Closed seluianova closed 1 week ago
Probably we only want to ban failed requests? Currently we log these failed attempts and ban the IP for endpoints that don't require login. Currently we have a limit of 5 attempts. Not sure if this is a proper solution here. I think setting a general rate limit is difficult to find since there may be people creating 30 cards in an hour (internal card creation).
Any other suggestions here?
Currently we log these failed attempts and ban the IP for endpoints that don't require login.
@f1sh1918 could you please tell me how to reproduce that exactly? If I just send requests that fail, I don't get a ban
We don't do this right now for this mutation. But you can test with failed login attempts on production, for example.
You can check SignInMutationService, for example. We log failed logins there.
And with fail2ban we check the logs for whether the same IP addresses with a certain log pattern occur frequently, and ban the IP address.
https://git.tuerantuer.org/DF/salt/src/branch/master/states/entitlementcard/files/fail2ban/filter.conf
But I don't know exactly how to configure this, e.g. after how many requests someone will be banned. Probably we should use different values depending on the log pattern.
Maybe @maxammann or @svenseeberg can help here.
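As an added illustration (not code from the entitlementcard project or the linked salt configuration), the script below mimics what the fail2ban setup described in this comment does: one failregex-style pattern per log type, matches counted per IP inside a findtime window, and a ban once that pattern's maxretry is reached. The log format, log lines, rule names and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (the issue does not show the real log format).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z WARN SignInMutationService - Failed login attempt from 203.0.113.7
2024-05-01T10:00:05Z WARN SignInMutationService - Failed login attempt from 203.0.113.7
2024-05-01T10:00:09Z WARN SignInMutationService - Failed login attempt from 203.0.113.7
2024-05-01T10:00:12Z INFO CardCreation - Card created by 198.51.100.2
2024-05-01T10:00:20Z WARN CardVerification - Invalid card hash from 198.51.100.2
2024-05-01T10:00:21Z WARN CardVerification - Invalid card hash from 198.51.100.2
2024-05-01T10:00:22Z WARN CardVerification - Invalid card hash from 198.51.100.2
2024-05-01T10:00:23Z WARN CardVerification - Invalid card hash from 198.51.100.2
2024-05-01T10:00:24Z WARN CardVerification - Invalid card hash from 198.51.100.2
2024-05-01T10:01:00Z WARN SignInMutationService - Failed login attempt from 192.0.2.9
2024-05-01T10:01:30Z WARN SignInMutationService - Failed login attempt from 192.0.2.9
2024-05-01T12:30:00Z WARN SignInMutationService - Failed login attempt from 192.0.2.9
"""

# One rule per log pattern, each with its own threshold (as proposed in the thread).
# regex/maxretry/findtime mirror fail2ban's failregex with <HOST>, maxretry and findtime.
RULES = {
    "failed-login": dict(
        regex=re.compile(r"SignInMutationService - Failed login attempt from (?P<host>\S+)$"),
        maxretry=3, findtime=timedelta(minutes=10)),
    "invalid-card": dict(
        regex=re.compile(r"CardVerification - Invalid card hash from (?P<host>\S+)$"),
        maxretry=5, findtime=timedelta(minutes=10)),
}


def ips_to_ban(log_text, rules):
    """Return {host: rule_name} for hosts that reach maxretry matches within findtime."""
    recent = defaultdict(list)  # (rule name, host) -> timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        ts = datetime.strptime(line[:20], "%Y-%m-%dT%H:%M:%SZ")
        for name, rule in rules.items():
            match = rule["regex"].search(line)
            if match is None:
                continue
            key = (name, match.group("host"))
            # Sliding window: drop hits older than findtime, then record this one.
            recent[key] = [t for t in recent[key] if t > ts - rule["findtime"]] + [ts]
            if len(recent[key]) >= rule["maxretry"]:
                banned.setdefault(match.group("host"), name)
    return banned
```

Running `ips_to_ban(SAMPLE_LOG, RULES)` bans the two bursty hosts but not 192.0.2.9, whose third failure lands long after its first two fell out of the window; lowering `maxretry` for "failed-login" to 2 would catch it.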
Configuration is in salt I believe or just on the server. I can make changes if wanted :)
@maxammann maybe you can just tell me where the amount of failed attempts is configured :) I think we may need different amounts depending on the mutation but this has to be discussed
Replied in chat
Is your feature request related to a problem? Please describe. Follow up to https://github.com/digitalfabrik/entitlementcard/issues/1421
Since this endpoint is not protected, it should be ensured that IPs with too many requests should be blocked, especially because the argon2id calculation is expensive.
Describe the solution you'd like
Describe alternatives you've considered Maybe there is a possibility to implement limiting at the infrastructure level?
Additional context Add any other context or screenshots about the feature request here.