
Bug #7693

Brute force protection does not kill states, so additional login attempts may be possible in some cases

Added by Jim Pingle about 3 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: User Manager / Privileges
Target version:
Start date: 07/14/2017
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

Because of the way that browsers and ssh clients work, it may be possible to exceed the brute force protection limits enforced by sshlockout_pf.

sshlockout_pf adds the client IP address to a lockout table, but it does not kill states from the client IP address. In the case of ssh clients, this usually means they can fail an additional time or two, which is not that worrisome. In the case of web browsers, however, they can keep trying as long as the browser continues to reuse the open connection to the server.

It seems like the best approach here is to have sshlockout_pf kill client states when adding an address to a lockout table. In addition to that, the login form should check if the client address is in a lockout table and refuse to accept a login attempt in that case.

I'll handle the GUI part, Renato is looking into sshlockout_pf.
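The two checks the description proposes, written out as an added shell example. This is not pfSense's own code and not the change committed on this ticket: a login handler asks pf whether the client address is in the lockout table with `pfctl -t TABLE -T test`, and both the lockout step and the denied-login path kill the client's existing states with `pfctl -k`. The table name webConfiguratorlockout is taken from the commit messages on this ticket; the PFCTL and LOCKOUT_TABLE variables and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not pfSense code: gate GUI logins on a pf lockout table and
# kill the client's states so an already-open connection cannot keep trying.
#
# Assumptions (not from the ticket): pf is running, PFCTL points at pfctl
# (overridable so the logic can be exercised without pf), and LOCKOUT_TABLE
# is the table the lockout daemon fills (webConfiguratorlockout, as named in
# the commit messages on this ticket).
PFCTL="${PFCTL:-/sbin/pfctl}"
LOCKOUT_TABLE="${LOCKOUT_TABLE:-webConfiguratorlockout}"

# is_locked_out ADDR: exit 0 if ADDR matches an entry in the lockout table.
# "pfctl -t TABLE -T test ADDR" exits 0 on a match and non-zero otherwise.
is_locked_out() {
    "$PFCTL" -t "$LOCKOUT_TABLE" -T test "$1" >/dev/null 2>&1
}

# kill_client_states ADDR: remove every state that originated from ADDR.
# The client opened the GUI/SSH connection, so it is the state's source; once
# the state is gone, its next packet has to create a new state, and rule
# evaluation then sees the table entry and blocks it.
kill_client_states() {
    "$PFCTL" -k "$1" >/dev/null 2>&1
}

# lockout ADDR: add ADDR to the table and kill its states in the same step,
# so the ban takes effect immediately rather than only for new connections.
lockout() {
    "$PFCTL" -t "$LOCKOUT_TABLE" -T add "$1" >/dev/null 2>&1 &&
        kill_client_states "$1"
}

# gate_login ADDR: the check a login handler runs before touching credentials.
# Locked-out clients are refused and their states killed (return 1); anyone
# else proceeds to normal authentication (return 0).
gate_login() {
    if is_locked_out "$1"; then
        kill_client_states "$1"
        echo "deny $1: address is in table $LOCKOUT_TABLE"
        return 1
    fi
    echo "allow $1"
    return 0
}

# Usage on the firewall, as root:  ./gate_login.sh 198.51.100.7
if [ -n "${1:-}" ]; then
    gate_login "$1"
fi
```

The kill inside gate_login is the part that closes the gap the ticket describes: pf only evaluates rules (and therefore the table) when a state is created, so a browser that keeps reusing an established keep-alive connection never hits the table rule again. Removing the state forces the next request onto a fresh connection, which the table then blocks.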

Associated revisions

Revision cc9b0f76 (diff)
Added by Jim Pingle about 3 years ago

If a client address is in the webConfiguratorlockout table, do not allow them to access the GUI. Print an error and kill their states. Ticket #7693
Extra check to be sure that an existing open state cannot bypass lockout controls.

Revision f0da1eda (diff)
Added by Jim Pingle about 3 years ago

If a client address is in the webConfiguratorlockout table, do not allow them to access the GUI. Print an error and kill their states. Ticket #7693
Extra check to be sure that an existing open state cannot bypass lockout controls.

(cherry picked from commit cc9b0f76da4936ac7510eee6cb5e0574d11b5973)

Revision 7505efe7 (diff)
Added by Jim Pingle about 3 years ago

If a client address is in the webConfiguratorlockout table, do not allow them to access the GUI. Print an error and kill their states. Ticket #7693
Extra check to be sure that an existing open state cannot bypass lockout controls.

(cherry picked from commit cc9b0f76da4936ac7510eee6cb5e0574d11b5973)
(cherry picked from commit f0da1eda7c38c18202cc0563fd1c83c20a05e2b2)

History

#1 Updated by Jim Pingle about 3 years ago

  • Assignee changed from Jim Pingle to Renato Botelho

GUI portion is done. It also kills states if someone tries to access the GUI while in the table, so if it isn't feasible to add state killing to sshlockout_pf at the moment this could be set to Feedback for testing.

#2 Updated by Jim Pingle about 3 years ago

  • % Done changed from 0 to 50

#3 Updated by Jim Pingle about 3 years ago

  • Status changed from Confirmed to Feedback
  • Assignee changed from Renato Botelho to Jim Pingle
  • % Done changed from 50 to 100

Moving the sshlockout portion to #7695

#4 Updated by Jim Pingle about 3 years ago

  • Status changed from Feedback to Resolved

Works. States get killed, client cannot make new connections.

#5 Updated by Jim Pingle about 3 years ago

  • Private changed from Yes to No
