Posted to commits@airflow.apache.org by "Ashish George (Jira)" <ji...@apache.org> on 2020/03/09 14:45:00 UTC

[jira] [Commented] (AIRFLOW-4182) Rate limit log in attempts

    [ https://issues.apache.org/jira/browse/AIRFLOW-4182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17055034#comment-17055034 ] 

Ashish George commented on AIRFLOW-4182:
----------------------------------------

[~ash] Hi, so do we have any kind of mechanism to prevent DDoS attacks from the Apache side?

> Rate limit log in attempts
> --------------------------
>
>                 Key: AIRFLOW-4182
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4182
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: security, ui
>            Reporter: t oo
>            Priority: Minor
>
> The Airflow application does not lock a user's account after a reasonable number of failed login attempts. Account lockout is a mechanism used to stop non-valid users from guessing the right password. It is also a protection against brute force attacks, wherein an automated system can use common/dictionary passwords or even build passwords based on a set of characters just to try to guess the valid one. The user is still able to log in after 10 failed login attempts.
> Business Impact/Attack Scenario
> It is possible for an attacker to use dictionary or brute force attacks and set them to attempt sending the requests over a particular amount of time to bypass the validation. Once a username has been correctly guessed, the attacker may then be able to gain access to the application.
> Recommendation
> Enforce account lockout conditions to temporarily lock a user out after a number of unsuccessful attempts. Typically, account lockout is set to 3-5 failed login attempts.
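An added example of the temporary lockout the recommendation above describes; this is illustrative code, not code from the Airflow project or from the issue. The `USERS` table and the thresholds (5 failures within 5 minutes, 15-minute lockout) are constructed placeholders.

```python
import hmac
import time
from collections import deque

# Constructed credential store for the example only; a real deployment
# verifies a password hash from its user database instead.
USERS = {"alice": "correct-horse"}


class LoginRateLimiter:
    """Temporarily lock a username after too many failed logins in a window."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # username -> deque of failure timestamps
        self._locked_until = {}  # username -> time at which the lockout expires

    def locked_until(self, username, now):
        """Return the lockout expiry for username, or None if it is not locked."""
        until = self._locked_until.get(username)
        if until is not None and now < until:
            return until
        self._locked_until.pop(username, None)  # expired or never set
        return None

    def record_failure(self, username, now):
        """Record a failed attempt; return True if this one triggers a lockout."""
        window = self._failures.setdefault(username, deque())
        window.append(now)
        while window and now - window[0] > self.window_seconds:
            window.popleft()  # drop failures older than the sliding window
        if len(window) >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            window.clear()
            return True
        return False

    def record_success(self, username):
        self._failures.pop(username, None)


def attempt_login(limiter, username, password, now=None):
    """Return 'locked', 'ok' or 'denied'. The lockout check runs before the
    password is verified, so a locked account is never checked at all, and an
    unknown username gets the same 'denied' as a wrong password."""
    now = time.time() if now is None else now
    if limiter.locked_until(username, now) is not None:
        return "locked"
    if hmac.compare_digest(USERS.get(username, ""), password):
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username, now)
    return "denied"
```

Because a per-username lockout lets anyone who knows a username lock that user out, deployments usually keep the lockout short and pair it with a per-source-address limit rather than relying on either alone.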


