On 01/05/2017 10:14 AM, Aline Manera wrote:
Hi Ramon,
On 12/22/2016 01:59 PM, Ramon Medeiros wrote:
>
> Proposal: make adjustments to the login page to make brute-force
> attacks more difficult.
>
> Today, an intruder can make login tries without any action from Wok.
>
> Possible measures:
>
> Record source port and IP. After 3 tries, block the user for 30 seconds
> and increase the time with each additional try. Using source port and IP
> will avoid errors for connections from NAT networks.
>
> Example:
>
> 1) IP 192.168.1.1 tries to log in as root 3 times and fails
>
You will consider IP and port, right? So when an IP and port try to
log in as root 3 times and fail...
yep
>
> 2) A timeout of 30 seconds will be set
>
Does that mean the user will not be allowed to perform a login action
for 30 seconds?
Yep, based on IP and port.
>
> 3) After that, for 5 minutes, each try will add 30 seconds + x times
> the trial (60 seconds, 90 seconds, ...)
>
Not sure I got what you want here. After the 30 seconds block, the
user will be able to try to log in again.
How many times can he/she try to log in again before getting blocked?
Will he/she get blocked for 5 minutes in the second round of attempts?
I was thinking about this:
1st try -> denied
2nd try -> denied
3rd try -> denied
30s timeout
After these 30s, another timeout will be added, letting the user try just 1
time. If the mismatch continues, more time will be added. Let me explain:
5 minutes window:
4th try -> denied
Then we will add a new timeout block, but greater (60s)
After 60s timeout:
5th try -> denied
New timeout 90s
So, after receiving a 30s timeout, the user will be subject to the
algorithm for 5 minutes. Let me know if that is clear.
> 4) After 5 minutes of the last try, the counter will be reset.
>
--
Ramon Nunes Medeiros
Kimchi Developer
Linux Technology Center Brazil
IBM Systems & Technology Group
Phone : +55 19 2132 7878
ramonn(a)br.ibm.com
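
The schedule discussed in this thread (three free tries, a 30s block, then one try per block with the block growing by 30s, and a reset 5 minutes after the last try), written out as an added example; it is not part of the original message and is not Wok code. The class name, constants and injectable clock are assumptions made for illustration, and the key is the (ip, port) tuple the thread proposes.

```python
import time

FREE_TRIES = 3        # failed tries allowed before the first block
BLOCK_STEP = 30       # seconds: first block, and the increment for later ones
RESET_AFTER = 5 * 60  # seconds after the last try before the counter resets


class LoginThrottle:
    """Failed-login tracking per (ip, port) key, following the thread."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock   # injectable so the schedule can be tested
        self.state = {}      # key -> (failures, last_try, blocked_until)

    def _load(self, key, now):
        failures, last_try, blocked_until = self.state.get(key, (0, now, 0.0))
        # Step 4: reset 5 minutes after the last try. Assumption: a block
        # that is still running is never cut short by the reset.
        if now - last_try >= RESET_AFTER and now >= blocked_until:
            failures, blocked_until = 0, 0.0
        return failures, blocked_until

    def retry_after(self, key):
        """Seconds left on the block; 0 means a login try is allowed."""
        now = self.clock()
        return max(0.0, self._load(key, now)[1] - now)

    def record_failure(self, key):
        """Count a failed try; return the block in seconds it triggers."""
        now = self.clock()
        failures, blocked_until = self._load(key, now)
        failures += 1
        block = 0
        if failures >= FREE_TRIES:
            # 3rd failure -> 30s, 4th -> 60s, 5th -> 90s, ...
            block = BLOCK_STEP * (failures - FREE_TRIES + 1)
            blocked_until = now + block
        self.state[key] = (failures, now, blocked_until)
        return block


if __name__ == "__main__":
    ticks = [0.0]
    throttle = LoginThrottle(clock=lambda: ticks[0])
    key = ("192.168.1.1", 40000)   # constructed sample key
    for _ in range(5):
        ticks[0] += throttle.retry_after(key)   # wait out any block
        print(ticks[0], throttle.record_failure(key))
```

A login handler would call `retry_after` before checking credentials and reject the request while it is non-zero, calling `record_failure` only for tries that were actually evaluated.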