getgrav / grav-plugin-admin

Grav Admin Plugin
http://getgrav.org
MIT License

Login page vulnerable to brute force attack #847

Open rsip22 opened 8 years ago

rsip22 commented 8 years ago

The admin panel is vulnerable to brute force attacks. The login page (/admin) returns a code if the user exists and another code if the user doesn't exist, and there is no barrier stopping automated systems from trying this. I don't quite enjoy this idea, but I think the easiest way to fix this immediately could be inserting a Captcha. Another alternative (not sure how effective) could be limiting the number of attempts from the same IP per day.

The forgotten password page is also vulnerable... When you try and request a forgotten password link, the system confirms whether the e-mail is registered or not. I would suggest changing it to a more generic message such as "If this is a registered e-mail, the recovery link has been sent to it. If you don't receive the link, contact your site administrator" or something like that... but I'm not quite sure if that would suffice. Maybe someone with more expertise might want to look into this.

mahagr commented 8 years ago

I would just use a single error message stating something like: Incorrect username or password. Those changes (forgotten password string change included) would make it impossible to guess usernames in either of the forms.

I wouldn't limit access by IPs, but adding captcha as an option isn't a bad idea.

rsip22 commented 8 years ago

I don't really like the captcha option, but if it must be added, could we at least have it active only after a few failed attempts (like 3, or something)?

billhemsley commented 8 years ago

Delays between log-in attempts - preferably increasing, perhaps exponentially, with each attempt up to a certain limit - effectively block brute-force attacks. The delays and limits could be set as parameters.

rhukster commented 7 years ago

The forgot password functionality has been modified in the beta version of the login plugin. It only takes email addresses now.

flaviocopes commented 7 years ago

Also, edited to print the same message whether the email exists or not, in https://github.com/getgrav/grav-plugin-login/commit/3e7c20fd66639123cfb2894d9298d4ccfb861af9

Mahagon commented 7 years ago

Logging failed attempts would be nice too for fail2ban etc :)
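
The three suggestions above (one generic error message, an increasing delay after a few failures, and a loggable failure line) fit together in one login handler. This is an added illustration, not code from the Grav login or admin plugins; the parameter values, the salt, the user store and the log format are all constructed assumptions.

```python
import hashlib
import hmac
import logging
import time

# Tunable parameters (the "parameters" billhemsley suggests); these values are assumptions.
FREE_ATTEMPTS = 3      # failures allowed before any delay kicks in
BASE_DELAY = 2.0       # seconds; doubles with each further failure
MAX_DELAY = 300.0      # upper limit for the delay
WINDOW = 3600.0        # failures older than this are forgotten

GENERIC_ERROR = "Incorrect username or password."
THROTTLED = "Too many failed attempts; please wait before trying again."

# Constructed user store: username -> PBKDF2 hash (a stand-in, not Grav's account format).
_SALT = b"constructed-salt"

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {"admin": _hash("correct horse battery")}
_DUMMY = _hash("")      # compared against when the user does not exist
_failures = {}          # client key (e.g. IP) -> list of failure timestamps

def required_delay(key, now):
    """Seconds the client must still wait; 0.0 when an attempt may be made."""
    recent = [t for t in _failures.get(key, []) if now - t < WINDOW]
    _failures[key] = recent
    excess = len(recent) - FREE_ATTEMPTS
    if excess < 0:
        return 0.0
    delay = min(BASE_DELAY * 2 ** excess, MAX_DELAY)   # exponential, capped
    return max(0.0, delay - (now - recent[-1]))

def login(key, username, password, now=None):
    now = time.time() if now is None else now
    if required_delay(key, now) > 0:
        logging.warning("admin login throttled from=%s", key)
        return THROTTLED
    # Always run the password hash, so a missing user costs the same time as a wrong password.
    stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    if not ok:
        _failures.setdefault(key, []).append(now)
        # One stable line per failure; a fail2ban failregex can key on "from=<HOST>".
        logging.warning("admin login failed user=%r from=%s", username, key)
        return GENERIC_ERROR   # identical for an unknown user and a wrong password
    _failures.pop(key, None)
    return "OK"
```

Throttling is keyed on the client, not the username, so the throttle message cannot be used to tell registered and unregistered accounts apart.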

tech4him1 commented 7 years ago

What about a way to limit the number of incorrect login attempts in a certain time period?

flaviocopes commented 7 years ago

The Login plugin now has a security section in its configuration to control that: https://github.com/getgrav/grav-plugin-login/commit/590f188189c8453afb5992e7ec385795336ee711

Neicul commented 7 years ago

Would still be nice to even have the OPTION for a captcha. Also, the flood protection doesn't seem to work, at all. Grav never stops you from entering any more passwords, even with the security features enabled. Neither does it extend the time between login tries.

Am I doing something wrong or is the plugin simply broken?

flaviocopes commented 7 years ago

Actually the Login plugin brute force protection does not apply to Admin (my bad in writing the opposite up here). In Admin, you have the option to add webserver-level protection (e.g. htaccess/htpasswd in Apache) and also limit by IP range, until this feature lands in Admin as well.

Neicul commented 7 years ago

I see. Yes, I guess that is the sensible thing to do until then. Currently, this seems like a glaring security flaw, if users don't get at least a warning that they should secure the Admin page.

Also, as already suggested: a warning for failed login attempts in the dashboard would be very nice.

Hoping for an update on this soon :)

EDIT: the .htaccess solution pretty much kills all CSS on the admin page, which more or less renders it unusable.

Neicul commented 7 years ago

Currently, the best you can do for better Admin security is to hide the admin page by renaming it, like so: https://learn.getgrav.org/admin-panel/faq#custom-admin-url I really hope a login protection for admin comes soon, as this prevents me from using it on a corporate site.

diegovogel commented 5 years ago

> Actually the Login plugin brute force protection does not apply to Admin (my bad in writing the opposite up here). In Admin, you have the option to add webserver-level protection (e.g. htaccess/htpasswd in Apache) and also limit by IP range, until this feature lands in Admin as well.

Brute force protection seems to be working on my admin login page. It's also in the docs. Is this comment outdated or am I misunderstanding?

Also does anyone know how to get Grav to work with fail2ban?

MakePixelsWork commented 4 years ago

My alternate solution only works if you have FTP access to all your servers/hosting.

You can edit the .htaccess to only allow your specific IP address to read the /admin/ folder. Any other IP (and subsequent bots) will not be able to load any of the folder contents.

I used to use this method to disallow all but my own IP address... to check if a built website was working, before launching it. This was before you could run a local webserver. Maybe this still works for those few users that are afraid and want total control from only their IP.