use-DO-NOT-USE

continuwuation:nex/feat/better-logging

continuwuation:trigger-ci-so-latest-isnt-on-illegal-car-mods

continuwuation:nex/feat/pins-backfill

continuwuation:jade/tuwunel-2025-06-old

continuwuation:jade/ai-slop-db-docs

continuwuation:nex/fix-create-auth

continuwuation:jade/version-stats

continuwuation:jade/read-receipts

continuwuation:jade/rust-toolchain-no-targets

continuwuation:jade/logging-features

continuwuation:jade/syncv5-typing

continuwuation:jade/msc2815

continuwuation:morguldir/see-eye

continuwuation:jade/css-small-screen

continuwuation:nex/wip-751

continuwuation:tuwunel-rebase

continuwuation:test

continuwuation:oddlid/rename-admin-room-bot

continuwuation:strawberry/nix-ci-stuff

continuwuation:strawberry/valgrind

continuwuation:phonemain

continuwuation:strawberry/morgs-snake-sync-jason-main

continuwuation:newer-media-endpoints

continuwuation:folly-coroutines-async-io

continuwuation:federation-retry-timer-port

continuwuation:bad-attempt-at-extracting-homeserver-signing-key

continuwuation:room-deletion-attempt-do-not-use

Conversation 1 Commits 2 Files changed 11 +1159 -4

bookenjoyer67 commented 2026-05-28 19:45:05 +00:00

First-time contributor

Copy link

Adds a login_security service providing brute-force protection for Matrix
homeservers. Helps operators defend against credential-stuffing and
password-spraying attacks.

What it does

• Tracks failed login attempts per user and per IP address
• Automatically locks accounts and blocks IPs when thresholds are exceeded
• Supports graduated lock durations (escalating for repeat offenders)
• Configurable attempt windows, thresholds, and lock TTLs
• Admin room commands for inspecting and managing blocks/locks
• Optional audit logging of all login attempts

Configuration

New [global.login_security] section in conduwuit.toml:

• max_failed_attempts_per_user (default: 5)
• max_failed_attempts_per_ip (default: 10)
• lock_duration_seconds (default: 300)
• attempt_window_seconds (default: 900)
• enable_ip_rate_limiting / enable_user_rate_limiting (default: true)
• log_all_attempts (default: true)
• graduated_lock_durations (default: [300, 900, 3600])
  All defaults are conservative and can be tightened or disabled per
  operator preference.

Testing

• Deployed and running on a live federated homeserver
• Verified against repeated login failures from same user / same IP
• Admin commands tested in management room

Adds a login_security service providing brute-force protection for Matrix homeservers. Helps operators defend against credential-stuffing and password-spraying attacks. ### What it does - Tracks failed login attempts per user and per IP address - Automatically locks accounts and blocks IPs when thresholds are exceeded - Supports graduated lock durations (escalating for repeat offenders) - Configurable attempt windows, thresholds, and lock TTLs - Admin room commands for inspecting and managing blocks/locks - Optional audit logging of all login attempts ### Configuration New `[global.login_security]` section in `conduwuit.toml`: - `max_failed_attempts_per_user` (default: 5) - `max_failed_attempts_per_ip` (default: 10) - `lock_duration_seconds` (default: 300) - `attempt_window_seconds` (default: 900) - `enable_ip_rate_limiting` / `enable_user_rate_limiting` (default: true) - `log_all_attempts` (default: true) - `graduated_lock_durations` (default: [300, 900, 3600]) All defaults are conservative and can be tightened or disabled per operator preference. ### Testing - Deployed and running on a live federated homeserver - Verified against repeated login failures from same user / same IP - Admin commands tested in management room

bookenjoyer67 added 2 commits 2026-05-28 19:45:05 +00:00

feat: add login security module with rate limiting and account locking f1175dac4a

feat: add login security configuration with graduated lock durations 08c17cada6

forgejo-actions added the

Changelog

Missing

label 2026-05-28 19:45:12 +00:00

nex closed this pull request 2026-05-28 19:58:29 +00:00

Jade commented 2026-05-28 19:59:54 +00:00

Owner

Copy link

Please discuss large changes in the development discussion room, and follow the pull request template.

Please discuss large changes in [the development discussion room](https://matrix.to/#/!ksTlboXVgcyWjv5GrlEeKyQuJ8ZCprnwQx2b6-BQ44Q?via=continuwuity.org&via=matrix.org&via=federated.nexus), and follow the pull request template.

ginger added the

Status

Invalid

label 2026-05-28 20:08:34 +00:00

Some checks failed

Hide all checks

Auto Labeler / Apply labels based on changed files (pull_request_target) Successful in 2s

Details

Documentation / Build and Deploy Documentation (pull_request) Has been cancelled

Details

Checks / Prek / Pre-commit & Formatting (pull_request) Has been cancelled

Required

Details

Checks / Prek / Check changed files (pull_request) Has been cancelled

Required

Details

Checks / Prek / Clippy and Cargo Tests (pull_request) Has been cancelled

Required

Details

Checks / Changelog / Check changelog is added (pull_request_target) Failing after 9s

Required

Details

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

Blocked

This pull request or issue is currently blocked from being merged/closed

  

Bug

Something isn't working as intended

  

Changelog

Added

Changelog entry added

  

Changelog

Missing

No changelog when one is needed

  

Changelog

None

Changelog is unnecesary for this change

  

Cherry-picking

Commits picked from other conduit projects

  

Database

This requires or includes changes to the database

  

Dependencies

Something dependency related

  

Dependencies/Renovate

Automatic dependency upgrades by Renovate

  

Difficulty

Easy

Low difficulty to implement - touches few parts of the codebase, low complexity

  

Difficulty

Hard

High difficulty to implement - touches many parts of the codebase, high complexity

  

Difficulty

Medium

Medium difficulty to implement - touches more parts of the codebase, higher complexity

  

Documentation

Improvements or additions to documentation

  

Enhancement

New feature or request

  

Good first issue

Good for newcomers

  

Help wanted

Additional eyes and keyboards are required for this one

  

Inherited

Issues that have been inhereted from the project pre-fork

  

Matrix/Administration

Features pertaining to homeserver administration

  

Matrix/Appservices

Features pertaining to the appservice API

  

Matrix/Auth

Features pertaining to authentication

  

Matrix/Client

Features pertaining to client-to-server interactions

  

Matrix/Core

Issues relating to core matrix functionality, such as state resolution and PDU formats

  

Matrix/E2EE

Issues related to end to end encryption

  

Matrix/Federation

Features pertaining to server-to-server interactions

  

Matrix/Hydra

Issues related to room version 12 and related changes (temporary label)

  

Matrix/MSC

Features pertaining to unstable matrix features

  

Matrix/Media

Features pertaining to media interactions

  

Matrix/T&S

Changes or issues related to trust & safety tooling

  

Merge

This PR is ready to be merged

  

Merge/Manual

This PR should be manually merged

  

Merge/Squash

This PR should be squashed when it is merged

  

Meta

Related to housekeeping, maintenance, or other repo-meta.

  

Meta/CI

Issues related to CI changes

  

Meta/Packaging

Packaging

  

Priority

Blocking

This issue is blocking the next release

  

Priority

High

This issue is very important

  

Priority

Low

This issue is of a rather low priority

  

Security

This item is related to general security

  

Status

Confirmed

This issue has enough information and is confirmed

  

Status

Duplicate

This issue or pull request already exists

  

Status

Invalid

This issue doesn't seem right

  

Status

Needs Investigation

This issue needs further investigation

  

Support

Questions or support requests

  

Wont fix

This will not be worked on

  

old/ci/cd

Ci/CD

Archived

  

old/rust

Pull requests that update Rust code

Archived

No labels

Blocked

Bug

Changelog

Added

Changelog

Missing

Changelog

None

Cherry-picking

Database

Dependencies

Dependencies/Renovate

Difficulty

Easy

Difficulty

Hard

Difficulty

Medium

Documentation

Enhancement

Good first issue

Help wanted

Inherited

Matrix/Administration

Matrix/Appservices

Matrix/Auth

Matrix/Client

Matrix/Core

Matrix/E2EE

Matrix/Federation

Matrix/Hydra

Matrix/MSC

Matrix/Media

Matrix/T&S

Merge

Merge/Manual

Merge/Squash

Meta

Meta/CI

Meta/Packaging

Priority

Blocking

Priority

High

Priority

Low

Security

Status

Confirmed

Status

Duplicate

Status

Invalid

Status

Needs Investigation

Support

Wont fix

old/ci/cd

old/rust

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

continuwuation/continuwuity!1824

No description provided.