open-iscsi / targetd

Remote configuration of a LIO-based storage appliance
GNU General Public License v3.0

Security improvements #69

Closed tasleson closed 4 years ago

tasleson commented 4 years ago

Address two potential issues:

  1. Client sending excessive amounts of data in a request
  2. Password brute force attacks

Resolves: https://github.com/open-iscsi/targetd/issues/66

tasleson commented 4 years ago

@dsonck92 If you have the time I would appreciate you looking this over, thanks.

dsonck92 commented 4 years ago

Looks good regarding the payload size. Regarding the password delay: Nothing is preventing users from connecting in parallel and executing multiple passwords. Maybe a fail2ban-style approach might be more effective, i.e. let a specific IP/user or combination thereof try a fixed number of times before ignoring it for a fixed timespan (probably both configurable). This would not stop a distributed attack but it would help mitigate an attempt from one location.
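The fail2ban-style lockout sketched in the comment above, combined with serializing authentication per source IP so parallel connections cannot race the failure counter, as an added Python example that is not targetd's own code. The keying on client IP, the thresholds (failures and lockout seconds), the injectable clock and the plain password comparison are all assumptions for illustration.

```python
import hmac
import threading
import time
from collections import defaultdict


class AuthLimiter:
    """Per-IP failed-login counter with a lockout window and one auth check in flight per IP."""

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures        # assumed default; make configurable in practice
        self.lockout_seconds = lockout_seconds  # assumed default; make configurable in practice
        self.clock = clock                      # injectable so tests can advance time
        self._lock = threading.Lock()
        self._failures = defaultdict(int)       # ip -> consecutive failed attempts
        self._locked_until = {}                 # ip -> clock value when the lockout expires
        self._in_flight = set()                 # ips currently being checked

    def _locked(self, ip):
        # Caller must hold self._lock. Expired lockouts are cleared lazily.
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def is_locked(self, ip):
        with self._lock:
            return self._locked(ip)

    def begin(self, ip):
        """Reserve the auth slot for ip; False if locked out or another check is already running."""
        with self._lock:
            if self._locked(ip) or ip in self._in_flight:
                return False
            self._in_flight.add(ip)
            return True

    def end(self, ip, success):
        """Release the slot; a failure counts toward the lockout, a success resets the counter."""
        with self._lock:
            self._in_flight.discard(ip)
            if success:
                self._failures.pop(ip, None)
                return
            self._failures[ip] += 1
            if self._failures[ip] >= self.max_failures:
                self._locked_until[ip] = self.clock() + self.lockout_seconds


def authenticate(limiter, ip, supplied, expected):
    """True only if ip may be checked right now and the password matches (constant-time compare)."""
    if not limiter.begin(ip):
        return False
    ok = False
    try:
        ok = hmac.compare_digest(supplied.encode(), expected.encode())
    finally:
        limiter.end(ip, ok)
    return ok
```

A request that arrives while the IP is locked or already mid-check is rejected without touching the counter, so a burst of parallel guesses buys the attacker nothing beyond the single serialized attempt.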

tasleson commented 4 years ago

@dsonck92 I'll see what I can add to mitigate a parallel attack.

tasleson commented 4 years ago

@dsonck92 Updated PR to prevent concurrent failed authentication attempts from same IP.

tasleson commented 4 years ago

@dsonck92 Thanks for the review