Your comments

David,

you are absolutely, 100% correct: I SHOULD have renamed "Administrator" from the beginning, and/or created another admin account to use as my normal ID - "live and learn", indeed. Still, we can hope for better logging, monitoring and self-defense features to appear in SC in the (near?) future...

Thanks again for all the enlightening posts in this thread.  You *really* know your stuff...

David,

Thanks for these links.

I see that IP blocking actually offers both "Block IP Addresses" and "Restrict to IP Addresses", the latter of which could be particularly useful under the right circumstances.  Nevertheless, you got it exactly right when you alluded to "IP based fail2ban style greylist/autoban" as the desirable (but so far missing) feature.

Regarding locking user accounts, I have now raised the "MaxInvalidPasswordAttempts" setting to an absurdly high level, so I may be protected (somewhat) against getting 100% locked out of my own self-hosted SC installation.  Furthermore, I have now created a second administrator account with a non-obvious name (and strong password), something I will admit I should have done from the beginning.  I also activated 2FA on both accounts.  And finally, I have implemented a daily task that stops SC services, saves a daily archive of the entire SC program directory (not that big, around 80 MB presently) and restarts SC services.

I still think that my original configuration, with ONLY the standard/default "Administrator" user, should have had some kind of safeguard or mitigation built-in, such that I could not end up locked out of my own PAID self-hosted server through actions of some unknown external bad actor (and on a Patch Tuesday morning, of all possible times...).  But that's water under the bridge, as they say.

Moving on,

Renald

swhite,

That's good news, and very welcome. Of course, it would have been just as welcome, as well as more timely, if it had been implemented more quickly (pick any time delay between 5 weeks and 5 years...). Still, I am grateful for the action on this item at this time - looking forward to checking it out when it comes out, possibly even in pre-release.

However, this will only respond to ONE of the 3 questions that were in my original query, which was brushed off as belonging in feature requests: WHEN, HOW MANY and WHICH IPs? I guess I will have to take the last two and make them part of a new post on the Feature Request Portal...

It would also be desirable to have a configurable setting as to how many (consecutive?) bad logins it would take before an account is locked out. Also, in the case of a self-hosted SC installation with only the ONE "Administrator" account, locking it out seems to me to be a far from optimal response to multiple bad logins. I would find it highly preferable if one of the following measures were implemented instead:

*) limited time lockout - least desirable, but certainly preferable to a PERMANENT lockout that makes the whole installation UNUSABLE (forcing recourse to a password reset that also deletes the user table, if there is one).

*) blacklisting of originating IP address of the bad logins, with settings to manage the list of blacklisted IPs (and possible auto-expiration from that list)

Again, I realize this probably belongs in a separate feature request, which is where I am headed next. But I also thought it would be appropriate to first preview these comments here, as part of this long thread with (FINALLY) some action at the end...
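The behaviour asked for in this comment and in the earlier reply (a configurable consecutive-failure threshold, a time-limited rather than permanent account lockout, and a fail2ban-style per-IP ban that auto-expires), together with the WHEN / HOW MANY / WHICH IPs reporting raised in the original query, modelled as an added Python example. This is not ScreenConnect code and describes nothing the product implements; the log line format, the field names, the thresholds and the addresses (RFC 5737 documentation ranges) are all constructed for the illustration. The point it makes is the one argued in the thread: with the per-IP limit set below the per-account limit, a single noisy source gets banned before the lone administrator account is ever locked.

```python
"""Fail2ban-style login guard modelling the thread's request. Added example,
not ScreenConnect code. Constructed log format (hypothetical):
    <ISO-8601 timestamp> <ok|fail> user=<name> ip=<address>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Policy:
    """Configurable thresholds; the values are arbitrary defaults to tune."""
    max_consecutive_failures: int = 5                   # per account
    account_lockout: timedelta = timedelta(minutes=15)  # time-limited, not permanent
    ip_failures_before_ban: int = 3                     # per source IP, below the account limit
    ip_ban_duration: timedelta = timedelta(hours=1)     # auto-expires from the ban list


@dataclass
class LoginGuard:
    policy: Policy = field(default_factory=Policy)
    consecutive_failures: dict = field(default_factory=lambda: defaultdict(int))
    ip_failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_until: dict = field(default_factory=dict)   # account -> expiry time
    banned_until: dict = field(default_factory=dict)   # ip -> expiry time
    failure_log: list = field(default_factory=list)    # (time, account, ip)

    @staticmethod
    def _active(table, key, now):
        """True while table[key] is a future expiry; purges it once passed."""
        until = table.get(key)
        if until is None:
            return False
        if now >= until:
            del table[key]
            return False
        return True

    def observe(self, line):
        """Apply the policy to one log line; return the decision as a tag string."""
        ts, outcome, user_kv, ip_kv = line.split()
        now = datetime.fromisoformat(ts)
        user = user_kv.split("=", 1)[1]
        ip = ip_kv.split("=", 1)[1]
        # Banned sources are dropped before they can touch any account counter.
        if self._active(self.banned_until, ip, now):
            return "rejected:ip-banned"
        if self._active(self.locked_until, user, now):
            return "rejected:account-locked"
        if outcome == "ok":
            self.consecutive_failures[user] = 0
            return "accepted"
        # A failure: record WHEN and from WHICH IP, then count it on both axes.
        self.failure_log.append((now, user, ip))
        self.consecutive_failures[user] += 1
        self.ip_failures[ip] += 1
        tags = ["failed"]
        if self.ip_failures[ip] >= self.policy.ip_failures_before_ban:
            self.banned_until[ip] = now + self.policy.ip_ban_duration
            self.ip_failures[ip] = 0
            tags.append("ip-banned")
        if self.consecutive_failures[user] >= self.policy.max_consecutive_failures:
            self.locked_until[user] = now + self.policy.account_lockout
            self.consecutive_failures[user] = 0
            tags.append("account-locked")
        return ":".join(tags)

    def report(self, user):
        """Answer the thread's three questions: WHEN, HOW MANY, WHICH IPs."""
        entries = [(t, ip) for t, u, ip in self.failure_log if u == user]
        return {
            "count": len(entries),
            "first": entries[0][0] if entries else None,
            "last": entries[-1][0] if entries else None,
            "ips": sorted({ip for _, ip in entries}),
        }


# Constructed sample log: one noisy source, a second source, then the real admin.
SAMPLE_LOG = [
    "2024-01-09T03:00:00 fail user=Administrator ip=203.0.113.10",
    "2024-01-09T03:00:05 fail user=Administrator ip=203.0.113.10",
    "2024-01-09T03:00:10 fail user=Administrator ip=203.0.113.10",  # 3rd failure: IP banned
    "2024-01-09T03:00:15 fail user=Administrator ip=203.0.113.10",  # dropped, not counted
    "2024-01-09T03:00:20 fail user=Administrator ip=198.51.100.7",
    "2024-01-09T03:00:25 fail user=Administrator ip=198.51.100.7",  # 5th consecutive: lockout
    "2024-01-09T03:00:30 ok user=Administrator ip=192.0.2.5",       # right password, still locked
    "2024-01-09T03:20:00 ok user=Administrator ip=192.0.2.5",       # lockout expired: accepted
    "2024-01-09T04:05:00 ok user=Administrator ip=203.0.113.10",    # ban expired: accepted
]


def run_sample():
    """Replay SAMPLE_LOG through a fresh guard; returns (decisions, report)."""
    guard = LoginGuard()
    decisions = [guard.observe(line) for line in SAMPLE_LOG]
    return decisions, guard.report("Administrator")


if __name__ == "__main__":
    decisions, summary = run_sample()
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(f"{decision:24} {line}")
    print(summary)
```

Note the ordering in `observe`: a banned IP is rejected before the account counters are touched, so attempts from an already-banned source neither extend the failure history nor push the account toward lockout, and the expiry check purges stale entries so both lists clean themselves up without an operator.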

jp,

First, thanks for your comments. I am a lone, self-employed IT consultant, and my path to ScreenConnect was as a duly researched replacement for LogMeIn, whose doubling of prices year after year (after first going back on their long term promise to always offer a basic free version) quickly became untenable.  Having been "bitten" this once, I was "twice shy" about committing myself 100% to a single other platform.  Still, the more than adequate quality and performance of SC in 2015 won me over.  I just ALSO signed up, around the same time, to a second remote access service as a backup (remember: "once bitten, twice shy" - or "not putting all your eggs in the same basket").  My cost for that first year was 325$ US for SC, plus 60$ for Splashtop, my "plan B" service.  Then, for the next few years, remaining eligible for updates and support cost me 20% yearly of the original SC cost, while I had to fork over 100% of the modest Splashtop price to keep the service active (also with updates).  Frankly, I would have probably bought into a cloud-based version of SC if it had been offered at the time, at a reasonable price of course (what does that EVEN mean nowadays?).

This whole situation stinks.  I strongly suspect that ScreenConnect, if it had not been bought out by ConnectWise, might have been maintained and improved at a faster clip.  I am seriously considering NOT renewing my license when it expires next summer...

Today (of all possibilities, on a PATCH TUESDAY morning), I woke up to the following response from my self-hosted SC installation: "Too many incorrect password attempts; you have been locked out".  6 YEARS with them, and it's the first time this happens...

Chat with a support rep, some rigmarole about needing to go through a back and forth Email exchange in which I confirm a COUPLE of times that I do, INDEED, want their assistance in resetting my Administrator password, which I am then instructed to perform myself by following these instructions: Forgot on-premises username or password

Then I ask, pretty reasonably IMHO, the following questions:

How can I determine WHEN those "incorrect password attempts" occurred, HOW MANY there were, and (if possible) which IP ADDRESSES they came from?

The response: "this is not possible as this would be a Feature Request", and I get the link to their Feature Request Portal, which quickly brought me HERE...

FIVE YEARS???!!! "Just Roadmapped" (but no timetable or delivery ETA)???!!!  Grrrrr... As I expressed in my conclusion to the email support thread, I now feel EXTREMELY VULNERABLE...

I will set up a backup administrator account, probably implement a nightly SC folder backup to expedite recovery if this happens again, but I am extremely dismayed at the lack of attention this "feature request" has received over the last 5 years... :-(