Postleaf / postleaf

Simple, beautiful publishing with Node.js.
https://www.postleaf.org/
MIT License
505 stars 203 forks source link

Security: brute force attack #103

Open kylechine opened 6 years ago

kylechine commented 6 years ago

Auth log needed for defending brute force attack.

I've read the code at:

No login-attempts log action was found. If I am wrong, please forgive me, this could be a problem for brute force attack.

Ideally, the system should provide a login-attempts failure counter to prevent some IP, which attempted too many times. Or at least provide an auth log system for other software like fail2ban to do so.

Thanks for your beautiful work!

claviska commented 6 years ago

Your observation is correct. I omitted that from the software layer because rate limiting is easy enough to configure on one's server. However, it would still be helpful to log failed attempts, so I'll leave this open for comments.

ovidiucp commented 4 years ago

This project appears to be dead, big bummer!

In any case, it would probably make sense to delegate the authentication to a third-party system like Google, Facebook etc., and have something like oauth2_proxy handle the user authentication.

claviska commented 4 years ago

In any case, it would probably make sense to delegate the authentication to a third-party system like Google, Facebook etc., and have something like oauth2_proxy handle the user authentication.

That would defeat the purpose of Postleaf being a decentralized publishing platform.

This project appears to be dead, big bummer!

Dev is paused for awhile due to lack of interest and other obligations. I will revisit it when the time is right.

kylechine commented 4 years ago

@claviska I love this project. Don't give it up!

M8inC commented 4 years ago

@claviska I agree with @kylechine!