[Kimchi-devel] [RFC] [Wok]  #147 Block authentication request after too many failures

Ramon Medeiros ramonn at linux.vnet.ibm.com
Tue Jan 17 17:25:00 UTC 2017


Got a new issue:


When using username + IP + port as the unique identifier, I saw that the same port
is not reused many times. Take a look at this log:


{
 u'a127.0.0.153634': [{'username': u'a', 'ip': '127.0.0.1', 'port': 53634, 'time': 1484672673.735578}],
 u'a127.0.0.153636': [{'username': u'a', 'ip': '127.0.0.1', 'port': 53636, 'time': 1484672676.018149}],
 u'a127.0.0.153630': [{'username': u'a', 'ip': '127.0.0.1', 'port': 53630, 'time': 1484672664.44004}],
 u'a127.0.0.153632': [{'username': u'a', 'ip': '127.0.0.1', 'port': 53632, 'time': 1484672668.298648}],
 u'a127.0.0.153628': [{'username': u'a', 'ip': '127.0.0.1', 'port': 53628, 'time': 1484672661.977025}]
}

In 5 tries, 5 different ports were used. So the remote port isn't good
information.


I tried to use cherrypy.session.originalid, which seems to be better.
Take a look at this test:
4 attempts; the first went with a different originalid, the others with
the same:

{u'a127.0.0.13534ea7fa9cdb23e37ae914f2e6cf7b0e04dab28': [
    {'username': u'a', 'ip': '127.0.0.1', 'port': 53770, 'time': 1484673652.558314}],
 u'a127.0.0.1a7f2be8054048de62d2ce90e57939ee5ebb55fae': [
    {'username': u'a', 'ip': '127.0.0.1', 'port': 53772, 'time': 1484673655.356095},
    {'username': u'a', 'ip': '127.0.0.1', 'port': 53774, 'time': 1484673657.863454},
    {'username': u'a', 'ip': '127.0.0.1', 'port': 53776, 'time': 1484673660.436111}]}

On 12/22/2016 01:59 PM, Ramon Medeiros wrote:
>
> Proposal: make adjustments to the login page to make brute-force
> attacks difficult.
>
> Today, an intruder can make login attempts without any action from Wok.
>
> Possible measures:
>
> Record source port and IP. After 3 tries, block the user for 30 seconds
> and increase the time with each further try. Using source port and IP
> will avoid errors for connections from NAT networks.
>
> Example:
>
> 1) IP 192.168.1.1 tries to log in as root 3 times and fails
> 2) A timeout of 30 seconds will be set
> 3) After that, for 5 minutes, each try will add 30 seconds times the
> number of the trial (60 seconds, 90 seconds, ...)
>
> 4) After 5 minutes of the last try, the counter will be reset.
>
> -- 
>
> Ramon Nunes Medeiros
> Kimchi Developer
> Linux Technology Center Brazil
> IBM Systems & Technology Group
> Phone : +55 19 2132 7878
> ramonn at br.ibm.com  
>
>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/kimchi-devel

-- 

Ramon Nunes Medeiros
Kimchi Developer
Linux Technology Center Brazil
IBM Systems & Technology Group
Phone : +55 19 2132 7878
ramonn at br.ibm.com
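The throttle sketched in the quoted proposal, written out as an added Python example (this is not Wok's code; `attempts_per_key`, `LoginThrottle` and `replay_proposal_example` are hypothetical names). The five attempts embedded at the top are copied from the first dump in the message; `attempts_per_key` shows why a key that includes the port never accumulates a count, and `LoginThrottle` keys on username + IP and applies the schedule from the proposal: 3 free failures, then 30 s, 60 s, 90 s, and a reset once 5 minutes have passed since the last failure.

```python
"""Failed-login throttle keyed on username + client IP (added example, not Wok code)."""
from collections import Counter

MAX_FREE_FAILURES = 3      # failures tolerated before the first block
BASE_BLOCK_SECONDS = 30    # length of the first block
RESET_AFTER_SECONDS = 300  # quiet period after which the history is forgotten

# Five attempts copied from the first dump in the message: same user and IP,
# but every TCP connection arrived on a fresh ephemeral port.
ATTEMPTS = [
    {'username': 'a', 'ip': '127.0.0.1', 'port': 53628, 'time': 1484672661.977025},
    {'username': 'a', 'ip': '127.0.0.1', 'port': 53630, 'time': 1484672664.44004},
    {'username': 'a', 'ip': '127.0.0.1', 'port': 53632, 'time': 1484672668.298648},
    {'username': 'a', 'ip': '127.0.0.1', 'port': 53634, 'time': 1484672673.735578},
    {'username': 'a', 'ip': '127.0.0.1', 'port': 53636, 'time': 1484672676.018149},
]


def attempts_per_key(attempts, fields):
    """Bucket attempts by the chosen identifier fields; returns {key_tuple: count}."""
    return dict(Counter(tuple(a[f] for f in fields) for a in attempts))


class LoginThrottle:
    """Tracks failed logins per (username, ip) and computes block lengths."""

    def __init__(self):
        # (username, ip) -> {'count': int, 'last': float, 'blocked_until': float}
        self._state = {}

    def _get(self, username, ip, now):
        rec = self._state.get((username, ip))
        if rec is not None and now - rec['last'] > RESET_AFTER_SECONDS:
            # 5 minutes of silence since the last failure: forget the history
            del self._state[(username, ip)]
            rec = None
        return rec

    def seconds_blocked(self, username, ip, now):
        """Seconds the caller must still wait before a login may be tried (0 = allowed)."""
        rec = self._get(username, ip, now)
        if rec is None:
            return 0
        return max(0, rec['blocked_until'] - now)

    def record_failure(self, username, ip, now):
        """Register a failed login at time `now`; returns the block length applied (0 if none)."""
        rec = self._get(username, ip, now)
        if rec is None:
            rec = {'count': 0, 'last': now, 'blocked_until': now}
            self._state[(username, ip)] = rec
        rec['count'] += 1
        rec['last'] = now
        if rec['count'] < MAX_FREE_FAILURES:
            return 0
        # 3rd failure -> 30 s, 4th -> 60 s, 5th -> 90 s, ...
        block = BASE_BLOCK_SECONDS * (rec['count'] - MAX_FREE_FAILURES + 1)
        rec['blocked_until'] = now + block
        return block

    def record_success(self, username, ip):
        """A successful login clears the failure history for that key."""
        self._state.pop((username, ip), None)


def replay_proposal_example():
    """Walk through the scenario from the quoted proposal with a hand-driven clock."""
    t = LoginThrottle()
    # three failures one second apart: the third one triggers the 30 s block
    blocks = [t.record_failure('root', '192.168.1.1', now=float(i)) for i in range(3)]
    # 10 s after the third failure, 20 s of the block remain
    waiting = t.seconds_blocked('root', '192.168.1.1', now=12.0)
    # fourth and fifth failures inside the 5-minute window grow the block
    blocks.append(t.record_failure('root', '192.168.1.1', now=40.0))
    blocks.append(t.record_failure('root', '192.168.1.1', now=110.0))
    # more than 5 minutes after the last failure the counter has been reset
    reset = t.seconds_blocked('root', '192.168.1.1', now=110.0 + RESET_AFTER_SECONDS + 1)
    return blocks, waiting, reset


if __name__ == '__main__':
    print(attempts_per_key(ATTEMPTS, ('username', 'ip', 'port')))
    print(attempts_per_key(ATTEMPTS, ('username', 'ip')))
    print(replay_proposal_example())
```

The example deliberately keys on username and IP only. Both the remote port (one per TCP connection, as the first dump shows) and a session id (the cookie a client chooses whether to send back) are under the client's control, so neither can be relied on to tie repeated attempts together; the cost of dropping them is that clients behind one NAT share a counter, which is the trade-off the proposal tried to avoid by including the port.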
