nextcloud / bruteforcesettings

🕵 Allow admins to configure the brute force settings
https://apps.nextcloud.com/apps/bruteforcesettings
GNU Affero General Public License v3.0

Brute-force whitelisted IP are ineffective for password resetting #325

Open m4dz opened 3 years ago

m4dz commented 3 years ago


Steps to reproduce

  1. Block IP with too many login attempts (brute-force blacklisting)
  2. Whitelist IP in the Brute-force settings app
  3. Try to reset the password from the IP in question

Expected behaviour

Once whitelisted, the login operations (both login and password reset) should be allowed from the IP in question.

Actual behaviour

The user can log in from the IP, but the reset password action still returns an HTTP 412 error.

Server configuration

Operating system: Debian Buster

Web server: Apache / PHP-FPM

Database: MySQL 10.4.13

PHP version: 7.4.4

Nextcloud version: 20.0.5

Updated from an older Nextcloud/ownCloud or fresh install: Upgraded

Where did you install Nextcloud from: Official download page

Signing status:

```
No errors have been found.
```

List of activated apps:


Nextcloud configuration:


Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Firefox 84.0.2

Operating system: Ubuntu 20.10

joshtrichards commented 9 months ago

I suspect this was the Rate Limiter being hit on the lost password controller rather than BFP:

https://github.com/nextcloud/server/blob/1bc8129623d15b369a7b6bf7ac65931b0e83455e/core/Controller/LostController.php#L172-L173

That'll still trigger after BFP is reset (I just confirmed it as well in testing).

joshtrichards commented 9 months ago

But I can only trigger it if, in addition to triggering BFP and then whitelisting in BFP, I also hit the Reset Password button a bunch of times in a short window (10 within 300s will do it per current code). And it'll come back to life within 300s.

That's expected behavior.

I can see how if a user couldn't access the password reset function, after the admin clears them from BFP, that would be a problem.

But I can't see how this would happen under normal circumstances, since just using the password reset function a handful of times won't trigger (much) rate limiting. I actively had to go out of my way to make like 10 attempts to reset my password. :thinking:
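As an added illustration (not code from Nextcloud or from either commenter), the following simplified Python model shows why the two controls discussed in this thread behave differently: the brute-force protection honours an IP whitelist, while a separate per-IP rate limiter with the 10-requests-per-300-seconds window does not, so a freshly whitelisted IP that hammers the reset form is still throttled until its earlier attempts age out. Class names, the status labels and the sample IP are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

LIMIT, PERIOD = 10, 300  # window quoted in the thread: 10 attempts within 300 s


class BruteForceProtection:
    """Simplified model of BFP: a whitelisted network bypasses the block entirely."""
    def __init__(self, whitelist):
        self.nets = [ipaddress.ip_network(n) for n in whitelist]
        self.blocked = set()

    def whitelist(self, net):
        self.nets.append(ipaddress.ip_network(net))

    def allows(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.nets) or ip not in self.blocked


class RateLimiter:
    """Simplified per-IP limiter: each attempt counts for PERIOD seconds; no whitelist."""
    def __init__(self, limit=LIMIT, period=PERIOD):
        self.limit, self.period = limit, period
        self.attempts = defaultdict(list)  # ip -> timestamps of counted attempts

    def allows(self, ip, now):
        live = [t for t in self.attempts[ip] if now - t < self.period]
        self.attempts[ip] = live
        if len(live) >= self.limit:
            return False  # denied attempts are not recorded, as in a limiter that checks first
        live.append(now)
        return True


def lost_password(bfp, limiter, ip, now):
    """Outcome of one reset request: 'blocked' (BFP), 'rate_limited', or 'ok' (labels assumed)."""
    if not bfp.allows(ip):
        return "blocked"
    if not limiter.allows(ip, now):
        return "rate_limited"
    return "ok"


def reproduce(ip="203.0.113.7"):
    """Constructed scenario from the report: BFP block, admin whitelists IP, IP hammers reset."""
    bfp, limiter = BruteForceProtection(whitelist=[]), RateLimiter()
    bfp.blocked.add(ip)
    before = lost_password(bfp, limiter, ip, now=0)   # still blocked by BFP
    bfp.whitelist(ip)                                  # admin whitelists the single address
    results = [lost_password(bfp, limiter, ip, now=t) for t in range(11)]
    later = lost_password(bfp, limiter, ip, now=301)  # oldest attempts have expired
    return before, results, later
```

The eleventh request inside the window is refused even though BFP now lets the IP through, and the address "comes back to life" once enough of its earlier attempts fall outside the 300 s window.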