Project

General

Profile

Actions

Bug #7693

closed

Brute force protection does not kill states, so additional login attemps may be possible in some cases

Added by Jim Pingle about 7 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
User Manager / Privileges
Target version:
Start date:
07/14/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

The way that browsers and ssh clients work, it may be possible to exceed brute force protection limits enforced by sshlockout_pf.

sshlockout_pf adds the client IP address to a lockout table, but it does not kill states from the client IP address. In the case of ssh clients, this usually means they can fail an additional time or two, which is not that worrisome. In the case of web browsers, however, they can keep trying as long as the browser continues to reuse the open connection to the server.

It seems like the best approach here is to have sshlockout_pf kill client states when adding an address to a lockout table. In addition to that, the login form should check if the client address is in a lockout table and refuse to accept a login attempt in that case.

I'll handle the GUI part, Renato is looking into sshlockout_pf.

Actions #1

Updated by Jim Pingle about 7 years ago

  • Assignee changed from Jim Pingle to Renato Botelho

GUI portion is done. It also kills states if someone tries to access the GUI while in the table, so if it isn't feasible to add state killing to sshlockout_pf at the moment this could be set to Feedback for testing.

Actions #2

Updated by Jim Pingle about 7 years ago

  • % Done changed from 0 to 50
Actions #3

Updated by Jim Pingle about 7 years ago

  • Status changed from Confirmed to Feedback
  • Assignee changed from Renato Botelho to Jim Pingle
  • % Done changed from 50 to 100

Moving the sshlockout portion to #7695

Actions #4

Updated by Jim Pingle about 7 years ago

  • Status changed from Feedback to Resolved

Works. States get killed, client cannot make new connections.

Actions #5

Updated by Jim Pingle about 7 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF