From 5539e187885d32354a8ba5158985bc8610f40b72 Mon Sep 17 00:00:00 2001 From: Cristina <579522+CristinaRO@users.noreply.github.com> Date: Wed, 17 Jan 2024 17:37:59 +0000 Subject: [PATCH 1/3] Add rack-attack --- Gemfile | 1 + Gemfile.lock | 3 +++ 2 files changed, 4 insertions(+) diff --git a/Gemfile b/Gemfile index 308d7e30e..b2ddc5dcd 100644 --- a/Gemfile +++ b/Gemfile @@ -29,6 +29,7 @@ gem "puma", "~> 6.4" gem "pundit" gem "rollbar" gem "rails", "~> 6.1.7" +gem "rack-attack" gem "rollout" gem "rollout-ui" gem "redis", "< 5" diff --git a/Gemfile.lock b/Gemfile.lock index e9e9b107c..991ab153b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -315,6 +315,8 @@ GEM rspec-support (~> 3.12) racc (1.7.3) rack (2.2.8) + rack-attack (6.7.0) + rack (>= 1.0, < 4) rack-protection (2.2.4) rack rack-session (1.0.2) @@ -573,6 +575,7 @@ DEPENDENCIES puma (~> 6.4) pundit pundit-matchers (~> 3.1.2) + rack-attack rails (~> 6.1.7) rails-controller-testing rails_layout From f802cd3e0d185844bd82540d3742f31b3f6a9aa1 Mon Sep 17 00:00:00 2001 From: Cristina <579522+CristinaRO@users.noreply.github.com> Date: Wed, 17 Jan 2024 17:42:41 +0000 Subject: [PATCH 2/3] Minimal Rack:Attack configuration Prevent brute-force login attacks. Once we have confirmed that this works as intended and doesn't block legitimate users, and once we have configured the environment variables on all environments, we can remove the fallbacks, to avoid giving the potential attackers any clues on how to refine their attempts. --- CHANGELOG.md | 2 ++ config/initializers/rack_attack.rb | 9 +++++++++ 2 files changed, 11 insertions(+) create mode 100644 config/initializers/rack_attack.rb diff --git a/CHANGELOG.md b/CHANGELOG.md index f0f6e2e98..f877aeded 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ [Full changelog][unreleased] +- Configure rack-attack to prevent brute force login attacks + ## Release 144 - 2024-01-24 [Full changelog][144] 
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb new file mode 100644 index 000000000..bfe8d0c26 --- /dev/null +++ b/config/initializers/rack_attack.rb @@ -0,0 +1,9 @@ +### Prevent Brute-Force Login Attacks ### +# Throttle POST requests to /users/sign_in by IP address +# +# Key: "rack::attack:#{Time.now.to_i/:period}:logins/ip:#{req.ip}" +Rack::Attack.throttle("logins/ip", limit: ENV.fetch("LOGIN_ATTEMPTS_COUNT_BEFORE_THROTTLE", 5), period: ENV.fetch("LOGIN_ATTEMPTS_INTERVAL_BEFORE_THROTTLE", 300)) do |request| + if request.path.start_with?("/users/sign_in") && request.post? + request.ip + end +end From 85632f5174692ca6b181055fe048642d4c1fbb46 Mon Sep 17 00:00:00 2001 From: Cristina <579522+CristinaRO@users.noreply.github.com> Date: Thu, 25 Jan 2024 17:10:03 +0000 Subject: [PATCH 3/3] Release 145 - Configure rack-attack to prevent brute force login attacks --- CHANGELOG.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f877aeded..c935198a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ [Full changelog][unreleased] +## Release 145 - 2024-01-25 + +[Full changelog][145] + - Configure rack-attack to prevent brute force login attacks ## Release 144 - 2024-01-24 
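Review bot: The fallbacks passed to `ENV.fetch` are Integers, but anything actually read from the environment is a String, so the moment LOGIN_ATTEMPTS_COUNT_BEFORE_THROTTLE or LOGIN_ATTEMPTS_INTERVAL_BEFORE_THROTTLE is set (which the commit message says is the plan) `limit:` and `period:` become strings and the period arithmetic the hunk's own key comment shows (`Time.now.to_i/:period`) will fail on the first login request rather than at boot. Coerce with `Integer(...)` rather than `.to_i`, since `Integer` raises on a malformed value at startup whereas `to_i` silently yields 0 (a 0 period divides by zero, a 0 limit throttles every login): `limit: Integer(ENV.fetch("LOGIN_ATTEMPTS_COUNT_BEFORE_THROTTLE", 5)), period: Integer(ENV.fetch("LOGIN_ATTEMPTS_INTERVAL_BEFORE_THROTTLE", 300))`. Keying on `request.ip` is only meaningful if the deployment's trusted-proxy configuration is right — otherwise every login behind the load balancer lands in one shared bucket, or a spoofed X-Forwarded-For sidesteps the throttle — and a per-IP limit alone does nothing against credential stuffing spread across many addresses, so a companion throttle keyed on the submitted email (e.g. `"logins/email"`) is worth adding once this is confirmed working. Finally, `request.path.start_with?("/users/sign_in")` also matches any longer path with that prefix; `request.path == "/users/sign_in"` is the tighter match for the form POST.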
@@ -1663,7 +1667,8 @@ - Planned start and end dates are mandatory - Actual start and end dates must not be in the future -[unreleased]: https://github.com/UKGovernmentBEIS/beis-report-official-development-assistance/compare/release-144...HEAD +[unreleased]: https://github.com/UKGovernmentBEIS/beis-report-official-development-assistance/compare/release-145...HEAD +[145]: https://github.com/UKGovernmentBEIS/beis-report-official-development-assistance/compare/release-144...release-145 [144]: https://github.com/UKGovernmentBEIS/beis-report-official-development-assistance/compare/release-143...release-144 [143]: https://github.com/UKGovernmentBEIS/beis-report-official-development-assistance/compare/release-142...release-143 [142]: https://github.com/UKGovernmentBEIS/beis-report-official-development-assistance/compare/release-141...release-142