[Kimchi-devel] [RFC] [Wok]  #147 Block authentication request after too many failures

Aline Manera alinefm at linux.vnet.ibm.com
Thu Jan 5 15:24:45 UTC 2017



On 01/05/2017 10:58 AM, Ramon Medeiros wrote:
>
>
>
> On 01/05/2017 10:14 AM, Aline Manera wrote:
>> Hi Ramon,
>>
>> On 12/22/2016 01:59 PM, Ramon Medeiros wrote:
>>>
>>> Proposal: make adjustments to the login page to make brute force 
>>> attacks difficult.
>>>
>>> Today, an intruder can make login tries without any action from Wok.
>>>
>>> Possible measures:
>>>
>>> Record source port and ip. After 3 tries, block the user for 30 seconds 
>>> and increase the time with each further try. Using source port and ip 
>>> will avoid errors for connections from NAT networks.
>>>
>>> Example:
>>>
>>> 1) ip 192.168.1.1 tries to login as root 3 times and fails
>>>
>>
>> You will consider ip and port, right? So when ip and port tries to 
>> login as root 3 times and fail...
>>
> yep
>>>
>>> 2) A timeout of 30 seconds will be set
>>>
>>
>> Does that mean the user will not be allowed to perform a login action 
>> for 30 seconds?
>>
> Yep, based on ip and port.
>>>
>>> 3) After that, for 5 minutes, each try will add 30 seconds + x times 
>>> the trial (60 seconds, 90 seconds, ...)
>>>
>>
>> Not sure I got what you want here. After the 30 seconds block, the 
>> user will be able to try to login again.
>> How many login attempts can he/she make before getting blocked again?
>>
>> Will he/she get blocked for 5 minutes in the second round of attempts?
>>
>
> I was thinking about this:
>
> 1st try -> denied
> 2nd try -> denied
> 3rd try -> denied
>
> 30s timeout
>
> After these 30s, another timeout will be added, letting the user try just 1 
> time. If the mismatch continues, more time will be added. Let me explain:
>
> 5 minutes window:
>
> 4th try -> denied
>
> Then we will add a new timeout block, but greater (60s)
>
> After 60s timeout:
>
> 5th try -> denied
>
> New timeout 90s
>
>
> So, after receiving a 30s timeout, the user will be subject to the 
> algorithm for 5 minutes.  Let me know if that was clear.
>

Yep! It is clearer now. I'd suggest letting the user try at least 3 times 
before blocking him/her again.

first 3 failures = block for 30 seconds
3 more failures = block for 1 min
3 more failures = block for 2 min
3 more failures = block for 3 min

>
>>
>>
>>> 4) After 5 minutes of the last try, the counter will be reset.
>>>
>>> -- 
>>>
>>> Ramon Nunes Medeiros
>>> Kimchi Developer
>>> Linux Technology Center Brazil
>>> IBM Systems & Technology Group
>>> Phone : +55 19 2132 7878
>>> ramonn at br.ibm.com  
>>>
>>>
>>> _______________________________________________
>>> Kimchi-devel mailing list
>>> Kimchi-devel at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>>
>
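Added example (not Wok's code and not from either participant) that implements the schedule as it stands at the end of this exchange: attempts are tracked per (source ip, source port) pair, every 3 failures inside the window trigger a block, successive blocks in the same window are 30 s, 1 min, 2 min and 3 min long, and the counter resets once 5 minutes have passed since the last try. The class and function names, the injectable clock and the choice to clear the counter on a successful login are assumptions made for the example.

```python
"""Progressive login lockout keyed on (source ip, source port).

Added example, not Wok's own code. Schedule taken from the thread:
3 failures -> 30 s, 3 more -> 1 min, 3 more -> 2 min, 3 more -> 3 min,
and a full reset after 5 minutes without any try.
"""
import math
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Block length (seconds) for the 1st, 2nd, 3rd, 4th ... block in one window.
BLOCK_SCHEDULE = (30, 60, 120, 180)
FAILURES_PER_BLOCK = 3    # failures allowed before each block
RESET_WINDOW = 5 * 60     # seconds since the last try after which everything resets


@dataclass
class _State:
    failures: int = 0                   # failures since the last block (or reset)
    blocks: int = 0                     # blocks already issued in this window
    blocked_until: float = 0.0          # clock value at which the block ends
    last_try: Optional[float] = None    # clock value of the last recorded failure


class LoginThrottle:
    """Per-(ip, port) throttle; the clock is injectable so the logic is testable."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._states: Dict[Tuple[str, int], _State] = {}

    def _state(self, ip: str, port: int) -> Tuple[_State, float]:
        now = self._clock()
        key = (ip, port)
        st = self._states.setdefault(key, _State())
        # 4) after 5 minutes since the last try the counter is reset
        if st.last_try is not None and now - st.last_try > RESET_WINDOW:
            st = _State()
            self._states[key] = st
        return st, now

    def seconds_blocked(self, ip: str, port: int) -> int:
        """0 if this (ip, port) may attempt a login, else seconds left in the block."""
        st, now = self._state(ip, port)
        return max(0, math.ceil(st.blocked_until - now))

    def record_failure(self, ip: str, port: int) -> int:
        """Count one failed login; returns the block length issued (0 if none)."""
        st, now = self._state(ip, port)
        st.last_try = now
        st.failures += 1
        if st.failures < FAILURES_PER_BLOCK:
            return 0
        # Every block in the window is longer than the previous one; the last
        # schedule entry repeats if the window outlives the schedule.
        duration = BLOCK_SCHEDULE[min(st.blocks, len(BLOCK_SCHEDULE) - 1)]
        st.blocked_until = now + duration
        st.blocks += 1
        st.failures = 0
        return duration

    def record_success(self, ip: str, port: int) -> None:
        # Assumption for the example: a successful login clears the counter.
        self._states.pop((ip, port), None)

    def attempt(self, ip: str, port: int,
                check_credentials: Callable[[], bool]) -> Tuple[bool, int]:
        """Gate one login. Returns (ok, blocked_for_seconds).

        While blocked, the credentials are not consulted at all, so a blocked
        client learns nothing about the password from the response.
        """
        wait = self.seconds_blocked(ip, port)
        if wait:
            return False, wait
        if check_credentials():
            self.record_success(ip, port)
            return True, 0
        return False, self.record_failure(ip, port)


class FakeClock:
    """Constructed clock for stand-alone runs and tests; advance with .now += n."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    for i in range(1, 5):
        ok, wait = throttle.attempt("192.168.1.1", 40000, lambda: False)
        print(f"try {i}: ok={ok} blocked_for={wait}s")
```

Because the key is the (ip, port) pair, as Ramon proposed, a second client behind the same NAT address (different source port) is not affected by another client's block, and the example checks that.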
