Feature #4238

Protection from Brute Force Password Attacks

Added by Bryan Kearney over 4 years ago. Updated 8 days ago.

Status:Closed
Priority:Normal
Assignee:Tomer Brisker
Category:Security
Target version:1.17.0
Difficulty:
Team Backlog:
Triaged:
Fixed in Releases:
Bugzilla link:1060745
Found in Releases:
Pull request:https://github.com/theforeman/foreman/pull/4132

Description

The login screen should protect the users from a brute force password attack. This can be handled by approaches such as:

1) Locking an account out after X many failed attempts.
2) Supporting an escalated delay between logins (first failed login delay 5 seconds, second 10, third 20, etc)


Related issues

Related to Foreman - Refactor #22778: Allow admin to opt-out from the Brute-force attack protec... Closed 03/05/2018

Associated revisions

Revision 1ece1d32
Added by Tomer Brisker 7 months ago

Fixes #4238 - Prevent login brute forcing

After 30 failed attempts from the same ip, login will be blocked for 5
minutes from that ip.

History

#1 Updated by Dominic Cleal over 4 years ago

  • Subject changed from [RFE] Protection from Brute Force Password Attacks to Protection from Brute Force Password Attacks

#2 Updated by The Foreman Bot over 1 year ago

  • Status changed from New to Ready For Testing
  • Assignee set to Tomer Brisker
  • Pull request https://github.com/theforeman/foreman/pull/4132 added

#3 Updated by Marek Hulán over 1 year ago

  • Bugzilla link set to 1060745

#4 Updated by Dominic Cleal over 1 year ago

  • Status changed from Ready For Testing to New
  • Assignee deleted (Tomer Brisker)

PR closed.

#5 Updated by The Foreman Bot 8 months ago

  • Assignee set to Tomer Brisker
  • Status changed from New to Ready For Testing

#6 Updated by Lukas Zapletal 7 months ago

  • Legacy Backlogs Release (now unused) set to 296

I just merged a sane implementation: 5 minutes window for 30 logins, not configurable, uses Rails cache to store the data.
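The mechanism described in the issue, in the commit message for 1ece1d32 and in the comment above (30 failed attempts from one IP within a 5-minute window, after which that IP is blocked for 5 minutes, counters kept in a cache) is shown below as an added example. It is not Foreman's code and is not taken from pull request 4132. TtlStore is an assumed stand-in for Rails.cache with the read/write/increment calls the example needs; the LoginThrottle class, its key names, the injected clock and the sample IPs in demo are all constructed for illustration.

```ruby
# Added example, not Foreman's implementation: per-IP login throttling in the
# shape the fix describes. 30 failures from one IP inside a 5-minute window
# block that IP for 5 minutes. TtlStore stands in for Rails.cache (assumption);
# the clock is injected so window expiry can be exercised without sleeping.

class TtlStore
  def initialize(clock = -> { Time.now.to_f })
    @clock = clock
    @data = {}
  end

  # Read a live value, dropping it if its TTL has passed.
  def read(key)
    entry = @data[key]
    return nil if entry.nil?
    if entry[:expires_at] <= @clock.call
      @data.delete(key)
      return nil
    end
    entry[:value]
  end

  def write(key, value, expires_in:)
    @data[key] = { value: value, expires_at: @clock.call + expires_in }
    value
  end

  # Increment without touching the TTL of a live key; a missing or expired key
  # starts a fresh window.
  def increment(key, expires_in:)
    if read(key).nil?
      write(key, 1, expires_in: expires_in)
    else
      @data[key][:value] += 1
    end
  end
end

class LoginThrottle
  MAX_FAILURES = 30        # threshold named in the fix
  WINDOW_SECONDS = 5 * 60  # window and block duration named in the fix

  def initialize(store)
    @store = store
  end

  def failures(ip)
    @store.read(key(ip)).to_i
  end

  def blocked?(ip)
    failures(ip) >= MAX_FAILURES
  end

  # Record one failed login from ip; returns the failure count in the window.
  def record_failure(ip)
    count = @store.increment(key(ip), expires_in: WINDOW_SECONDS)
    # On the 30th failure, refresh the TTL so the block lasts a full five
    # minutes from the attempt that triggered it, not from the first failure.
    @store.write(key(ip), count, expires_in: WINDOW_SECONDS) if count == MAX_FAILURES
    count
  end

  # Wrap an authenticator: refuse blocked IPs before the password is checked
  # (a blocked attacker learns nothing about the credential), count failures,
  # and never reset the counter on success (a known-good account could
  # otherwise be used to clear the block).
  def attempt(ip)
    return :blocked if blocked?(ip)
    if yield
      :ok
    else
      record_failure(ip)
      :failed
    end
  end

  private

  def key(ip)
    "failed_login:#{ip}"
  end
end

# Constructed walk-through against a fake clock: 30 bad passwords from one IP
# block it, a second IP is unaffected, and the block lifts after five minutes.
def demo
  now = 1_000_000.0
  clock = -> { now }
  throttle = LoginThrottle.new(TtlStore.new(clock))
  results = 30.times.map { throttle.attempt("198.51.100.7") { false } }
  blocked_then = throttle.attempt("198.51.100.7") { true }
  other_ip = throttle.attempt("203.0.113.9") { true }
  now += LoginThrottle::WINDOW_SECONDS + 1
  after_window = throttle.attempt("198.51.100.7") { true }
  { failures: results.count(:failed), blocked_then: blocked_then,
    other_ip: other_ip, after_window: after_window }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two caveats a deployer should keep in mind with any per-IP scheme of this kind: the counter store has to be shared by every application process, otherwise the limit is effectively 30 attempts per process rather than per IP, and the IP used as the key must be the real client address (behind a reverse proxy that means trusting only the proxy's forwarded-for header), since an attacker who can control the key can either evade the block or deliberately trigger it for users behind a shared NAT.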

#7 Updated by Anonymous 7 months ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed

#8 Updated by Marek Hulán 4 months ago

  • Related to Refactor #22778: Allow admin to opt-out from the Brute-force attack protection added
