Bug #26847
Brute-force protection being triggered using haproxy
Status:
New
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
-
Description
When using haproxy in front of Foreman, the IP that is checked for failed logins is the one of haproxy. So 30 authentications in 5 minutes coming from the same haproxy block all the logins coming through that haproxy.
Should it use request.remote_ip instead of request.ip to make it work with X-Forwarded-For headers?
Updated by Lukas Zapletal over 5 years ago
- Category set to Authentication
- Triaged changed from No to Yes
Hello, we can't make use of the X-Forwarded-For header because then an attacker can spoof any data in it. However, I was a big advocate of an increased limit; what we have by default is too small. For brute-forcing, one needs tens of thousands of tries before considering something to be brute-forcing, I believe. Feel free to increase this number if you think the same.
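As an added example (not code from Foreman or from anyone in this thread), the standalone Ruby below shows both halves of the problem raised above: keying the failed-login counter on the TCP peer lumps every client behind haproxy into one bucket, while keying it on a bare X-Forwarded-For value lets an attacker dodge the limit by rotating a spoofed entry. The middle ground is to honour the header only when the TCP peer is a known proxy and to take the rightmost address that is not itself a trusted proxy. The proxy subnet, client addresses, a 30-failures-in-300-seconds threshold and the request samples are all constructed for the illustration; this is not Foreman's implementation and does not use Rails' `request.remote_ip`.

```ruby
require "ipaddr"

# Assumed deployment: the haproxy instances in front of the application live
# in these ranges and append the real client address to X-Forwarded-For.
TRUSTED_PROXIES = [IPAddr.new("127.0.0.0/8"), IPAddr.new("10.0.0.0/8")].freeze

def trusted?(ip)
  addr = IPAddr.new(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

def xff_chain(xff)
  xff.to_s.split(",").map(&:strip).reject(&:empty?)
end

# Naive variant: first X-Forwarded-For entry. The client writes that entry,
# so it is attacker-controlled.
def naive_client_ip(remote_addr, xff)
  xff_chain(xff).first || remote_addr
end

# Hardened variant: ignore the header unless the TCP peer is a trusted proxy,
# then walk the chain from the right (the hop nearest to us) and stop at the
# first address that is not a trusted proxy. Entries left of that point were
# supplied by the client and are never used.
def client_ip(remote_addr, xff)
  return remote_addr unless trusted?(remote_addr)
  xff_chain(xff).reverse_each { |hop| return hop unless trusted?(hop) }
  remote_addr # trusted peer sent no usable header: fall back to the peer itself
end

# Sliding-window failed-login counter keyed on whatever identity we derive.
class FailedLoginTracker
  def initialize(limit:, window:)
    @limit = limit
    @window = window
    @attempts = Hash.new { |h, k| h[k] = [] }
  end

  def record_failure(key, now)
    @attempts[key] << now
    @attempts[key].reject! { |t| t < now - @window }
  end

  def blocked?(key, now)
    @attempts[key].count { |t| t >= now - @window } >= @limit
  end
end

# Constructed scenario: an attacker at 203.0.113.9 fails `limit` logins through
# haproxy (10.0.0.5), rotating a spoofed leading X-Forwarded-For entry on every
# attempt; haproxy appends the real address. A legitimate user at 198.51.100.7
# then tries to log in through the same haproxy.
def simulate(strategy, limit: 30, window: 300)
  tracker = FailedLoginTracker.new(limit: limit, window: window)
  key = lambda do |remote_addr, xff|
    case strategy
    when :remote_addr then remote_addr                      # what the report describes
    when :naive_xff   then naive_client_ip(remote_addr, xff) # what the reply warns against
    when :trusted_xff then client_ip(remote_addr, xff)       # only honour our own proxy's hop
    else raise ArgumentError, "unknown strategy #{strategy}"
    end
  end
  limit.times do |i|
    tracker.record_failure(key.call("10.0.0.5", "192.0.2.#{i + 1}, 203.0.113.9"), i)
  end
  now = limit
  {
    attacker_blocked: tracker.blocked?(key.call("10.0.0.5", "192.0.2.99, 203.0.113.9"), now),
    victim_blocked:   tracker.blocked?(key.call("10.0.0.5", "198.51.100.7"), now),
  }
end
```

Run `simulate(:remote_addr)` to reproduce the report (attacker and victim both blocked, because both share the haproxy address), `simulate(:naive_xff)` to see the spoofing problem from the reply (nobody is ever blocked, since each attempt lands in a fresh bucket), and `simulate(:trusted_xff)` for the variant that blocks only the attacker. The hardened variant still depends on haproxy actually appending the client address (`option forwardfor`) and on the trusted-proxy list being accurate; a request that reaches the application without passing through a listed proxy gets keyed on its TCP peer regardless of what it puts in the header.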