lock user account after x login attempts


Does anyone know if this feature (lock user account after x login attempts) is enabled in SuiteCRM, or if there is a conf file for fail2ban to ban the IP address which tried to log in?



Please see this SugarCRM forum topic.

Hello Will

Thanks for that. I found that too, but I thought this is rather a clumsy approach, given that possibly with every upgrade the code will be overwritten.

Isn't there a more elegant version, such as an add-on, or to build that into the code directly, given that SugarCRM is most likely not going to turn around on its decision on open-sourcing SugarCRM 7?




I have created a fail2ban configuration for SuiteCRM. To implement you must add one line in the SuiteCRM code that logs an error:

file: modules/Users/authentication/SugarAuthenticate/SugarAuthenticate.php

Find the loginAuthenticate function as seen in the code snippet below and add the trigger_error line under the `//FAIL2BAN CODE` comment as seen in the code snippet below (make sure it's in the else statement).

```php
	// Excerpt of SuiteCRM's loginAuthenticate(); the only added line is the
	// trigger_error() call under the FAIL2BAN CODE comment in the else branch.
	function loginAuthenticate($username, $password, $fallback=false, $PARAMS = array ()){
		global $mod_strings;
		$usr= new user();
		if ($this->userAuthenticate->loadUserOnLogin($username, $password, $fallback, $PARAMS)) {
			if(hasPasswordExpired($username)) {
				$_SESSION['hasExpiredPassword'] = '1';
			}
			// now that user is authenticated, reset loginfailed
			if ($usr->getPreference('loginfailed') != '' && $usr->getPreference('loginfailed') != 0) {
				$usr->setPreference('loginfailed','0');
				$usr->savePreferencesToDB();
			}
			return $this->postLoginAuthenticate();
		}
		else { //begin else statement
			if(!empty($usr_id) && $res['lockoutexpiration'] > 0){
				if (($logout=$usr->getPreference('loginfailed'))=='')
					$usr->setPreference('loginfailed','1');
				else
					$usr->setPreference('loginfailed',$logout+1);
				$usr->savePreferencesToDB();
			}
			//FAIL2BAN CODE
			// trigger_error() defaults to E_USER_NOTICE, which PHP writes to the web
			// server error log as "PHP Notice:  LOGIN FAILED ..." for the filter to match.
			trigger_error("LOGIN FAILED");
		} //end else statement
		if(strtolower(get_class($this)) != 'sugarauthenticate'){
			$sa = new SugarAuthenticate();
			$error = (!empty($_SESSION['login_error']))?$_SESSION['login_error']:'';
			if($sa->loginAuthenticate($username, $password, true, $PARAMS)){
				return true;
			}
			$_SESSION['login_error'] = $error;
		}

		$_SESSION['login_user_name'] = $username;
		$_SESSION['login_password'] = $password;
		if(empty($_SESSION['login_error'])){
			$_SESSION['login_error'] = translate('ERR_INVALID_PASSWORD', 'Users');
		}

		return false;
	}
```


(ensure logpath is pointed to the proper PHP log file, and ensure that E_USER_ERRORs are logged)

```ini
# jail section name assumed; the original post omits the header
[apache-crm]
enabled = true
port    = http,https
action   = iptables[name=CRM, port=https, protocol=tcp]
           sendmail-whois[name=CRM, dest=banned@domain.ca, sender=fail2ban@domain.ca, sendername="Fail2Ban-CRM"]
filter  = apache-crm
logpath = /var/log/httpd/ssl_error_log
maxretry = 4
```


```ini
# Fail2Ban configuration file (filter.d/apache-crm.conf)
[Definition]
failregex = [[]client <HOST>[]] PHP Notice:  LOGIN FAILED.*
ignoreregex =
```
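An added offline check of the filter above (this is example code, not part of the original post or of SuiteCRM): it expands fail2ban's `<HOST>` placeholder the way older fail2ban releases did (an assumption; current releases use a richer IPv6-aware pattern), runs the posted failregex over a constructed Apache error-log sample, counts failures per client against `maxretry = 4`, and shows that the Apache 2.4 `[client ip:port]` format needs an adapted pattern.

```python
import re
from collections import Counter

# failregex exactly as posted in the thread, with fail2ban's <HOST> placeholder.
FAILREGEX = r"[[]client <HOST>[]] PHP Notice:  LOGIN FAILED.*"
# Variant for Apache 2.4, whose error log writes "[client ip:port]" (assumption, not in the post).
FAILREGEX_APACHE24 = r"[[]client <HOST>(:\d+)?[]] PHP Notice:  LOGIN FAILED.*"
MAXRETRY = 4  # same value as the posted jail

# <HOST> expansion as older fail2ban releases defined it (assumption; newer releases
# use an <ADDR>-based pattern that also handles IPv6 literals).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern with a named 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def failed_hosts(lines, failregex=FAILREGEX):
    """Count matching login-failure lines per client host."""
    pat = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        m = pat.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def hosts_to_ban(lines, failregex=FAILREGEX, maxretry=MAXRETRY):
    """Hosts whose failure count reached maxretry (findtime is ignored in this check)."""
    return sorted(h for h, n in failed_hosts(lines, failregex).items() if n >= maxretry)


# Constructed sample of an Apache ssl_error_log; addresses come from documentation ranges.
_PHP_TAIL = ("PHP Notice:  LOGIN FAILED in /var/www/suitecrm/modules/Users/"
             "authentication/SugarAuthenticate/SugarAuthenticate.php on line 123")
SAMPLE_LOG = (
    ["[Mon Apr 01 10:00:0%d 2013] [error] [client 203.0.113.7] %s" % (i, _PHP_TAIL) for i in range(4)]
    + ["[Mon Apr 01 10:00:05 2013] [error] [client 198.51.100.9] %s" % _PHP_TAIL] * 2
    + ["[Mon Apr 01 10:00:07 2013] [error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico"]
    # Apache 2.4 style line: the posted regex misses it because of the ":port" suffix.
    + ["[Mon Apr 01 10:00:08 2013] [php:notice] [pid 42] [client 203.0.113.7:51234] %s" % _PHP_TAIL]
)

if __name__ == "__main__":
    print(failed_hosts(SAMPLE_LOG))                      # {'203.0.113.7': 4, '198.51.100.9': 2}
    print(hosts_to_ban(SAMPLE_LOG))                      # ['203.0.113.7']
    print(failed_hosts(SAMPLE_LOG, FAILREGEX_APACHE24))  # {'203.0.113.7': 5, '198.51.100.9': 2}
```

On a real host, `fail2ban-regex /var/log/httpd/ssl_error_log /etc/fail2ban/filter.d/apache-crm.conf` performs the same check with fail2ban's own `<HOST>` definition.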

Could you give an explanation of what you want to do in this code?

@Espial you posted in an 8-year-old thread :frowning:

Note that SuiteCRM now has adequate logging for fail2ban; there were several PRs for this a few years ago. So you shouldn't need to edit any code; you can just develop your fail2ban filters.


I'm really digging a bit into this, just because I want to achieve something else:
I want to see a way to control the active sessions of an account.
I have seen that in Suite you can log in with the same account on different devices at the same time.
Can this be configured so that it doesn't happen?

I’ve seen that as a paid add-on, but I don’t think the option exists out-of-the-box, sorry.


Could you give me the name of the plugin, or tell me where to get it?
