HomeITAdmin / nextcloud_geoblocker

GNU Affero General Public License v3.0

Not telling the user why login failed #99

Open borg1622 opened 2 years ago

borg1622 commented 2 years ago

For security reasons I prefer that my Nextcloud instance does not tell the user why the login failed.

With the current failure message the user/attacker is aware of geoblocking and can therefore easily take evasive action, e.g. using a VPN which routes their traffic into the same country my server is located in (the latter information is public).

Hence I suggest implementing an option which produces generalized failure messages.

HomeITAdmin commented 2 years ago

Hi, I think this leads us to the more fundamental question of what this app is good for at all.

It cannot prevent the Nextcloud instance from being found at all (e.g. the login page is shown to everyone), and it cannot prevent any attacks that avoid the login flow, so that the hook the app is using is not called. To mitigate this with geoblocking the admin has to do something on the network level, which is in all ways better than this app, except that it is maybe more difficult and, depending on the hosting details, maybe not possible.

So the possible attack vectors that could be mitigated are ones where the attacker has some credentials or is trying out some. For the latter case, reducing the number of retries per IP is a better mitigation than geoblocking, and for the former you have an attacker that is directly attacking your Nextcloud instance; geoblocking will not keep the attacker away. Maybe you get more time, because you see something earlier in the logs.

So this brings us to the main question: what are the possible attacks that this app is really solving/mitigating? Is this app "better than nothing", or should it be erased because it gives the admin a false sense of security and prevents her from implementing suitable measures?

If we go with "better than nothing", I do not think that the message is giving away a lot to an attacker. Every attacker who knows a little bit about what he is doing knows of the possibilities of IP-based filtering and will try to circumvent them. On the other hand, it is good to tell users why they cannot log in. But the decision about which reaction to use could be made optional, leaving it to the admin to decide what she values more. The question is then what the reaction should be to give nothing about the geoblocker away. Any reaction that is specific to the Geoblocker app would give away that it is used, independent of the text, because how the app reacts is publicly known. The only thing I can think of that would really give nothing away would be reacting as if the credentials were wrong. I remember that I tried this in the beginning and didn't find an obvious way to do it. Maybe there are possibilities now, or I just overlooked them?
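As an added illustration of the design question discussed in the two comments above (example code, not code from nextcloud_geoblocker or Nextcloud, and not a model of the Nextcloud login-hook API): a toy login flow with a per-IP retry limit, a geoblock check and a credential check, switchable between app-specific failure messages and one generic "wrong credentials" reaction. The `probe_geoblock` function is the attacker's side: one deliberately wrong login from a given address tells whether the geoblocker is active. The IP-to-country table, the allowed-country setting, the retry limit, the message texts and the user database are all constructed for the example; Python is used because the point is the response behaviour, not the PHP hook.

```python
"""Toy login flow: app-specific failure messages are an oracle for the geoblocker;
a uniform "wrong credentials" reaction closes that oracle at a usability cost.
Added example, not code from nextcloud_geoblocker or Nextcloud; every name and
data value below is constructed for illustration."""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: IP prefix -> country code (stands in for a GeoIP lookup).
GEO_TABLE = {"203.0.113.": "DE", "198.51.100.": "US", "192.0.2.": "FR"}
ALLOWED_COUNTRIES = {"DE"}        # hypothetical admin setting
MAX_ATTEMPTS_PER_IP = 5           # hypothetical per-IP retry limit

GENERIC_MESSAGE = "Wrong username or password"
SPECIFIC_MESSAGES = {             # what a "verbose" configuration would show
    "rate_limited": "Too many login attempts from your address",
    "geoblocked": "Login from your country is not allowed",
    "bad_credentials": GENERIC_MESSAGE,
}


def hash_password(password: str) -> str:
    # Toy hashing to keep the example self-contained; a real deployment uses a
    # password KDF (bcrypt/argon2), never bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


# Compared against for unknown usernames so the credential check costs the same
# whether or not the user exists.
_DUMMY_HASH = hash_password("dummy-password-for-unknown-users")


def country_for(ip: str):
    for prefix, cc in GEO_TABLE.items():
        if ip.startswith(prefix):
            return cc
    return None


class LoginService:
    def __init__(self, users: dict, uniform_errors: bool):
        self.users = users                    # username -> password hash
        self.uniform_errors = uniform_errors  # True: every failure looks like bad credentials
        self.attempts = defaultdict(int)      # source IP -> attempts seen
        self.audit = []                       # (ip, user, reasons), kept server-side only

    def login(self, ip: str, user: str, password: str) -> dict:
        reasons = []
        if self.attempts[ip] >= MAX_ATTEMPTS_PER_IP:
            reasons.append("rate_limited")
        self.attempts[ip] += 1

        cc = country_for(ip)
        if cc not in ALLOWED_COUNTRIES:
            reasons.append(f"geoblocked:{cc}")

        # Evaluate the credentials even when the request is already blocked, so the
        # response time does not reveal that the geoblock or the rate limit fired.
        expected = self.users.get(user, _DUMMY_HASH)
        if not hmac.compare_digest(expected, hash_password(password)):
            reasons.append("bad_credentials")

        self.audit.append((ip, user, reasons or ["ok"]))
        if not reasons:
            return {"ok": True, "message": "Welcome"}
        if self.uniform_errors:
            return {"ok": False, "message": GENERIC_MESSAGE}
        return {"ok": False, "message": SPECIFIC_MESSAGES[reasons[0].split(":")[0]]}


def probe_geoblock(service: LoginService, ip: str) -> str:
    """Attacker's view: the app's messages are public, so one wrong login from an
    address shows whether that address is geoblocked."""
    reply = service.login(ip, "probe", "definitely-wrong")
    if reply["ok"]:
        return "unexpected success"
    if reply["message"] == SPECIFIC_MESSAGES["geoblocked"]:
        return "geoblock detected"
    return "no signal"


def demo_service(uniform_errors: bool) -> LoginService:
    # Constructed user database: alice's password is "correct horse".
    return LoginService({"alice": hash_password("correct horse")}, uniform_errors)


if __name__ == "__main__":
    for uniform in (False, True):
        svc = demo_service(uniform)
        print("uniform errors" if uniform else "specific errors")
        for ip in ("203.0.113.9", "198.51.100.7"):
            print(f"  probe from {ip} ({country_for(ip)}): {probe_geoblock(svc, ip)}")
        print("  audit:", svc.audit)
```

The uniform mode shows the trade-off named in the comment: a legitimate user logging in from a blocked country with the right password gets the same "wrong credentials" text as an attacker, and only the server-side audit log records the real reason. The message text is also only one channel; a deployment that wants the geoblocker to be invisible has to keep status codes, headers, redirects and timing identical across the failure cases as well.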