Posted to notifications@couchdb.apache.org by rnewson <gi...@git.apache.org> on 2015/08/18 22:51:29 UTC

[GitHub] couchdb-couch pull request: Temporarily lock out authentication at...

GitHub user rnewson opened a pull request:

    https://github.com/apache/couchdb-couch/pull/88

    Temporarily lock out authentication attempts after repeated failures

    COUCHDB-2778

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/cloudant/couchdb-couch 2778-auth-lockout

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/couchdb-couch/pull/88.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #88
    
----
commit ea1aeed28d926fa8b969182920f376b55b151aac
Author: Robert Newson <rn...@apache.org>
Date:   2015-08-18T14:56:49Z

    Temporarily lock out authentication attempts after repeated failures
    
    COUCHDB-2778

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] couchdb-couch pull request: Temporarily lock out authentication at...

Posted by rnewson <gi...@git.apache.org>.
GitHub user rnewson closed the pull request at:

    https://github.com/apache/couchdb-couch/pull/88



[GitHub] couchdb-couch pull request: Temporarily lock out authentication at...

Posted by rnewson <gi...@git.apache.org>.
GitHub user rnewson commented on the pull request:

    https://github.com/apache/couchdb-couch/pull/88#issuecomment-132359157
  
    For a lockout to be effective it has to slow the attacker; the only way to do that is to make requests take longer. That does tie up the socket, sadly. Any thoughts?



[GitHub] couchdb-couch pull request: Temporarily lock out authentication at...

Posted by kxepal <gi...@git.apache.org>.
GitHub user kxepal commented on the pull request:

    https://github.com/apache/couchdb-couch/pull/88#issuecomment-132354797
  
    ```
    $ git apply 88.patch
    88.patch:209: new blank line at EOF.
    +
    warning: 1 line adds whitespace errors.
    ```



[GitHub] couchdb-couch pull request: Temporarily lock out authentication at...

Posted by kxepal <gi...@git.apache.org>.
GitHub user kxepal commented on the pull request:

    https://github.com/apache/couchdb-couch/pull/88#issuecomment-132356451
  
    Behavior is strange: when the lock happens, CouchDB doesn't send any response back, holding the connection. So I believe this could be used to cause a resource leak on the server.



[GitHub] couchdb-couch pull request: Temporarily lock out authentication at...

Posted by kxepal <gi...@git.apache.org>.
GitHub user kxepal commented on the pull request:

    https://github.com/apache/couchdb-couch/pull/88#issuecomment-132361345
  
    @rnewson I think it's much better to just log it and configure fail2ban or a similar system which will generate firewall rules about it. TARPIT for iptables can cause a lot of trouble for an attacker and it's much more effective than what we can implement. So far, there is no need to implement a poor man's firewall with which we can shoot ourselves.



[GitHub] couchdb-couch pull request: Temporarily lock out authentication at...

Posted by kxepal <gi...@git.apache.org>.
GitHub user kxepal commented on the pull request:

    https://github.com/apache/couchdb-couch/pull/88#issuecomment-132362041
  
    Also, it seems locking doesn't happen if I provide a nonexistent username. So with the current behaviour I can figure out which users are registered during bruteforce.
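
An added example, not part of the original thread or the pull request's code: a lockout check in Python that counts failures for any submitted username, registered or not, and answers at once instead of holding the connection, which are the two review points raised above. `LockoutTracker`, `authenticate`, the thresholds, the fixed salt and the log line format are assumptions made for illustration.

```python
import hashlib
import hmac
import time

def pw_hash(password, salt=b"constructed-salt"):
    # Constructed fixed salt for the sample; a real store uses a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

DUMMY_HASH = pw_hash("dummy-password-never-issued")

class LockoutTracker:
    """Counts failures per submitted username, whether or not it exists."""

    def __init__(self, max_failures=3, lock_seconds=60, clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.state = {}  # username -> (failures, locked_until)

    def is_locked(self, username):
        return self.clock() < self.state.get(username, (0, 0.0))[1]

    def record_failure(self, username):
        failures = self.state.get(username, (0, 0.0))[0] + 1
        locked_until = 0.0
        if failures >= self.max_failures:
            failures, locked_until = 0, self.clock() + self.lock_seconds
        self.state[username] = (failures, locked_until)

def authenticate(tracker, users, username, password, log):
    """Answer at once with 'ok', 'denied' or 'locked'; never hold the socket."""
    if tracker.is_locked(username):
        log.append(f"auth locked user={username!r}")
        return "locked"
    # Unknown users are checked against a dummy hash so the work is the same.
    stored = users.get(username, DUMMY_HASH)
    matches = hmac.compare_digest(stored, pw_hash(password))
    if matches and username in users:
        tracker.state.pop(username, None)
        return "ok"
    tracker.record_failure(username)
    log.append(f"auth failure user={username!r}")  # line a log watcher can match
    return "denied"
```

Because the table is keyed on whatever name the client submits, a deployment has to bound or expire it so that random usernames cannot grow it without limit.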



[GitHub] couchdb-couch pull request: Temporarily lock out authentication at...

Posted by rnewson <gi...@git.apache.org>.
GitHub user rnewson commented on the pull request:

    https://github.com/apache/couchdb-couch/pull/88#issuecomment-132678306
  
    I'll rethink, thanks for the feedback.



[GitHub] couchdb-couch pull request: Temporarily lock out authentication at...

Posted by rnewson <gi...@git.apache.org>.
GitHub user rnewson commented on the pull request:

    https://github.com/apache/couchdb-couch/pull/88#issuecomment-132364880
  
    Two good points, will ponder.

