
#18643 Only allow login to site from a country

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Wednesday, 08 January 2014 09:10 CST

kennst
 Hi!

Is it possible to only allow login (e.g. intranet) to a site from a specified country (e.g. UK)? And still let the public site be accessible to all countries?

tampe125
Akeeba Staff
Hello Kenneth,

are you talking about frontend login or admin login?

Davide Tampellini

Developer and Support Staff

🇮🇹 Italian: native 🇬🇧 English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

kennst
Frontend login.

I have a site where we have intranet login from the frontend. It would be great to only allow login from my own country. It would maybe cut down attempts from spammers as well.

tampe125
Akeeba Staff
I'm sorry but that's not possible.


kennst
Could you add this as a feature request?

nicholas
Akeeba Staff
Manager
There is a reason why this is not implemented: it can be trivially circumvented using a free proxy host. For example I can see at least 3 free proxy servers which will make me appear as though I am coming from the UK. Any spammer / hacker with a minimum amount of brains can use one of these and several other proxy servers to try to brute force their way into your site.

However, as you are running Joomla! 3.2.1, there is something you can do. It's a feature I wrote for Joomla! and is included in it since Joomla! 3.2: two factor authentication. You can set up Google Authenticator for use either in the front-end or the back-end (or both: that's the default). The attacker will need your username (known), your password (he's trying to brute force it) and a six digit code that changes every 30 seconds (that's the two factor authentication bit). Even if they do already know your username and password they have one chance in 160,000 to get the code right before it changes again. If they always stupidly try with the same code until they succeed they will need an average of 173 years to successfully log in to your site's front-end. I think that's far better than a trivially circumvented "security" feature, don't you think?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

kennst
Hi Nicholas!

I use and like your two factor authentication. But I use it when logging in to the administrator.

I know it is not much safer to hide the login module based on which country you are in. But it could maybe prevent some login attempts. I found out that I could use NoNumber Advanced Module Manager. So it fixed my "problem".

I don't use the two factor authentication because the users logging in at the frontend have problems remembering their own username and password. If I forced them to use two factor authentication the H... would break loose. I have enough e-mails regarding failed logins.

Thanks for your answer and time.

nicholas
Akeeba Staff
Manager
> I know it is not much safer to hide the login module based on which country you are in

Not safe at all. The login functionality in Joomla! doesn't even require the module to be published. Just try visiting the /index.php?option=com_users URL on your site. Point proved. If you disable access to that component nobody can log in in the front-end (bummer!). Long story cut short: you can't disable logging in conditionally. It's the very definition of what logging in is. Hence the need for two factor authentication.

So, basically, what you did doesn't work. Hackers do not use your login module. They try to post to the com_users component directly. You've drilled a hole in the water.

> I use and like your two factor authentication. But I use it when logging in to the administrator.

So far you were using Admin Tools' Two Factor Authentication. As you implied, it's limited: it only works in the back-end and there's only one code for all back-end users. Since Joomla! 3.2.0 there is a MUCH more powerful TFA feature built into Joomla! itself. It works in the front-end, in the back-end or both. It can be turned on and off per user. Each user has their own secret code. That's why I'm saying that using TFA is the solution to your problem.

> I don't use the two factor authentication because the users logging in at the frontend have problems remembering their own username and password. If I forced them to use two factor authentication the H... would break loose.

You said you have to force them? It's an opt-in feature. It was made opt-in exactly for the reasons you mention. Hey, give me some credit here, I've already thought of those basic issues :D

Just to prove my point: Our site (akeebabackup.com) has two-factor authentication enabled, in front-end and back-end. Out of the several thousands of our users do you know how many have opted in to two factor authentication? Ten, including me. Ten. Out of several thousands. Three of them are among the people who did the beta testing for Joomla!'s two factor authentication system.

At the end of the day you should not worry about hackers brute forcing your users' passwords. They never bother. If they have a list of known usernames and passwords (from other hacked sites) they might try their luck, but then the account is already compromised and the user has committed the two most grave sins of password management: using the same password on multiple sites and not changing a known-to-be-compromised password everywhere.

If you have to worry about something it's your Super Users. Especially if the usernames are easily guessed or easy to find out on your site. Hackers will try to brute force them. Enabling TFA on this small subset of people and training them on how to use it is fairly easy. The easiest method? Buy them YubiKeys. The whole training consists of: "type your username and your password, click on Secret Key, insert the YubiKey in the USB slot (the rectangular one on your PC), touch the golden disk, wait to be logged in". If someone can't follow those steps they shouldn't be allowed anywhere near a machine with a CPU, not even a modern refrigerator.

I think I made my point quite clear :)

