GUACAMOLE-990: Add extension for automatically blocking brute-force auth attempts. #758
…he internal DecoratedUserContext wrapper.
…tion has absolutely succeeded or failed, including the details of any failure. Previously, these events were fired only after the user's identity had been determined (or failed to be determined). If we don't wait until after the user contexts have also been successfully obtained (or failed to be obtained), then things like MFA will not be taken into account for auth events.
NOTE: This extension works by aborting authentication early by throwing a
(guacamole-client/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java, lines 208 to 211 in fe56df7)
This is naturally dependent on the order that extensions are loaded, hence naming things such that it's loaded first within the Docker image:
(guacamole-client/guacamole-docker/bin/start.sh, lines 1168 to 1173 in fe56df7)
Loading the extension before all other auth extensions is necessary for correct behavior with respect to timing, and we'll have to document this in the manual. If the extension is installed but not loaded first, then extensions that load earlier will be given a chance to authenticate the user before guacamole-auth-ban can abort the auth process. Even though repeated auth attempts will still be blocked, the amount of time taken until that block occurs might vary by whether the credentials provided were valid according to those other extensions, and that variance in timing might allow an attacker to determine whether their guess is correct even though full auth is temporarily blocked.
…own to be invalid.
…ys notify of problematic addresses.
…ons of a common interface.
This change adds a new extension, "guacamole-auth-ban", which automatically tracks failed authentication attempts. After a specified limit has been reached, the IP address that is failing to authenticate is temporarily banned. This includes failures to provide valid MFA codes, etc., if Guacamole is configured to require them.
By default, addresses that repeatedly fail authentication are banned for 5 minutes (300 seconds) after 5 failed attempts, and these values can be overridden with the "ban-address-duration" and "ban-max-invalid-attempts" properties respectively. The maximum number of addresses tracked is ~10 million by default (10485760), and this can be overridden with the "ban-max-addresses" property. It is intentionally not possible to remove the limit entirely, though it can be set as high as desired. If too many authentication failures have occurred, the user failing to authenticate will see a message like:
In addition to implementing the extension itself, this change involved:
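As an added illustration of the banning behavior the description outlines (example code written here, not the guacamole-auth-ban extension's own implementation): a bounded, per-address failure tracker that bans an address for a configurable duration once it reaches a configurable number of failed attempts, with the three limits mapped to the properties named above. The class name `FailureTracker`, the `isBanned`/`recordFailure`/`recordSuccess` methods and the LRU eviction via `LinkedHashMap` are assumptions for this example only.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;

/** Simplified, hypothetical failure tracker; not the guacamole-auth-ban implementation. */
public class FailureTracker {
    /** Per-address state: consecutive failures and when any active ban ends. */
    private static final class AddressState {
        int failures;
        Instant bannedUntil;
    }
    private final int maxInvalidAttempts;  // cf. ban-max-invalid-attempts (default 5)
    private final Duration banDuration;    // cf. ban-address-duration (default 300 s)
    private final Map<String, AddressState> states;

    public FailureTracker(int maxInvalidAttempts, Duration banDuration, int maxAddresses) {
        this.maxInvalidAttempts = maxInvalidAttempts;
        this.banDuration = banDuration;
        // Access-ordered, bounded map: the least recently seen address is evicted
        // once more than maxAddresses are tracked (cf. ban-max-addresses, default 10485760).
        this.states = new LinkedHashMap<String, AddressState>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, AddressState> eldest) {
                return size() > maxAddresses;
            }
        };
    }

    /** Checked before any authentication provider runs, so banned addresses never reach them. */
    public synchronized boolean isBanned(String address, Instant now) {
        AddressState s = states.get(address);
        return s != null && s.bannedUntil != null && now.isBefore(s.bannedUntil);
    }

    /** Records a failed attempt (password or MFA); returns true if the address is now banned. */
    public synchronized boolean recordFailure(String address, Instant now) {
        AddressState s = states.computeIfAbsent(address, k -> new AddressState());
        if (s.bannedUntil != null && !now.isBefore(s.bannedUntil)) {
            s.failures = 0;          // an earlier ban has expired: count afresh
            s.bannedUntil = null;
        }
        if (++s.failures >= maxInvalidAttempts) {
            s.bannedUntil = now.plus(banDuration);
            return true;
        }
        return false;
    }

    /** A fully successful authentication (including MFA) clears the address's history. */
    public synchronized void recordSuccess(String address) {
        states.remove(address);
    }
}
```

As the review comment above notes, the ban check only removes the timing difference between valid and invalid guesses if it runs before every other authentication extension.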