
Rate Limit. #1333

Closed
ghost opened this issue Dec 30, 2016 · 3 comments
Comments

@ghost

ghost commented Dec 30, 2016

Hi,

OS: Linux Ubuntu 16.04 LTS

Looks like there is no rate limit in the BeEF Login Portal.
Able to brute force it.

Request to have a look!

Thank you

@bcoles
Collaborator

bcoles commented Dec 30, 2016

Hi @f0rum

You're correct. There are no account lockout or IP banning restrictions.

Access to the management interface should be restricted using the IP subnet access controls in a production deployment. This can be configured with the beef.restrictions.permitted_ui_subnet option in config.yaml.

The default username and password should also be changed to something more secure using the beef.credentials.user and beef.credentials.passwd options respectively.

The panel path should also be changed using the beef.http.web_ui_basepath configuration option in config.yaml. Admittedly this is security through obscurity and won't prevent attacks against the RESTful interface.

Edit: See also: #182

@ghost
Author

ghost commented Jan 12, 2017

Hi @bcoles

Any update on this? Looking forward to it.

@bcoles
Collaborator

bcoles commented Feb 4, 2017

Turns out the admin UI does have request throttling. However, it's set to 1 second by default. You can change the beef.extensions.admin_ui.login_fail_delay: 1 value in extensions/admin_ui/config.yaml.

The RESTful API does not have the same restrictions.
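The two controls discussed in this thread, a permitted-subnet check on the management interface and a failure delay that grows into a lockout instead of a fixed one-second pause, as an added Ruby example that is not BeEF's own code. The class name, thresholds, method names and the sample addresses are assumptions for the example.

```ruby
require 'ipaddr'
require 'time'

# Added example, not BeEF's implementation: a minimal login guard combining
#   1. an IP allow-list in the spirit of beef.restrictions.permitted_ui_subnet, and
#   2. per-source failed-login tracking with a doubling delay and a lockout,
#      i.e. the rate limit the issue reports as missing.
# Thresholds below are illustrative assumptions, not BeEF defaults.
class LoginGuard
  LockState = Struct.new(:failures, :locked_until)

  def initialize(permitted_subnet:, max_failures: 5, base_delay: 1, lockout: 300)
    @subnet = IPAddr.new(permitted_subnet)
    @max_failures = max_failures
    @base_delay = base_delay       # seconds; mirrors a 1 s login_fail_delay
    @lockout = lockout             # seconds a source stays locked out
    @state = Hash.new { |h, k| h[k] = LockState.new(0, nil) }
  end

  # May this source address reach the management UI at all?
  def permitted?(ip)
    @subnet.include?(IPAddr.new(ip))
  end

  # Seconds the caller must wait before the next attempt from ip is accepted
  # (0 means proceed). Delay doubles per failure: 1, 2, 4, ... until lockout.
  def wait_seconds(ip, now = Time.now)
    st = @state[ip]
    return (st.locked_until - now).ceil if st.locked_until && st.locked_until > now
    return 0 if st.failures.zero?
    @base_delay * (2**(st.failures - 1))
  end

  # Record an authentication outcome; returns the updated failure count.
  # A success clears the source's history; reaching max_failures locks it out.
  def record(ip, success, now = Time.now)
    if success
      @state.delete(ip)
      return 0
    end
    st = @state[ip]
    st.failures += 1
    st.locked_until = now + @lockout if st.failures >= @max_failures
    st.failures
  end

  def locked?(ip, now = Time.now)
    st = @state[ip]
    !st.locked_until.nil? && st.locked_until > now
  end
end
```

A request handler would reject sources that fail `permitted?`, sleep or refuse for `wait_seconds` before checking credentials, and call `record` with the outcome.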

@bcoles bcoles added Defect and removed Enhancement labels Feb 4, 2017
@bcoles bcoles added this to the 0.4.7.1-alpha milestone Aug 13, 2017
@wadealcorn wadealcorn assigned wanton1950 and unassigned antisnatchor Oct 1, 2017
wanton1950 added a commit to wanton1950/beef that referenced this issue Nov 24, 2017
Clean-up duplicate functionality.
EOL whitespace removed

Changes to be committed:
	modified:   extensions/admin_ui/controllers/authentication/authentication.rb
wanton1950 added a commit to wanton1950/beef that referenced this issue Nov 28, 2017
Clean-up duplicate functionality.
EOL whitespace removed

Changes to be committed:
	modified:   extensions/admin_ui/controllers/authentication/authentication.rb
@bcoles bcoles modified the milestones: 0.4.7.1-alpha, 0.4.8.0-alpha Dec 8, 2017
wanton1950 added a commit to wanton1950/beef that referenced this issue Dec 11, 2017
Clean-up duplicate functionality.
EOL whitespace removed

Changes to be committed:
	modified:   extensions/admin_ui/controllers/authentication/authentication.rb
@bcoles bcoles modified the milestones: 0.4.8.0-alpha, 0.4.7.1-alpha Jan 9, 2018
wanton1950 added a commit to wanton1950/beef that referenced this issue Jan 9, 2018
Clean-up duplicate functionality.
EOL whitespace removed

Changes to be committed:
	modified:   extensions/admin_ui/controllers/authentication/authentication.rb
@bcoles bcoles closed this as completed in 3e1266f Mar 7, 2018