Allow a user to set restricted IP ranges that can log into their account. I’m not sure if this is a just a false sense of security though, since an attacker can and most likely will be spoofing their IP through some other route.
GitHub issue: Allow logins from only certain countries · Issue #41 · bitwarden/server · GitHub
Defense in depth. Won’t stop a determined advisory, but will deter or slow someone down with limited knowledge.
original requestor here - These sorts of geo-ip address blocklists actively monitor such things as TOR exit nodes and proxy companies. Realistically, if the code is secure otherwise, I’m not as concerned with some sophisticated adversary then as much as the every day scenarios. If I log in at a hotel while I’m on vacation I can’t terminate that lingering session nor restrict access from that country when I return home.
This is such a low-cost improvement and implementation and help with some of the most common scenarios.
from original request:
I really like Lastpass’ feature to restrict logins to only certain countries on an allowed list.
I see MaxMind free location tables https://www.maxmind.com used a lot for this though I’m sure there are probably others out there.
The only time I allow any other country might be if I’m on vacation and I definitely block all TOR login access.
But you can… Go to web vault -> Settings -> Deauthorize Sessions
This combined with an ability to proxy traffic (via SSH or something) would be a game changer.
I would only allow my home IP and an IP of some server that I own and to which I could connect with my phone. It would thus reduce the attack surface to my physical circle, I would no longer have to worry about keyloggers or malware on my pc stealing my passwords because attacker would not be able to login anyway (unless he proxies through my pc).
I don’t know how much I like the idea of totally blocking someone via geo-restrictions or proxy restrictions. At the very least, though, maybe there could be an additional challenge when logging in from either a higher-risk or sufficiently different location (e.g. a different IP, an IP a certain number of miles away from my last recorded IP, etc). This could be as simple as master password and MFA, plus an additional random PIN being sent to an email that needs to be entered to log in.
I agree with this one, it is one more defense to put in place. It would at least force an attacker to come from a country/region that has been allowed by the vault owner before being able to try to brute force credentials.
@kspearrin you could use http://iplists.firehol.org to allow users to optionally block access from IP in some of the lists in addition to GEO IP.
Even if it’s not blocking it could be just sent an alert email, so for someone based in France it could be interesting to know that someone is logging or trying to (fail logs) from china, US or from an IP in some of the block lists (TOR, suspicious IP, etc.)
Some tools here to implement firehol lists
http://firehol.org/
@kspearrin
yes, its not a perfect solution, but a non-meaningless roadblock that can help improve security. as we know security is all about layers, and this is yet another layer.
I’m looking for this feature as well. I keep getting notifications that someone is attempting to brute force my account. While it will not prevent it, unless the attacker knows where I live it will prevent them from trying to brute force my account.
Sorry if this has already been requested but I’ve only been able to find threads about whitelisting devices.
It’d be awesome if we could implement trusted locations to autoblock certain countries. I’ve gotten a few notifications of failed login attempts from blatant VPN locations (Martinique, Burkina Faso, Seychelles) and I’d like to either whitelist certain IP ranges or just block entire regions. Stuff that it considered standard for cloud tenants but… well, Bitwarden is obviously a huge vulnerable weakpoint if all hell breaks out.
I would like to see the option for restrict what countries (based on source IP) are allowed to log into a cloud hosted Vault.
Country Based Geo-IP Block
"By default, LastPass restricts you to the country where your account was created. If you plan to travel internationally, we recommend adding any additional countries to your trusted list. "
Just wondering if there’s any update on this ?
I think this is very useful for blocking people outside your country.
Any hacker can bypass this with a VPN service. This is more of a sales gimmick by LastPass than real protection, IMO.
It’s still better than allowing anybody in the world to log into your account and it wouldn’t tell the user what country you have to sign in from to use the username/email.
Once U2F is implemented, blocking of any kind becomes moot. The only thing your password serves is to encrypt your vault because you shouldn’t trust BW. You know what I mean. zero-knowledge E2EE and all that.