How can I disable "Too many different sign-in attempts" when users try to subscribe?

I have Mailgun set up successfully, but it only intermittently works as new users trying to sign up often receive the error message, “Too many different sign-in attempts, try again in X hours”.

Is there any way to disable whatever is blocking the attempts to subscribe?

For what it’s worth, I’m self-hosting Ghost v5.62.0 via Docker.

That message comes here in the code:

It’s using a module called express-brute, which has options documented here:

The docs show it can be configured with some other options like freeRetries, which currently defaults to 2, a pretty low number.

Someone could contribute a pull request to propose adding a section to config.production.json where values to customize this behavior could be stored.

Right now, it doesn’t appear possible to customize behavior without forking Ghost.

A very simple solution, though, might be to just raise the default value from “2 free retries” to 3 or 5. It would typically take a lot more tries than that for a brute-force attack to succeed.

This should already be supported:

{
  "spam": {
    "member_login": { ... }
  }
}
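How the express-brute options discussed in this thread shape the lockout, as an added example that is not part of the original posts and is not Ghost's or express-brute's code. It is a simplified model of the wait schedule following the option descriptions in the express-brute README (freeRetries, plus minWait and maxWait in milliseconds); the sample values are constructed, not Ghost's defaults.

```javascript
// Added example: simplified model of the express-brute wait schedule, based on
// the option descriptions in its README. Not express-brute's or Ghost's code.

// Waits in ms: start at minWait, each next wait is the sum of the previous
// two, and the final entry is capped at maxWait.
function buildDelays(minWait, maxWait) {
  if (!(minWait > 0) || !(maxWait > 0)) {
    throw new RangeError("minWait and maxWait must be positive (milliseconds)");
  }
  const delays = [minWait];
  while (delays[delays.length - 1] < maxWait) {
    const prev = delays.length > 1 ? delays[delays.length - 2] : 0;
    delays.push(delays[delays.length - 1] + prev);
  }
  delays[delays.length - 1] = maxWait;
  return delays;
}

// Wait (ms) required since the previous accepted attempt before attempt
// number `attempt` (1-based) is accepted. The first request plus
// `freeRetries` retries need no wait.
function waitBeforeAttempt(opts, attempt) {
  const delays = buildDelays(opts.minWait, opts.maxWait);
  const index = attempt - opts.freeRetries - 2;
  if (index < 0) return 0;
  return index < delays.length ? delays[index] : opts.maxWait;
}

// Waits for attempts 1..attempts, in order.
function schedule(opts, attempts) {
  return Array.from({ length: attempts }, (_, i) => waitBeforeAttempt(opts, i + 1));
}

// Constructed sample settings (not Ghost's defaults): 10 min first wait, 12 h cap.
const MINUTE = 60 * 1000;
const strict = { freeRetries: 2, minWait: 10 * MINUTE, maxWait: 720 * MINUTE };
const relaxed = { freeRetries: 5, minWait: 10 * MINUTE, maxWait: 720 * MINUTE };

for (const [name, opts] of Object.entries({ strict, relaxed })) {
  const minutes = schedule(opts, 10).map((ms) => ms / MINUTE);
  console.log(`${name}: wait in minutes before attempts 1-10: ${minutes.join(", ")}`);
}
```

In this model, raising freeRetries only shifts where the waits begin; how quickly they grow to hours is set by minWait and maxWait.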

@vikaspotluri123 I know that it is supposed to be, but there’s a flaw in the documentation.

The configuration for how to configure spamming links to an old version of the config file:

That version doesn’t contain the member_login key, so that part appears to not be configurable.

I’m not sure how to submit a pull request against the documentation, but the issue could be resolved by linking to the same section on the main branch instead:

cc @RyanF to get the docs updated!

Thanks for flagging. The docs have been updated!