I have a Username-Password-Authentication database where login with usernames is enabled.
I have the following users registered:
Alice, with email contact@alice.com and username “Alice”
Bob, with email contact@bob.com and username “Bob”
When I try to login multiple times with username “contact” and an random password, both accounts of Alice and Bob are blocked for too many login attempts, even tough “contact” is neither of their usernames.
This is even possible when login with usernames is disabled.
If “contact” is given as username and a correct password for either one of the two accounts is given, no access is granted.
I tried to login with the following command, but it also should work with the Universal Login also make sure that Brute Force Protection is enabled:
That brute-force feature blocks an IP address, not a user, which is why Alice & Bob appear to be blocked. You need to unblock the IP via the Management API.
Edit: By the above I mean, if Alice or Bob tried logging in from another location (different IP), they would be able to log in.
I’m indeed able to unblock both users, but when I look at the management dashboard Alice & Bob are the only users that appear to be blocked, by IP. Other users don’t have the “Blocked (BruteForce)” tag.
If an user is indeed blocked for an IP it’s listed there indeed
This morning I tried again to block Alice and Bob by login in with the “contact” username. This time however it didn’t block any users… I don’t know why I’m not able to reproduce it any more
I think my original explanation was misleading … I made it sound like: “once one person triggers a block on an IP address, all users at that IP will be blocked.” which I am fairly certain is not true. That IP address will only be added to blocked IP list of the user trying to log in. So Alice and Bob should be blocked when Jane triggers the block (assuming all three are behind the same IP).
The exception to this is: if there are 100+ failed logins from a given IP, then that IP is blocked for everyone.
Maybe my explanation was wrong or not clear. But I meant that I have registered accounts for Alice, Bob and Jane in a database where usernames are not required. Alice and Bob share the same mailbox (for example “contact”) and Jane has a different one, all their e-mails have a different domain name and are created on the same IP.
When I try to login multiple times as “contact” (there is no account with this username) Alice and Bob are both blocked, but Jane is not
My assumption was that Alice and Bob their accounts were blocked because the login name was the same as their mailbox