owncloud / brute_force_protection

Brute-force protection app for ownCloud
GNU General Public License v2.0

[QA] 1.2.0 Testplan #194

Closed jnweiger closed 1 year ago

jnweiger commented 1 year ago


'Brute_Force_Protection' Test Plan

TBD: Nothing useful found in https://github.com/owncloud/QA/tree/master/Server

TBD: Here is a dummy testplan template. Please edit!

TBD: Please also double-check https://github.com/owncloud/qa-enterprise/tree/master/Core

Setup

Setup details: `oc_release.sh app:get brute_force_protection`

Testing functionality

| Test Case | Expected Result | Result | Related | Comment |
|---|---|---|---|---|
| enable app via cli | app gets enabled | :heavy_check_mark: | | |
| disable app via cli | app gets disabled | :heavy_check_mark: | | |
| enable app via web | app gets enabled | :heavy_check_mark: | | |
| disable app via web | app gets disabled | :heavy_check_mark: | | |
| create a user and try 3 logins with a wrong password | after 3 attempts, another login attempt should be blocked | :x: | | app counts wrong. Login is only blocked after the 4th attempt |
| create a public share with password and try 3 logins with wrong password | after 3 failed attempts, another should be blocked | :x: | | app counts wrong again. Blocked again only after the 4th attempt |
| set "Ban for how many seconds?" from 300 to 600 | the block time should now be 10 minutes | :heavy_check_mark: | | |
| set "Count failed attempts over how many seconds?" to 10 seconds, then try 5 bogus logins with 10 seconds between each login | no block should happen | :heavy_check_mark: | | |

GeraldLeikam commented 1 year ago

Issues found while Testing

App counts failed logins wrong #197

GeraldLeikam commented 1 year ago

App behavior is weird. Shouldn't the attacker's IP be blocked? Because currently only another attempt to log in as user xyz is blocked. As soon as ownCloud is refreshed, another attack (on a new user) can be made.

jnweiger commented 1 year ago

Testplan used with the 1.1.0 release: https://github.com/owncloud/brute_force_protection/issues/132

jnweiger commented 1 year ago

I believe it is correct behavior to block by username, and not by IP address. An office going out via NAT should not be completely blocked if one user plays havoc. Actually we block the combination of user and IP:

```
MariaDB [owncloud]> select * from oc_bfp_failed_logins;
+----+---------------+------+--------------+
| id | ip            | uid  | attempted_at |
+----+---------------+------+--------------+
|  1 | 46.114.209.20 | dave |   1678878092 |
|  2 | 46.114.209.20 | dave |   1678878098 |
|  3 | 46.114.209.20 | dave |   1678878103 |
+----+---------------+------+--------------+
```
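The counting test cases in the plan above (block after 3 wrong passwords, ban length, count window) and the per-user-and-IP keying shown in the `oc_bfp_failed_logins` dump can be modelled in a few lines. The following is an added illustration written for this page, not the brute_force_protection app's own code: it keeps rows shaped like that table (`ip`, `uid`, `attempted_at`) in memory and assumes a threshold of 3 failed attempts, the 300-second defaults for both settings, and that the ban starts at the attempt which reaches the threshold. The `off_by_one` switch reproduces the symptom reported in the plan (ban only once the count exceeds the threshold, so the 4th attempt still gets through). The IP addresses and timestamps are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class FailedLogin:
    """One row shaped like the oc_bfp_failed_logins table: ip, uid, attempted_at."""
    ip: str
    uid: str
    attempted_at: int


@dataclass
class BruteForceGuard:
    """In-memory model of per-(ip, uid) brute-force protection (assumed, not the app's code).

    threshold:       failed attempts inside the window that trigger a ban
    window_seconds:  "Count failed attempts over how many seconds?"
    ban_seconds:     "Ban for how many seconds?"
    off_by_one:      True reproduces the miscount from the test plan, i.e. the ban
                     only starts once the count EXCEEDS the threshold instead of reaching it
    """
    threshold: int = 3
    window_seconds: int = 300
    ban_seconds: int = 300
    off_by_one: bool = False
    failed_logins: list = field(default_factory=list)
    banned_until: dict = field(default_factory=dict)

    def recent_failures(self, ip: str, uid: str, now: int) -> int:
        """Count failures for this (ip, uid) pair that fall inside the sliding window."""
        return sum(1 for row in self.failed_logins
                   if row.ip == ip and row.uid == uid
                   and now - row.attempted_at < self.window_seconds)

    def is_blocked(self, ip: str, uid: str, now: int) -> bool:
        # Keyed on the pair: another user behind the same NAT address, or the
        # same user from another address, is not affected by this ban.
        return self.banned_until.get((ip, uid), 0) > now

    def record_failure(self, ip: str, uid: str, now: int) -> int:
        """Store the failure, start the ban if the pair reached the threshold, return the count."""
        self.failed_logins.append(FailedLogin(ip, uid, now))
        count = self.recent_failures(ip, uid, now)
        reached = count > self.threshold if self.off_by_one else count >= self.threshold
        if reached:
            self.banned_until[(ip, uid)] = now + self.ban_seconds
        return count

    def attempt_login(self, ip: str, uid: str, password_ok: bool, now: int) -> str:
        """Returns 'blocked', 'ok' or 'failed'; only failures are counted."""
        if self.is_blocked(ip, uid, now):
            return "blocked"
        if password_ok:
            return "ok"
        self.record_failure(ip, uid, now)
        return "failed"


IP, OTHER_IP, T0 = "46.114.209.20", "203.0.113.7", 1678878092  # constructed sample values


def failures_before_block(guard: BruteForceGuard, attempts: int = 6) -> int:
    """Wrong-password attempts for dave, 5 s apart; how many got through before a block?"""
    outcomes = [guard.attempt_login(IP, "dave", False, T0 + 5 * i) for i in range(attempts)]
    return outcomes.index("blocked") if "blocked" in outcomes else attempts


def ban_is_per_user_and_ip() -> bool:
    """Once dave is banned from IP, alice from IP and dave from OTHER_IP still log in."""
    guard = BruteForceGuard()
    failures_before_block(guard)
    return (guard.attempt_login(IP, "alice", True, T0 + 40) == "ok"
            and guard.attempt_login(OTHER_IP, "dave", True, T0 + 40) == "ok"
            and guard.attempt_login(IP, "dave", True, T0 + 40) == "blocked")


def ban_duration_honoured(ban_seconds: int = 600) -> bool:
    """The block lasts exactly ban_seconds after the attempt that triggered it."""
    guard = BruteForceGuard(ban_seconds=ban_seconds)
    for i in range(3):
        guard.record_failure(IP, "dave", T0 + 5 * i)  # third failure lands at T0 + 10
    return (guard.is_blocked(IP, "dave", T0 + 10 + ban_seconds - 1)
            and not guard.is_blocked(IP, "dave", T0 + 10 + ban_seconds))


def spaced_attempts_not_blocked() -> bool:
    """Window of 10 s: five failures 10 s apart never accumulate to the threshold."""
    guard = BruteForceGuard(window_seconds=10)
    for i in range(5):
        guard.record_failure(IP, "dave", T0 + 10 * i)
    return not guard.is_blocked(IP, "dave", T0 + 41)


if __name__ == "__main__":
    print("attempts before block (correct):   ", failures_before_block(BruteForceGuard()))
    print("attempts before block (off by one):", failures_before_block(BruteForceGuard(off_by_one=True)))
    print("ban keyed on (ip, uid):", ban_is_per_user_and_ip())
    print("ban lasts 600 s:       ", ban_duration_honoured())
    print("spaced attempts free:  ", spaced_attempts_not_blocked())
```

The only difference between the expected and the reported behaviour is the comparison in `record_failure`: `count >= threshold` bans on the third failure, `count > threshold` lets a fourth attempt through. The window check uses `now - attempted_at < window_seconds`, so an attempt exactly 10 seconds after the previous one falls outside a 10-second window, which is what the last test case relies on.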