Bug #7693

closed

Brute force protection does not kill states, so additional login attempts may be possible in some cases

Added by Jim Pingle almost 7 years ago. Updated almost 7 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: User Manager / Privileges
Target version:
Start date: 07/14/2017
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

Because of the way browsers and ssh clients work, it may be possible to exceed the brute force protection limits enforced by sshlockout_pf.

sshlockout_pf adds the client IP address to a lockout table, but it does not kill states from the client IP address. In the case of ssh clients, this usually means they can fail an additional time or two, which is not that worrisome. In the case of web browsers, however, they can keep trying as long as the browser continues to reuse the open connection to the server.

It seems like the best approach here is to have sshlockout_pf kill client states when adding an address to a lockout table. In addition to that, the login form should check if the client address is in a lockout table and refuse to accept a login attempt in that case.

I'll handle the GUI part, Renato is looking into sshlockout_pf.
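The two halves of the fix proposed above, as an added example that is not pfSense's own sshlockout_pf or login-form code: locking out an address adds it to the pf table and then kills its states, and the login gate refuses a client whose address is covered by any table entry. It assumes (not stated in the report) that the table is named `sshlockout`, that `pfctl -t <table> -T add`, `pfctl -k <addr>` and `pfctl -t <table> -T show` behave as on FreeBSD, and that `-T show` prints one entry per line, hosts or CIDR networks.

```python
import ipaddress
import subprocess

LOCKOUT_TABLE = "sshlockout"  # assumed table name, not from the report


def lockout_commands(addr, table=LOCKOUT_TABLE):
    """Commands that lock out `addr`: add it to the table, then kill the
    states it already has so a reused (keep-alive) connection cannot
    keep submitting login attempts after the address is listed."""
    ipaddress.ip_address(addr)  # reject anything that is not a bare address
    return [
        ["pfctl", "-t", table, "-T", "add", addr],
        ["pfctl", "-k", addr],  # kill all states whose source is addr
    ]


def apply_lockout(addr, table=LOCKOUT_TABLE):
    """Run the lockout commands on the firewall (requires root and pf)."""
    for cmd in lockout_commands(addr, table):
        subprocess.run(cmd, check=True)


def parse_table(show_output):
    """Turn `pfctl -t <table> -T show` output into network objects.
    Plain hosts become /32 or /128 networks so one test covers both."""
    nets = []
    for line in show_output.splitlines():
        entry = line.strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_locked_out(client_addr, nets):
    """Login-form check: True when the client address falls inside any
    table entry (host or network, matching address family only)."""
    ip = ipaddress.ip_address(client_addr)
    return any(n.version == ip.version and ip in n for n in nets)


def client_is_locked_out(client_addr, table=LOCKOUT_TABLE):
    """Query the live table and apply the check (requires pf)."""
    out = subprocess.run(["pfctl", "-t", table, "-T", "show"],
                         capture_output=True, text=True, check=True).stdout
    return is_locked_out(client_addr, parse_table(out))


# Constructed sample of `-T show` output, not captured from a real system.
SAMPLE_SHOW = "   192.0.2.10\n   198.51.100.0/24\n   2001:db8::5\n"
```

The login form would call `client_is_locked_out($_SERVER['REMOTE_ADDR'])` equivalent before validating credentials, so a listed client is refused even if its connection survived.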
