Skip to main content
Open

Restriction on number of failed login attempts

Related products:FME Flow
  • January 20, 2021
  • 4 replies
  • 78 views

martinkoch
Enthusiast
Forum|alt.badge.img+25

In recent security audit, one of the concerns was with the FME Server log-in.

As there is no limit on the amount of retries, the login can be brute-forced.


Please add a toggle and a parameter for limited login-retries, just like 'Password Policy' in the system configuration.


Perhaps also adjust the system-event to only trigger after a set number of attempts, and have the IP-address of the source as one of the keys.


Kind regards,


Martin

4 replies

david_r
Celebrity
  • June 28, 2021

Seconded. Either block the account after a certain number of retries, or implement progressive rate-limiting after a certain number of failed attempts.

More information: https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks


  • September 14, 2021

This was also one of the major findings in our security audit.

I would love to see such a security measure in one of the next releases.


clayf
Participant
Forum|alt.badge.img
  • Participant
  • June 18, 2026

This is also still a problem for us in June 2026 until we can move to a single-sign on solution. Has there been any progress?


tino
Supporter
Forum|alt.badge.img+29
  • Supporter
  • July 10, 2026

Yes, that is still something every pentest flags as “not ideal”.

@clayf :
As a workaround: There is a system notification event for a failed login. You can build a simple workspace which listens to this and logs an attempt then to a e.g. sqlite file in ${DATA}. Then also on each run calc failed attempts per user in a time frame and if this above a treshold use the Rest API to disable the account.

I think with the current (and configurable) password complexity BF should be nearly impossible. And if you want to avoid DOS you really should place FME Flow behind a WAF and define some rules to block originating IP ranges if there are too many requests. Because FME Flow cannot avoid requests even if the user is disabled on FME Flow side.