OpenMage / magento-lts

Official OpenMage LTS codebase | Migrate easily from Magento Community Edition in minutes! Download the source code for free or contribute to OpenMage LTS | Security vulnerability patches, bug fixes, performance improvements and more.
https://www.openmage.org
Open Software License 3.0

Rate Limit on Login #1487

Open mark-netalico opened 3 years ago

mark-netalico commented 3 years ago

Description: There is no mitigation, defenses of any kind or a lockout mechanism on the login page. A malicious-minded user can continually try to brute force an account password. I have tried to input more than 50 incorrect passwords and I have not been locked out; I tried the correct password on the 91st attempt and it logged in successfully. As I observe on other websites, they have a lockout mechanism if a user tries to input 20 incorrect passwords. So you should also have a lockout mechanism for user account security. My other point is that you also have a weak password policy and I am able to use any password like this "12345678", which is a very weak password and can easily be guessed by an attacker.

Steps to reproduce:

  • Go to the login page.
  • Enter any registered email with the wrong password.
  • Capture the request, send the request to Intruder and add a payload marker on the password value.
  • Add the payload for the password field with a list of more than 100 passwords (or as many as you like for the test) and start the attack.
  • DONE!

AlterWeb commented 3 years ago

If this is a feature we want in the OpenMage core, I might have already done most of the work needed for this years ago. For all our customers we already use a module created by myself to rate limit login attempts (and other form submission attempts like submitting a newsletter subscription or contact form to mitigate spam, of course this is measured and configurable separately).

I could, with a little bit of work, make this logic (or parts of it) part of the OpenMage core. The logic is pretty straightforward. We log every attempt in a database table and check if the same IP has tried (without succeeding) more times than the number configured in the backend within a time span also specified in the backend. We could also pretty easily make it work for a number of attempts based on the account they try to log in to (so not IP based) or a combination of those two.

As for the weak password policy, I agree that you could use very weak passwords like your example. Maybe we could add a restriction that it should not only contain digits or letters. But I'm not a fan of huge password constraints like having to use at least 2 digits, 2 letters, 1 special character, and so on. It is then still possible to generate weak passwords like test1234! and I think a lot of users will create even weaker passwords because of it (https://xkcd.com/936/). Maybe a friendly suggestion to not only use digits or letters would be better.

ADDISON74 commented 3 years ago

The form has two fields: email address and password. First you need to know the email address and then to "guess" the password. This is always damn hard to achieve. I agree Magento lacks a feature to ban those IPs which are trying to break through the login form.

My suggestions, if this feature will be implemented, are as follows:

  1. Based on an observer that records the attacker's IP address in a log file after a number of failed attempts. Once this file exists it can be used by Fail2Ban, which can manage how long to keep an IP banned.

  2. After a number of failed attempts, load the template related to password reset.

As options in Magento Backend I see: log file name, number of failed attempts, usage of reset form (yes/no).

For other forms like contact, newsletter and password I recommend the HoneySpam extension https://github.com/magento-hackathon/HoneySpam (updated recently) in combination with Fail2Ban.
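The two proposals above fit together: AlterWeb's table of login attempts with a per-IP (or per-account, or combined) count inside a configurable window, and ADDISON74's log file of failures that Fail2Ban can consume. The following is an added example, written for this thread and not code from OpenMage or from either commenter's module; it assumes PHP 7.4 or later with the PDO SQLite driver, and the class name, table name, limits and log line format are all choices made for the example.

```php
<?php
// Added example, not OpenMage code. Sliding-window throttle for customer login
// backed by a database table, checked per IP, per account and per IP+account
// pair, writing one Fail2Ban-readable log line per failure.
// Class name, table name, limits and log format are assumptions made for the example.
final class LoginThrottle
{
    private PDO $db;
    private int $maxPerIp;
    private int $maxPerAccount;
    private int $maxPerPair;
    private int $windowSeconds;
    private string $logFile;

    public function __construct(
        PDO $db,
        int $maxPerIp = 10,
        int $maxPerAccount = 5,
        int $maxPerPair = 3,
        int $windowSeconds = 900,
        string $logFile = 'php://stderr'
    ) {
        $this->db = $db;
        $this->maxPerIp = $maxPerIp;
        $this->maxPerAccount = $maxPerAccount;
        $this->maxPerPair = $maxPerPair;
        $this->windowSeconds = $windowSeconds;
        $this->logFile = $logFile;
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Only hashes are stored, so the table itself holds no raw IPs or e-mail addresses.
        $db->exec('CREATE TABLE IF NOT EXISTS login_attempt (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            ip_hash TEXT NOT NULL,
            email_hash TEXT NOT NULL,
            success INTEGER NOT NULL,
            created_at INTEGER NOT NULL)');
        $db->exec('CREATE INDEX IF NOT EXISTS login_attempt_ip ON login_attempt (ip_hash, created_at)');
        $db->exec('CREATE INDEX IF NOT EXISTS login_attempt_email ON login_attempt (email_hash, created_at)');
    }

    private static function h(string $value): string
    {
        return hash('sha256', strtolower(trim($value)));
    }

    // Count failed attempts inside the window that match every given column = hash pair.
    // Column names come only from this class, never from user input.
    private function failures(array $where, int $now): int
    {
        $conds = ['success = 0', 'created_at > ?'];
        $params = [$now - $this->windowSeconds];
        foreach ($where as $column => $hash) {
            $conds[] = $column . ' = ?';
            $params[] = $hash;
        }
        $stmt = $this->db->prepare('SELECT COUNT(*) FROM login_attempt WHERE ' . implode(' AND ', $conds));
        $stmt->execute($params);
        return (int) $stmt->fetchColumn();
    }

    // Call before the password is verified: null means allowed, otherwise the limit that was hit.
    public function check(string $ip, string $email, int $now): ?string
    {
        $ipHash = self::h($ip);
        $emailHash = self::h($email);
        if ($this->failures(['ip_hash' => $ipHash], $now) >= $this->maxPerIp) {
            return 'ip';
        }
        if ($this->failures(['email_hash' => $emailHash], $now) >= $this->maxPerAccount) {
            return 'account';
        }
        if ($this->failures(['ip_hash' => $ipHash, 'email_hash' => $emailHash], $now) >= $this->maxPerPair) {
            return 'pair';
        }
        return null;
    }

    // Call after the password check with its outcome; failures are also appended to the log file.
    public function record(string $ip, string $email, bool $success, int $now): void
    {
        $stmt = $this->db->prepare('INSERT INTO login_attempt (ip_hash, email_hash, success, created_at) VALUES (?, ?, ?, ?)');
        $stmt->execute([self::h($ip), self::h($email), $success ? 1 : 0, $now]);
        if (!$success) {
            // Fail2Ban needs the client address in clear text; an assumed filter line such as
            // failregex = customer login failed for \S+ from <HOST>  would match this format.
            $line = sprintf("%s customer login failed for %s from %s\n", gmdate('Y-m-d H:i:s', $now), self::h($email), $ip);
            file_put_contents($this->logFile, $line, FILE_APPEND);
        }
    }

    // Housekeeping: rows older than the window can never affect a decision.
    public function purge(int $now): int
    {
        $stmt = $this->db->prepare('DELETE FROM login_attempt WHERE created_at <= ?');
        $stmt->execute([$now - $this->windowSeconds]);
        return $stmt->rowCount();
    }
}

// Constructed demonstration: six wrong passwords for one account from one address.
$throttle = new LoginThrottle(new PDO('sqlite::memory:'), 10, 5, 3, 900, 'php://stdout');
$t = 1700000000;
for ($i = 0; $i < 6; $i++) {
    $verdict = $throttle->check('203.0.113.7', 'user@example.com', $t + $i);
    if ($verdict === null) {
        $throttle->record('203.0.113.7', 'user@example.com', false, $t + $i);
    }
    echo 'attempt ', $i + 1, ': ', $verdict ?? 'allowed', "\n";
}
echo 'same IP, other account: ', $throttle->check('203.0.113.7', 'other@example.com', $t + 10) ?? 'allowed', "\n";
echo 'same pair after the window: ', $throttle->check('203.0.113.7', 'user@example.com', $t + 901) ?? 'allowed', "\n";
```

In the demonstration the first three failures are recorded, the fourth and later attempts for that IP and account pair are refused before any password is checked, a different account from the same address is still allowed because the per-IP limit of 10 has not been reached, and once the 900-second window has moved past the recorded failures the same pair is allowed again. Only failures count toward a limit, matching the "without succeeding" wording in the proposal; the hashed identifiers in the table and the clear-text address in the log line reflect the two different needs of the throttle itself and of Fail2Ban.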

AlterWeb commented 3 years ago

@ADDISON74

Based on an observer that records the attacker's IP address in a log file after a number of failed attempts. Once this file exists it can be used by Fail2Ban, which can manage how long to keep an IP banned.

I think it would indeed be great if we can combine it with Fail2Ban. But I think we still need a mechanism to record the IP addresses (or a hash of the IP addresses) associated with the login attempts to determine how many login attempts there were. In that case, why not also block the attempts within OpenMage so we are not dependent on Fail2Ban but use it as an extra option?

After a number of failed attempts, load the template related to password reset.

Great idea.

For other forms like contact, newsletter, password I recommend HoneySpam extension

The other forms are out of the context of this issue, I guess, but I mentioned it more because we use the same mechanism in our module for those. This is however in addition to the honeypot approach, because that alone has not been working perfectly anymore in recent years. As they also say at the HoneySpam repository:

That said, honeyspam unfortunately doesn't work well anymore, so you might want to look into other alternatives like captchas.

I personally hate captchas so that's why I try everything to not have to use those ;-).

fballiano commented 6 months ago

Nowadays we have a rateLimit API which would make this implementation very easy; could somebody provide a PR?