Restrict account access to certain countries/IP ranges

But you can… Go to web vault -> Settings -> Deauthorize Sessions

2 Likes

This combined with an ability to proxy traffic (via SSH or something) would be a game changer.

I would only allow my home IP and an IP of some server that I own and to which I could connect with my phone. It would thus reduce the attack surface to my physical circle; I would no longer have to worry about keyloggers or malware on my PC stealing my passwords, because an attacker would not be able to log in anyway (unless he proxies through my PC).

I don’t know how much I like the idea of totally blocking someone via geo-restrictions or proxy restrictions. At the very least, though, maybe there could be an additional challenge when logging in from either a higher-risk or sufficiently different location (e.g. a different IP, an IP a certain number of miles away from my last recorded IP, etc). This could be as simple as master password and MFA, plus an additional random PIN being sent to an email that needs to be entered to log in.

I agree with this one, it is one more defense to put in place. It would at least force an attacker to come from a country/region that has been allowed by the vault owner before being able to try to brute force credentials.

@kspearrin you could use http://iplists.firehol.org to allow users to optionally block access from IPs in some of the lists, in addition to GEO IP.
Even if it’s not blocking, it could just send an alert email, so for someone based in France it could be interesting to know that someone is logging in or trying to (failed logins) from China, the US, or from an IP in some of the block lists (Tor, suspicious IPs, etc.).

Some tools here to implement firehol lists
http://firehol.org/
@kspearrin

Yes, it’s not a perfect solution, but a non-meaningless roadblock that can help improve security. As we know, security is all about layers, and this is yet another layer.

I’m looking for this feature as well. I keep getting notifications that someone is attempting to brute force my account. While it will not prevent it, unless the attacker knows where I live, it will prevent them from trying to brute force my account.

Sorry if this has already been requested but I’ve only been able to find threads about whitelisting devices.

It’d be awesome if we could implement trusted locations to autoblock certain countries. I’ve gotten a few notifications of failed login attempts from blatant VPN locations (Martinique, Burkina Faso, Seychelles) and I’d like to either whitelist certain IP ranges or just block entire regions. Stuff that is considered standard for cloud tenants but… well, Bitwarden is obviously a huge vulnerable weakpoint if all hell breaks out.

Whitelist IPs that can access an organisation

  • We would like to use Bitwarden, but we would like to be able to limit what IPs are able to log in to our organisation. So we would have X users, and those users would have to connect to our company VPN before being able to log into Bitwarden.
  • This whitelist would apply to a user or role, not the organisation as a whole, i.e. non-admins can only access from a whitelist of X addresses, but admins can access from Y addresses.

Feature function

  • Limit where users can log in from.
  • Allow us extra security in that not one of our office staff should be logging into our company account from anywhere but the office, we don’t have remote staff and don’t need to allow them.

Related topics + references

  • There is a similar feature request for locking down what countries can access the account, but we only want to allow specific IPs, at our discretion.
  • LastPass, Zoho, ManageEngine all have this feature already, it’s fairly common security practice to limit what IPs can access a resource.

I would like to see the option to restrict which countries (based on source IP) are allowed to log into a cloud-hosted vault.

2 Likes

Country Based Geo-IP Block

"By default, LastPass restricts you to the country where your account was created. If you plan to travel internationally, we recommend adding any additional countries to your trusted list."

2 Likes

Just wondering if there’s any update on this?

I think this is very useful for blocking people outside your country.

Any hacker can bypass this with a VPN service. This is more of a sales gimmick by LastPass than real protection, IMO.

19 Likes

It’s still better than allowing anybody in the world to log into your account and it wouldn’t tell the user what country you have to sign in from to use the username/email.

7 Likes

Once U2F is implemented, blocking of any kind becomes moot. The only thing your password serves is to encrypt your vault, because you shouldn’t trust BW. You know what I mean: zero-knowledge E2EE and all that.

But how will a hacker know which country I live in. A VPN provider like Private Internet Access has servers located in more than 48 countries. How will the hacker make a decision? This feature will give some security to our accounts.

4 Likes

Yep, uncrackable!

:frowning:

1 Like

This would surely increase the security of the vault, even if the attacker used a VPN or a proxy!

It would also be really nice if Bitwarden notified the user through email that someone entered the correct Master Password but could not access the Vault because their IP address isn’t allowed by this setting, because then the user would be able to change the compromised master password without having any of their passwords stolen!

I would certainly love to see this feature implemented soon! :grinning:

5 Likes
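The layers proposed across this thread (a firehol-style blocklist, per-role IP allowlists for an organisation, a LastPass-style trusted-country list for everyone else, and an owner alert when the master password was correct but the location was refused) fit together as one login-policy check. The following is an added illustration, not Bitwarden code; every CIDR, role, country code and the GeoIP table are constructed sample values, and the real Bitwarden server has no such setting.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy. CIDRs, roles and country codes are illustrative only.
ROLE_ALLOWLISTS = {                                      # roles with a fixed source-IP allowlist
    "admin": ["203.0.113.0/24"],                         # office egress range (constructed)
    "staff": ["203.0.113.0/24", "198.51.100.7/32"],      # office range + company VPN exit (constructed)
}
ALLOWED_COUNTRIES = {"FR"}                               # trusted countries for roles without an allowlist
FIREHOL_NETSET = "# constructed stand-in for a firehol .netset file\n192.0.2.0/24\n"
GEOIP = {"203.0.113.0/24": "FR", "198.51.100.7/32": "FR",   # constructed GeoIP lookup table
         "192.0.2.0/24": "CN", "100.64.0.0/10": "US"}

def parse_netset(text):
    """Parse a firehol-style netset: one CIDR per line, '#' comments ignored."""
    return [ipaddress.ip_network(line.split("#")[0].strip())
            for line in text.splitlines() if line.split("#")[0].strip()]

def country_of(ip):
    """Longest-match is not needed for the constructed table; first hit wins."""
    return next((cc for cidr, cc in GEOIP.items() if ip in ipaddress.ip_network(cidr)), None)

@dataclass
class Decision:
    allowed: bool
    reason: str
    alert_owner: bool   # True when the master password was right but the location was refused

def evaluate_login(role, src_ip, password_ok, blocklist=parse_netset(FIREHOL_NETSET)):
    """Layers in order: blocklist, role allowlist (or country fallback), then credentials."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in blocklist):
        refused = "source IP is on the blocklist"
    elif role in ROLE_ALLOWLISTS:
        in_list = any(ip in ipaddress.ip_network(c) for c in ROLE_ALLOWLISTS[role])
        refused = None if in_list else f"source IP not in allowlist for role {role!r}"
    else:
        cc = country_of(ip)
        refused = None if cc in ALLOWED_COUNTRIES else f"country {cc!r} is not trusted"
    if refused:
        # The refusal does not depend on whether the password was correct, so the
        # response reveals nothing to the caller; the owner is alerted if it was,
        # so the compromised master password can be rotated before the vault is reached.
        return Decision(False, refused, alert_owner=password_ok)
    if not password_ok:
        return Decision(False, "invalid credentials", alert_owner=False)
    return Decision(True, "allowed", alert_owner=False)
```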