Bug #7693
closed
Brute force protection does not kill states, so additional login attemps may be possible in some cases
100%
Description
The way that browsers and ssh clients work, it may be possible to exceed brute force protection limits enforced by sshlockout_pf.
sshlockout_pf adds the client IP address to a lockout table, but it does not kill states from the client IP address. In the case of ssh clients, this usually means they can fail an additional time or two, which is not that worrisome. In the case of web browsers, however, they can keep trying as long as the browser continues to reuse the open connection to the server.
It seems like the best approach here is to have sshlockout_pf kill client states when adding an address to a lockout table. In addition to that, the login form should check if the client address is in a lockout table and refuse to accept a login attempt in that case.
I'll handle the GUI part, Renato is looking into sshlockout_pf.
Updated by Jim Pingle almost 7 years ago
- Assignee changed from Jim Pingle to Renato Botelho
GUI portion is done. It also kills states if someone tries to access the GUI while in the table, so if it isn't feasible to add state killing to sshlockout_pf at the moment this could be set to Feedback for testing.
Updated by Jim Pingle almost 7 years ago
- Status changed from Confirmed to Feedback
- Assignee changed from Renato Botelho to Jim Pingle
- % Done changed from 50 to 100
Moving the sshlockout portion to #7695
Updated by Jim Pingle almost 7 years ago
- Status changed from Feedback to Resolved
Works. States get killed, client cannot make new connections.