[Kimchi-devel] [RFC] [Wok]  #147 Block authentication request after too many failures

Ramon Medeiros ramonn at linux.vnet.ibm.com
Thu Jan 5 12:58:09 UTC 2017



On 01/05/2017 10:14 AM, Aline Manera wrote:
> Hi Ramon,
>
> On 12/22/2016 01:59 PM, Ramon Medeiros wrote:
>>
>> Proposal: make adjustments to the login page to make brute-force 
>> attacks difficult.
>>
>> Today, an intruder can make login tries without any action from Wok.
>>
>> Possible measures:
>>
>> Record source port and IP. After 3 tries, block the user for 30 seconds 
>> and increase the time with each additional try. Using source port and IP 
>> will avoid errors for connections from NAT networks.
>>
>> Example:
>>
>> 1) IP 192.168.1.1 tries to log in as root 3 times and fails
>>
>
> You will consider IP and port, right? So when an IP and port try to 
> log in as root 3 times and fail...
>
yep
>>
>> 2) A timeout of 30 seconds will be set
>>
>
> Does that mean the user will not be allowed to perform a login action 
> for 30 seconds?
>
Yep, based on IP and port.
>>
>> 3) After that, for 5 minutes, each try will add 30 seconds + x times 
>> the trial (60 seconds, 90 seconds...)
>>
>
> Not sure I got what you want here. After the 30 seconds block, the 
> user will be able to try to login again.
> How many attempts can he/she make to log in again before getting blocked?
>
> Will he/she get blocked for 5 minutes in the second round of attempts?
>

I was thinking about this:

1st try -> denied
2nd try -> denied
3rd try -> denied

30s timeout

After these 30s, another timeout will be added, letting the user try just 1 
time. If the mismatch continues, more time will be added. Let me explain:

5 minutes window:

4th try -> denied

Then we will add a new timeout block, but greater (60s)

After 60s timeout:

5th try -> denied

New timeout 90s


So, after receiving a 30s timeout, the user will be subject to the 
algorithm for 5 minutes. Let me know if that was clear.


>
>
>> 4) After 5 minutes of the last try, the counter will be reset.
>>
>> -- 
>>
>> Ramon Nunes Medeiros
>> Kimchi Developer
>> Linux Technology Center Brazil
>> IBM Systems & Technology Group
>> Phone : +55 19 2132 7878
>> ramonn at br.ibm.com  
>>
>>
>

-- 

Ramon Nunes Medeiros
Kimchi Developer
Linux Technology Center Brazil
IBM Systems & Technology Group
Phone : +55 19 2132 7878
ramonn at br.ibm.com
