Feature Request: Temp. Blacklist Source IP on X invalid login attempts for PIN/Password #95
m0nji started this conversation in Feature Requests
The default rate limit we set (100 requests in 1 minute) should realistically make it very hard to brute force try all codes. You could set this to be more strict if you want. We don't have exactly what you're requesting though. You might be able to get something similar by installing Fail2ban as a plugin to the Traefik instance Pangolin uses. We could expose a second rate limit in the config file just for the auth pages. If you notice, that section of the config is called
I don't see this on the roadmap, but it would be nice to have this feature for PIN and password authentication.
Right now, someone could try the PIN/password without any limitations? So it would be nice if, for example, after 5 invalid login attempts, the public source IP were blacklisted for 24h. This makes it much harder for a hacker to compromise the authentication layer.
Of course, configurable login attempts and blacklist time would be great.
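The behaviour requested in this thread (a temporary per-source-IP block after a configurable number of failed PIN/password attempts), written out as an added Python example; it is not Pangolin code, and the class and function names and the 10-minute counting window are assumptions the thread does not specify.

```python
from collections import defaultdict, deque

class LoginBanList:
    """Temporary per-source-IP ban after repeated failed PIN/password checks."""

    def __init__(self, max_attempts=5, ban_seconds=24 * 3600, window_seconds=600):
        self.max_attempts = max_attempts      # failures tolerated before a ban
        self.ban_seconds = ban_seconds        # ban length; 24h as in the request
        self.window_seconds = window_seconds  # assumption: failures counted per window
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._banned_until = {}               # ip -> time the ban ends

    def is_banned(self, ip, now):
        if self._banned_until.get(ip, float("-inf")) > now:
            return True
        self._banned_until.pop(ip, None)      # expired or never banned
        return False

    def record_failure(self, ip, now):
        """Count one failed attempt; return True if it triggers a ban."""
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > self.window_seconds:
            recent.popleft()                  # drop failures outside the window
        if len(recent) < self.max_attempts:
            return False
        self._banned_until[ip] = now + self.ban_seconds
        del self._failures[ip]                # counter restarts after the ban
        return True


def replay(events, **config):
    """Feed (timestamp, ip, password_ok) events through the ban list."""
    bans = LoginBanList(**config)
    outcomes = []
    for now, ip, ok in events:
        if bans.is_banned(ip, now):
            outcomes.append("blocked")        # credential is never evaluated
        elif ok:
            outcomes.append("ok")
        else:
            outcomes.append("banned" if bans.record_failure(ip, now) else "fail")
    return outcomes


# Constructed events; both addresses come from documentation ranges.
SAMPLE = [(t, "203.0.113.7", False) for t in (0, 10, 20, 30, 40)] + [
    (50, "203.0.113.7", True), (60, "198.51.100.9", False),
    (40 + 24 * 3600, "203.0.113.7", True)]
```

Behind a reverse proxy such as Traefik, the ban has to be keyed on the client address forwarded by a trusted hop, not on the proxy's own address. A correct password sent from a banned address is rejected until the ban ends, so users behind a shared NAT address are locked out together.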