Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Lock user account after failed login attempts #13189

Open damianharouff opened 2 years ago

damianharouff commented 2 years ago

Graylog's implementation of users does not provide functionality to lock a user account on a number of failed login attempts. While we rely on an external auth provider (LDAP, Okta, etc) to handle such an action, this may not be available in an organization that does not use SSO, or uses an auth provider that Graylog does not support.

Source: HS-1032446263

kodjo-anipah commented 2 years ago

@boosty I guess the number of attempts should be configurable. Would you want this configuration to be available for admins in the user overview page, or should this be a server setting? Should the lock time be configurable too?

boosty commented 2 years ago

Hi @kodjo-anipah, this just came in. I have not had time to think about it yet.

boosty commented 2 years ago

If we build this, we should take the source IP of the login attempt into account. Otherwise an attacker could easily abuse this feature to lock out another user.

ckristo commented 1 year ago

Stumbled across this issue and thought I'd add my security-specific viewpoint:

There should definitely be some protection measures against password brute-force/-guessing attacks. In my opinion, this should not consider the source IP, as it seems easy to me for attackers to prepare a sufficiently large pool of IP addresses (using Tor, a bunch of VPN providers, or simply some cloud IaaS resources).

I would see the following basic approaches:

a) Account lockout after a defined number of failed login attempts
b) Tar pit approach: enforcing a timeout between failed login attempts, where the timeout (drastically) increases on every failed login attempt.

Regarding account lockout concerns: I'm not sure if we can (and should) handle that within the protection approach (regardless of the approach). We could automatically unlock (for a.) or reset the timeout (for b.) after some time (as fail2ban does), but I'm not sure if this helps much; an admin might not be happy to wait for some hours until the account gets automatically unlocked to investigate some security issue. Instead, I would suggest making sure admins can unlock their accounts easily (and securely), and providing monitoring to warn of ongoing password brute-force/-guessing attacks.
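An added sketch of approach b) from the comment above (example code, not Graylog's own): a per-account tar pit whose wait doubles on every failed attempt up to a cap, keyed on the account rather than the source IP, with the explicit admin unlock and the monitoring hook the comment asks for. All class and method names are assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0  # epoch seconds before which attempts are rejected


class LoginTarPit:
    """Per-account tar pit (hypothetical helper, not a Graylog API).

    Keyed on the account, not the source IP, because an attacker can rotate IPs.
    The trade-off is that anyone can delay a victim's logins by failing on their
    account, which is why an admin unlock and an alert hook are part of the design.
    """

    def __init__(self, base_delay=1.0, max_delay=3600.0, alert_threshold=10):
        self.base_delay = base_delay            # wait after the first failure
        self.max_delay = max_delay              # cap on the wait, in seconds
        self.alert_threshold = alert_threshold  # failures before monitoring is told
        self._state = {}
        self.alerts = []  # stands in for a real monitoring/alerting sink

    def delay_for(self, failures):
        """Wait enforced after `failures` consecutive failures: 1s, 2s, 4s, ... capped."""
        if failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def check(self, account, now=None):
        """Call before verifying the password. Returns (allowed, seconds_to_wait)."""
        now = time.time() if now is None else now
        st = self._state.get(account)
        if st is None or now >= st.next_allowed:
            return True, 0.0
        return False, st.next_allowed - now

    def record_failure(self, account, now=None):
        """Call after a rejected password. Returns the wait imposed on the next attempt."""
        now = time.time() if now is None else now
        st = self._state.setdefault(account, AccountState())
        st.failures += 1
        st.next_allowed = now + self.delay_for(st.failures)
        if st.failures == self.alert_threshold:
            self.alerts.append(f"{account}: {st.failures} failed logins, possible brute force")
        return st.next_allowed - now

    def record_success(self, account):
        self._state.pop(account, None)  # a correct password clears the backoff

    def admin_unlock(self, account):
        self._state.pop(account, None)  # explicit unlock, e.g. from the admin UI
```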

ckristo commented 1 year ago

Another related topic to this is multi-step verification / MFA.

Missing protection measures against password brute-force/-guessing attacks and missing MFA are the reasons why I currently would not recommend exposing Graylog to the Internet (without having additional security measures in place).