FDSN / SeedLink

https://docs.fdsn.org/projects/seedlink/
Creative Commons Zero v1.0 Universal

Suggestion: block users after X failed AUTH attempts #12

Closed CharlesBlais closed 8 months ago

CharlesBlais commented 1 year ago

Hi all, I reviewed https://seedlink.readthedocs.io/en/latest/ and this is great work. TLS, AUTH and others are great to see coming in the new protocol.

As part of the Authentication section:

"Users MAY be authenticated using their IP address or AUTH command. Access to some stations MAY be restricted to selected users. If a user does not have access to a station, then all commands SHOULD behave as if the station does not exist."

Much like #4, it would be helpful to get some feedback on authentication failure, much like the HTTP protocol. But, that aside, to comply more closely with NIST 800-53, should the protocol, perhaps, also block the user after X failed attempts of the AUTH command? This might help against brute force attempts and would add an equivalent "fail2ban" mechanism on the protocol.

crotwell commented 1 year ago

In general I support the idea of banning after repeated fails, but should that belong in the protocol spec, or should that be up to implementations?

Perhaps we could say:

Implementation MAY ban connections after repeated AUTH failures.

just to get the idea out there?

andres-h commented 1 year ago

Feedback from proposal team

Operational decisions of when to block authentication attempts should not be part of the spec. They should be up to the operator.

Change of specification

Add: "Implementation MAY ban connections after repeated AUTH failures." ¹ ²

Discussion

¹ Server MAY respond with "ERROR LIMIT too many authentication attempts"

² Ban SHOULD be applied to a specific IP address to avoid DoS by an unrelated user.
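As an illustration of the two footnotes above, here is a small per-IP lockout for repeated AUTH failures. This is an added example, not code from the SeedLink specification or from any SeedLink server; the threshold, window and ban duration are arbitrary operator choices (the spec leaves them to implementations), the "ERROR AUTH ..." line for a plain failed login and the credential store are assumptions, and only the "ERROR LIMIT too many authentication attempts" wording comes from the thread. The demo at the end shows why the ban is keyed on the client IP rather than the username: the banned address is refused, while the same user connecting from another address is unaffected.

```python
"""Per-IP lockout for repeated SeedLink AUTH failures.

Illustrative example written for this thread; not taken from the SeedLink
spec or from any SeedLink server implementation.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

OK = "OK"
# Assumed wording for a plain failed login; the spec text quoted in the
# thread does not define it.
ERROR_AUTH = "ERROR AUTH authentication failed"
# Wording proposed in the thread (footnote 1).
ERROR_LIMIT = "ERROR LIMIT too many authentication attempts"


@dataclass
class AuthLimiter:
    """Count failed AUTH attempts per client IP; ban the IP at a threshold.

    Keying on the IP rather than the username is deliberate (footnote 2):
    a username-keyed counter would let anyone who knows a valid username
    lock that user out from everywhere.
    """
    max_failures: int = 5       # failures tolerated inside the window (arbitrary)
    window_s: float = 300.0     # sliding window length in seconds (arbitrary)
    ban_s: float = 900.0        # how long an IP stays banned (arbitrary)
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _banned_until: dict = field(default_factory=dict)

    def is_banned(self, ip: str, now: float) -> bool:
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Ban expired: forget it and let the address start with a clean slate.
            del self._banned_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Register one failed AUTH; return True if this failure triggers a ban."""
        q = self._failures[ip]
        q.append(now)
        # Drop failures that have fallen out of the sliding window.
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_failures:
            self._banned_until[ip] = now + self.ban_s
            return True
        return False

    def record_success(self, ip: str) -> None:
        # A successful login resets the counter for that address.
        self._failures.pop(ip, None)


def handle_auth(limiter: AuthLimiter, credentials: dict, ip: str,
                user: str, password: str, now: float) -> str:
    """Process one AUTH command from `ip` and return the response line."""
    if limiter.is_banned(ip, now):
        # Refuse before touching the credential store at all.
        return ERROR_LIMIT
    # Constructed plaintext credential store for the demo only; a real
    # server would verify a password hash.
    if credentials.get(user) == password:
        limiter.record_success(ip)
        return OK
    if limiter.record_failure(ip, now):
        return ERROR_LIMIT
    return ERROR_AUTH


def demo() -> list:
    """Run a constructed sequence of AUTH attempts and return the responses."""
    creds = {"alice": "correct horse"}          # constructed
    lim = AuthLimiter(max_failures=3, window_s=60.0, ban_s=600.0)
    out = []
    # Three wrong guesses for "alice" from 203.0.113.7 (documentation address).
    for i in range(3):
        out.append(handle_auth(lim, creds, "203.0.113.7", "alice", f"guess{i}", now=float(i)))
    # Fourth attempt from the same IP is refused even with the right password.
    out.append(handle_auth(lim, creds, "203.0.113.7", "alice", "correct horse", now=4.0))
    # alice herself from another address is unaffected: per-IP ban, not per-user.
    out.append(handle_auth(lim, creds, "198.51.100.2", "alice", "correct horse", now=5.0))
    # After the ban expires the first address starts fresh.
    out.append(handle_auth(lim, creds, "203.0.113.7", "alice", "wrong", now=700.0))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The check in `is_banned` runs before any credential lookup, so a banned address costs the server nothing beyond a dictionary probe, which is what makes the limit useful against sustained guessing. The sliding window means a slow trickle of failures below the rate never trips the ban, so the window and threshold should be tuned together by the operator.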

crotwell commented 9 months ago

+1 on change