Considering for Future Release

add dynamic ip block for the login page, against brute force logins

Yves 4 years ago updated by anonymous 3 years ago 8

we authenticate through Active Directory, but our public login page is sometimes attacked by brute force attempts, so some AD accounts are locked.

It would be great if ip could be banned after some bad attempts.

Available in Version:

Definitely important otherwise the SC login page basically open up a potential DoS attack surface when combined with AD.

Related question is http://product.screenconnect.com/topics/585-allow-e-mail-trigger-for-maxinvalidpasswordattempts-with-ip-info/ - possibly by setting 'MaxInvalidPasswordAttempts' you may be able to help mitigate this.

Still, I strongly believe that SC should support a fail2ban style automatic IP block on multiple failed login attempts. It should be configurable for number of accounts attempted, number of invalid passwords attempted and number of non-existant usernames attempted. This would allow much more effective blockage of brute force attacks while running a very low risk of locking out a legitimate user. A legit user will not likely misspell their own username 5 times - or try 3 different accounts, etc.

Pending Review

We do not allow users connecting from the internet to use the admin-page due to this... hope that we can see some improvements. :)


I don't understand what you mean by "We do not allow users connecting from the internet to use the admin-page". I use it through Internet almost each day

We have the SC server on our DMZ and authenticate towards the AD (private network). Today its possible to try to brute force the loginpage on the SC-admin and we do not want that to happen.

To restrict this we set "RestrictToIPs" in web.config and only allow internal IP's towards the Host.asp Administration.aspx and Login.aspx

ok, thanks. As we can't restrict by ip we lock accounts after some bad attempts...and still hope ScreenConnect implement more security features

Considering for Future Release