
No logging of failed login attempts for admin/webmail #1926

Closed
7 tasks done
Diman0 opened this issue Aug 11, 2021 · 0 comments · Fixed by #1987
Labels
type/bug Bug. Not working as intended

Comments


Diman0 commented Aug 11, 2021

Thank you for opening an issue with Mailu. Please understand that issues are meant for bugs and enhancement-requests.
For user-support questions, reach out to us on matrix.

To be able to help you best, we need some more information.

Before you open your issue

  • Check if no issue or pull-request for this already exists.
  • Check documentation and FAQ. (Tip, use the search function on the documentation page)
  • You understand Mailu is made by volunteers in their free time — be concise, civil and accept that delays can occur.
  • The title of the issue should be short and simple. It should contain specific terms related to the actual issue. Be specific when writing the title.

Environment & Versions

Environment

  • docker-compose
  • kubernetes
  • docker swarm

Versions

1.7, 1.8 and master

Description

See the logic for handling login attempts via the admin application:

```python
import flask
import flask_login

# `ui`, `forms` and `models` are the Mailu admin blueprint, form classes and
# ORM models imported at module level in the original file (not shown here).

@ui.route('/login', methods=['GET', 'POST'])
def login():
    form = forms.LoginForm()
    if form.validate_on_submit():
        user = models.User.login(form.email.data, form.pw.data)
        if user:
            flask.session.regenerate()
            flask_login.login_user(user)
            endpoint = flask.request.args.get('next', '.index')
            return flask.redirect(flask.url_for(endpoint)
                or flask.url_for('.index'))
        else:
            # Only the user sees this; nothing is written to the server log.
            flask.flash('Wrong e-mail or password', 'error')
    return flask.render_template('login.html', form=form)
```

When a logon attempt fails, nothing is logged. The model (models.py) also shows that nothing happens when a logon attempt fails.

```python
def login(cls, email, password):
    # body not included in the issue's permalink excerpt
    ...
```

So we have no rate limiting and no audit trail for failed logon attempts. Someone can try to brute-force the password without consequences.

Replication Steps

1. Log in with an incorrect e-mail or password in the admin application.
2. Check the admin logs. Note that nothing is logged.

Expected behaviour

Failed logon attempts should be logged. It would also be handy if we added some kind of rate limiting for the login. Possibly every subsequent login attempt could be delayed by x seconds? This is a handy measure against brute-force attempts.

@Diman0 Diman0 added the type/bug Bug. Not working as intended label Aug 17, 2021
@bors bors bot closed this as completed in a1192d8 Oct 16, 2021
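The two gaps the report names, no audit line for a failed logon and no delay between attempts, can be closed with one small piece of state kept beside the login route. The following is an added example written for this issue, not Mailu's code and not the fix that landed in #1987; it is plain Python with an injectable clock so the back-off can be exercised deterministically, and the Flask wiring is left out. `check_credentials` stands in for `models.User.login`, the logger name, the `203.0.113.5` address and the `admin@example.com` account are constructed, and the delay schedule (1 s doubling up to a cap, forgotten after a quiet window) is one reasonable choice, not a recommendation from the project.

```python
import logging
import time

# Hypothetical logger name; Mailu's admin app is not assumed to use it.
log = logging.getLogger("admin.auth")


class FailedLoginTracker:
    """Record failed logon attempts and compute a growing delay before the
    next attempt is accepted.  State is keyed on (client IP, e-mail): one
    client hammering one account is throttled, while a remote party cannot
    lock a legitimate user out merely by spamming that user's address.
    The clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, base_delay=1.0, max_delay=60.0, window=600.0,
                 clock=time.monotonic):
        self.base_delay = base_delay   # delay after the first failure (s)
        self.max_delay = max_delay     # cap for the exponential back-off (s)
        self.window = window           # failures older than this are forgotten (s)
        self.clock = clock
        self._failures = {}            # (ip, email) -> (count, last_failure_time)

    @staticmethod
    def _key(ip, email):
        return (ip, email.strip().lower())

    def delay_remaining(self, ip, email):
        """Seconds the caller must still wait before another attempt; 0.0 if none."""
        key = self._key(ip, email)
        entry = self._failures.get(key)
        if entry is None:
            return 0.0
        count, last = entry
        elapsed = self.clock() - last
        if elapsed > self.window:
            del self._failures[key]    # stale record, start fresh
            return 0.0
        required = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        return max(0.0, required - elapsed)

    def record_failure(self, ip, email):
        key = self._key(ip, email)
        count = self._failures.get(key, (0, 0.0))[0] + 1
        self._failures[key] = (count, self.clock())
        # The audit line the issue asks for: who, from where, how many in a row.
        log.warning("Failed login for %s from %s (%d consecutive failures)",
                    email, ip, count)
        return count

    def record_success(self, ip, email):
        self._failures.pop(self._key(ip, email), None)
        log.info("Successful login for %s from %s", email, ip)


def attempt_login(tracker, ip, email, password, check_credentials):
    """Gate one login attempt.  Returns ('ok', None), ('rejected', None) or
    ('throttled', seconds_remaining).  While throttled the password is not
    verified at all, so a throttled response says nothing about it."""
    wait = tracker.delay_remaining(ip, email)
    if wait > 0:
        log.warning("Throttled login for %s from %s, %.1fs remaining",
                    email, ip, wait)
        return ("throttled", wait)
    if check_credentials(email, password):
        tracker.record_success(ip, email)
        return ("ok", None)
    tracker.record_failure(ip, email)
    return ("rejected", None)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")

    # Constructed stand-in for models.User.login(): a single known account.
    def check(email, password):
        return (email, password) == ("admin@example.com", "correct horse")

    tracker = FailedLoginTracker(base_delay=1.0, max_delay=8.0)
    for pw in ("guess1", "guess2", "guess3", "correct horse"):
        print(attempt_login(tracker, "203.0.113.5", "admin@example.com", pw, check))
```

In a Flask view the `else:` branch of `login()` would call `record_failure` with `flask.request.remote_addr` and the submitted e-mail, the success branch would call `record_success`, and a non-zero `delay_remaining` would short-circuit the form before `models.User.login` runs. Keying on the address alone would miss attempts spread across many clients; keying on the e-mail alone would let anyone lock a user out, which is why the pair is used. Behind a reverse proxy the real client address has to be taken from the trusted forwarding header, otherwise every attempt shares the proxy's IP. The in-memory dictionary is only suitable for a single process; a deployment with several admin workers would keep the same counters in a shared store.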